OAuth (including Google) redirection support

[Warstomper]

I have been trying to secure my various webapps (like home assistant) using https://github.com/vouch/vouch-proxy. Mostly, this is working fine fom browsers, however, I can't seem to get it to work with the HA app (I am running the latest beta). The error mentioned in the following article is observed:

https://blog.cloudrail.com/solving-disallowed_useragent-for-google-services/

From my limited knowledge, I understand that the User Agent being used by the app is basically blacklisted by google for these kinds of authentications and it could be only a matter of changing the uer-agent as mentioned here:

https://stackoverflow.com/questions/40591090/403-error-thats-an-error-error-disallowed-useragent

Would this be something that's possible to add/support?

Thanks a lot in advance.

[torarnv]

@Warstomper Do you get HA beta to even open a webview for the auth? I tried doing something similar with Cloudflare Access, and the HA app doesn't have any logic to trigger an auth screen as far as I've learned.

[Warstomper]

I got to the point where it loaded the google error message as seen in the linked blogpost atleast, as I let nginx first force the auth via a 302 redirect.

[robbiet480]

@torarnv May be able to provide a update on this one. Turns out there was a implementation issue with HA front end which I believe he has already gotten a fix merged for?

[torarnv]

Actually this issue is due to Google not allowing just any user-agent to do the oauth flow. The HA issue i fixed in the frontend was after oauth successfully completed. I got around this issue by overriding the user-agent:

self.webView.customUserAgent = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"

Since WKWebView doesn't allow custom headers for subresource requests this was the only option.

I now have a mix of:

• Setting custom headers for the Alamofire session used for verifying the connection when onboarding
• Authenticating normally via the web flow for the ASWebAuthenticationSession when onboarding
• Setting custom headers for the Alamofire session used for API requests
• Setting custom headers for the Alamofire session used for webhooks
• Authenticating normally via the web flow in the WKWebView used for the UI, after overriding the user-agent

[hyperbolic2346]

Just ran into this issue as well. Trying to use google oauth via 302 redirect on my nginx ingress.

[jutley]

I ran into this as well. It seems like the pop-up web view in the iOS app is using some old libraries. I'm not a mobile developer so I'm not sure that I can help, but I imagine there should be a better web view that can be used. Many apps are able to use the Google OAuth flow.

[xeor]

Anyone know of any progress on this? It's still a problem on both ios and android. Or have people given up on using oauth in front?

[zacwest]

I've been slowly making my way through alternative login systems (starting with being able to trust certificates, now on client certificates). This many eventually happen too, but the logistics are complicated and require a lot of changes.

[timwnl]

@zacwest is this still something you are still willing to make available and support :)?

[timwnl]

+1 - in my use case I am setting up a Cloudflare tunnel with an on-prem Authelia service. Did not succeed due to the limitation.

As a workaround I have setup a VPN which automatically creates a VPN connection towards home, as soon as my WiFi connection is lost. Unfortunately this requires portforwarding on my router to work, which I was hoping to eliminate.

[MacieGx]

I also ran into this issue while using Cloudflare Zero Trust Access and am looking forward to adding support.

[dkutan]

I also tried to add this to Cloudflare tunnel for security and it failed.

[felipebaez]

One more upvote here. Using Authentik as IdP

[cahuete95]

One more up for Cloudflare Zero Trust Access and authelia/authentik 😉

[mcvax]

And one for me using a Cloudflare ZeroTrust tunnel and Google OAuth.

[costr]

This has my vote too! Please.

[vw-kombi]

Me too - I just changed all my hosts chalanged from emailed pin to google oauth2 and everything is working except the homeassistant i[phone app - for the same reasons above. yes - I can use a safari generated saved 'app' for access, but its not as good as the real thing.

[akirayamamoto]

I am using CloudFlare ZTNA + GitHub auth. I still have this issue.

[sumsh]

I’d love this to work.

[rpeyret]

another one for using a Cloudflare ZeroTrust tunnel and Google OAuth.
I'm getting the NScocoaerrordomain 3840 error

[nathanphillips001]

another one for using a Cloudflare ZeroTrust tunnel and Google OAuth.
I'm getting the NScocoaerrordomain 3840 error

[bartschneider]

Cloudflare Zero Trust tunnel and Google OAuth throwing 403: disallowed_useragent error. This really needs to get fixed, it's annoying

[lostbygps]

Using cloudflare zero trust I can get Google assistant, and Google authentication through the browser working with no problems but I have to use tailscale vpn if I want to use the companion app - which defeats the reason for me using zero trust in the first place.

[via-justa]

For anyone getting here in the future,

Set your Zero Trust to WARP+Gateway Auth and install the client on your iPhone.
When using the WARP Client for auth the app works perfectly including notification.

I personally changed my setup from Zero Trust applications to exposing the network my services running in via the cloudflared agent (local networks).
That way, it's working like client2site VPN. I use my UDM to publish local DNS records and set the WARP policies to point private domain to the UDR. That way I'm always accessing HA via the local domain.

If I'll find the time, I'll write a blog post with full instructions for both options

[fgimenezm]

That works, but one of the goals of using Zero Trust is to avoid the need of a VPN (or vpn-like) app.

[akirayamamoto]

As an alternative consider using mTLS with CloudFlare ZTNA for example.

This article explains with more details. It is working on my Android phone and watch. No additional app is needed on the client devices.

Note that the above is not available for iOS devices:

• Allow using installed client certificate for authentication #1788
• Allow supplying client certificates #2144

[akirayamamoto]

For iOS devices there is this workaround. I tested with CloudFlare ZTNA and email code verification.

#1872 (comment)

[Macleykun]

Thank you so much for suggesting this!

[Aymendje]

My setup is similar with Cloudflare Tunnel + Authentik SSO, and configured HA to bypass login (so only Authentik sso is used, and it auto connects to my default HA profile, so its easier for family members to use)
And while it works fine in web and Android, I am also hitting the NSCocoaErrorDomain Code=3840
Interestingly, in HA, I can see that a token was successfully emitted for the iOS app, but the app is unable to connect and just throws the domain error instead

[Braekpo1nt]

Still experiencing this, the above solutions didn't work

[brenner-tobias]

+1

[joerivang]

Please fix this issue.

[akirayamamoto]

Consider voting for this feature request:

https://community.home-assistant.io/t/secure-communication-channel-for-ios-app/785129

[mdhwoods]

please make this happen.