BeryJu / hass-auth-header

Home Assistant custom component, which allows you to delegate authentication to a reverse proxy.
GNU General Public License v3.0

[Feature Request] Map header value to username #104

Open KairuByte opened 2 years ago

KairuByte commented 2 years ago

I've been testing Header Auth with Cloudflare Zero Trust, but I've run into an odd limitation. I have no way of setting what the header passes to Home Assistant. The only value that seems to be passed is the user's email address.

Would it be possible to add a list of [header_value] => [username] translations, to account for such situations?

I'm thinking something along these lines:

auth_header:
  username_header: Cf-Access-Authenticated-User-Email
  username_mapping:
    - first.last@host.com: user1
    - second.user@gmail.com: user2
    - second.again@hotmail.com: user2

BeryJu commented 2 years ago

I don't think this is something that should be done by the SSO client. I played around a bit and noticed that you can set the username to anything, so you could just set the username to the email addresses. Something I would be open to adding is a more general mutation option, like search+replace or regex replace.

cchance27 commented 7 months ago

Ran into this as well, any chance for some form of manipulation?

Edit: for now I've put the display-name as the email address Cloudflare is setting in Cf-Access-Authenticated-User-Email; it's still secure because it's all behind the cloudflared tunnel.

KairuByte commented 7 months ago

Manipulation would be fine with me as well. My main concern is that users can sign in with multiple services, resulting in different emails being associated with one user.

cchance27 commented 7 months ago

True, that is an issue. Realistically, manipulation isn’t the solution; you’d need some form of mapping on the HA side of valid emails to username mappings for the Cloudflare case to support access from multiple login types.
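
Added example, not part of the thread and not code from hass-auth-header: a sketch of the lookup the requested `username_mapping` option would need, next to the regex-replace alternative discussed above. The function names are hypothetical, the sample addresses are the ones from the issue, and case-insensitive matching of the header value is an assumption.

```python
# Added illustration; not code from hass-auth-header. `username_mapping` is the
# option proposed in the issue, not an existing setting of the component.
import re

# Constructed sample, same shape as the YAML proposed in the issue
# (a list of single-key {header_value: username} entries).
SAMPLE_MAPPING = [
    {"first.last@host.com": "user1"},
    {"second.user@gmail.com": "user2"},
    {"second.again@hotmail.com": "user2"},
]


def build_mapping(entries):
    """Flatten the list into a dict keyed by normalised header value."""
    table = {}
    for entry in entries:
        for header_value, username in entry.items():
            key = header_value.strip().casefold()  # assumption: ignore case
            # Many header values may map to one user, but one header value
            # must never resolve to two different users.
            if table.get(key, username) != username:
                raise ValueError(f"conflicting mapping for {key!r}")
            table[key] = username
    return table


def resolve_username(header_value, table):
    """Return the mapped username, or None so the caller can reject the login."""
    if not header_value:
        return None
    # Fail closed: an unmapped identity is never passed through as a username.
    return table.get(header_value.strip().casefold())


def regex_mutation(header_value, pattern, replacement):
    """The search/replace alternative from the thread, for comparison."""
    return re.sub(pattern, replacement, header_value)
```

Stripping the domain with `regex_mutation(value, r"@.*$", "")` yields `second.user` and `second.again` for the two addresses that belong to user2, which is why a mutation alone does not cover the multiple-login-provider case, while the explicit table does.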