OAuth (including Google) redirection support #1719
-
@Warstomper Do you get HA beta to even open a webview for the auth? I tried doing something similar with Cloudflare Access, and the HA app doesn't have any logic to trigger an auth screen as far as I've learned.
-
I got to the point where it loaded the Google error message as seen in the linked blog post at least, as I let nginx first force the auth via a 302 redirect.
-
@torarnv may be able to provide an update on this one. Turns out there was an implementation issue with the HA front end, which I believe he has already gotten a fix merged for?
-
Actually this issue is due to Google not allowing just any user-agent to do the OAuth flow. The HA issue I fixed in the frontend was after OAuth successfully completed. I got around this issue by overriding the user-agent:
self.webView.customUserAgent = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
Since WKWebView doesn't allow custom headers for subresource requests this was the only option. I now have a mix of:
-
Just ran into this issue as well. Trying to use Google OAuth via 302 redirect on my nginx ingress.
-
I ran into this as well. It seems like the pop-up web view in the iOS app is using some old libraries. I'm not a mobile developer so I'm not sure that I can help, but I imagine there should be a better web view that can be used. Many apps are able to use the Google OAuth flow.
-
Anyone know of any progress on this? It's still a problem on both iOS and Android. Or have people given up on using OAuth in front?
-
+1 - in my use case I am setting up a Cloudflare tunnel with an on-prem Authelia service. Did not succeed due to the limitation. As a workaround I have set up a VPN which automatically creates a VPN connection towards home, as soon as my WiFi connection is lost. Unfortunately this requires port forwarding on my router to work, which I was hoping to eliminate.
-
I also ran into this issue while using Cloudflare Zero Trust Access and am looking forward to adding support.
-
I also tried to add this to Cloudflare tunnel for security and it failed.
-
One more upvote here. Using Authentik as IdP.
-
One more up for Cloudflare Zero Trust Access and Authelia/Authentik 😉
-
And one for me using a Cloudflare ZeroTrust tunnel and Google OAuth.
-
This has my vote too! Please.
-
Me too - I just changed all my hosts' challenge from emailed PIN to Google OAuth2 and everything is working except the Home Assistant iPhone app - for the same reasons above. Yes, I can use a Safari-generated saved 'app' for access, but it's not as good as the real thing.
-
I’d love this to work.
-
Another one for using a Cloudflare ZeroTrust tunnel and Google OAuth.
-
Another one for using a Cloudflare ZeroTrust tunnel and Google OAuth.
-
Cloudflare Zero Trust tunnel and Google OAuth throwing 403: disallowed_useragent error. This really needs to get fixed, it's annoying.
-
Using Cloudflare Zero Trust I can get Google Assistant and Google authentication through the browser working with no problems, but I have to use Tailscale VPN if I want to use the companion app - which defeats the reason for me using Zero Trust in the first place.
-
For anyone getting here in the future, set your Zero Trust to WARP+Gateway Auth and install the client on your iPhone. I personally changed my setup from Zero Trust applications to exposing the network my services are running in via the cloudflared agent (local networks). If I find the time, I'll write a blog post with full instructions for both options.
-
As an alternative, consider using mTLS with Cloudflare ZTNA, for example. This article explains in more detail. It is working on my Android phone and watch. No additional app is needed on the client devices. Note that the above is not available for iOS devices:
-
For iOS devices there is this workaround. I tested with Cloudflare ZTNA and email code verification.
-
My setup is similar with Cloudflare Tunnel + Authentik SSO, and configured HA to bypass login (so only Authentik SSO is used, and it auto connects to my default HA profile, so it's easier for family members to use).
-
Still experiencing this, the above solutions didn't work.
-
Please fix this issue.
-
Consider voting for this feature request: https://community.home-assistant.io/t/secure-communication-channel-for-ios-app/785129
-
Please make this happen.
-
I would like to have this fixed too, please. It prevents me from using the HA app, as I won't open up my HA instance to the world without authentication.
-
I have been trying to secure my various webapps (like Home Assistant) using https://github.com/vouch/vouch-proxy. Mostly, this is working fine from browsers; however, I can't seem to get it to work with the HA app (I am running the latest beta). The error mentioned in the following article is observed:
https://blog.cloudrail.com/solving-disallowed_useragent-for-google-services/
From my limited knowledge, I understand that the User Agent being used by the app is basically blacklisted by Google for these kinds of authentications and it could be only a matter of changing the user-agent as mentioned here:
https://stackoverflow.com/questions/40591090/403-error-thats-an-error-error-disallowed-useragent
Would this be something that's possible to add/support?
Thanks a lot in advance.