OAuth (including Google) redirection support

[Warstomper]

I have been trying to secure my various webapps (like home assistant) using https://github.com/vouch/vouch-proxy. Mostly, this is working fine fom browsers, however, I can't seem to get it to work with the HA app (I am running the latest beta). The error mentioned in the following article is observed:

https://blog.cloudrail.com/solving-disallowed_useragent-for-google-services/

From my limited knowledge, I understand that the User Agent being used by the app is basically blacklisted by google for these kinds of authentications and it could be only a matter of changing the uer-agent as mentioned here:

https://stackoverflow.com/questions/40591090/403-error-thats-an-error-error-disallowed-useragent

Would this be something that's possible to add/support?

Thanks a lot in advance.

[torarnv]

@Warstomper Do you get HA beta to even open a webview for the auth? I tried doing something similar with Cloudflare Access, and the HA app doesn't have any logic to trigger an auth screen as far as I've learned.

[Warstomper]

I got to the point where it loaded the google error message as seen in the linked blogpost atleast, as I let nginx first force the auth via a 302 redirect.

[robbiet480]

@torarnv May be able to provide a update on this one. Turns out there was a implementation issue with HA front end which I believe he has already gotten a fix merged for?

[torarnv]

Actually this issue is due to Google not allowing just any user-agent to do the oauth flow. The HA issue i fixed in the frontend was after oauth successfully completed. I got around this issue by overriding the user-agent:

self.webView.customUserAgent = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"

Since WKWebView doesn't allow custom headers for subresource requests this was the only option.

I now have a mix of:

• Setting custom headers for the Alamofire session used for verifying the connection when onboarding
• Authenticating normally via the web flow for the ASWebAuthenticationSession when onboarding
• Setting custom headers for the Alamofire session used for API requests
• Setting custom headers for the Alamofire session used for webhooks
• Authenticating normally via the web flow in the WKWebView used for the UI, after overriding the user-agent

[hyperbolic2346]

Just ran into this issue as well. Trying to use google oauth via 302 redirect on my nginx ingress.

[jutley]

I ran into this as well. It seems like the pop-up web view in the iOS app is using some old libraries. I'm not a mobile developer so I'm not sure that I can help, but I imagine there should be a better web view that can be used. Many apps are able to use the Google OAuth flow.

[xeor]

Anyone know of any progress on this? It's still a problem on both ios and android. Or have people given up on using oauth in front?

[zacwest]

I've been slowly making my way through alternative login systems (starting with being able to trust certificates, now on client certificates). This many eventually happen too, but the logistics are complicated and require a lot of changes.

[timwnl]

@zacwest is this still something you are still willing to make available and support :)?

[timwnl]

+1 - in my use case I am setting up a Cloudflare tunnel with an on-prem Authelia service. Did not succeed due to the limitation.

As a workaround I have setup a VPN which automatically creates a VPN connection towards home, as soon as my WiFi connection is lost. Unfortunately this requires portforwarding on my router to work, which I was hoping to eliminate.

[MacieGx]

I also ran into this issue while using Cloudflare Zero Trust Access and am looking forward to adding support.

[dkutan]

I also tried to add this to Cloudflare tunnel for security and it failed.

[felipebaez]

One more upvote here. Using Authentik as IdP

[cahuete95]

One more up for Cloudflare Zero Trust Access and authelia/authentik 😉

[mcvax]

And one for me using a Cloudflare ZeroTrust tunnel and Google OAuth.

[costr]

This has my vote too! Please.

[vw-kombi]

Me too - I just changed all my hosts chalanged from emailed pin to google oauth2 and everything is working except the homeassistant i[phone app - for the same reasons above. yes - I can use a safari generated saved 'app' for access, but its not as good as the real thing.

[securitypedant]

I am interested in this feature. I have a Cloudflare tunnel serving access to my Home Assistant server and it authenticates me via Azure AD.

[matellis]

This has been an open issue for 3 years. I bet devs feel this is a corner case and we should use HA Cloud instead. Seems like using github as an auth agent, if that's an option, can help. Would be nice if they simply implemented the right browser agent instead, seems fairly straightforward as described in the comments on this thread here https://stackoverflow.com/questions/69370491/you-cant-sign-in-from-this-screen-because-this-app-doesnt-comply-with-googles

[heliochronix]

I ran into this issue as well when implementing Authentik for my home systems. It works great on any browsers, but I've just discovered the iOS companion app is now broken, even though all the authentication steps worked fine. I would really love to have the option of using an authentication system.

[ScottGuymer]

Seems to be only the Apple apps that have this issue

I have Cloudflare tunnel set up, works fine from my android but my MacOS app does all the auth and then I get NSCocoaErrorDomain 3840

It did work at some point too.. As I am still getting notifications from HA app on my mac from when it worked.. Just wont show me the dashboard or UI anymore.

[eyalspier]

+1 for this. I'd be happy if anyone figured out a workaround. Is there for instance a way to add a device to any biomass policies?

[vw-kombi]

The update in the unraid App Store is working fine. Just had a popup 2fa on iPhone and I said ok and did nothing with the code. All working fine.

[flash286]

+1 for the solution
my case is Zero Trust + Github as an identity provider

[via-justa]

Same here, iOS, ZeroTrust, and GitHub identity provider
It would be great to be able to use the app with all the added security of ZeroTrust.

[howiemunson]

+1 for this. I would like to use IOS, zeroTrust and Google identity provider.

[Drik78]

Same here, iOS, Cloudflare Zero Trust...

[johntdyer]

Me too

[btsirkin]

To folks here who can log in through the web but not from the iOS app due to NSCocoaErrorDomain 3840, I am using Authentik and was able to solve this by excluding the HA /api path. Hope this helps someone. Cheers.

[b177y]

I'm not familiar with the internals of HA, but my assumption is that it's separated into static web content (created with React or similar), and an api, hosted at /api. This would mean that by putting auth in front of HA, but then allowing anything through to /api without the additional auth, there is no benefit of Authentik (/cloudflare etc) as you're only blocking unauthorised access to the static web assets.

Maybe someone with more knowledge on HA internals can confirm, but just a warning that your intended security posture might not match your actual security when using that exclusion method.

[btsirkin]

Thanks for your comment, that's a fair point I thought about as well. My 2 cents:

• I use Authentik to have SSO for all my apps, both for convenience and also because some of them do not natively support authorization, so I need to somehow put them behind a gate.
• HA does support authorization, so I'd expect it to block unauthorized calls to /api anyway.

Happy to hear your thoughts if you have any.

[lukewill93]

What is the API path? subdomain.domain.com/api?

[i7zTr0n]

Thanks, you're an absolute Legend!
For everyone wondering, what exactly he meant:
In the Provider in Authentik you can set Exclusions under Advanced Protocol Settings

[b177y]

If you're using Authentik anyway and it's easier to run home assistant behind that for SSL etc then that makes sense but you should note that you're getting no additional security (on top of what home assistant provides) by running it behind Authentik.

This is fine if that's your security posture, it depends on your approach, e.g:

1. You trust home assistant's authorization to be secure (it has gone through independent security audits)
   • You don't need to use Authentik, but if you choose to because other services you run are set up with Authentik and it's just easier than setting up a separate reverse proxy, then excluding /api still matches your security posture.
2. You don't fully trust home assistant's authorization, home assistant is purpose built for home automation, CloudFlare / Authentik etc are purpose built for security, have a higher security bar, more security testing etc, and you want to use SSO to protect access to home assistant
   • Using authentik / cloudflare with exclusions for /api does not improve your security posture
3. You intend to use defense in depth and want to layer both SSO and Home Assistant auth so that if a compromise is found in just one, your instance is still secured.
   • Same as above, using SSO but excluding /api will not give you your intended security posture.

If your approach is 2 or 3, the best options currently available for additional security on top of home assistant auth (as far as I'm aware) are:

• Set up a VPN such as wireguard to secure connections from your mobile device to your home assistant instance.
• Use homeassistant through mobile browser only with SSO (although this loses you mobile tracker, sensors and other features)
• (if you have the time and experience necessary..) help home assistant iOS project by developing the feature to handle SSO proxies in the app

The approach you go with is down to personal preference, e.g. if you don't have smart locks, cameras, home/away indication etc, a lower security posture might be suitable - worst case someone starts playing with your lights.

[d3adc0de]

would like to see this implemented as well.

[pebar101]

It looks as though this issue has been fixed.

I use the Cloudflared add-on to create the tunnel and have then enabled two factor authentication using Cloudflare Zero Trust. I can use the iOS Home Assistant app remotely. The only issue is I must use another device to retrieve the authentication code as the authentication process resets if I switch between the HA application and my email program.

[fgimenezm]

I still get "Error 403: disallowed_useragent" when using Cloud Flare Zero trust with Google for authentication.

[LuisCRSousa]

I still get the NScocoaerrordomain 3840 error

[johntdyer]

Yea, I am getting the 403: disallowed_useragent as well

[akirayamamoto]

I am using CloudFlare ZTNA + GitHub auth. I still have this issue.

[sumsh]

I’d love this to work.

[rpeyret]

another one for using a Cloudflare ZeroTrust tunnel and Google OAuth.
I'm getting the NScocoaerrordomain 3840 error