openHAB 2 REST API authentication options?

EDIT: I’m afraid I jumped to some early conclusions and should have had some more flesh on my bones before writing the below post. I, for example, understand that third party UIs/administration dashboards etc. perhaps can’t be easily integrated in some standard openHAB authentication flow. But when discussing authentication and separate authentication methods I was mainly thinking of separating the access and authentications methods for the API and the OpenHAB2 dashboard.

Hi there!
I’ve had plans on rolling my own home automation system for a while now, but I’ve come to the conclusion that my time is way too limited. Therefore I’m looking into a hybrid approach, where I’ll perhaps will be designing some custom hardware (will be quite a lot cheaper than for example commercial z-wave equipment even if I’ll be making very small batches) communicating mainly over BLE and Wifi as well as I will be using some off the shelf Z-Wave products. My goal is to then put everything together with the help of OpenHAB.

I’m working as a software developer (mostly full stack web development at the time) but I’ve mainly been studying embedded systems so I feel quite at home within the field in general. Though I’m very new to openHAB.

I just installed OpenHAB 2 on a small server and for my needs I think the REST API looks pretty great. I haven’t had much time to really get into the openHAB platform yet though, but I have got a few questions for you regarding security and authorization/authentication. Based on what I’ve read in the documentation it seems like you’re mainly recommending to let a reverse proxy take care of the authentication parts. Is there a good reason of why to do this (other than needing to put less work on integrating various authentication methods in the openHAB platform)?


I for example would probably prefer to go with some kind of token auth (jwt) when communicating with the openHAB REST api. In order to use it simply and secure from all kinds of different client devices. Though there might be reasons of why I (or some one else) would like to access other parts (different admin UIs etc.) through other authentication methods. In such use cases it just feels like depending on a third party reverse proxy can be a bit cumbersome. And I can also see how it can feel a bit daunting and cumbersome for someone a bit less experienced who just wants to have external access to for example HABpanel.

To me, personally, it feels like it would make sense to try to incorporate as many parts as possible in the “standard” openHAB ecosystem to lower the dependency of other software and also make it easier for beginner users.

What are your thoughts about this? Perhaps there is already a roadmap or similar somewhere which includes this? Or is there somewhere I can read about the future goals of the openHAB 2 development? Or maybe I’ve missed some important information about openHAB in general which makes me ask extremely stupid questions (then please tell me!). As I said, I haven’t been looking into openHAB that much yet, so there’s a lot I don’t know. Though I’m pretty sure that I will be using openHAB for my future automation plans, as it does indeed seem to be one of the most extensive and customizable (open source) platforms existing today.

In almost all cases those two things are incompatible. I can state with the authority of my own personal experience (for what it is worth) custom hardware requires orders of magnitude more time getting up and running than off the shelf devices.

Do not forget to take into account the value of your time when determining the value of different approaches.

From an OIH perspective, the WiFi using REST or MQTT would be the easiest to integrate. BLE is in works but even when it does come along it wont support much out of the box. Each device has its own API which cannot be generalized, if I understand chris correctly.

It’s because the authentication method used in OH 1.x was not suitable for OH 2 and reimplementing the built in authentication has not yet been implemented. It is planned to be implemented, though I don’t know if it is a requirement to be there before OH 2 exits beta.

The recommendation for the reverse proxy is primarily there because the built in authentication isn’t there yet. To be honest, the real recommendation is to use and openhab Clound Connector.

The core of OH 2 is built upon Eclipse SmartHome and I think this authentication would be implemented there. I could be wrong about that though. I know both use Jetty but I don’t know if the devs had to do anything special to to make it work in Karaf vise Eclipse which would complicate matters.

From a high level the solution to “make it easier for beginner users” is and the openHAB Cloud Connector binding. For everyone else who is knowledgeable enough I expect a DIY depending on third party tools will be the norm for a long time coming. Unless someone like you steps up to PR these features.