Adopting IndieAuth extension about architecture HOT 7 CLOSED

Can we have a client_id white list feature? I feel more safe if I can control/see who can access my system.

# configuration.yml

auth:
  allowed_unknown_client: False
  allowed_client_ids:
    - https://hassbian.local:8123/
    - https://mypersonaldomain.com/

from architecture.

It's not giving any extra security.

The Client ID of the Home Assistant frontend will always be accessible. If a hacker wants to try out your logins, it can just try to login to your normal frontend.

from architecture.

Yes, so I say I feel safe. I can imagine that may users will make similar feature request after this change released.

from architecture.

OK, I have a scenario for it.

Let's say I am very worry my security, I don't want anyone access my frontend though Internet, but I have to open API access for some webhook, so I just open 443 port, and only allow https://mydomain.com/api/some_endpoint be access from Internet.

In that case, hacker need only discovery "some_endpoint" before he can play attack. He doesn't need to know client_id. If I white list client_id, my security level back to normal setup of OAuth2, he need to first guess my client_id now.

from architecture.

This use case is more for a proxy. We should make our http/frontend component safe as possible but we should not go into competition to a full featured webserver/proxy.

from architecture.

I am not talking about how to filter URL. The indie auth basically eliminate the usage of client id, anyone can use HA auth provider without preregistration.

from architecture.

Given that they know your instance url, they already could because the frontend contains a client id.

from architecture.