9p4 / jellyfin-plugin-sso

This plugin allows users to sign in through an SSO provider (such as Google, Microsoft, or your own provider). This enables one-click signin.
GNU General Public License v3.0

Authelia redirect link not working #182

Open nothing2obvi opened 2 months ago

nothing2obvi commented 2 months ago

Describe the bug

The Authelia redirect link is not working. See below.

To Reproduce

Steps to reproduce the behavior:

  1. Set redirect URIs in Authelia for the client. See full configuration at very bottom.
    • "https://jellyfin.domain.com/sso/OID/redirect/authelia"
    • "https://jellyfin.domain.com/sso/OID/r/authelia"
  2. Set button to have: form action="https://jellyfin.domain.com/sso/OID/start/Authelia"
  3. Try to log in using button.
  4. Get the following:

    {"error":"invalid_request","error_description":"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The 'redirect_uri' parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls."}

  5. I also tried using /start/authelia instead and got:

    Error processing request.

Expected behavior

The "Sign in with SSO" button should lead to Authelia.

Configuration

Sorry, idk where to find the XML file. I looked in the plugins folder. I used the instructions from here, switching out OpenID Client ID and OID Secret.

Btw, the OID Secret begins with $pbkdf2-sha512$, is that right?

Versions (please complete the following information):

Additional context

Plugin was installed via repository.

From Authelia:

    clients:
      - client_id: "clientidhere"
        client_name: "Jellyfin"
        client_secret: "$pbkdf2-sha512$stuffhere"
        public: False
        authorization_policy: "two_factor"
        require_pkce: True
        pkce_challenge_method: "S256"
        redirect_uris:
          - "https://jellyfin.domain.com/sso/OID/redirect/authelia"
          - "https://jellyfin.domain.com/sso/OID/r/authelia"
        scopes:
          - "openid"
          - "profile"
          - "groups"
        userinfo_signed_response_alg: "none"
        token_endpoint_auth_method: "client_secret_post"
        jwks:
          key_id: "jellyfin"
          use: "sig"
          algorithm: "RS256"
          key: |
            -----BEGIN PUBLIC KEY-----
            ...........
            -----END PUBLIC KEY-----

9p4 commented 2 months ago

> Btw, the OID Secret begins with $pbkdf2-sha512$, is that right?

No, the plugin needs the decrypted form of the secret.

nothing2obvi commented 2 months ago

Thanks I'll try that and report back.

madc commented 1 month ago

I just ran into a similar issue, where the plugin would provide the redirect_uri as http instead of https. To solve this, I had to set the Scheme Override to 'https':


9p4 commented 1 month ago

This usually means your reverse proxy is misconfigured. @madc

allluke commented 1 month ago

I was having the same problem and changed my lower case authelia to Authelia and it worked. e.g.

    "https://jellyfin.domain.com/sso/OID/redirect/authelia"
    "https://jellyfin.domain.com/sso/OID/r/authelia"

to

    "https://jellyfin.domain.com/sso/OID/redirect/Authelia"
    "https://jellyfin.domain.com/sso/OID/r/Authelia"