core icon indicating copy to clipboard operation
core copied to clipboard
Published 2 days ago verified publisher icon home-assistant

Add webauthn auth provider

Open VDigitall opened this issue 1 year ago • 1 comments

Breaking change

Proposed change

Add the webauthn auth provider

The webauthn auth provider allows log in with a passkey or a security key, such as YubiKey. Passkeys are a secure and convenient way to authenticate users using web authentication standards. Screenshot 2024-07-30 at 08 13 50 Screenshot 2024-07-30 at 08 14 16 Screenshot 2024-07-30 at 08 15 09

Type of change

  • [ ] Dependency upgrade
  • [ ] Bugfix (non-breaking change which fixes an issue)
  • [ ] New integration (thank you!)
  • [x] New feature (which adds functionality to an existing integration)
  • [ ] Deprecation (breaking change to happen in the future)
  • [ ] Breaking change (fix/feature causing existing functionality to break)
  • [ ] Code quality improvements to existing code or addition of tests

Additional information

  • This PR fixes or closes issue: fixes #
  • This PR is related to issue:
  • Link to documentation pull request: https://github.com/home-assistant/home-assistant.io/pull/33998
  • Link to frontend pull request: https://github.com/home-assistant/frontend/pull/21485

Checklist

  • [x] The code change is tested and works locally.
  • [x] Local tests pass. Your PR cannot be merged unless tests pass
  • [x] There is no commented out code in this PR.
  • [x] I have followed the development checklist
  • [x] I have followed the perfect PR recommendations
  • [x] The code has been formatted using Ruff (ruff format homeassistant tests)
  • [x] Tests have been added to verify that the new code works.

If user exposed functionality or configuration variables are added/changed:

If the code communicates with devices, web services, or third-party tools:

  • [ ] The manifest file has all fields filled out correctly.
    Updated and included derived files by running: python3 -m script.hassfest.
  • [x] New or updated dependencies have been added to requirements_all.txt.
    Updated by running python3 -m script.gen_requirements_all.
  • [ ] For the updated dependencies - a link to the changelog, or at minimum a diff between library versions is added to the PR description.

To help with the load of incoming pull requests:

VDigitall avatar Jul 28 '24 07:07 VDigitall

Hey there @home-assistant/core, mind taking a look at this pull request as it has been labeled with an integration (config) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of config can trigger bot actions by commenting:

  • @home-assistant close Closes the pull request.
  • @home-assistant rename Awesome new title Renames the pull request.
  • @home-assistant reopen Reopen the pull request.
  • @home-assistant unassign config Removes the current integration label and assignees on the pull request, add the integration domain after the command.
  • @home-assistant add-label needs-more-information Add a label (needs-more-information, problem in dependency, problem in custom component) to the pull request.
  • @home-assistant remove-label needs-more-information Remove a label (needs-more-information, problem in dependency, problem in custom component) on the pull request.

home-assistant[bot] avatar Jul 28 '24 07:07 home-assistant[bot]

I've looked at this, and, the problem is that I don't feel comfortable accepting this code.

There are some things that are weird but fixable, like it's extracting usernames from credentials it shouldn't touch, or having a function named add_challenge that actually overrides a key.

But in the end, I don't feel like we, the maintainers of Home Assistant, should take up the risk of adopting this code and maintaining it into perpetuity. The risk that bad code causes us to expose HA instances exists.

Combine that with the fact that most users don't know what passkeys are. The users that do, might not know the implications. If you store your passkey in Chrome password manager, you can now not login if you're on another browser. I feel like it would lead to more, not less, people getting locked out.

I know that it's a popular feature among a certain part of our user group, which will not agree with this decision, and that's okay. You cannot make software for everyone by pleasing everyone on everything.

balloob avatar Nov 14 '24 22:11 balloob

If there's a discussion about this somewhere I can take it up there

@balloob AFAIK there isn't much of an easy way to add community auth providers for ourselves. Would this instead be an option for Home Assistant to consider making easier so that we who are a bit more technical or want another way of logging in can extend and support for example WebAuthn?

Venefilyn avatar Nov 14 '24 22:11 Venefilyn

One of the safest and flexible things for Home Assistant to do would be to implement SSO aka OAUTH. This takes the code maintenance out of home assistant and users can implement whatever authentication methods they prefer, or stick with the built in options. There is an open letter on the community page requesting this that is one of the most up voted requests that the devs refuse to acknowledge or comment on. @balloob while I understand the security risks of any auth method, why can’t changes be made to the auth framework to more easily allow us power users the choice of auth providers since home assistant is supposed to be all about choice and local control. It’d be great if someone could actually acknowledge the demand for this, just because a dev doesn’t want it for themselves doesn’t mean others don’t want the feature or support. But unfortunately the current way the front end handles auth we have no way to insert any other methods.

koolsb avatar Nov 14 '24 22:11 koolsb

I appreciate all the feelings about this topic, we know it's an often requested feature.

However, I am going to lock this PR, as pull requests are not the place where discussion should happen.

balloob avatar Nov 14 '24 22:11 balloob