Authentication in OH2

Is there currently any way to enable authentication (Username, Password) in OpenHAB 2?
Haven’t found anything when searching for it.


No, this is still an open issue (see first known restriction on https://github.com/openhab/openhab2/edit/master/docs/sources/intro.md).
If you would like to work on adding this feature, please let me know! The tricky part is that it should not be specific for Jetty, since it needs to be hooked into Eclipse SmartHome, which only requires an OSGi HTTP server, but does not require it to be Jetty.

Thanks @Kai.
I haven’t really had time to look into the server side code of OpenHAB yet. I have plans to do so, but would probably start off contributing to a less critical part of the system.

Actually, afaik @teichsta wanted to look at adding this feature through servlet filters. Not sure how far this has evolved though.

Nothing new from my side! Still on business/family trip in Milano … we should probably discuss when I am back on Tuesday.

Which Tuesday exactly?


Still nothing new in this area due to changed project priorities. Since I will start my holidays on Sep. 12th there won’t be any time before, I’m afraid.

“Just” adding the servlet filters won’t help too far. First we would have to add some entities to the domain model in order to create a notion of a user, role and permission. These new entities should also be accessible/administrable through REST and so forth. So it might be one of the issues that start small and get bigger and bigger the longer one thinks about it.

@mattias_markehed do you have anything special in mind (model) when thinking about roles and permissions?

@teichsta didn’t really have anything except basic authentication for https. Would be nice to be able to connect to the server over the internet without having it open to everyone.

But would be really cool to be able to give different users access to different sitemaps.

since the my.openHAB2 bundle has been merged recently (see https://github.com/openhab/openhab2/pull/320) you could use my.openHAB to accomplish this kind of authentication for you …

I think the very basic requirement is to be again backward compatible with openHAB 1, i.e. have the possibility to add some simple authentication to HTTP(S) again. If it is designed in a modular way that allows pluggable authentication providers, it shouldn’t be too hard to make this work with a simple users.cfg file (as one authentication option, this is what @mattias_markehed asked for in this issue) similar to openHAB 1.x, don’t you think?
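
An added example, not code from openHAB or Eclipse SmartHome, of the design discussed above: a servlet filter that uses only the `javax.servlet` API (so it is not tied to Jetty) and delegates the credential check to a pluggable provider. `AuthenticationProvider`, `MapProvider`, the realm name and the `user=password` file format are assumptions made for the illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical provider interface: a users.cfg reader, LDAP, etc. would implement it. */
interface AuthenticationProvider {
    boolean authenticate(String user, String password);
}

/** Provider backed by a map, e.g. loaded from "user=password" lines (assumed format). */
class MapProvider implements AuthenticationProvider {
    private final Map<String, String> users;
    MapProvider(Map<String, String> users) { this.users = users; }
    public boolean authenticate(String user, String password) {
        String expected = users.get(user);
        if (expected == null) return false;
        // Compare without revealing, via timing, how many leading bytes matched
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     password.getBytes(StandardCharsets.UTF_8));
    }
}

/** Container-neutral filter: depends on javax.servlet only, nothing Jetty-specific. */
public class BasicAuthFilter implements Filter {
    private final AuthenticationProvider provider;
    public BasicAuthFilter(AuthenticationProvider provider) { this.provider = provider; }
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String header = ((HttpServletRequest) req).getHeader("Authorization");
        if (header != null && header.regionMatches(true, 0, "Basic ", 0, 6)) {
            try {
                // Header value is base64("user:password"); split on the first colon only
                String[] cred = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                        StandardCharsets.UTF_8).split(":", 2);
                if (cred.length == 2 && provider.authenticate(cred[0], cred[1])) {
                    chain.doFilter(req, res);   // authenticated: continue to the servlet
                    return;
                }
            } catch (IllegalArgumentException badBase64) { /* malformed header: answer 401 */ }
        }
        HttpServletResponse response = (HttpServletResponse) res;
        response.setHeader("WWW-Authenticate", "Basic realm=\"openHAB\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```

Basic credentials are only base64-encoded, so the filter belongs behind HTTPS, and a real provider would store password hashes rather than the plaintext values used here.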

Do you mean “before” or “after”?

:slight_smile: I won’t be able to work on this topic before my holidays. Since I don’t have any clue about the WiFi quality in my hotel I won’t be able to make any promises for the holiday time, either.

Any update? I am waiting on this feature too^^

In the meantime, I am using Firewall to block all other IPs except my activity range^^, which is not perfect as you know~
Thanks,

John.

Don’t really understand ㅠ,ㅠ

You mean HTTPS to my server can be accomplished using myopenhab.org?
Thanks,

John.

Exactly, install the myopenhab persistence addon and register an account on https://my.openhab.org and you will get a https “relay” to your local openhab instance.

-Frode

Any activity here? Is there any discussion going on about implementing a user-role based access model?

Permission to view sitemap items, read and change item states would be really handy.

Real world examples: Tablet presenting information at first floor could be accessed with a user with limited access, avoiding people from changing stuff you don’t want to give access to for everyone walking by.

“Guest user”: Give simple access to multimedia at the livingroom and perhaps some lighting for the babysitter.

Prevent the “teenagers” in the house from switching on/off certain switches :wink:


I do provide this feature in my installation using a Microsoft Web Application Proxy (WAP) as a reverse proxy in the DMZ. External connections will be authorized with two-factor auth (MFA) over SSL, while internal connections are bound to domain accounts (which are bound to sitemaps). I do understand, this is pretty much overkill for an end user, but I would never expose my smarthome hub directly to WWW (even with http-auth on it).
my.openhab is the best solution for the “normal” user, as it is also a kind of reverse proxy.
On my smartphone I am using my own app over a certificate-based VPN (full-blown IPsec).
So from my pov, I would not spend so much time on a sophisticated auth in OH2. Better to make my.openhab a rock solid solution for everyone (for a price). No need to think about fixed ip, ipv6, ds-lite…

For internal usage a limited sitemap should work fine.

no, not afaik but would be great to start that discussion … will you?

The right place might be https://github.com/eclipse/smarthome/issues/579.

For basic authentication stuff, we will have to look at what pax-web & karaf have to offer - but it is probably better to wait for next week, as I plan to introduce these new frameworks next week.

Hi, any news on this since OH2 is on the new frameworks?

I would hope that @splatch will help on this, see also this thread.