feat: support OIDC authentication

[michaelhthomas]

Description

Adds support for logging in using an OIDC Identity Provider (Auth0, Authentik, Keycloak, etc.).

Refactors Plex OAuth login to be in its own component, like the other identity providers.

Screenshot (if UI-related)

To-Dos

• Successful build yarn build
• Translation keys yarn i18n:extract
• Database migration (if required)

Issues Fixed or Closed

• Fixes [Feature Request] Support login with OIDC #183
• Fixes [Feature request] SSO #86

[john-sp]

You may want to blur some of the info in the image

[Fallenbagel]

Ah I see that you resolved the merge conflicts. Was going to ask. Thanks

[Fallenbagel]

@michaelhthomas Hi. I tried to test this PR, however, during first setup in the library step, I get this error and I am not able to continue it setup

[michaelhthomas]

Uh oh... I'm pretty sure that means you made it to the second page but aren't logged in with Plex or Jellyfin, which probably means the login failed and I need to add some better error handling. Which one were you testing?

[Fallenbagel]

Which one were you testing?

Jellyfin. That is from the libraries setup page right after logging in

[michaelhthomas]

@Fallenbagel Found the bug and am working on a fix. Got a question...right now there's a value for MediaServerType.EMBY that's essentially unused, since emby is actually treated as MediaServerType.JELLYFIN with JELLYFIN_TYPE set to "emby". Would you be ok with removing MediaServerType.EMBY to avoid confusion, or would you rather everything use MediaServerType.EMBY instead of JELLYFIN_TYPE for consistency?

[Fallenbagel]

We need the MediaServerType=Emby as the current emby implementation is temporary. We are going to be implementing emby without the env variable through api which would also allow us to have simultaneous server support. So we need it

[michaelhthomas]

Ok sweet. I'll test Emby with my current implementation to make sure everything works as expected, and when it's implemented properly there will probably be some changes that need to be made to the login window / setup wizard.

[Fallenbagel]

Ok sweet. I'll test Emby with my current implementation to make sure everything works as expected, and when it's implemented properly there will probably be some changes that need to be made to the login window / setup wizard.

I have not tested yet but if it works for emby it should work for jellyfin. Will test tonight

[Fallenbagel]

I tested the setup and it indeed worked. However, as I have no way of testing OIDC, I will deploy this as a preview tag (:preview-pr184 for testing for now

[michaelhthomas]

@Fallenbagel resolved the merge conflicts. OIDC is working great for me (using authentik) but would love to have some others test with different OIDC providers.

[Fallenbagel]

@Fallenbagel resolved the merge conflicts. OIDC is working great for me (using authentik) but would love to have some others test with different OIDC providers.

Is LDAP possible with this? (I don't really know OIDCs and stuff so)

[michaelhthomas]

@Fallenbagel resolved the merge conflicts. OIDC is working great for me (using authentik) but would love to have some others test with different OIDC providers.

Is LDAP possible with this? (I don't really know OIDCs and stuff so)

Not directly. A number of oauth2 / OIDC providers do integrate with LDAP (including authentik) for authentication, but oauth2 is much higher level. Where LDAP acts more like an external users database, an OIDC/oauth provider handles all the sign in and authentication logic. Plex SSO actually uses oauth2 afaik, it just doesn't conform to the OIDC standard.

[BoBeR182]

I can test with Keycloak, just learning how to compile and run this build still.

[Fallenbagel]

I can test with Keycloak, just learning how to compile and run this build still.

If you want to compile it natively to test instead of the deployed docker snapshot, pull this PR and try it

And please provide feedback. Feedback is very much needed (since this is kind of a big feature)

[atropos112]

Howdy,

I am excited to see this MR, its certainly something that is missing in my setup and hence i (somewhat selfishly) want to help.

---

My relevant setup:
I am running Sonarr, Radarr, Jellyfin and of course Jellyseerr. I am also running Authelia which I currently use as my OpenID solution for ArgoCD, WikiJs, Grafana, Harbor and Gitlab.

---

I have never implemented open id login mechanism but I have connected few applications to OpenID that Authelia provides (as outlined above), I am happy to test and provide feedback. I have ran your branch locally and have few questions.

