Skip to content

fix(oauth): use dynamic HA instance URL for redirect_uri (closes #19)#37

Open
daboynb wants to merge 1 commit into
Connectlife-LLC:mainfrom
daboynb:fix/oauth-dynamic-redirect-uri
Open

fix(oauth): use dynamic HA instance URL for redirect_uri (closes #19)#37
daboynb wants to merge 1 commit into
Connectlife-LLC:mainfrom
daboynb:fix/oauth-dynamic-redirect-uri

Conversation

@daboynb

@daboynb daboynb commented May 22, 2026

Copy link
Copy Markdown

Summary

Replace the hardcoded OAuth redirect URL with a runtime-computed value based on the actual Home Assistant instance URL.

Currently oauth2.py:17 hardcodes:

OAUTH2_CALLBACK_URL = "http://homeassistant.local:8123/auth/external/callback"

homeassistant.local only resolves on HAOS via mDNS. On HA Container, HAOS without mDNS, or instances behind a reverse proxy / Tailscale Funnel the OAuth setup flow lands on a callback URL the browser can't reach (DNS_PROBE_POSSIBLE / 404). Users currently work around it by manually pinning homeassistant.local in /etc/hosts on the OAuth-initiating client.

This PR derives the redirect from homeassistant.helpers.network.get_url(), the upstream-recommended way to obtain the HA instance URL with proper internal/external precedence. Falls back to the previous hardcoded value only if get_url() raises NoURLAvailableError (e.g. very early in startup).

Closes

Compatibility test (existing tokens)

The Hisense OAuth backend was tested live against https://oauth.hijuconn.com/oauth/token with an existing user's refresh_token (issued previously with the hardcoded homeassistant.local redirect_uri), to verify the change does not break already-authenticated users:

grant_type=refresh_token request HTTP Result
with original redirect_uri=http://homeassistant.local:8123/... 200 new tokens
without redirect_uri 200 new tokens
with different redirect_uri (http://192.168.1.4:8123/...) 200 new tokens

Additionally, after a successful refresh the original refresh_token remained valid on subsequent calls (server is not single-use), so existing installations whose tokens were issued under the old hardcoded URL keep working as redirect_uri changes value across refreshes — the Hisense backend does not enforce a match against the authorize-time URL on the refresh grant.

Diff

-OAUTH2_CALLBACK_URL = "http://homeassistant.local:8123/auth/external/callback"
+OAUTH2_CALLBACK_PATH = "/auth/external/callback"
+OAUTH2_CALLBACK_URL_FALLBACK = f"http://homeassistant.local:8123{OAUTH2_CALLBACK_PATH}"

 @property
 def redirect_uri(self) -> str:
-    """Return the redirect uri."""
-    return OAUTH2_CALLBACK_URL
+    """Return the redirect uri based on the actual HA instance URL."""
+    try:
+        base = get_url(self.hass, prefer_external=False, allow_internal=True)
+    except NoURLAvailableError:
+        return OAUTH2_CALLBACK_URL_FALLBACK
+    return f"{base}{OAUTH2_CALLBACK_PATH}"

Test plan

  • Python syntax check (ast.parse) passes
  • Live compatibility tested against https://oauth.hijuconn.com/oauth/token (see table above)
  • HA helper API verified against current upstream homeassistant/helpers/network.py
  • New OAuth flow on HA Container (no /etc/hosts workaround) — to be verified by maintainer / community on next release

OAUTH2_CALLBACK_URL was hardcoded to http://homeassistant.local:8123
which only resolves on HAOS via mDNS. HA Container, HAOS without
mDNS, and instances behind a reverse proxy / Tailscale Funnel all
break during OAuth setup with DNS_PROBE_POSSIBLE / 404 on the
callback URL. Users currently work around it by manually pinning
homeassistant.local in /etc/hosts on the OAuth-initiating client.

Compute the redirect at runtime via homeassistant.helpers.network.get_url(),
which is the upstream-recommended way to obtain the instance URL.
Fall back to the previous hardcoded value if get_url() raises
NoURLAvailableError (e.g. very early in startup).

Closes Connectlife-LLC#19.
@oyvindwe

oyvindwe commented Jul 3, 2026

Copy link
Copy Markdown

@daboynb I'm not able to get this to work - I get an error message whenever the redirect URL is different from http://homeassistant.local:8123/auth/external/callback.

I wonder if ConnectLife has to whitelist additional redirect URLs, at least https://my.home-assistant.io/redirect/oauth, and for dev purposes http://localhost:8123 (understandable if they won't whitelist this one).

@daboynb

daboynb commented Jul 3, 2026

Copy link
Copy Markdown
Author

I switched to the https://github.com/oyvindwe/connectlife-ha integration, and everything works flawlessly without any code changes.

@oyvindwe

oyvindwe commented Jul 3, 2026

Copy link
Copy Markdown

I switched to the https://github.com/oyvindwe/connectlife-ha integration, and everything works flawlessly without any code changes.

Ah, yes, I was actually trying to add OAuth to my integration, but it will only work for HAOS or using the DNS hack.

@daboynb

daboynb commented Jul 3, 2026

Copy link
Copy Markdown
Author

Ha, I just realized that repo is actually yours ahah
Btw, yeah, that's server-side: ConnectLife only whitelists http://homeassistant.local:8123/auth/external/callback, so any dynamic redirect_uri gets rejected... they'd need to whitelist https://my.home-assistant.io/redirect/oauth to fix this properly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants