OAuth 2.0 login when Home Assistant URL is not homeassistant.local:8123
Li Shuzhen edited this page 2025-11-20 16:43:09 +08:00

Problem Description

The default URL for Home Assistant is http://homeassistant.local:8123, but users may use a custom URL such as http://192.168.31.100:10123 or https://homeassistant.example.com. In such cases, OAuth 2.0 login will fail due to an incorrect redirect URL.

Figure 1 (login error): OAuth 2.0 login error due to incorrect redirect URL

Reason

The redirect URL used in the OAuth 2.0 login process is registered on the authorization server as the fixed value http://homeassistant.local:8123. If your Home Assistant instance is not reachable at http://homeassistant.local:8123, the browser is redirected to an address that does not reach your instance, so the login fails.

Solution

Figure 2 (login steps 1 to 3): Login steps 1 to 3

Follow the instructions to log in. After clicking "Click here to login" in step 3, the browser will display an OAuth login page. Once authorization is confirmed, the page will redirect to http://homeassistant.local:8123, with the authorization code attached to that URL.

Figure 3 (login step 4): Authorization confirmed and redirect to the default URL

In the browser address bar, replace only the default part of the URL (http://homeassistant.local:8123) with your custom URL, keeping the rest of the URL (the part carrying the authorization code and other parameters) unchanged, and press Enter. The browser will then load the Home Assistant page at your custom URL, and the OAuth 2.0 login will succeed.

Figure 4 (login steps 5 to 6): Replace the default URL with the custom URL in the browser

Why is it not possible to add a function allowing users to modify the OAuth 2.0 redirect URL?

According to the OAuth 2.0 standard, the redirect URL, which is used to return the authorization code to the client, must be pre-configured on the authorization server. If users were allowed to modify this URL via an interface, an attacker could craft a malicious client and change the redirect URL to a server under their control. When a user logs in through this forged client, the authorization code would be sent to the attacker's server, compromising the user's credentials.

For security reasons, xiaomi_home will not implement this feature.
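The reasoning above is what an authorization server's redirect check looks like in code. The example below is added here and is not the authorization server used by xiaomi_home; the client registry, client_id and the authorization code are constructed placeholders. It shows the exact-match rule (no prefix or host-suffix matching) and that a mismatching redirect_uri produces an error shown to the user rather than a redirect to the requested address, which is why neither a custom Home Assistant URL nor an attacker-chosen URL is ever sent the code.

```python
from urllib.parse import urlencode

# Constructed registry: client_id -> the single redirect URI registered for it.
# The only real value here is the default redirect URL named on the page.
REGISTERED_CLIENTS = {
    "example-client-id": "http://homeassistant.local:8123",  # placeholder client_id
}


def is_registered_redirect(client_id: str, requested_uri: str) -> bool:
    """Exact string comparison against the registered redirect URI.

    Deliberately no prefix matching, no "same host" matching and no
    normalisation: anything other than the registered value is rejected.
    """
    registered = REGISTERED_CLIENTS.get(client_id)
    return registered is not None and requested_uri == registered


def build_authorization_response(client_id: str, requested_uri: str,
                                 code: str, state: str):
    """Return (redirect_url, error) for an authorization request.

    When the redirect_uri does not match, the server must not redirect the
    user agent anywhere; it reports the error to the user instead. Only a
    matching redirect_uri receives the authorization code.
    """
    if not is_registered_redirect(client_id, requested_uri):
        return None, "invalid_request: redirect_uri does not match registered value"
    params = urlencode({"code": code, "state": state})
    sep = "&" if "?" in requested_uri else "?"
    return requested_uri + sep + params, None


if __name__ == "__main__":
    # Constructed values for a local demonstration.
    for uri in ("http://homeassistant.local:8123",          # registered
                "http://192.168.31.100:10123",               # custom HA URL
                "http://homeassistant.local:8123.example",   # look-alike host
                "https://cb.example"):                       # unrelated host
        print(uri, "->", build_authorization_response(
            "example-client-id", uri, "abc123", "xyz"))
```

Because the custom Home Assistant URL is rejected by the same rule that blocks a hostile one, the server cannot tell the two apart; that is why the fix has to happen in the user's browser after the redirect, as described above, instead of in a redirect-URL setting.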

Reference