This is a hugely requested feature for many years and a huge hole in my entire self hosted ecosystem. Every self-hosted app I have connects to my Authentik system for user management… Except home assistant. Arguably one of the apps I need it for the most for the whole family to use with their accounts.
Devs have been resistant for some reason.
There is now a community integratation that allows user management for HA to be via any openID backend (authentik, keycloak etc).
I’ve been running it for a few days and it works perfectly. Very easy to setup if you already have a working authentik setup and know how to use it with other apps like immich.
There are auth libraries that you can just plug into your app so you don’t even have to worry about that part yourself and just focus on the app
https://authjs.dev/getting-started
That is exactly the complexity I wouldn’t want. With just SSO it is enough to send a redirect URL to the browser and on the callback set a cookie. No js needed. If your service gets compromised and someone leeks the credentials, just log everyone out.
Problem is requiring a browser if it’s not primarily a web interface. Even if initial setup is web-based, a lot of times background processes exist that don’t traverse the internet, especially in higher security situations, so exposing those components to the internet just to get external credentials is not worth it, so then an additional proxying component is required. Anyway, the idea is that it can add a significant amount of complexity if it’s something more complex than a simple, single component web application.