Closed duncan-valleix closed 1 year ago
If you are using the old /p/
paths, then the plugin will use the /r/
paths for the redirect. Instead, try going to /start/
instead of /p/
.
futhermore, OIDScopes should be just a space separated list, not JSON-formatted.
If you are using the old /p/ paths, then the plugin will use the /r/ paths for the redirect. Instead, try going to /start/ instead of /p/
as mentioned above, I've tried all 4 and the result is the same in the end.
futhermore, OIDScopes should be just a space separated list, not JSON-formatted.
I will take note of this and modify it. thank you.
in authelia it is currently declared as follows,
- id: jellyfin
description: Jellyfin
# Client secret should be randomly generated
secret: '$pbkdf2-sha512$REDACTED'
authorization_policy: one_factor
redirect_uris:
- https://jellyfin.ndd.com/sso/OID/redirect/authelia
in jellyfin like this
<OidEndpoint>https://auth.ndd.com</OidEndpoint>
so if I call https://jellyfin.ndd.com/sso/OID/start/authelia
I should have received a favourable reply, but instead I got this one {"error":"invalid_request","error_description":"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The 'redirect_uri' parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls."}
Can you upload the whole Jellyfin log? I need to see what happens when you go to /start/authelia
Can you upload the whole Jellyfin log? I need to see what happens when you go to
/start/authelia
when I make a call from /start/authelia
I have this in the jellyfin log
[18:11:58] [INF] [23] Jellyfin.Plugin.SSO_Auth.Api.SSOController: SSO Controller initialized
and I have this in authelia's log
time="2023-08-20T18:14:34+02:00" level=debug msg="Notifier SMTP client attempting connection to smtp.gmail.com:465"
time="2023-08-20T18:14:34+02:00" level=debug msg="Notifier SMTP client using submissions port 465. Make sure the mail server you are connecting to is configured for submissions and not SMTPS."
time="2023-08-20T18:14:34+02:00" level=debug msg="Notifier SMTP client connected successfully"
time="2023-08-20T18:14:34+02:00" level=debug msg="Notifier SMTP connection is already encrypted, skipping STARTTLS"
time="2023-08-20T18:14:34+02:00" level=debug msg="Notifier SMTP server supports authentication with the following mechanisms: LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH"
time="2023-08-20T18:14:34+02:00" level=debug msg="Notifier SMTP client attempting AUTH PLAIN with server"
time="2023-08-20T18:14:34+02:00" level=debug msg="Notifier SMTP client authenticated successfully with the server"
time="2023-08-20T18:14:34+02:00" level=info msg="Initializing server for non-TLS connections on '[::]:9091' path '/'"
time="2023-08-20T18:14:51+02:00" level=error msg="Authorization Request failed with error: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The 'redirect_uri' parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls." method=GET path=/api/oidc/authorization remote_ip=10.0.20.50 stack="github.com/authelia/authelia/v4/internal/handlers/handler_oidc_authorization.go:32 OpenIDConnectAuthorization\ngithub.com/authelia/authelia/v4/internal/middlewares/http_to_authelia_handler_adaptor.go:113 NewHTTPToAutheliaHandlerAdaptor.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54 (*BridgeBuilder).Build.func1.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:35 SecurityHeadersNoStore.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:25 SecurityHeadersCSPNone.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:16 SecurityHeaders.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/cors.go:216 (*CORSPolicy).Middleware.func1\ngithub.com/fasthttp/router@v1.4.14/router.go:414 (*Router).Handler\ngithub.com/valyala/fasthttp@v1.43.0/http.go:154 (*Response).StatusCode\ngithub.com/valyala/fasthttp@v1.43.0/server.go:2338 (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:224 (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:196 (*workerPool).getCh.func1\nruntime/asm_amd64.s:1594 goexit"
Can you force the redirect scheme to be "https"? This should be the "scheme override" option in the settings.
Can you force the redirect scheme to be "https"? This should be the "scheme override" option in the settings.
it works, so I guess that was the problem. many thanks
It seems like your reverse proxy is misconfigured and not sending Jellyfin the right headers that lets it know that it is running over HTTPS. Jellyfin was then using "http" instead of "https" to generate the redirect url, which caused the issue.
See also: https://github.com/9p4/jellyfin-plugin-sso/issues/129 and many more.
It seems like your reverse proxy is misconfigured and not sending Jellyfin the right headers that lets it know that it is running over HTTPS. Jellyfin was then using "http" instead of "https" to generate the redirect url, which caused the issue.
See also: #129 and many more.
this is very likely because between my reverse proxy (traefik) and jellyfin, it communicates via the network with the container_name.http://jellyfin:8096
well now I have a permission problem, do I have to look elsewhere or can you help me?
in the jellyfin log I have this
[18:35:38] [INF] [22] Jellyfin.Plugin.SSO_Auth.Api.SSOController: SSO Controller initialized
[18:35:41] [INF] [22] Jellyfin.Plugin.SSO_Auth.Api.SSOController: SSO Controller initialized
[18:35:42] [WRN] [20] Jellyfin.Plugin.SSO_Auth.Api.SSOController: OpenID user f6141dcb-3d4e has one or more incorrect role claims: [{"Type": "amr", "Value": "pwd"}, {"Type": "azp", "Value": "jellyfin"}, {"Type": "client_id", "Value": "jellyfin"}, {"Type": "jti", "Value": "4a6dadce-2c66-4f1e-b830-a4dd54e3e975"}, {"Type": "name", "Value": "Prenom NOM"}, {"Type": "preferred_username", "Value": "prenom-nom"}, {"Type": "rat", "Value": "1692549338"}, {"Type": "sub", "Value": "f6141dcb-3d4e-"}]. Expected any one of: ["seedbox_users"]
You can create a discussion post for the permission error. I can tell you that it looks like authelia is not sending over any group/role information. I'm not very good with authelia, so I won't be of much help with that side of things.
You can create a discussion post for the permission error. I can tell you that it looks like authelia is not sending over any group/role information. I'm not very good with authelia, so I won't be of much help with that side of things.
I'll have a look at this, thank you very much. :D
I can't set up the connection via authelia despite trying several times, I always get an error either in authelia when I call
https://jellyfin.ndd.com/sso/OID/p/authelia
orhttps://jellyfin.ndd.com/sso/OID/start/authelia
, I have this error{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The 'redirect_uri' parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls."}
be at jellyfin's level when I callhttps://jellyfin.ndd.com/sso/OID/r/authelia
orhttps://jellyfin.ndd.com/sso/OID/redirect/authelia
, I have this errorError processing request.
Versions:
authelia
jellyfin
in the authelia config file I tried putting (one by one) after modification I also restarted authelia
when I put
redirect_uri
authelia won't start, I even tried to set the scopesin the jellyfin config I tested various configurations (one by one))
I even tried with and without admin roles and roles.
As for logs, here's what happens when I get the error with authelia the authelia log
jellyfin's log
and here are the logs when the problem is blocked on jellyfin (I don't reach authelia so I have no logs) jellyfin log for
https://jellyfin.ndd.com/sso/OID/r/authelia
jellyfin log for
https://jellyfin.ndd.com/sso/OID/r/authelia