A typical config in Authelia looks something like this

- id: <user-picked-id-here>
  pre_configured_consent_duration: '365d'
  description: idk
  secret: <SECRETHERE>
  public: false
  authorization_policy: one_factor
  audience: []
  scopes:
    - openid
    - email
    - profile
  redirect_uris:
    - <CALLBACKURL>
   response_modes:
        - form_post 

(I believe data needed to setup is somewhat similar for KeyCloak +- some small details)

In particular both Authelia and the app (Jellyseerr in this case) need to have id and the secret, both of which are chosen by the client.. In addition authelia (keycloak also) needs the callback url and the required scopes. In your implementation I see place for id but not the secret, is there a way of adding this ? I also do not know (maybe i am missing something obvious) what the callback url is and what scopes are required.

[michaelhthomas]

Howdy,

I am excited to see this MR, its certainly something that is missing in my setup and hence i (somewhat selfishly) want to help.

My relevant setup: I am running Sonarr, Radarr, Jellyfin and of course Jellyseerr. I am also running Authelia which I currently use as my OpenID solution for ArgoCD, WikiJs, Grafana, Harbor and Gitlab.

I have never implemented open id login mechanism but I have connected few applications to OpenID that Authelia provides (as outlined above), I am happy to test and provide feedback. I have ran your branch locally and have few questions.

A typical config in Authelia looks something like this

- id: <user-picked-id-here>
  pre_configured_consent_duration: '365d'
  description: idk
  secret: <SECRETHERE>
  public: false
  authorization_policy: one_factor
  audience: []
  scopes:
    - openid
    - email
    - profile
  redirect_uris:
    - <CALLBACKURL>
   response_modes:
        - form_post 

(I believe data needed to setup is somewhat similar for KeyCloak +- some small details)

In particular both Authelia and the app (Jellyseerr in this case) need to have id and the secret, both of which are chosen by the client.. In addition authelia (keycloak also) needs the callback url and the required scopes. In your implementation I see place for id but not the secret, is there a way of adding this ? I also do not know (maybe i am missing something obvious) what the callback url is and what scopes are required.

Because Jellyseerr is a SPA (single page app), it uses the OAuth PKCE authorization flow instead of the traditional authorization flow. Since all of the login and (most of) the validation logic occurs on the client when using this flow, the client secret is not used. This is a "public" authorization flow, so the configuration will look a little bit different from apps using the traditional authorization flow. This looks to be the relevant configuration option for Authelia, and other providers should have similar options. In order to maintain security with this mechanism, be sure that the redirect URLs are limited only to your Jellyseerr instance (https://your-jellyseerr-instance.xyz/login). Also, the openid, profile, and email scopes are all used so that Jellyseer can view users' names and email addresses. Thanks for being open to testing this out!

[atropos112]

That makes a lot of sense! I take it then I need something like this

      - id: jellyseerr
        public: true
        authorization_policy: two_factor
        audience: []
        scopes:
        - openid
        - email
        - profile
        redirect_uris:
        - https://jellyserrr-instance.xyz/login
        userinfo_signing_algorithm: none
        response_modes:
        - form_post 

I am building the docker image now, will shortly deploy and update.

[Fallenbagel]

That makes a lot of sense! I take it then I need something like this

      - id: jellyseerr
        public: true
        authorization_policy: two_factor
        audience: []
        scopes:
        - openid
        - email
        - profile
        redirect_uris:
        - https://jellyserrr-instance.xyz/login
        userinfo_signing_algorithm: none
        response_modes:
        - form_post 

I am building the docker image now, will shortly deploy and update.

Docker image is already built tho. Can be access through preview-prxxx where xxx is this PRs number

[atropos112]

I wanted to test it further so I ran

docker build -t oicd-jellyseerr -f Dockerfile .
docker tag oidc-jellyseerr:latest myharbor.xyz/testing/oidc-jellyseerr:develop
docker push myharbor.xyz/testing/oidc-jellyseerr:develop

but when i run a pod with the above image I get

(pressing reload refreshes the page and this pop-up appears again)
this is strange, I tried running on the normal develop branch to see if its something with your changes (which I doubted) but I get the same issue. Data seems to need to be reloaded but even if i start on fresh pvc i still get this. Is there some variable I am missing ?

