
How to Enable Web Authentication in OpenBeken Version 1.17.342 and newer

castorw 3447 16

TL;DR

  • OpenBeken version 1.17.342 and newer adds web authentication for the administrative interface, protecting the web portal and APIs with HTTP basic authentication.
  • Enable it in Config → Configure WiFi & Web configuration, then use the Web Authentication section to turn on authentication and set the Admin Password.
  • The username is always admin, and the feature is supported on OpenBK7231T, OpenBK7231N, OpenXR809, and OpenBL602.
  • Once enabled, the device requires admin and the configured password for web access, including any web-based API integrations.
  • Safe Mode still keeps authentication enabled by default, and global flag 44 can disable it there, though that is not recommended.
Generated by the language model.
  • Login window for the administrative interface with the password field filled.
    Intro
    Authentication to the administrative interface is present on most connected devices and is a basic security requirement. OpenBeken has supported web authentication since version 1.17.342. Web authentication is implemented using the simple HTTP basic authentication mechanism. This allows protection of devices against unwanted access or malicious configuration or control. When web authentication is enabled, the entire web admin interface and APIs are protected with HTTP basic authentication. This (currently) does not apply to various integrations implemented within OpenBeken.

    Supported platforms:
    * OpenBK7231T,
    * OpenBK7231N,
    * OpenXR809,
    * OpenBL602.

    Setup
    To enable web password authentication, log in to your OpenBeken device web interface and enter the Config -> Configure WiFi & Web configuration section.

    At the bottom you can see the Web Authentication section. This section provides two options:
    * Enable web authentication - enables web authentication and will require the user to log in before accessing the web admin interface,
    * Admin Password - password to be used.

    Username is always admin.

    Screenshot showing network authentication interface with an enabled option and a password field.


    Usage
    Next time you access the web portal or API, you will be required to enter the username (admin) and the configured password. Any integrations using any web-based API will need to authenticate as well.

    Login window with basic HTTP authentication showing user admin.


    Safe Mode
    By default, web authentication (if configured) is enabled even when the device enters Safe Mode. This acts as a security measure, since the device creates an open AP to which anyone can connect and could possibly control the device or even misconfigure it to cause damage (e.g. relays used to control heating, water pumps, etc.).

    If you, however, wish to disable password authentication in Safe Mode, this can be done using global flag 44 in the Config -> Configure General/Flags section. It is not recommended though.

    Configuration window with flag options in the OpenBeken interface.


    And that would be all, now your device has at least some basic security when it comes to administration 😉

  • #2 20860396
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14548
    Help: 654
    Rate: 12551
    This is surely a very important feature. Here's a link to the first public build that includes it:
    https://github.com/openshwprojects/OpenBK7231T_App/releases/tag/1.17.343
    Btw, the LittleFS issue we've spoken about is fixed now. I just had to reduce the binary size by 2KB...
  • #3 21244001
    mbk_med
    Level 5  
    Posts: 9
    Rate: 2
    Hi, is it possible to have Authentication on the W600 platform?
    Thank you.
  • #4 21244010
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14548
    Help: 654
    Rate: 12551
    @divadiow do you have W600 at hand? @max4elektroda ?
  • #5 21244038
    max4elektroda
    Level 24  
    Posts: 749
    Help: 48
    Rate: 184
    Sorry, no W600 here, but W800, which is in the same line with W600 for the define in new_pins.h.
    So I could try with W800
  • #6 21244053
    divadiow
    Level 38  
    Posts: 4978
    Help: 436
    Rate: 888
    p.kaczmarek2 wrote:
    @divadiow do you have W600 at hand? @max4elektroda ?

    a transplanted TW-02 in a mini switch. Air602 in the post.
  • #7 21244064
    max4elektroda
    Level 24  
    Posts: 749
    Help: 48
    Rate: 184
    PR1369 is compiling ATM

    Added after 27 [minutes]:

    Ahh, it's missing a "char webPassword[33]" in "mainConfig_t".

    If I calculated correctly and we have "initCommandLine[512]" starting at 0x000005E0 (dec 1504),
    we end at 2016 leaving only 32 to fill 2048
    Screenshot of source code displaying sections related to W600 and W800 platforms.
    So can we put the 33 bytes to the "unusedSectorAB" for W600 and W800?
  • #8 21244121
    mbk_med
    Level 5  
    Posts: 9
    Rate: 2
    >>21244010 Hi, I have 3 wall sockets with a W600 that I just successfully flashed.
  • #9 21244140
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14548
    Help: 654
    Rate: 12551
    My memory may not be right but I seem to remember that there was some issue with config size on W600 or W800.... that it was failing to save config when the config size was bigger than given threshold... but I am not sure....
  • #10 21244175
    max4elektroda
    Level 24  
    Posts: 749
    Help: 48
    Rate: 184
    O.k, made a PR with a password reduced to 30 bytes.
    Tested W800 : After OTA I had to restart it by hand and then at least WiFi config was gone (started as Open AP).
    But setting SSID and PW worked and I could set web password successfully.

    @p.kaczmarek2 : Is the change to new_pins.h o.k.?
    Is 2048 the limit as expected?

    Code changes in C source files.
  • #12 21244198
    max4elektroda
    Level 24  
    Posts: 749
    Help: 48
    Rate: 184
    Nice, did your config "survive" the update on W600?
  • #13 21244201
    p.kaczmarek2
    Moderator Smart Home
    Posts: 14548
    Help: 654
    Rate: 12551
    Wait, shouldn't config stay if you don't change the size of config structure?
    As per new_cfg.c:
    Code: C / C++
    Log in, to see the code

    It ignores the fields and just interprets whole config as a single bytes block.
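The layout arithmetic from post #7 and the whole-block checksum point from post #13, as an added example that is not code from the OpenBeken repository. The struct names, the `head` and `unused` fields, `crc8`, `old_blob_survives` and `set_web_password` are hypothetical; only `initCommandLine[512]` at 0x5E0, the 30-byte `webPassword` and the 2048-byte total come from the thread, and the CRC is a generic CRC-8 standing in for the project's `Tiny_CRC8`.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CFG_LIMIT 2048 /* ceiling discussed in the thread */

/* Hypothetical stand-ins for mainConfig_t; only initCommandLine[512] at
 * 0x5E0 and the 2048-byte total come from the thread. */
typedef struct {
    uint8_t head[0x5E0];           /* fields before initCommandLine */
    char    initCommandLine[512];  /* bytes 1504..2015 */
    uint8_t unused[32];            /* bytes 2016..2047 */
} cfg_old_t;

typedef struct {
    uint8_t head[0x5E0];
    char    initCommandLine[512];
    char    webPassword[30];       /* carved out of the unused tail */
    uint8_t unused[2];
} cfg_new_t;

/* Build-time guards: a field change must not move or grow the block. */
_Static_assert(offsetof(cfg_old_t, unused) == 2016, "tail starts at 2016");
_Static_assert(sizeof(cfg_new_t) == CFG_LIMIT, "block must stay 2048 bytes");
_Static_assert(sizeof(cfg_new_t) == sizeof(cfg_old_t), "size unchanged");
_Static_assert(offsetof(cfg_new_t, webPassword) + 33 > CFG_LIMIT, "33 bytes do not fit");

/* Generic CRC-8 (poly 0x07), a stand-in and not the project's Tiny_CRC8. */
static uint8_t crc8(const void *buf, size_t n) {
    const uint8_t *p = buf;
    uint8_t c = 0;
    while (n--) {
        c ^= *p++;
        for (int i = 0; i < 8; i++)
            c = (uint8_t)((c & 0x80) ? (c << 1) ^ 0x07 : c << 1);
    }
    return c;
}

/* A blob saved with the old layout checksums identically when read through
 * the new one, and the new field starts out as an empty string. */
int old_blob_survives(void) {
    static cfg_old_t saved;   /* zero-initialised, like a fresh config */
    static cfg_new_t loaded;
    strcpy(saved.initCommandLine, "constructed sample line");
    uint8_t stored = crc8(&saved, sizeof saved);
    memcpy(&loaded, &saved, sizeof loaded);
    return crc8(&loaded, sizeof loaded) == stored && loaded.webPassword[0] == '\0';
}

/* Store a password only if it fits with its terminator; never truncate,
 * or the device would silently accept a shorter secret than the user typed. */
int set_web_password(cfg_new_t *c, const char *pw) {
    if (strlen(pw) >= sizeof c->webPassword) return -1;
    strcpy(c->webPassword, pw);
    return 0;
}
```

A 30-byte field holds at most 29 characters plus the terminator, so the setter rejects anything longer instead of shortening it.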
  • #14 21244210
    max4elektroda
    Level 24  
    Posts: 749
    Help: 48
    Rate: 184
    I didn't attach serial, so I can't tell what was wrong...
    In the end it seems to work
  • #15 21244243
    divadiow
    Level 38  
    Posts: 4978
    Help: 436
    Rate: 888
    max4elektroda wrote:
    Nice, did your config "survive" the update on W600?

    appears to have done. did OTA to latest public then OTA to PR.

    The only minor behavioural thing is that the password is ineffective if you use the same browser session after setting the password. device reboots, ctrl-f5, all just bring up OBK as if no password. And even the admin password checkbox and password are clear. Go incognito or use a different browser then it works and shows as set.
  • #16 21244260
    max4elektroda
    Level 24  
    Posts: 749
    Help: 48
    Rate: 184
    Yes, that's the problem with the used basic auth, it's saved in the browser as long as the tab/window isn't closed; since there is no additional information, it will access the device even after a reboot.
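How a server validates HTTP basic authentication per request, shown as an added example that is not OpenBeken's own code. The check uses only the `Authorization` header and the stored password, with no session state, which is why a client that keeps resending the same header is accepted again after a device reboot, and why API integrations must send it on every call. The function names and the sample password `demo` are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of one base64 character; -1 for anything outside the alphabet. */
static int b64val(char ch) {
    const char *tbl =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = ch ? strchr(tbl, ch) : NULL;
    return p ? (int)(p - tbl) : -1;
}

/* Decode base64 text into out (NUL-terminated); returns length or -1. */
static int b64decode(const char *in, char *out, size_t cap) {
    unsigned acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *in && *in != '='; in++) {
        int v = b64val(*in);
        if (v < 0 || n + 1 >= cap) return -1;   /* bad input or too long */
        acc = (acc << 6) | (unsigned)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[n++] = (char)((acc >> bits) & 0xFF);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* HTTP status for one request: 200 if the header carries admin:<password>,
 * otherwise 401. Nothing is remembered between calls. */
int basic_auth_status(const char *auth_header, const char *password) {
    char got[64] = {0}, want[64] = {0};
    unsigned char diff = 0;
    if (!auth_header || strncmp(auth_header, "Basic ", 6) != 0) return 401;
    if (b64decode(auth_header + 6, got, sizeof got) < 0) return 401;
    snprintf(want, sizeof want, "admin:%s", password);  /* username is fixed */
    /* Compare the full zero-padded buffers so timing does not depend on
     * where the first mismatching character is. */
    for (size_t i = 0; i < sizeof got; i++)
        diff |= (unsigned char)(got[i] ^ want[i]);
    return diff ? 401 : 200;
}
```

The header value is only base64 of `admin:<password>`, so it is an encoding of the credential and not a protection for it.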
  • #17 21266762
    max4elektroda
    Level 24  
    Posts: 749
    Help: 48
    Rate: 184
    p.kaczmarek2 wrote:
    It ignores the fields and just interprets whole config as a single bytes block.

    Since @divadiow asked in git: @p.kaczmarek2 could you please take a look in git if my assumption about the reason is reasonable ;-)?

Topic summary

✨ Web authentication has been implemented in OpenBeken starting from version 1.17.342, utilizing HTTP basic authentication to secure the administrative interface and APIs against unauthorized access. Users can enable this feature by accessing the web interface and navigating to the WiFi & Web configuration section. Discussions include inquiries about the possibility of enabling authentication on the W600 platform, with users sharing experiences and technical challenges related to configuration sizes and memory limitations. Some users reported successful flashing of devices and the need for adjustments in password storage. Issues with browser session persistence affecting password effectiveness were also noted, highlighting the limitations of basic authentication in retaining session data.
Generated by the language model.

FAQ

TL;DR: OpenBeken web authentication works from version 1.17.342, and “Username is always admin.” This FAQ helps OpenBeken users enable HTTP basic auth, secure the web panel and API, understand Safe Mode behavior, and assess current W600/W800 testing limits. [#20859771]

Why it matters: Web authentication adds a basic security layer to device administration and helps block unwanted access to both the OpenBeken web interface and its web API.

| Option | Status | Key detail |
|---|---|---|
| Officially supported platforms | Available | OpenBK7231T, OpenBK7231N, OpenXR809, OpenBL602 |
| W600 | Experimental discussion | Thread asks about adding support; config-size limits are the main concern |
| W800 | Tested in-thread | Web password could be set, but OTA behavior showed quirks |

Key insight: OpenBeken’s web password feature is straightforward on officially supported platforms, but W600/W800 support depends on very tight configuration-memory limits, including a 2048-byte structure ceiling.

Quick Facts

  • Web authentication is available from OpenBeken 1.17.342, while the first public build mentioned with the feature is 1.17.343. [#20860396]
  • The login format is fixed: username admin plus a user-set password, and protection covers the full web admin interface and web APIs. [#20859771]
  • Safe Mode keeps authentication enabled by default because the device may create an open AP, which allows anyone nearby to connect. [#20859771]
  • W600/W800 testing centered on config storage limits: a proposed webPassword[33] field overflowed a layout with initCommandLine[512], leaving only 32 bytes before the 2048-byte limit. [#21244064]
  • A workaround test reduced the password field to 30 bytes on W800; after OTA, the device needed a manual restart and briefly came up as Open AP before reconfiguration. [#21244175]

How do I enable web authentication in OpenBeken 1.17.342 and newer from the Configure WiFi & Web page?

Open Config -> Configure WiFi & Web and enable the Web Authentication section. Then set an admin password and save.

  1. Log into the device web interface.
  2. Go to Configure WiFi & Web.
  3. Tick Enable web authentication and enter Admin Password.

The feature is available from version 1.17.342 onward. [#20859771]

What username and password format does OpenBeken use for HTTP basic authentication on the web admin interface?

OpenBeken uses HTTP basic authentication with a fixed username and a user-defined password. The username is always admin, and you choose the password in Configure WiFi & Web. On the next web or API access, the browser prompts for admin plus that configured password. [#20859771]

Why does OpenBeken web authentication also protect API access, and which integrations are not covered by it?

It protects API access because OpenBeken applies the same HTTP basic authentication to the whole web admin interface and its web APIs. That means browser access and API calls both need credentials. The thread also states this protection does not currently apply to various integrations implemented inside OpenBeken. [#20859771]

What is HTTP basic authentication in OpenBeken, and how secure is it for protecting device administration?

HTTP basic authentication is the mechanism OpenBeken uses to require a username and password before granting web or API access. "HTTP basic authentication" is a login method that sends fixed user credentials with each protected request, using a simple browser-supported challenge-response flow. In this thread, it is presented as basic security, not full hardening, because it mainly prevents casual or unwanted admin access. [#20859771]

What is Safe Mode in OpenBeken, and why is web authentication still enabled there by default?

Safe Mode is a recovery state where the device can create an open access point for local connection and reconfiguration. OpenBeken keeps web authentication enabled there by default because that open AP can let anyone connect. The thread warns that an unauthenticated device in this state could be controlled or misconfigured, including relay-driven loads like heating or water pumps. [#20859771]

How can I disable password authentication in OpenBeken Safe Mode using global flag 44, and what risks does that create?

You can disable it in Safe Mode by changing global flag 44 in Config -> Configure General/Flags. That turns off the password requirement during Safe Mode only. The risk is direct: the device may expose an open AP, so anyone who connects can reach the admin interface and potentially change settings or control outputs. The original post explicitly says this is not recommended. [#20859771]

Which OpenBeken platforms officially support web authentication, and where do W600 and W800 currently fit in?

OpenBeken officially lists 4 supported platforms for web authentication: OpenBK7231T, OpenBK7231N, OpenXR809, and OpenBL602. W600 and W800 are not listed in that official support block. In the later discussion, both appear as experimental targets under test, with W800 tested in-thread and W600 discussed as possible if config-size issues are handled. [#20859771]

How can web authentication be added or tested on the W600 platform in OpenBeken, given the config size limitations discussed in the thread?

The thread suggests adding or testing it by shrinking the password storage so the config still fits the platform limit. One proposed fix was moving or resizing the password field because webPassword[33] did not fit cleanly. Later testing used a reduced password length and verified web password operation on the related W800 platform, which gives a practical path for W600 experiments. [#21244175]

Why was the webPassword field size reduced for W600/W800, and how does the 2048-byte mainConfig_t limit affect implementation?

It was reduced because the original 33-byte password field pushed the configuration layout past the apparent 2048-byte limit. The thread calculates that initCommandLine[512] starts at 0x000005E0 and ends at 2016, leaving only 32 bytes before 2048. Reducing the field to 30 bytes made room on W800 and allowed web-password testing to proceed. [#21244064]

What does mainConfig_t mean in OpenBeken, and why does its size matter for saving configuration on W600 and W800 devices?

mainConfig_t is OpenBeken’s main configuration structure, and its size matters because the firmware saves and validates that whole block. "mainConfig_t" is a firmware configuration structure that stores persistent device settings in one contiguous memory block, including fields whose total size affects whether save, checksum, and upgrade logic still work. On W600/W800, the thread ties failures to crossing an apparent 2048-byte threshold. [#21244201]

Why might a W800 device lose WiFi settings or boot into Open AP after an OTA update while testing web authentication?

Because the OTA test showed unstable config persistence during the experimental W800 build. One tester reported that after OTA the device needed a manual restart, then at least the WiFi configuration was gone and the device started as Open AP. After re-entering SSID and password, the tester could still set the web password successfully. [#21244175]

How does OpenBeken calculate and validate config checksums in new_cfg.c, and why would structure size changes affect upgrades?

OpenBeken calculates the checksum over the configuration as a single byte block, not field by field. In new_cfg.c, the code derives header_size, sets configSize, computes remaining_size, and runs Tiny_CRC8 over that region. That means structure-size changes matter during upgrades because the saved data length and interpreted block size can diverge when a platform has tight config-space limits. [#21244201]

Why does the admin password seem ineffective in the same browser session right after enabling OpenBeken web authentication?

Because the browser can keep HTTP basic-auth credentials for the current tab or window after you set the password. In the thread, a tester saw the device reboot and still open normally after Ctrl+F5, with the password fields appearing clear. Another reply explains that this is expected with basic auth until that browser session ends. [#21244260]

What's the difference between using the same browser tab, a new browser, or incognito mode when testing OpenBeken basic auth?

The same tab can silently reuse saved basic-auth credentials, while a different browser or incognito session forces a fresh authentication check. The thread describes one clear test: the password looked ineffective in the original session, but worked correctly in incognito or a different browser. That makes private mode the quickest way to verify whether OpenBeken authentication is actually active. [#21244243]

How do W600 and W800 compare for OpenBeken web authentication support, especially around OTA behavior, config persistence, and available memory?

W800 is further along because it was actually tested, while W600 stayed at the discussion and feasibility stage. Both platforms appear constrained by config memory, especially near the 2048-byte mainConfig_t ceiling. On W800, a 30-byte password field worked, but OTA caused quirks such as a manual reboot and temporary loss of WiFi config. On W600, testers mainly focused on whether the same memory workaround would fit and preserve settings. [#21244175]
Generated by the language model.