OAuth binding

It’s entirely likely that I’m asking the wrong question, let alone suggesting the wrong solution, but I’d appreciate the thoughts of others here.

I’ve written a little Chrome extension that runs the OpenHAB 1.x web app in a popup iframe. This allows very quick control of the home from a little icon in the browser.

Unfortunately Chrome does not share the authenticated session in a browser window with the extension, so this means my extension doesn’t work with HTTPS and authentication (i.e. for most users they can only use the extension within their home network, not outside).

It’s bad practice to store credentials in Chrome’s local storage as it’s not encrypted, and the recommended way to do this is to register the web app with OAuth2.

What’s the best way to do the above? Would this require someone to write an authentication binding for OpenHAB that allows a user to authenticate to OpenHAB using OAuth2? Is that even possible? It’s probably above and beyond my capabilities (although I’m game for learning new things!)

Cheers

Mat

It would not be a binding, but it would be a core code change to add OAuth2 to the openHAB runtime. Using OAuth2 authorization to openHAB would allow new kinds of deployments, but doing it right (so it has long-term value) would require proper planning, and I don’t think openHAB 1.x would be the target.

There are no wrong questions, only wrong answers. :wink:

I’ve downloaded it and have been awaiting HTTPS support. Guess I’ll have to keep waiting. :frowning:

Or implemented in my.openhab. I suspect they already use OAuth2 to authenticate with IFTTT. Perhaps that would be easier to expose than adding it to openHAB directly.

Right, this is also the best way that I am seeing for it. For OAuth2, you need fixed redirect URLs, so you need some server that is exposed on the internet. I actually also would like to see OAuth2 support in the native iOS & Android apps when using my.openHAB, so that there is no need to store/enter any credentials on the device itself. I already discussed this with @belovictor, who was so far a bit reluctant; but maybe he can now join the discussion here.

OAuth2 is implemented in my.openhab.org, that’s true. I see no problem adding another application there. The only question is how would it keep the OAuth2 secret securely inside this Chrome plugin? Another issue is that you will have to be a my.openhab user to use it and communication will go through my.openhab.org even if you are at home.
As for iOS and Android support, Kai, I was not reluctant. I told you that I’m waiting to see the security model of ESH/OH2 before implementing that. There are already too many different mechanisms for connections in the existing apps which make it quite complicated and I don’t want to multiply it further. my.openhab.org operates as a proxy for HTTP calls so it’s a bad idea to introduce different schemes for openHAB local connection and my.openHAB connection. Let’s do OAuth2 in OH2 and then it will be logical to do it in iOS and Android and in my.openhab.org.
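On the question above of keeping an OAuth2 secret inside a Chrome extension: an added example, not code from this thread or from openHAB, of the authorization-code flow with PKCE (RFC 7636), where a public client proves itself with a per-request verifier instead of a stored secret. It assumes the authorization server accepts public clients with PKCE; the endpoint, client id and redirect URI are placeholders, and it uses Node's `crypto` so it runs standalone (an extension would use Web Crypto for the same steps).

```javascript
// Added example: OAuth2 authorization-code flow with PKCE for a public client.
// All values in CONFIG are placeholders, not real my.openhab.org settings.
const nodeCrypto = require('node:crypto');

const CONFIG = {
  authorizeEndpoint: 'https://auth.example/oauth2/authorize', // hypothetical
  clientId: 'chrome-extension-demo', // hypothetical
  redirectUri: 'https://extension-id-placeholder.chromiumapp.org/cb', // constructed
};

// S256 transform: BASE64URL(SHA256(code_verifier)), without padding.
function pkceChallenge(verifier) {
  return nodeCrypto.createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// Build the authorization request; verifier and state are kept in memory only.
function newAuthRequest(cfg) {
  const verifier = nodeCrypto.randomBytes(32).toString('base64url'); // 43 chars
  const state = nodeCrypto.randomBytes(16).toString('base64url');
  const url = new URL(cfg.authorizeEndpoint);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri,
    state,
    code_challenge: pkceChallenge(verifier),
    code_challenge_method: 'S256',
  }).toString();
  return { url: url.toString(), state, verifier };
}

// Validate the redirect, then build the token request body (no client_secret).
function tokenRequestFromRedirect(redirectUrl, pending, cfg) {
  const u = new URL(redirectUrl);
  if (u.origin + u.pathname !== cfg.redirectUri) throw new Error('unexpected redirect target');
  const err = u.searchParams.get('error');
  if (err) throw new Error('authorization failed: ' + err);
  if (u.searchParams.get('state') !== pending.state) throw new Error('state mismatch');
  const code = u.searchParams.get('code');
  if (!code) throw new Error('no authorization code');
  return new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: cfg.redirectUri,
    client_id: cfg.clientId,
    code_verifier: pending.verifier, // proves this client started the flow
  }).toString();
}
```

Nothing long-lived ships with the extension here: the verifier and state exist only for one login, and a code intercepted without the verifier cannot be redeemed.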

As there isn’t any authentication in place yet for OH2, this sounds like a good plan. Apache Oltu might be a good choice for the implementation.
