Add browser callback/code authentication (WSO2/CAS) as alternative to password by MattXcz · Pull Request #17 · MattXcz/CEZ

MattXcz · 2026-03-04T11:37:58Z

Add support for browser callback code/ticket or full callback URL so users who sign in via SSO (WSO2 Identity Server / Google/Apple) can authenticate without storing a password.
Keep existing password-based login while allowing a fallback for service-ticket style authentication.
Improve UX by exposing the new option in the config flow, translations and README.

Introduced new config keys CONF_BROWSER_AUTH and CONF_SERVICE_TICKET and exposed them in const.py.
Extended the config flow (config_flow.py) to accept an optional browser_auth field, validate mutual exclusivity between password and browser callback input, and persist browser_auth (also saved as service_ticket for backwards compatibility).
Updated the API client (api.py) to accept browser_auth, added _login_with_browser_auth which accepts either a raw code/ticket or a full callback URL and exchanges it for an API token, and added _extract_browser_auth_value to parse the provided input.
Adjusted integration setup (__init__.py) to read browser_auth (or legacy service_ticket) from the config entry and pass it to the API client.
Updated user-facing text in README.md and translations (translations/cs.json and translations/en.json) to document the new authentication method and to add validation error messages (missing_auth_data, too_many_auth_methods).

Align browser auth flow with WSO2 callback code

ed70a02

MattXcz added the codex label Mar 4, 2026 — with ChatGPT Codex Connector

Provide feedback