OIDC authentication is currently undocumented as part of the upcoming HA release. While it is still subject to change, it is unlikely to change.
It supports using any standard OIDC library. The specifics on how to configure that library are as follows:
- Ensure Auth Code w/ PKCE is used
- The client id should be `openziti`
- The standard `.well-known/openid-configuration` URL can be used to configure the client either at the root level or at the `/edge/client/v1/` or `/edge/management/v1/` level.
- The authentication endpoints are in the format of `POST /oidc/login/<method>?authRequestID=<OIDC auth request id>`
The OIDC auth request id is produced by the first step of the OIDC process, which sets up an auth context that lives for a maximum of 30m. Before that time runs out, the auth request must complete primary authentication (UPDB, Cert, Ext JWT, etc.) and any secondary authentication (TOTP, Secondary Ext JWT).
The methods are:
- `cert` - a client certificate and private key must be used during the POST to perform certificate authentication
- `password` - UPDB (username/password) authentication. The POST must contain `username` and `password` values either in a JSON object or as form encoded content.
- `ext-jwt` - requires an externally created JWT to be submitted in the `authentication` header.

For TOTP (aka MFA) submission:
- `POST` to `/totp` with the current TOTP in a `code` value (either JSON or form encoded)
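The full exchange described above, as an added example that is not part of the original notes or OpenZiti project code. It implements the client side of the Authorization Code + PKCE flow (discovery, authorize, primary auth via `password`, secondary auth via TOTP, token exchange) and pairs it with a constructed stand-in for the controller so it runs offline and shows what each side checks, including the 30 minute auth-request lifetime. Only the discovery path, the `openziti` client id, the `/oidc/login/<method>?authRequestID=` shape and the TOTP `code` value come from the notes; the `/oidc/authorize` and `/oidc/oauth/token` paths, the redirect whose `Location` carries `authRequestID`, the JSON responses, and placing TOTP at `/oidc/login/totp` are assumptions made for the example.

```python
"""Added example, not OpenZiti code: OIDC Auth Code + PKCE flow from the notes,
with a constructed controller stand-in so it runs offline. Endpoint names other
than the discovery path and /oidc/login/<method>?authRequestID= are assumptions."""
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID = "openziti"       # fixed client id from the notes
AUTH_REQUEST_TTL = 30 * 60   # the auth context lives at most 30 minutes


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier=None):
    """code_verifier and its S256 code_challenge (RFC 7636)."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def discovery_url(controller, api="edge/client/v1"):
    """Discovery is served at the root, edge/client/v1 or edge/management/v1."""
    return f"{controller}/{api}/.well-known/openid-configuration"


def login_url(controller, method, auth_request_id):
    """POST target for the cert, password, ext-jwt and (assumed) totp steps."""
    return f"{controller}/oidc/login/{method}?{urlencode({'authRequestID': auth_request_id})}"


class FakeController:
    """Constructed controller stand-in: checks PKCE and tracks per-request auth state."""

    def __init__(self, base, users, now=time.time):
        self.base, self.users, self.now = base, users, now
        self.requests, self.codes = {}, {}   # authRequestID -> state, auth code -> challenge

    def handle(self, method, url, json=None, headers=None):
        u = urlparse(url)
        q = {k: v[0] for k, v in parse_qs(u.query).items()}
        body = json or {}
        if u.path.endswith("/.well-known/openid-configuration"):
            return {"status": 200, "json": {"authorization_endpoint": f"{self.base}/oidc/authorize",
                                            "token_endpoint": f"{self.base}/oidc/oauth/token"}}
        if u.path == "/oidc/authorize":   # assumed: starts the auth request, redirects with its id
            if q.get("client_id") != CLIENT_ID or q.get("code_challenge_method") != "S256":
                return {"status": 400, "json": {"error": "invalid_request"}}
            rid = b64url(secrets.token_bytes(12))
            self.requests[rid] = {"challenge": q["code_challenge"], "created": self.now(),
                                  "primary": False, "totp_ok": False, "user": None}
            return {"status": 302, "headers": {"Location": f"{self.base}/oidc/login?authRequestID={rid}"}}
        if u.path.startswith("/oidc/login/"):
            req = self.requests.get(q.get("authRequestID"))
            if req is None or self.now() - req["created"] > AUTH_REQUEST_TTL:
                return {"status": 401, "json": {"error": "auth request missing or expired"}}
            step = u.path.rsplit("/", 1)[1]
            if step == "password":        # UPDB primary authentication
                user = self.users.get(body.get("username"))
                if not user or not secrets.compare_digest(user["password"], body.get("password", "")):
                    return {"status": 401, "json": {"error": "invalid credentials"}}
                req["primary"], req["user"] = True, user
            elif step == "totp" and req["primary"] and body.get("code") == req["user"].get("totp"):
                req["totp_ok"] = True     # secondary authentication accepted
            else:
                return {"status": 401, "json": {"error": f"step {step} rejected"}}
            if req["primary"] and (req["totp_ok"] or "totp" not in req["user"]):
                code = b64url(secrets.token_bytes(16))
                self.codes[code] = req["challenge"]
                return {"status": 200, "json": {"code": code}}
            return {"status": 200, "json": {"next": "totp"}}
        if u.path == "/oidc/oauth/token":  # PKCE: verifier must hash to the stored challenge
            expected = self.codes.pop(body.get("code"), None)
            _, challenge = make_pkce_pair(body.get("code_verifier", ""))
            if expected is None or not secrets.compare_digest(expected, challenge):
                return {"status": 400, "json": {"error": "invalid_grant"}}
            return {"status": 200, "json": {"access_token": b64url(secrets.token_bytes(16)),
                                            "token_type": "Bearer"}}
        return {"status": 404, "json": {}}


def run_flow(controller, transport, username, password, totp_code=None):
    """Client side; transport(method, url, json=..., headers=...) does the HTTP. Returns tokens or None."""
    disco = transport("GET", discovery_url(controller))["json"]
    verifier, challenge = make_pkce_pair()
    authz = transport("GET", disco["authorization_endpoint"] + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "scope": "openid",
        "code_challenge": challenge, "code_challenge_method": "S256",
        "state": b64url(secrets.token_bytes(16))}))
    rid = parse_qs(urlparse(authz["headers"]["Location"]).query)["authRequestID"][0]
    resp = transport("POST", login_url(controller, "password", rid),
                     json={"username": username, "password": password})
    if resp["status"] != 200:
        return None
    if resp["json"].get("next") == "totp":
        resp = transport("POST", login_url(controller, "totp", rid), json={"code": totp_code})
        if resp["status"] != 200 or "code" not in resp["json"]:
            return None
    token = transport("POST", disco["token_endpoint"],
                      json={"grant_type": "authorization_code", "code": resp["json"]["code"],
                            "client_id": CLIENT_ID, "code_verifier": verifier})
    return token["json"] if token["status"] == 200 else None


if __name__ == "__main__":
    ctrl = FakeController("https://ctrl.example:1280", {"alice": {"password": "pw", "totp": "123456"}})
    print(run_flow("https://ctrl.example:1280", ctrl.handle, "alice", "pw", "123456"))
```

Against a real controller, `transport` would be a thin wrapper around an HTTP client that also passes the client certificate for the `cert` method or sets the `authentication` header for `ext-jwt`; the `login_url` shape is the same for all three. The stand-in's `now` parameter exists so the 30 minute expiry can be exercised with a fake clock.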