search

9p4 / jellyfin-plugin-sso

This plugin allows users to sign in through an SSO provider (such as Google, Microsoft, or your own provider). This enables one-click signin.
GNU General Public License v3.0
534 stars 25 forks source link

Integrate with Kodi Login #70

Open LeVraiRoiDHyrule opened 1 year ago

LeVraiRoiDHyrule commented 1 year ago

Hi,

I have a Jellyfin server for years and now looking to integrate it better with all my services so I'm looking to get SSO for everything. This plugin looks really cool and I'm looking forward integrating it with Authentik or Keycloak. But my problem is that I am still using the Kodi addon on some devices, even if most of my users use web.

Is there a way to get SSO and Kodi login working together ? Is there a way to still have a password that I can input in the addon ? Is there a way to have like an "app password" on Microsoft Accounts, to connect on apps that don't have a browser ?

Thanks in advance for any answer, Have a great day

9p4 commented 1 year ago

Which Kodi addon? Can you provide a link?

LeVraiRoiDHyrule commented 1 year ago

I'm talking about the official kodi add on for jellyfin https://github.com/jellyfin/jellyfin-kodi

9p4 commented 1 year ago

Atm, quick connect is recommended for devices that cannot use SSO login (ie mobile apps without a web browser). This should be fixed in a later JF version (10.9 or something idk).

I'll spin up Kodi and Jellyfin and see how I can get them working together

strazto commented 1 year ago

Is there a way to still have a password that I can input in the addon ?

Yep, I recommend checking out the LDAP auth plugin, as well at the setting for our plugin for setting default Auth provider.

Basically, accounts that already have passwords can continue using password Auth as their primary mechanism, if you configure the plugin to let them.

Where it gets slightly tricky is in the case where you create an account that doesn't already exist via SSO. The account won't be created with a password in jellyfin. The user will manually have to configure their password.

If your IDP server either uses LDAP as a source of truth, or if it exposes an LDAP interface ( Authentik does this ), then accounts that you create via the SSO plugin can be automatically configured to use the LDAP server for password auth.

From the point of view of basically any interface that uses password Auth, LDAP backed password Auth is identical to normal Auth.

@9p4 I reckon this question/use case is common enough to deserve a proper doc/FAQ write up, WDYT?

Also, when it comes to provisioning new accounts, I wonder if there's some way to nudge users to set their password in jellyfin?