[michaelhthomas]

I wanted to test it further so I ran

docker build -t oicd-jellyseerr -f Dockerfile .
docker tag oidc-jellyseerr:latest myharbor.xyz/testing/oidc-jellyseerr:develop
docker push myharbor.xyz/testing/oidc-jellyseerr:develop

but when i run a pod with the above image I get

(pressing reload refreshes the page and this pop-up appears again)
this is strange, I tried running on the normal develop branch to see if its something with your changes (which I doubted) but I get the same issue. Data seems to need to be reloaded but even if i start on fresh pvc i still get this. Is there some variable I am missing ?

What happens when you press the reload button? That just looks like your browser still has the old version of the web interface cached

[4WaYDp]

I have set up oidc with Authelia; everything works fine except that Full Library Scan and Recently Added Scan stopped working. There are no errors thrown, not on Jellyseeerr and not Emby. The owner-user can login with oidc and is of type Emby user (3). Is anybody else having these problems?

[jorti]

I have set up oidc with Authelia; everything works fine except that Full Library Scan and Recently Added Scan stopped working. There are no errors thrown, not on Jellyseeerr and not Emby. The owner-user can login with oidc and is of type Emby user (3). Is anybody else having these problems?

I have the same problem. Jellyseerr fails to access the Jellyfin API, so things like the sync or scan of the Jellyfin libraries don't work.

[Fallenbagel]

I have set up oidc with Authelia; everything works fine except that Full Library Scan and Recently Added Scan stopped working. There are no errors thrown, not on Jellyseeerr and not Emby. The owner-user can login with oidc and is of type Emby user (3). Is anybody else having these problems?

I have the same problem. Jellyseerr fails to access the Jellyfin API, so things like the sync or scan of the Jellyfin libraries don't work.

Can you share your logs. When you press sync or scan. Need more info.

[jorti]

I have set up oidc with Authelia; everything works fine except that Full Library Scan and Recently Added Scan stopped working. There are no errors thrown, not on Jellyseeerr and not Emby. The owner-user can login with oidc and is of type Emby user (3). Is anybody else having these problems?

I have the same problem. Jellyseerr fails to access the Jellyfin API, so things like the sync or scan of the Jellyfin libraries don't work.

Can you share your logs. When you press sync or scan. Need more info.

I'm using the latest container image docker.io/fallenbagel/jellyseerr:preview-OIDC.
The only message I get when I click on "Sync libraries" is:

2024-05-29T08:37:37.111Z [error][Jellyfin API]: Something went wrong while getting libraries from the Jellyfin server: Request failed with status code 404

If I configure the Jellyfin internal URL to be my reverse proxy, I can see that the failed request goes to the /Users//Views Jellyfin endpoint:

192.168.1.1 - - [29/May/2024:08:48:27 +0000] "GET /Users//Views HTTP/1.1" 404 988 "-" "-" 104003 "jellyfin@docker" "http://10.89.0.117:80" 1ms

It looks like the double slash is causing problems:

# curl -I https://jellyfin.example.com/Users//View
HTTP/2 404 
accept-ranges: bytes
alt-svc: h3=":443"; ma=2592000
content-type: text/html
date: Wed, 29 May 2024 08:51:52 GMT
etag: "65b785cb-3dc"
last-modified: Mon, 29 Jan 2024 11:02:35 GMT
referrer-policy: strict-origin-when-cross-origin
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-robots-tag: noindex, nofollow
x-xss-protection: 1; mode=block
content-length: 988

# curl -I https://jellyfin.example.com/Users/View
HTTP/2 405 
allow: DELETE, GET, POST
alt-svc: h3=":443"; ma=2592000
date: Wed, 29 May 2024 08:51:54 GMT
referrer-policy: strict-origin-when-cross-origin
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-response-time-ms: 7.4041
x-robots-tag: noindex, nofollow
x-xss-protection: 1; mode=block

The relevant parts of the settings.json file:

