Feature Request: Privilege revocation/granting through IdP #183

@codeceptsDE

Thank you for creating this integration, and also for your advocacy for upstream adoption!
I'm successfully running v0.7.0-alpha-rc3. It works great, including the frontend injection for the login page. I do have one feature request, though:

User roles are set in accordance with group membership on initial user creation. Changing group memberships after the fact does not update Home Assistant roles for the user:

  • a user with role system-users cannot be granted system-admin privileges
  • system-admin privileges cannot be revoked, downgrading the user to system-users role
  • access cannot be revoked again, downgrading the user to invalid role

Roles seem to be set once, at initial credential creation, by an external call from Home Assistant to async_user_meta_for_credentials.
I feel like roles should be updated again somewhere around here, line 58:

```python
user_details = await self.oidc_client.async_complete_token_flow(
    redirect_uri, code, state
)
if user_details is None:
    view_html = await get_view(
        "error",
        {
            "error": "Failed to get user details, "
            + "see Home Assistant logs for more information.",
        },
    )
    return web.Response(text=view_html, content_type="text/html")
if user_details.get("role") == "invalid":
    view_html = await get_view(
        "error",
        {
            "error": "User is not in the correct group to access Home Assistant, "
            + "contact your administrator!",
        },
    )
    return web.Response(text=view_html, content_type="text/html")
code = await self.oidc_provider.async_save_user_info(user_details)
raise web.HTTPFound(get_url("/auth/oidc/finish?code=" + code, self.force_https))
```

That is, after fetching user_details, but just before potentially rejecting access for users where role==invalid.
Alternatively, it could be updated (saved to database) in async_save_user_info, with a separate error code being raised in case privileges were just revoked.

Upgrading users from invalid (i.e. access prohibited) to either system-users or system-admin already works as it is.
I know the other grants/revocations can be done manually through the Home Assistant UI, but I would prefer to be able to manage this through my IdP.

Keep up the good work! :)
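The per-login role reconciliation the request above asks for, as an added sketch that is not code from this integration or from the issue author. It assumes the three role names from the issue, a hypothetical ordering between them to tell a grant from a downgrade, and an in-memory dict standing in for the real user store; `reconcile_role`, `sync_user_role` and `RoleDecision` are names invented here.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical helper: the role names come from the issue; the ordering used
# to tell a grant from a downgrade is an assumption of this sketch.
ROLE_RANK = {"invalid": 0, "system-users": 1, "system-admin": 2}


@dataclass(frozen=True)
class RoleDecision:
    action: str       # "create", "unchanged", "grant", "downgrade", "revoke" or "deny"
    new_role: str     # role to persist for the user
    allow_login: bool


def reconcile_role(stored_role: Optional[str], idp_role: str) -> RoleDecision:
    """Compare the role already stored for a user (None on first login) with the
    role just derived from IdP group membership and decide what to do."""
    for role in (stored_role, idp_role):
        if role is not None and role not in ROLE_RANK:
            raise ValueError(f"unknown role {role!r}")
    if idp_role == "invalid":
        # Distinguish "never had access" from "access was just revoked" so the
        # login view can raise a separate error for the revocation case.
        if stored_role in (None, "invalid"):
            return RoleDecision("deny", "invalid", False)
        return RoleDecision("revoke", "invalid", False)
    if stored_role is None:
        return RoleDecision("create", idp_role, True)
    if stored_role == idp_role:
        return RoleDecision("unchanged", idp_role, True)
    if ROLE_RANK[idp_role] > ROLE_RANK[stored_role]:
        return RoleDecision("grant", idp_role, True)
    return RoleDecision("downgrade", idp_role, True)


def sync_user_role(user_store: dict, subject: str, idp_role: str) -> RoleDecision:
    """Apply the decision to an in-memory user store (stand-in for the real
    persistence layer) on every login, not only on initial credential creation."""
    decision = reconcile_role(user_store.get(subject), idp_role)
    # Persist the new role even when login is refused, so a revoked user is
    # downgraded instead of keeping stale admin rights until the next change.
    user_store[subject] = decision.new_role
    return decision
```

Calling `sync_user_role` right after `async_complete_token_flow` returns, before the `role == "invalid"` check, is the placement the issue proposes; the `revoke` action is what would map to the separate error code it mentions.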
