home-assistant / android

:iphone: Home Assistant Companion for Android
https://companion.home-assistant.io/
Apache License 2.0

TLS Mutual Auth Certificate Support #27

Closed photinus closed 4 years ago

photinus commented 4 years ago

Would be nice to have the ability to provide a client certificate for authenticating to Home Assistant when used with a proxy server.

balloob commented 4 years ago

This is too much of an advanced feature to consider for the official app.

carlos-sarmiento commented 4 years ago

@balloob I understand there might be more important feature requests right now. But is there any chance this will be considered in the future? For people that value the security of their installations enough to use Mutual TLS Auth, not having it means effectively blocking them from using the official client.

balloob commented 4 years ago

This app is still very very young. It will take time to evolve it and get it to a point that it does all the things people expect from a basic app. People will always come up with other authentication schemes or features that they want. Each of those comes at a cost that needs to be forever supported. Not by you, but by us. So we need to make choices, and if the choice means that we block a tiny tiny fraction of the user base so that we can have an easier to maintain app, it's an easy choice.

You can always use the browser to look at the UI or fork the app, it's open source 👍

carlos-sarmiento commented 4 years ago

Thanks for your thoughtful reply. As I mentioned above, I completely understand the reasoning (including the need to support it). I take it from your last sentence that the HA team would not be interested in getting a PR for this feature? I just ask because I was considering rolling up my sleeves during the holidays, but if the HA team understandably doesn't want it, I could work on other HA stuff I'm thinking about.

balloob commented 4 years ago

I think that it's too much of a niche feature to accept a PR for. If that changes in the future, we could reconsider.

carlos-sarmiento commented 4 years ago

Got it. Thanks for engaging on this closed issue 😄

pdecat commented 4 years ago

Would PRs implementing mutual TLS authentication with client certificate be accepted?

For reference:

pdecat commented 4 years ago

I've submitted https://github.com/home-assistant/android/pull/870 to implement this:


bgernert commented 3 years ago

I would love to see this added to the official android client. For me this is definitely a showstopper for my migration from openhab to homeassistant.

hllhll commented 3 years ago

I understand that either there's some issue with OkHttp, or the HA-Android team has other priorities. Did anyone perhaps fork/pick up the glove on that?

@pdecat If I were to compile your branch as is, it should work until they solve it? (BTW, could you please provide a binary/apk :P )

pdecat commented 3 years ago

@pdecat If I were to compile your branch as is, it should work until they solve it? (BTW, could you please provide a binary/apk :P )

Nope, my PR won't work as is.

ArthurHNL commented 3 years ago

Can this be re-opened? Client certificates are a must for me, I don’t want to simply allow all connections from the outside world and neither do I want to use a VPN all the time.

With IoT security becoming a bigger and bigger issue everyday, I would not consider this to be a niche feature anymore. And I’m open to contribute (even though I am not that experienced with Android Development).

cpainchaud commented 3 years ago

Guys, you really must reconsider this! We are not asking for HA to authenticate people via TLS, but only for the client app to allow usage of a client TLS certificate!

carlos-sarmiento commented 3 years ago

It's been two years since this issue was opened (and it was one of the very first requests). @balloob (since you were the one who engaged with us then) has there been any change in the HA team's perspective regarding this? It is obvious that it is more of a niche request, but for those of us who value the protection mutual TLS provides, it is an important one.

Is there any way there can be a collaboration between the community and the HA team to get this feature built and merged? How can we (the community) mitigate your concerns?

dshokouhi commented 3 years ago

The HA team that works on the android app is all made of volunteers. You guys are more than welcome to pick this up and work on a PR; as you can see up above, someone has already made an attempt. Given that we are all volunteers, there is nothing set in what needs to be done. Volunteers work on whatever it is we want to work on. HA is open source, so if you want to help, then make the PR and we can determine the right way forward.

dshokouhi commented 2 years ago

In case you guys might have missed it, a PR was submitted for client cert support. Would be great if we get a couple of other testers with the debug APK. You can find what needs to be done in the corresponding docs PR.

Link to APK: https://github.com/home-assistant/android/actions/runs/1596894980 PR: #2023

tormentist commented 2 years ago

Just tried it and got it working, left more details in PR #2023. Only tested on Android 10, can't test on WearOS as I don't own one. Short story: use a CER-encoded public cert and an unencrypted key.

Seriously though, THANKS @mircoboschi & @dshokouhi

frigi83 commented 2 years ago

Hi @dshokouhi, I want to test, but I have no idea how to configure the app. mTLS works on my computer and phone browser.

I have installed the app-full-debug.apk app on a phone, but I have no idea where to put the certificate. Where do I need to put the certificate?

Big Thanks for the work!

mircoboschi commented 2 years ago

@frigi83 Please see this PR containing documentation: https://github.com/home-assistant/companion.home-assistant/pull/636. Here is the relevant document diff: https://github.com/home-assistant/companion.home-assistant/pull/636/files

Thanks for your time.

tormentist commented 2 years ago

Where do I need to put the certificate?

Check out the doc:
https://github.com/home-assistant/companion.home-assistant/pull/636/files

Since you're using the debug app, it'll be in Android/data/io.homeassistant.companion.android.debug/files.

hllhll commented 2 years ago

Will the private key still be using the HW-backed keystore (which is protected by TrustZone/fingerprint), or will it just be read from storage?

mircoboschi commented 2 years ago

Public and private keys are stored in AndroidKeyStore using the KeyStore APIs; Android should use the HW-backed keystore if present. Note: you can remove the files from storage after key import is completed.

frigi83 commented 2 years ago

Hi @mircoboschi and @tormentist thanks for the hints. It works!

I have tested on a separate instance and with the app on an old phone (Android 7).

I have some questions:

mircoboschi commented 2 years ago

Hi @frigi83, I found this guide, which seems to do the job: https://smallstep.com/hello-mtls/doc/server/traefik. The app loads tls_client.key and tls_client.crt every time it starts (if they're present), replacing the previously imported certificate.
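The two comments above describe the mechanism (PEM files named tls_client.key / tls_client.crt read at start-up, key material imported into AndroidKeyStore, hardware-backed where the device supports it) and the question before them asks whether the key ends up in secure hardware. The following Kotlin is an added illustration of that flow, not code from the companion app or from PR #2023: the alias name, the `clientIdentityDir` parameter, the OkHttp wiring and the hardware-backing check are assumptions, and it expects an unencrypted PKCS#8 key (the "unencrypted key" that the earlier comment recommends) plus an X.509 certificate. `java.util.Base64` needs API 26 or later.

```kotlin
import android.security.keystore.KeyInfo
import java.io.File
import java.security.KeyFactory
import java.security.KeyStore
import java.security.PrivateKey
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate
import java.security.spec.PKCS8EncodedKeySpec
import java.util.Base64
import javax.net.ssl.KeyManagerFactory
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager
import okhttp3.OkHttpClient

// Hypothetical alias under which the imported identity lives in AndroidKeyStore.
const val CLIENT_CERT_ALIAS = "ha-client-cert"

// Parse a PEM-encoded, unencrypted PKCS#8 key ("-----BEGIN PRIVATE KEY-----").
// An encrypted key ("BEGIN ENCRYPTED PRIVATE KEY") is rejected up front, because
// PKCS8EncodedKeySpec cannot decrypt it; this matches the "unencrypted key" advice above.
fun loadPkcs8PrivateKey(file: File): PrivateKey {
    val pem = file.readText()
    require("-----BEGIN PRIVATE KEY-----" in pem) { "expected an unencrypted PKCS#8 PEM key" }
    val der = Base64.getMimeDecoder().decode(
        pem.replace("-----BEGIN PRIVATE KEY-----", "").replace("-----END PRIVATE KEY-----", "")
    )
    val spec = PKCS8EncodedKeySpec(der)
    // Try RSA first, fall back to EC; both are what a typical mTLS client cert uses.
    return runCatching { KeyFactory.getInstance("RSA").generatePrivate(spec) }
        .getOrElse { KeyFactory.getInstance("EC").generatePrivate(spec) }
}

// CertificateFactory accepts both PEM and DER encodings of an X.509 certificate.
fun loadCertificate(file: File): X509Certificate =
    file.inputStream().use {
        CertificateFactory.getInstance("X.509").generateCertificate(it) as X509Certificate
    }

// Import tls_client.key / tls_client.crt from the app's files directory into AndroidKeyStore.
// setKeyEntry with a null password is the AndroidKeyStore import path; afterwards the key is
// non-exportable and the PEM files are no longer needed (the comment above says they can be removed).
// Returns false when the files are not present, so the caller keeps whatever was imported earlier.
fun importClientIdentity(clientIdentityDir: File): Boolean {
    val keyFile = File(clientIdentityDir, "tls_client.key")
    val certFile = File(clientIdentityDir, "tls_client.crt")
    if (!keyFile.exists() || !certFile.exists()) return false
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    ks.setKeyEntry(CLIENT_CERT_ALIAS, loadPkcs8PrivateKey(keyFile), null, arrayOf(loadCertificate(certFile)))
    return true
}

// Answer the "HW backed?" question: ask Keystore where the imported key actually lives.
// Imported keys only end up in secure hardware when the device's Keymaster supports key import.
fun isClientKeyInSecureHardware(): Boolean {
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    val key = ks.getKey(CLIENT_CERT_ALIAS, null) as? PrivateKey ?: return false
    val info = KeyFactory.getInstance(key.algorithm, "AndroidKeyStore").getKeySpec(key, KeyInfo::class.java)
    return info.isInsideSecureHardware
}

// Build an OkHttp client that presents the stored identity during the TLS handshake.
// The KeyManager is backed by AndroidKeyStore, so signing happens without the key leaving it;
// server trust stays the platform default (null init on the TrustManagerFactory).
fun buildMtlsClient(): OkHttpClient {
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()).apply { init(ks, null) }
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()).apply { init(null as KeyStore?) }
    val trustManager = tmf.trustManagers.single() as X509TrustManager
    val sslContext = SSLContext.getInstance("TLS").apply { init(kmf.keyManagers, tmf.trustManagers, null) }
    return OkHttpClient.Builder().sslSocketFactory(sslContext.socketFactory, trustManager).build()
}
```

Calling `importClientIdentity(context.getExternalFilesDir(null)!!)` at start-up reproduces the "re-imported on every start if present" behaviour described above, and `isClientKeyInSecureHardware()` lets a user confirm on their own device whether the import landed in TrustZone-backed storage or in software-only Keystore.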