9p4 / jellyfin-plugin-sso

This plugin allows users to sign in through an SSO provider (such as Google, Microsoft, or your own provider). This enables one-click signin.
GNU General Public License v3.0
585 stars, 27 forks

RoleClaims parser failure on authelia's OIDC setup #210

Open grapemix opened 3 days ago

grapemix commented 3 days ago

Describe the bug jellyfin-plugin-sso is unable to parse/handle the Authelia OpenID result because of a different format (JSON key/value pairs vs. a string array). I just use a very basic setup. See below.

To Reproduce Use the SSO button to log in after setup.

Expected behavior Error from console:

Jellyfin.Plugin.SSO_Auth.Api.SSOController: OpenID user 538f10fb-6d0e-4c42-b636-b329a8cf928b has one or more incorrect role claims: [{"Type": "amr", "Value": "pwd"}, {"Type": "azp", "Value": "jellyfin"}, {"Type": "client_id", "Value": "jellyfin"}, {"Type": "groups", "Value": "admin"}, {"Type": "groups", "Value": "user"} ... Skip.... ]. Expected any one of: ["user", "admin"]

Based on OpenID's result, we would like to find something like '{"Type": "groups", "Value": "user"}' instead of just "user". I've tried to put '{"Type": "groups", "Value": "user"}' in the Roles field, but I have had no luck. The Role Claim does not seem to support this JSON key/value pair case, since the JSON is not like {"groups": ["user", "admin"]}.

I've seen a few posts whose cfg is like mine, but they seem to have no problem... https://github.com/9p4/jellyfin-plugin-sso/issues/23 https://github.com/9p4/jellyfin-plugin-sso/issues/88

Configuration Authelia cfg:

      - client_id: jellyfin
        client_name: jellyfin
        client_secret: "{{ .JELLYFIN_OAUTH_CLIENT_SECRET }}"
        authorization_policy: one_factor
        pre_configured_consent_duration: 1y
        consent_mode: 'implicit'
        public: false
        require_pkce: true
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_post'
        scopes:
          - openid
          - profile
          - groups
        redirect_uris:
          - https://jellyfin.{{ .SECRET_DOMAIN }}/sso/OID/start/authelia
          - https://jellyfin.{{ .SECRET_DOMAIN }}/sso/OID/p/authelia
          - https://jellyfin.{{ .SECRET_DOMAIN }}/sso/OID/redirect/authelia
          - https://jellyfin.{{ .SECRET_DOMAIN }}/sso/OID/r/authelia

Plugin cfg:

  OidEndpoint: https://authelia.example.com/.well-known/openid-configuration/
  OidClientId: jellyfin
  OidSecret: <omitted>
  Enabled: true
  EnableAuthorization: true
  EnableAllFolders: true
  EnabledFolders: []
  Roles: [user,admin]
  Admin Roles: [admin]
  EnableFolderRoles: false
  FolderRoleMapping: []
  # As the UI page suggested
  RoleClaim: groups
  Request Additional Scopes: groups

Versions (please complete the following information):

Additional context Add any other context about the problem here. Was the plugin built from source?

9p4 commented 1 day ago

Can you upload the configuration as an .XML file?