If I have openHAB behind a reverse proxy (Apache) which is doing the authentication (a popup asks for username and password), then after typing in the credentials, I land on MainUI. But if I want to have full access (settings button etc.) I have to log in to OH with my user to grant admin access. Can this be avoided somehow? I mean, so that the same credentials from the proxy are passed on to OH?
Hi, if you are authenticating at the reverse proxy level, openHAB still does not automatically trust that session for admin rights. The proxy login and the openHAB user system are separate, so that second login is expected behavior.
If you want true SSO, you do need to configure openHAB to use the same auth and properly map roles. Otherwise, there isn’t a built-in way to automatically grant admin just from the Apache popup credentials.
There have been some efforts in the past to add better and more extensive authorization and authentication features to OH. But they all stalled out and haven’t seen much activity recently.
Actually the problem is only with MainUI; BasicUI does not demand any additional login.
Since the Android OH client offers to type in user/pass in settings, I would expect to be logged in already when I launch it. It seems this works on the local network, but when I’m outside and connect via proxy, I end up not having settings and other stuff, so I am forced to type in credentials to unlock admin options every time. Credentials cannot be saved? Is this behaviour expected, and does it happen to everyone? I assume people using myopenHAB cloud may have different behavior…
Maybe the question should be asked in the Android app section…
openHAB doesn’t support OIDC servers or LDAP (yet).
I do offer to implement support for LDAP authentication backends if a “sufficient” bounty is provided. I already have a very WIP prototype that shows that it is possible to implement LDAP support, but I didn’t continue as I decided to focus on other topics in openHAB that I’m more interested in.
Main UI admin access always requires authenticating against openHAB, no matter whether you have nginx, Apache or any other proxy setup. The credentials fields in the apps aim at making the app work with reverse proxies that require basic authentication; they don’t aim at authenticating for admin access.
Anyway, once logged in as admin, your login should persist. However, the mobile apps might not be handling cookies and local storage properly when switching between local and cloud access.
Hi everyone,
I was wondering if there are any plans to implement additional user login roles or proper multi-user support in openHAB.
Currently, is the system intended to be used mainly with a single admin account, or is extended role/user management on the roadmap?
Thanks in advance for any information!
At the moment, you can use openHAB with multiple admins and users; you can manage users through the console (openhab:users command).
Main UI can display parts of pages and pages only to selected users and roles, but note that through the API every user has access to all Items. So this is not a security feature, but you can still use it to make Main UI display a different UI to your wife or your children.
Possible Development
There is a core issue where fully-fledged multi-user support has been discussed:
There already were two shots at this, but every time efforts of the individual developers have stalled, and these individual developers also had different ideas of how RBAC should be done.
Note that there is no such thing as a roadmap in a community-driven project. What is done depends 100% on what is contributed; individual developers might have their “roadmap” of what they want to contribute, and usually you can “attract” developers into working on something by placing a bounty on it.