Authentication for OpenHab 3/App

Development
1

Hi :slight_smile: I just wanted to ask if OpenHab 3 has authentication in place…if not, I wanted to offer my help :slight_smile:. I would suggest to implement authelia :slight_smile: Maybe we can just make the app compatible with it, so People can use it on their reverse-proxy. I use traefik with the OpenHab docker and absolutely love it :slight_smile:. If someone is interested, I can help test/develop a solution with traefik here together, but the best thing would be to integrate Auth/user management directly to OpenHab if planned so :slight_smile:

2

OpenHAB 3 has authentication.

1 Like
3

Oh very cool :slight_smile: thank you :slight_smile: is dual-factor also supported?

4

No, not yet.
Authelia is primarily a reverse-proxy based solution, as far as I understand it, while openHAB currently only supports its own identity provider (based on users in the JSON DB).

In the future we can imagine options to trust an OpenID Connect provider, and accept their tokens as valid authentication to openHAB services, or exchange them with openHAB ones. Authelia plans to act as a OpenID Connect provider, at least it’s on their roadmap (https://www.authelia.com/docs/roadmap.html). Then you’d identify yourself using any MFA option it offers. openHAB could also support popular MFA provider internally.

2 Likes
5

I think internal MFA would be the better option for now… because I think most people only use reverse-proxy on OpenHab because of missing Auth in 2…with internal MFA OpenHab would be more versatile and secure I think :slight_smile:. But I would not program it from scratch…maybe this is a good solution?: http://www.linotp.org/. I have no experience with directly integrated MFA, but maybe authy is a good solution? Found this: https://github.com/twilio/authy-java

6

Multi function Authentication is WAY more than a lot of people want at home. It may ne a good OPTION but not the default.

1 Like
7

Authy is fine, but generic TOTP (which is supported by both Authy, Google Authenticator and others) would be better. There are a number of TOTP libraries in Java apparently, so it appears doable.
In any case, I think you should start a discussion in Issues · openhab/openhab-core · GitHub with what you’re planning to do.

8

Yes :slight_smile: I also wouldn’t use it as default but as additional security measure. Especially for the people who like to Selfhost OpenHab :slight_smile:. Maybe it brings some weight of myopenhab…also security-headers like nextcloud implements by default would be a nice security measure :slight_smile:

9

@ysc thanks :slight_smile: I’ll try that :slight_smile:

10

Opened an Issue :slight_smile: hope we find some security-enthusiasts :slight_smile: https://github.com/openhab/openhab-core/issues/1790

1 Like
11

This topic was automatically closed 41 days after the last reply. New replies are no longer allowed.