Authentication in OH2

I am just wondering how the discussion and proposed PR in will impact the usage of the iOS openHAB app

As far as I understand things, opting for a nginx+certbot+basic http authentication effectively means that only the Basic, Classic or other web-based GUI can be used, right?

Also, for me the only reason to use nginx is to facilitate the automatic certbot-driven certificate renewals, which is not that friendly/easy when directly integrating certbot generated certificates in the jetty config of openHAB (Securing Openhab with free ssl Let’s Encrypt Certificates and, and SSL with OpenHAB2). Since certbot is a good initiative that we/anyone should support, we should maybe introduce a new servlet in openHAB to accommodate the automatic renewals. This sounds a lot like the OH1 “webapps” stuff which we do not use anymore in OH2 (well, static html can be put in conf/html but is not served through the hidden url / well-known).

There’s no reason why a reverse proxy can’t facilitate non-web based GUIs. It’s working well for me using HABDroid and the iOS app.

And also the only important reason for me. (Being able to connect using a sub-domain on my server without forwarding another port is a minor luxury).

Am I right in thinking from one of those links that if the key is part of a bundle then we’ll also have to repack the letsencrypt key into a java keystore every time openHAB updates?

With the basic authentication enabled on nginx? Never tried it with the iOS app, but then I wonder how you input the userid/password? (or is the iOS app that smart that i can leverage the user/pwd setting to use for the login on the nginx?)

I admit I do not fully understand why jetty.xml does not need to be updated, but in my update script I copy and then restore the keystore file every time the whole runtime is updated.

There’s a place for it in the settings, which was originally used for http authentication on openHAB 1.x, nginx uses http authentication too so the app shouldn’t be unaware of any difference.

Ok - that does confirm it. I actually never used it that way, was rather unaware that even the old OH1 used Basic Authentication - I thought the userid/pwd was something that was done out of band.

Hey guys.

Just sort of confirming/asking if this is still in development. If I open up port 8080 to my server at home. Could anyone pointing to the correct web address access my info? Or if security has been implemented to create a user/password but not looking in the correct place for it?

To see the current status regarding authentication, watch

Don’t open your installation to be world-accessible!!! There is no built-in authentication as of now, AFAIK.

I understand I’d rather should help than complain (sorry, my job already takes 11h of each day), but that (lack of security) likely is a major obstacle for many, as accessing your home remotely is one of the biggest perks of IoT. Setting up a reverse proxy is nothing that uncle Joe is able to do; even I feel like “yuck, the effort to learn it, the time to set it up, the things that could go wrong”.

Suggestion: Provide something simple and working now, and something more elaborate later.

Don’t get me wrong: OpenHab is a great piece of work, and I hope and think it will be the base of many home automatization projects, a de-facto standard. is a good solution for many.

A good solution without the need to open any port.

Yes, I am also using to access things remotely. The only ‘downfall’ is that you are depending on the 3rd party service being up and running. I haven’t had any issues with down time, but it is something you need to consider.

Thanks for the pointer! I prefer to not distribute private information though, hence cloud solutions (for anything) are not an option for me, especially “in these times”.

Understood! You could set up your own instance of openHAB Cloud, though, instead of using others’.

Of course, this is also difficult for Uncle Joe to do, like setting up nginx as a reverse proxy.

Thanks for your tips, and your persistence :slight_smile: Appreciated.

To provide some background: While I am not Uncle Joe (I am an IT professional), I find it pretty hard sometimes to find the time and muster the effort to deal with bread and butter things like auth when I feel that “just should be part of the package”. I am enjoying tinkering with hard- and software, but I am having enough fun with misbehaving Arduinos and ESP8266 chips :wink: Probably the same is true for the good people building OpenHab…


Amen brother.

With the release of OH 2.1, I fumbled through ESH issues etc. to see if simple-mode user/password made it in.

I conclude it didn’t, though some foundation work has been carried out in ESH I think?

(guess i’m Uncle Joe here, holding out on OH1 as i fancy neither cloud nor reverse-proxy complications :smile:)

I too am waiting for at least basic authentication before finally migrating from OH1.8. It is currently a show stopper for me because using a cloud service like is against the very purpose of OH keeping all data in-house.

Everyone is scared of the term “reverse proxy” when it is actually nothing more than another component you can add to your openHAB setup to get yet another feature (authentication, encryption and public domain binding). openHAB is extremely modular and shines by the flexibility given to the end user. Eventually there might be authentication included in openHAB but besides the extra setup steps, the nginx solution provides most needed features and doesn’t limit your further options.

If you are simply unsatisfied with having to go through the setup procedure, you should know that the openHABian Configuration Tool (can be used on any Debian/Ubuntu based system) includes a wizard for all of this.
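
For reference, a minimal nginx configuration covering the three features named in the post above (authentication, encryption and public domain binding) plus the certbot renewal path raised earlier in the thread. This is an added example, not taken from the thread or from openHAB; the host name `openhab.example.org`, the webroot `/var/www/certbot` and the password file `/etc/nginx/.htpasswd` are placeholder assumptions, and openHAB is assumed to listen on port 8080 on the same host.

```nginx
# Added example, not from the thread. Assumptions: openhab.example.org,
# /var/www/certbot and /etc/nginx/.htpasswd are placeholders; openHAB
# listens on HTTP port 8080 on the same machine.

# Port 80: serve only the certbot HTTP-01 challenge, redirect everything else.
server {
    listen 80;
    server_name openhab.example.org;

    # certbot in webroot mode writes its challenge files below this directory,
    # so renewals never touch openHAB's Jetty keystore.
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: TLS termination and HTTP Basic authentication in front of openHAB.
server {
    listen 443 ssl;
    server_name openhab.example.org;

    # certbot's standard layout; nginx reads the PEM files directly.
    ssl_certificate     /etc/letsencrypt/live/openhab.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/openhab.example.org/privkey.pem;

    location / {
        # Every request needs valid credentials, from a browser or a mobile app.
        auth_basic           "openHAB";
        auth_basic_user_file /etc/nginx/.htpasswd;

        proxy_pass http://127.0.0.1:8080/;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this layout only ports 80 and 443 are forwarded from the router; port 8080 stays unreachable from outside, so the unauthenticated openHAB interface is never exposed directly. Basic credentials travel with every request, which is why the plain-HTTP server block serves nothing but the challenge path and the redirect.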


Some of us run OH on Windows hosts. nginx does seem to offer at least a beta version for Win.

Given OH modularity, I guess what us luddites would hope for is a ‘nginx package’ as easy to plug-on as a device binding. I realise that may well not be a practical idea.