 "main": {
  "apiKey": "REDACTED",
  "applicationTitle": "Jellyseerr",
  "applicationUrl": "https://jellyseerr.example.com",
  "csrfProtection": true,
  "cacheImages": false,
  "defaultPermissions": 71303200,
  "defaultQuotas": {
   "movie": {
    "quotaLimit": 0,
    "quotaDays": 7
   },
   "tv": {
    "quotaLimit": 0,
    "quotaDays": 7
   }
  },
  "hideAvailable": false,
  "localLogin": false,
  "mediaServerLogin": true,
  "newPlexLogin": true,
  "oidcLogin": true,
  "oidc": {
   "providerName": "Authelia",
   "providerUrl": "https://auth.example.com",
   "clientId": "jellyseerr",
   "clientSecret": "REDACTED",
   "userIdentifier": "preferred_username",
   "requiredClaims": "email_verified",
   "scopes": "email openid profile groups",
   "matchJellyfinUsername": true,
   "automaticLogin": false
  },
  "region": "ES",
  "originalLanguage": "",
  "trustProxy": true,
  "mediaServerType": 2,
  "partialRequestsEnabled": true,
  "locale": "es"
 },
 "jellyfin": {
  "name": "",
  "hostname": "http://jellyfin:8096",
  "externalHostname": "https://jellyfin.example.com",
  "jellyfinForgotPasswordUrl": "https://auth.example.com/reset-password/step1",
  "libraries": [
   {
    "id": "ed2a25286c558a96e1424971742ca350",
    "name": "Movies",
    "enabled": true,
    "type": "movie"
   },
   {
    "id": "5ddaa59a73205234890fdcfc683e14ef",
    "name": "Shows",
    "enabled": true,
    "type": "show"
   }
  ],
  "serverId": "a0c6a6aff1ce4463c0a2eda775a310f9"
 },

In addition to that, I had to grant myself owner permissions by editing the database manually:

# sqlite3 /var/lib/containers/storage/volumes/jellyseerr/_data/db/db.sqlite3

sqlite> select id, email, username, permissions from user;
sqlite> update user set permissions = 3 where id = 1;
sqlite> .exit

[jorti]

After a bit more digging I've found a workaround for the 404 errors when accessing the Jellyfin API. The problem is that Jellyseerr doesn't know my Jellyfin user id, so the call to /Users/JELLYFIN_USER_ID/View is incorrect.

I've discovered my user id and created an API key in Jellyfin, then added them to my user in Jellyseerr:

sqlite> select id, email, username, jellyfinUsername, jellyfinAuthToken, jellyfinUserId, jellyfinDeviceId from user;
1|[email protected]|username||||

sqlite> update user set jellyfinUsername = 'username', jellyfinUserId = 'JELLYFIN_USER_ID', jellyfinAuthToken = 'REDACTED'  where id = 1;

After that, the library scan works.

I think this Jellyfin API key setting should be a global option and not per-user.

[Fallenbagel]

I think this Jellyfin API key setting should be a global option and not per-user.

We dont use apikeys. We use auth tokens (specifically the auth token of the owner account for syncing). So whatever apikey you generate on jellyfin doesn't matter as we only use authTokens. Which is something that's designed to be automatically retrieved when logging in. Sounds like your jellyfinUserId changed (which should never happen) but that was causing jellyseerr to not update your authtoken(?) but im not sure why you were getting a 404.

Just an fyi, the behavior of login, authtokens are already very different from this PR (I think this pr is about 2 versions old).

[michaelhthomas]

Just an fyi, the behavior of login, authtokens are already very different from this PR (I think this pr is about 2 versions old).

Yeah.... I'm thinking of just making a new PR based on the one upstream (sct/overseerr#3746) with some tweaks and additional features from this one. Since that might have a smaller scope, hopefully it could end up being merged more quickly. I could then make some smaller PRs with additional user interface and functionality improvements that aren't strictly necessary to get the feature released.

[Fallenbagel]

Just an fyi, the behavior of login, authtokens are already very different from this PR (I think this pr is about 2 versions old).

Yeah.... I'm thinking of just making a new PR based on the one upstream (sct/overseerr#3746) with some tweaks and additional features from this one. Since that might have a smaller scope, hopefully it could end up being merged more quickly. I could then make some smaller PRs with additional user interface and functionality improvements that aren't strictly necessary to get the feature released.

