this post was submitted on 17 Mar 2026
100 points (97.2% liked)

Selfhosted


This has been a hugely requested feature for many years and a huge hole in my entire self-hosted ecosystem. Every self-hosted app I have connects to my Authentik system for user management... except Home Assistant. Arguably one of the apps I need it for the most, for the whole family to use with their accounts.

Devs have been resistant for some reason.

There is now a community integration that allows user management for HA to be via any OpenID backend (Authentik, Keycloak, etc.).

I've been running it for a few days and it works perfectly. Very easy to set up if you already have a working Authentik setup and know how to use it with other apps like Immich.

all 16 comments

Do you know how it compares to the option that's been around for a while?
https://github.com/christiaangoossens/hass-oidc-auth

I see they say "seamless"; the extant one requires a different landing page and it doesn't remember a logged-in browser well. So on the face of it, this sounds better.

But the one linked has had many more eyes and is made by the person who made a big stink on the forums https://community.home-assistant.io/t/open-letter-for-improving-home-assistants-authentication-system-oidc-sso/494223

For the ease teased, I’ll prob check it out though

[–] node815@lemmy.world 2 points 9 hours ago

I've been using this for several months, it works very well with Pocket ID. :)

[–] magic_smoke@lemmy.blahaj.zone 2 points 10 hours ago (1 children)

Haven't touched HA yet, but I run FreeIPA. Is there an LDAP option, or will I have to get an OpenID solution to sit in front of it?

[–] Lem453@lemmy.ca 1 points 2 hours ago (2 children)

I've not looked for an LDAP solution, but stuff like this is why I went with Authentik over other solutions. Because Authentik has LDAP built in, I can use this when needed (Jellyfin) but then use OpenID for other apps (which is superior in almost every way for home lab use).

[–] magic_smoke@lemmy.blahaj.zone 1 points 2 hours ago* (last edited 1 hour ago)

For webapp stuff, for sure, but when you want to log in as the same user with the same perms across all your VMs and bare-metal servers at the OS, it's nice.

I use virtualization over containerization because I have the hardware resources, so I might as well take advantage of the improved isolation and security VMs provide. Plus I use Linux on my desktop/laptop, and have a separate dedicated storage host.

It's nice to have everything managed by one service with global accounts and permissions.

Looking at Authentik, it seems to provide some but not all of that. Def something to keep an eye on if FreeIPA decides to stop being so free.

If you're running a docker-based environment, and especially if your personal workstation/laptop doesn't run Linux, I totally get it.

I think FreeIPA could use an OpenID provider packed in, for sure. I also kinda trust API keys more than creating service accounts for software that needs to auth.

Outta curiosity, how do you handle SSO and file storage? I like being able to make Samba shares that require SSO authentication over something like Nextcloud, because I can directly mount the disk. Not sure if there's a good option there.

[–] Strit@lemmy.linuxuserspace.show 1 points 9 hours ago (1 children)

Everything still needs to be set in configuration.yaml, right? I see nothing that indicates it's possible to set it up from the UI yet.

[–] Lem453@lemmy.ca 1 points 2 hours ago* (last edited 2 hours ago)

Yes, it's config file only, but if you get the File editor app, it's quite easy to just copy and paste a few lines into the editor.

Once it's setup it never changes.

[–] Flipper@feddit.org 10 points 16 hours ago (2 children)

If I created a service I would go in the opposite direction: only offer SSO and no other option.

You lose quite a bit of complexity that way.

[–] illusionist@lemmy.zip 8 points 15 hours ago (1 children)

I would hate it if Google and Apple were the sole identity providers. If they lock me out, I'm lost. That's what a majority of people do. And services have the power to choose the identity provider. Most offer only that, and that's horrible.

[–] Flipper@feddit.org 3 points 15 hours ago (1 children)

I should have been more clear.

I meant for self hosting.

Though realistically, even if the service is provided for the public, you could just use an instance of Keycloak or something similar with open registration. That's what an association I'm close to is doing already.

[–] illusionist@lemmy.zip 4 points 15 hours ago* (last edited 15 hours ago) (1 children)

I see you. There are spillover effects. If we don't use and support passwords, others won't either.

It's not even that my government provides the identity, but a foreign, autocratic, power-hungry company, for most people.

[–] boatswain@infosec.pub 1 points 10 hours ago

With Keycloak you can have a single local password for all your self-hosted apps: you sign in to Keycloak, then you SSO into everything else from there. I'm building that out on my homelab right now, and it's working fine.

[–] Lem453@lemmy.ca 4 points 16 hours ago (1 children)

There are auth libraries that you can just plug into your app so you don't even have to worry about that part yourself and just focus on the app

https://authjs.dev/getting-started

[–] Flipper@feddit.org 2 points 15 hours ago (1 children)

By default, the Credentials provider does not persist data in the database. However, you can still create and save any data in your database, you just have to provide the necessary logic, eg. to encrypt passwords, add rate-limiting, add password reset functionality, etc.

That is exactly the complexity I wouldn't want. With just SSO it is enough to send a redirect URL to the browser and on the callback set a cookie. No JS needed. If your service gets compromised and someone leaks the credentials, just log everyone out.
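The flow Flipper describes above (redirect the browser to the identity provider, validate the callback, set a session cookie, and invalidate every session at once if the service is compromised) is small enough to show end to end. The following is an added example written for this thread; it is not code from the integration in the post, Authentik, Keycloak or authjs. The identity provider is simulated in-process, and its ID token is an HMAC-signed JSON blob standing in for a real JWT verified against the provider's JWKS; the issuer, client id and redirect URI are constructed placeholders. The parts that matter for security are the relying-party side: a single-use `state` bound to a pending login, a `nonce` carried through to the ID token, issuer/audience/expiry checks, and a session generation counter that is bumped to log everyone out.

```python
"""Minimal OIDC authorization-code relying party with a simulated IdP (added example)."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://idp.example.invalid"               # constructed placeholder
CLIENT_ID = "home-app"                               # constructed placeholder
REDIRECT_URI = "https://app.example.invalid/auth/callback"
IDP_KEY = b"constructed-shared-hmac-key"             # stands in for the IdP signing key
LOGIN_TIMEOUT = 600                                  # seconds a pending login stays valid

pending = {}            # state -> {"nonce", "created"}; one entry per login attempt
sessions = {}           # cookie value -> {"sub", "gen"}; server-side session store
session_generation = 0  # bumped by logout_everyone(); older sessions become invalid


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def start_login() -> str:
    """Step 1: remember a fresh state/nonce and build the redirect URL for the browser."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    pending[state] = {"nonce": nonce, "created": time.time()}
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid profile", "state": state, "nonce": nonce}
    return f"{ISSUER}/authorize?{urlencode(params)}"


# --- simulated identity provider (stand-in for Authentik/Keycloak, not their code) ---
codes = {}  # authorization code -> what the IdP will put in the ID token


def idp_sign(payload: dict) -> str:
    body = b64url(json.dumps(payload).encode())
    return f"{body}.{b64url(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())}"


def idp_authorize(auth_url: str, user: str) -> str:
    """The user authenticates at the IdP; it redirects back with a code and the same state."""
    q = parse_qs(urlparse(auth_url).query)
    code = secrets.token_urlsafe(16)
    codes[code] = {"sub": user, "nonce": q["nonce"][0], "redirect_uri": q["redirect_uri"][0]}
    return f"{q['redirect_uri'][0]}?{urlencode({'code': code, 'state': q['state'][0]})}"


def idp_token(code: str, redirect_uri: str):
    """Back-channel code exchange: codes are single use and bound to the redirect URI."""
    rec = codes.pop(code, None)
    if rec is None or rec["redirect_uri"] != redirect_uri:
        return None
    now = int(time.time())
    return idp_sign({"iss": ISSUER, "sub": rec["sub"], "aud": CLIENT_ID,
                     "iat": now, "exp": now + 300, "nonce": rec["nonce"]})


# --- relying party callback ---
def verify_id_token(token: str, expected_nonce: str) -> dict:
    body, sig = token.split(".")
    expected = b64url(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def handle_callback(callback_url: str) -> str:
    """Step 2: check state, exchange the code, validate the ID token, mint a session cookie."""
    q = parse_qs(urlparse(callback_url).query)
    login = pending.pop(q.get("state", [None])[0], None)   # single use: replay fails
    if login is None or time.time() - login["created"] > LOGIN_TIMEOUT:
        raise ValueError("unknown, replayed or stale state")
    token = idp_token(q.get("code", [""])[0], REDIRECT_URI)
    if token is None:
        raise ValueError("code exchange failed")
    claims = verify_id_token(token, login["nonce"])
    cookie = secrets.token_urlsafe(32)   # send as HttpOnly; Secure; SameSite=Lax
    sessions[cookie] = {"sub": claims["sub"], "gen": session_generation}
    return cookie


def current_user(cookie: str):
    s = sessions.get(cookie)
    return None if s is None or s["gen"] != session_generation else s["sub"]


def logout_everyone() -> None:
    """Compromise response: every session issued before this call stops validating."""
    global session_generation
    session_generation += 1
```

The cookie holds only a random session id; the user identity and generation live server-side, which is what makes "log everyone out" a one-line operation rather than a key rotation. A real deployment would verify a signed JWT against the provider's published keys and perform the code exchange over HTTPS, but the state, nonce, issuer, audience and expiry checks are the same.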

[–] irotsoma@piefed.blahaj.zone 2 points 14 hours ago

Problem is requiring a browser if it's not primarily a web interface. Even if initial setup is web-based, a lot of times background processes exist that don't traverse the internet, especially in higher security situations, so exposing those components to the internet just to get external credentials is not worth it, so then an additional proxying component is required. Anyway, the idea is that it can add a significant amount of complexity if it's something more complex than a simple, single component web application.