openhab / openhab-core

Core framework of openHAB
https://www.openhab.org/
Eclipse Public License 2.0

Security measures for OpenHab 3 #1790

Open bf8392 opened 3 years ago

bf8392 commented 3 years ago

Hi :-) I want to discuss some additional security measures for OpenHab to make it better for self-hosting and take some weight off myopenhab :-). Here are my suggestions:

With all this, you would have a perfect self-hosting solution for OpenHab that most people would maybe prefer... Later the Amazon skill could maybe be adapted so you can use Amazon without the myopenhab cloud. All this would take weight off myopenhab, because people could self-host more easily :-). It would also make OpenHab more independent from all the other solutions I know...

I think HTTPS with Let's Encrypt by default would also be nice, but I don't know if this is an easy measure to integrate directly... Traefik would be a cool option, but I don't think it can be directly integrated into OpenHab, as it is a Docker-only solution. HTTPS would also open up the possibility of directly integrating TLS security options...

I think all this is a lot of work, and I would be happy to help with testing and to find some members who want to work together on this :-). Who is in to help and/or discuss? :-)

splatch commented 3 years ago

@bd8392 my counter proposal would be to bring a JWTAuthenticationProvider for third-party identity management. You can always spin up a more advanced security provider such as Keycloak, which will bring all the necessary functionalities you mention. While TOTP integration is not that hard, it is adding more weight to a security subsystem maintained by very few folks.

bf8392 commented 3 years ago

Nice idea! What about building an add-on for 2FA :-). (Keycloak is a little heavy for a Pi, for example)

bf8392 commented 3 years ago

Hi =) I thought about your approach after using OH3 for some time now... I think the problem with it is that the app and the API won't work anymore if you have "external" auth, as it is not implemented there... Wouldn't it be easier to integrate this directly into the new OH3 auth system and the main UI? Would it help the "maintenance case" if this were implemented like a binding? For example with this code: https://github.com/samdjstevens/java-totp ?