Disable REST authentication on OH3?

I have a simple Python script that I’ve used for a few years to update some items in my OH 2.5 setup. Now with REST API requiring authentication in OH3 it’s broken. It seems like overkill to have to rotate tokens every hour for item updates. Is there a way to disable the new REST authentication mechanism entirely?

Maybe relevant:

I also have some python scripts that update items which also broke with OH 3, but the reason was due to my scripts not setting the content type header.

Changing to use requests.put(url, "ON", headers={'Content-type': 'text/plain'}) fixed it for me.

You could also generate a fixed token in your openHAB user settings.
I think there should be no need to refresh that token that often.

By default, no authentication is required to update items with the REST API. Only the admin APIs require authentication.

That is why there are long lived API Tokens. If you want less secure access you can enable Basic authentication for the API.

Now that you mention it this may be the problem I’m seeing and not authentication. I will give this a try.

As @Bruce_Osborne said there is a possibility to turn on basic auth in the api/developer settings.
You could also run this command in the Karaf console:
bundle:stop org.openhab.core.io.rest.auth
which will restore the way everything was in OH2. Unfortunately you have to do this every time you restart openhab.

Also for everyone running small python scripts:
I’ve created HABApp which allows running python3 scripts as rules and abstracts the whole communication to openhab so you don’t have to deal with it.
You should definitely check it out as it’ll probably save you lots of headaches in the long run :slight_smile:

Turning off auth via the bundle should anyway be the last choice to make.
The sustainable solution should be to implement a proper authentication, at least with some static token generated in the UI.

I would have recommended basic auth since this is the easiest and more than sufficient for small scripts but the implementation is broken (performance wise).

Also without knowing more about the setup one cannot say that authentication on the openhab side is needed. If it’s behind a proxy and this instance does authentication and maybe even encryption the authentication from openhab is just a hindrance and not required.
I understand that it’s a sensible default to have some kind of access control but without encryption and certificate pinning it’s just smoke and mirrors and it should have been opt out from the beginning.

Yep totally agree.

But this forum is read by a variety of users who may not be as far into the topic as you and I possibly are.
My post was meant for the kindly reader with not so much knowledge and experience in that area.
I am sure that you are able to secure your installation without an api based authentication too. :slight_smile:

Those are also possible things to extend the security docs with.

  • Which combination makes sense?
  • Where might one have to expect misbehavior during configuration?

But that’s a bit off topic for this thread of course.

Assuming you mean a proper AAA solution, or at minimum, the first 2 parts (Authentication & Authorization) I totally agree but the current system in OH is nowhere near that level. There is only one authorization level and no easy way to create more than one user.

Creating new users is as easy as using the Karaf console. An example is described here: Is openhab 3 multiuser? - #5 by Udo_Hartmann
Can’t these users be used for authentication?

That is not easy for users who are not developers or system administrators. Ideally users should not even need to go to the console except for extreme debugging. I create some user interfaces for my complex AAA system as part of my daily work.

Yes, this. It turns out I needed to set the content-type header in my Python script when using the PUT to the API. OH 2.5 did not complain about this, but in OH 3 it’s required.
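
The fix reported in this thread (a PUT with an explicit text/plain content type, optionally with a long-lived API token), as an added example that is not part of any post above. It uses the standard library instead of requests; the /rest/items/<item>/state path, the Bearer header form, the host, the item name and the OPENHAB_TOKEN variable are assumptions not stated in the thread.

```python
import os
import urllib.parse
import urllib.request

LOOPBACK = ("localhost", "127.0.0.1", "::1")


def build_state_update(base_url, item, state, token=None):
    """Build (but do not send) a PUT that sets an item's state via REST."""
    parts = urllib.parse.urlsplit(base_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("base_url must be an http(s) URL")
    # A token sent over plain HTTP is readable on the wire, so allow that
    # only for loopback, where the request never leaves the host.
    if token and parts.scheme != "https" and parts.hostname not in LOOPBACK:
        raise ValueError("refusing to send an API token over plain HTTP")
    # Assumed endpoint layout: <base>/rest/items/<item>/state
    url = "{}/rest/items/{}/state".format(
        base_url.rstrip("/"), urllib.parse.quote(item, safe=""))
    # The header the thread found to be required in OH 3.
    headers = {"Content-Type": "text/plain"}
    if token:
        # Assumed header form for a token generated in the user settings.
        headers["Authorization"] = "Bearer " + token
    return urllib.request.Request(
        url, data=state.encode("utf-8"), headers=headers, method="PUT")


def send_state_update(base_url, item, state, token=None, timeout=5):
    """Send the update and return the HTTP status code."""
    req = build_state_update(base_url, item, state, token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed values: host and item name are placeholders. The token is
    # read from the environment so it is not stored in the script.
    token = os.environ.get("OPENHAB_TOKEN")
    print(send_state_update(
        "https://openhab.example", "Kitchen_Light", "ON", token))
```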