That would be great. Specifically the biggest change we're gonna get on auth is #773 and apikeys (we're gonna stop authtokens)

[Sapd]

There is a bug at least in the latest build:

When a user has an email like John.Doe@gmail.com in Authentik (watch at the upper-cases) and then trys to login, he will get an error and the log report:

SQLITE_CONSTRAINT: UNIQUE constraint failed: user.email"

Changing his email to lower case in Authentik fixes it.

[Scot-Survivor]

There is a bug at least in the latest build:

When a user has an email like John.Doe@gmail.com in Authentik (watch at the upper-cases) and then trys to login, he will get an error and the log report:

SQLITE_CONSTRAINT: UNIQUE constraint failed: user.email"

Changing his email to lower case in Authentik fixes it.

Can confirm this bug still happens my side. And I am using Keycloak, so can't use this fix.

[maarten-vdb]

I'm having problems (statuscode 401) getting the required claims working with "custom scopes". No matter what scopes I enter in the jellyseer oidc configuration, only "email openid profile" appear to be requested according to Authentik.

When the Required Claims value is something that is returned without needing a specific scope(email_verified), my problems with 401 errors are fixed. Have i messed up something or is this an actual bug?

[kartik2406]

This works perfectly for me using Authentik and Plex including automatic login. I started from scratch and do not have any advanced config settings in NPM.

Jellyseerr: Issuer URL: https://auth.example.com/application/o/applicationname

Authentik Provider: Redirect URI: https://jellyseerr.example.com/login/oidc/callback

This works perfectly for me using Authentik and Plex including automatic login. I started from scratch and do not have any advanced config settings in NPM.

Jellyseerr: Issuer URL: https://auth.example.com/application/o/applicationname

Authentik Provider: Redirect URI: https://jellyseerr.example.com/login/oidc/callback

Thank you!
This worked for me :D

[Doug411]

@chinyongcy or @crltc....Has anyone figured out the custom scopes issue with Authentik? I've tried everthing, but cant pass through a custom property. Its not showing in my payload in jellyseer. I can only make this work with email/email_verified. Thats a bummer. I have a custom scope going though in jellyfin OIDC plugin, so it seems the issue is on the jellyseer side, not Authentik.

[github-actions]

This pull request has merge conflicts. Please resolve the conflicts so the PR can be successfully reviewed and merged.

[Alumni1506]

For people looking to use the latest version of authelia, using the previous working configuration will result in an error. You need to add token_endpoint_auth_method: 'client_secret_post' to the configuration file.

For those that have been running authelia and recently updated, this suggested change fixed my errors post update.

[nebb00]

Is there a rough idea on a timeline for this support? Really want to migrate my users to jellyfin and jellyseer using Authelia as user management

[TheRedCyclops]

I have managed to set this up with authelia, but there is one small error, when signing out it redirects to: https://jellyseerr.example.com/api/v1/auth/undefined instead of the login page or whatever page it was trying to redirect to.
No relevant logs

[mikevanes]

Any information of the status of this PR? Currently using the preview branch which seems to work nicely, would love to see it merged.

[lucaam]

Any information of the status of this PR? Currently using the preview branch which seems to work nicely, would love to see it merged.

Hello, you should have a look here #883

[Ruakij]

Any information of the status of this PR? Currently using the preview branch which seems to work nicely, would love to see it merged.

Hello, you should have a look here #883

I dont 100% understand why this cant be parallel? So this PR being integrated before Linking is introduced.
Linking needs to support multiple anyways and needs to migrate current states over, so this wouldnt be an exception. Ideally this would then only incur minimal changes there. (i.e. Enum + adding a Provider)

Just seems this feature will be pushed more and more because of more and more changes to the underlying system and parallel development state. :/

[0dragosh]

I agree with @Ruakij, it seems this has been pushed for over 2 years yet there’s a build with the feature fully operational.

Are there any downsides to merging what’s in preview-OIDC and adding linking later?

[Fallenbagel]

This PR is way outdated. It's not even close to the state that develop is in. We cannot just simply merge this pr.

And if you look at #926 you can find that it's in the roadmap. But we need to completely rework this pr to even be compatible.

[0dragosh]

Alright @Fallenbagel, no worries. Thanks for the work!

[pando85]

If there are some rework here. We should change the callback schema to allow https even if you run it in http because you can deploy Jellyseer behind a reverse proxy which is quite common.