8 changes: 6 additions & 2 deletions homeassistant/helpers/http.py
Expand Up @@ -59,13 +59,17 @@ async def handle(request: web.Request) -> web.StreamResponse:
# Import here to avoid circular dependency with network.py
from .network import NoURLAvailableError, get_url # noqa: PLC0415

# Get the current request header to include as resource metadata
# endpoint for RFC9728. We currently prefer external since this
# is likely most used by remote OAuth clients
try:
url_prefix = get_url(hass, require_current_request=True)
url_prefix = get_url(
hass, require_current_request=True, prefer_external=True
)
Comment thread
allenporter marked this conversation as resolved.
except NoURLAvailableError:
# Omit header to avoid leaking configured URLs
raise HTTPUnauthorized from None
raise HTTPUnauthorized(
# Include resource metadata endpoint for RFC9728
headers={
"WWW-Authenticate": (
f'Bearer resource_metadata="{url_prefix}'
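Review bot: The comment added above the `get_url` call says "Get the current request header", but what is fetched is the configured URL that matches the current request, which then becomes the `resource_metadata` value in a 401 sent to unauthenticated clients. The comment should also record that `require_current_request=True` is the guard that keeps this response from disclosing a configured URL the caller did not already use; as far as the visible lines show, `prefer_external=True` only changes which matching URL wins. Suggested wording: `# Use the configured URL matching the current request as the RFC 9728 metadata prefix (external preferred for remote OAuth clients); keep require_current_request=True, this header goes to unauthenticated clients.` The body of `handle` starts and ends outside this hunk.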
76 changes: 76 additions & 0 deletions tests/components/http/test_view.py
@@ -1,11 +1,13 @@
"""Tests for Home Assistant View."""

from collections.abc import Generator
from decimal import Decimal
from http import HTTPStatus
import json
import math
from unittest.mock import AsyncMock, Mock, patch

from aiohttp import hdrs
from aiohttp.web_exceptions import (
HTTPBadRequest,
HTTPInternalServerError,
Expand All @@ -15,10 +17,12 @@
import voluptuous as vol

from homeassistant.components.http import KEY_HASS
from homeassistant.components.http.request_context import current_request
from homeassistant.components.http.view import (
HomeAssistantView,
request_handler_factory,
)
from homeassistant.core import HomeAssistant
from homeassistant.exceptions import ServiceNotFound, Unauthorized
from homeassistant.helpers.network import NoURLAvailableError

Expand Down Expand Up @@ -143,3 +147,75 @@ async def test_requires_auth_omits_www_authenticate_without_url(
AsyncMock(),
)(mock_request)
assert "WWW-Authenticate" not in exc_info.value.headers


@pytest.fixture
def mock_current_request(
mock_request: Mock, request_host: str, hass: HomeAssistant
) -> Generator[Mock]:
"""Set the current request context."""
mock_request.get = Mock(return_value=False)
mock_request.headers = {hdrs.HOST: request_host}
mock_request.app = {KEY_HASS: hass}
Comment thread
allenporter marked this conversation as resolved.

token = current_request.set(mock_request)
yield mock_request
current_request.reset(token)


@pytest.mark.parametrize(
("internal_url", "external_url", "request_host", "expected_url"),
[
# Match either internal or external
("https://foo.com", "https://example.com", "foo.com:18123", "https://foo.com"),
("https://example.com", "https://foo.com", "foo.com:18123", "https://foo.com"),
# Requests have a port and match external url
(
"https://foo.com",
"https://foo.com:18123",
"foo.com:18123",
"https://foo.com:18123",
),
("https://foo.com:18123", "https://foo.com", "foo.com", "https://foo.com"),
(
"http://192.168.1.2:8123",
"https://foo.com:18123",
"192.168.1.2:8123",
"http://192.168.1.2:8123",
),
# Note: We currently do not fully properly handle port matching for
# internal urls. The tests above work because of prefer_external=True, and
# we can improve get_url so that these cases also work in the future:
# ("https://foo.com", "https://foo.com:18123", "foo.com", "https://foo.com"),
# ("https://foo.com:18123", "https://foo.com", "foo.com:18123", "https://foo.com:18123"),
],
ids=[
"request_host_matches_internal",
"request_host_matches_external",
"internal_no_port_request_external",
"internal_port_request_external",
"request_internal_distinct_host",
],
)
async def test_requires_auth_www_authenticate_prefer_external(
mock_current_request: Mock,
hass: HomeAssistant,
internal_url: str,
external_url: str,
expected_url: str,
) -> None:
"""Test that 401 responses include WWW-Authenticate header matching the requested URL."""
hass.config.internal_url = internal_url
hass.config.external_url = external_url

with pytest.raises(HTTPUnauthorized) as exc_info:
await request_handler_factory(
hass,
Mock(requires_auth=True),
AsyncMock(),
)(mock_current_request)

assert exc_info.value.headers["WWW-Authenticate"] == (
"Bearer resource_metadata="
f'"{expected_url}/.well-known/oauth-protected-resource"'
)
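Review bot: Every parametrized case in `test_requires_auth_www_authenticate_prefer_external` uses a `request_host` that matches one of the configured URLs, so nothing here pins the behaviour when the Host header matches neither while a request context is set. That is the case where a client-supplied Host must not end up in `resource_metadata`. The existing `test_requires_auth_omits_www_authenticate_without_url` is only partly visible and may reach the omit branch by patching `get_url` rather than through real host matching. A negative test reusing the `mock_current_request` fixture would cover it; the host below is a constructed value, and the expected omission assumes `get_url` raises `NoURLAvailableError` for an unmatched public hostname, which should be confirmed.

```python
@pytest.mark.parametrize("request_host", ["unconfigured.example"])  # constructed value
async def test_requires_auth_omits_www_authenticate_for_unknown_host(
    mock_current_request: Mock,
    hass: HomeAssistant,
) -> None:
    """Test that a Host matching no configured URL is not echoed in the 401."""
    hass.config.internal_url = "https://foo.com"
    hass.config.external_url = "https://example.com"

    with pytest.raises(HTTPUnauthorized) as exc_info:
        await request_handler_factory(
            hass,
            Mock(requires_auth=True),
            AsyncMock(),
        )(mock_current_request)

    assert "WWW-Authenticate" not in exc_info.value.headers
```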