Example Home Assistant auth_provider using curl -> Authelia

[wez]

The back story is:

• Home Assistant allows deploying a command line authentication provider hook; see Authentication Providers
• An example is using LDAP via this example script, but it doesn't work because curl missing LDAP protocol home-assistant/supervisor#940
• Since Authelia provides various HTTP-based endpoints, we can ask it a bit more directly than hitting the LDAP server that sits behind it
• This requires curl and jq to be available to your Home Assistant instance; both are present in current versions of the docker image

You need to deploy this authelia.sh script to your Home Assistant instance. I use a bind mount in my docker-compose.yml:

services:
  hass:
     ...
     volumes:
        ./auth:/auth

then this script goes in auth/authelia.sh in the same directory as the compose file:

#!/bin/sh

# This script can be used by home assistant to authenticate against an authelia instance.
# You'll need to put this into your home assistant configuration.yaml, and arrange for
# this script to be visible at the path used in the `command` field, perhaps using a
# bind mount if you are a docker user:
#
# homeassistant:
#   auth_providers:
#     - type: command_line
#       command: /auth/authelia.sh
#       args: ["auth.example.com"]
#       meta: true
#     - type: homeassistant

die() {
  echo "$1" >&2
  exit 1
}

AUTHELIA="$1"
test -z "$AUTHELIA" && die "Usage: username=USER password=PASS authelia.sh auth.example.com"

cookie_jar=$(mktemp)
trap "rm -rf \"$cookie_jar\"" EXIT

curl -c "$cookie_jar" -s -f -X 'POST' \
  "https://$AUTHELIA/api/firstfactor" \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d "$(jq -n --arg u "$username" --arg p "$password" '{username: $u, password: $p}')" > /dev/null \
  || die "user '$username' failed to authenticate"

name=$(curl -b "$cookie_jar" -s -f -X 'GET' \
  "https://$AUTHELIA/api/user/info" \
  -H 'accept: application/json' | jq -r .data.display_name \
  || die "failed to retrieve user information for '$username'")

curl -b "$cookie_jar" -s -X 'POST' \
  "https://$AUTHELIA/api/logout" \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{}' > /dev/null

echo "name=${name}"

then you need to put this fragment into your home assistant configuration.yml:

homeassistant:
  auth_providers:
    - type: command_line
      command: /auth/authelia.sh
      args: ["auth.example.com"] # point to YOUR authelia hostname
      meta: true
    - type: homeassistant

Restart home assistant, and users will have the choice of Command Line authentication or Home Assistant Local authentication when they log in.

When using Command Line authentication to talk to Authelia, the user is authenticated, and if successful, their display name is reported back to Home Assistant, and Home Assistant will create a user record for that user, as a member of the Administrators group. There is not currently a way to have those users placed into the Users group instead:

• command_line authentication provider provisions all users with admin rights home-assistant/core#82204

You can review users by visiting the /config/users URL in your home assistant instance:

[mikew]

Wish I searched before writing something lol 🤦 . I went a little different, since that /api/firstfactor doesn't seem to work for me (only trying it in Authelia's generated Swagger docs)

I'm using the /api/verify?auth=basic endpoint. Bonus is that returns groups so users can be mapped to Home Assistant admins based on their groups in Authelia. I also think I've got it set up to properly use Authelia to deny certain users.

My script:

#!/usr/bin/env python
import argparse
import os

import requests
from requests.auth import HTTPBasicAuth

username = os.environ.get('username')
password = os.environ.get('password')

if username == None:
    raise Exception('Environment variable missing: username')

if password == None:
    raise Exception('Environment variable missing: password')

parser = argparse.ArgumentParser()
parser.add_argument(
    '--authelia-base',
    required=True,
)
parser.add_argument(
    '--authelia-header-email',
    default='Remote-Email',
)
parser.add_argument(
    '--authelia-header-groups',
    default='Remote-Groups',
)
parser.add_argument(
    '--authelia-header-full-name',
    default='Remote-Name',
)
parser.add_argument(
    '--authelia-admin-group',
    default='admins',
)
parser.add_argument(
    '--authelia-home-assistant-proto',
    default='https',
    choices=['http', 'https'],
)
parser.add_argument(
    '--authelia-home-assistant-domain',
    required=True,
)

args = vars(parser.parse_args())

basic = HTTPBasicAuth(username, password)
headers = {
    'X-Forwarded-Proto': args['authelia_home_assistant_proto'],
    'X-Forwarded-Host': args['authelia_home_assistant_domain'],
    'X-Forwarded-URI': '/',
}
request = requests.get(
    f"{args['authelia_base']}/api/verify?auth=basic",
    auth=basic,
    headers=headers,
)

if not request.ok:
    raise Exception('Could not log in')

full_name = request.headers.get(args['authelia_header_full_name'], '')
# email = request.headers.get(args['authelia_header_email'], '')
groups = request.headers.get(args['authelia_header_groups'], '').split(',')
is_admin = args['authelia_admin_group'] in groups
home_assistant_group = 'system-admin' if is_admin else 'system-users'

print(f"name = {full_name}")
print(f"group = {home_assistant_group}")
print(f"local_only = false")

my Home Assistant configuration.yaml:

homeassistant:
  auth_providers:
    - type: command_line
      meta: true
      command: /authelia-auth
      args:
        - --authelia-base
        - !env_var AUTHELIA_BASE
        - --authelia-home-assistant-domain
        - !env_var AUTHELIA_HOME_ASSISTANT_DOMAIN

and since I use docker, my docker-compose.yml for Home Assistant:

services:
  homeassistant:
    image: ghcr.io/home-assistant/home-assistant
    volumes:
      - ./data/authelia-auth:/authelia-auth
    environment:
      # For Authelia Auth
      - AUTHELIA_BASE=https://auth.${HOMELAB_BASE_DOMAIN}
      - AUTHELIA_HOME_ASSISTANT_DOMAIN=home.${HOMELAB_BASE_DOMAIN}

[Daniel-dev22]

@wez

When using Command Line authentication to talk to Authelia, the user is authenticated, and if successful, their display name is reported back to Home Assistant, and Home Assistant will create a user record for that user, as a member of the Administrators group. There is not currently a way to have those users placed into the Users group instead:

I hope this script still works for you. I figured I'd mention this pr was merged to allow setting the group. Are changes needed for your script to implement this?

home-assistant/core#92906

Edit: just read the comment before mine and realized @mikew implemented the ability to pass back user groups.

@mikew does this still work for you and would it work for second factor auth?

[wez]

Good to hear that group handling is now improved! However, I recently refactored my network and no longer use authelia, so I've removed this script and have no immediate plans to revisit it.

[Daniel-dev22]

Good to hear that group handling is now improved! However, I recently refactored my network and no longer use authelia, so I've removed this script and have no immediate plans to revisit it.

No worries. I was able to get a python script together that does first factor auth then uses the session cookie to do duo push and it's working. If the push is denied/times out then authentication fails else it succeeds.