Fallenbagel / jellyseerr

Fork of overseerr for jellyfin support.
https://docs.jellyseerr.dev/
MIT License

[Feature Request] Support login with OIDC #183

Open michaelhthomas opened 2 years ago

michaelhthomas commented 2 years ago

Description

Authentication providers like Authelia, Auth0, Authentik, Keycloak, etc. make managing user permissions across selfhosted services much easier.

Desired Behavior

I would like to be able to configure a custom OIDC provider for logins, and have this option appear on the Jellyseer login page. This PR from Overseerr implements support for generic OIDC login. Since OIDC is already supported for Plex SSO, supporting other external authentication services is fairly straightforward.

Additional Context

Here is a screencast from the linked Overseerr PR showing what this feature would look like when implemented.

https://cln.sh/wGbPIdYUKas2QId0cqxw


michaelhthomas commented 2 years ago

I'd be happy to try my hand at re-implementing this for Jellyseerr, so long as all are onboard.

Fallenbagel commented 2 years ago

> I'd be happy to try my hand at re-implementing this for Jellyseerr, so long as all are onboard.

Any help would be much appreciated c:

michaelhthomas commented 2 years ago

@Fallenbagel Would you say it's alright to go ahead and remove the Plex OAuth login stuff in here as well? It's intertwined with the authentication logic a little more than I'd like.

Fallenbagel commented 2 years ago

> @Fallenbagel Would you say it's alright to go ahead and remove the Plex OAuth login stuff in here as well? It's intertwined with the authentication logic a little more than I'd like.

If the Plex OAuth is removed, wouldn't that remove support for Plex?

michaelhthomas commented 2 years ago

Login with Plex, yes. If the goal is to keep that support in place, then I can definitely leave it. I could also see if it's possible to just detangle the Plex login a bit so that it's isolated like the rest of the auth providers.

Fallenbagel commented 2 years ago

> Login with Plex, yes. If the goal is to keep that support in place, then I can definitely leave it. I could also see if it's possible to just detangle the Plex login a bit so that it's isolated like the rest of the auth providers.

Yeah, the goal is for Plex to be supported as well.

michaelhthomas commented 2 years ago

Got it. I'll try separating Plex login into its own component so all the login logic isn't on the main Login component.

ados8 commented 1 year ago

Testing with Authentik and it fails the OIDC login due to exceeded threshold.

Jellyseerr presents an error to sign in.

My config is as follows:
OIDC Issuer URL: https://auth.domain.com/application/o/jellyseerr/
OIDC Provider Name: Authentik
OIDC Client ID: generated ID from Authentik

kurokay commented 1 year ago

It would be an awesome feature to add!

largelyinept commented 1 year ago

Definitely +1 to the interest here! I use Authentik and would love to more easily and granularly secure my *rr stack

Fallenbagel commented 1 year ago

> Definitely +1 to the interest here! I use Authentik and would love to more easily and granularly secure my *rr stack

Could you test out the :preview-184 tag? Make sure to not test on your production server.

largelyinept commented 1 year ago

Thanks @Fallenbagel! I tested a setup with Authentik and it's worked great! Only thing to note is the OIDC-authenticated user is shown as type 'local', and the email (rather than username) is used as display name (not sure if this is easy to change; I don't really mind all that much).

Sapd commented 1 year ago

So I have :preview-184 running with only SSO login since mid-December without any problems. (Also with Authentik.)

fistwho commented 11 months ago

I would like some help, please. I wanted to test SSO with Authentik and pulled the :develop docker image. But where exactly can I configure OIDC SSO? I can't find anything in the settings. Or is this feature only available in the :preview-pr184 docker image?

Thanks in advance

Fallenbagel commented 11 months ago

Only available in :preview-184.

fistwho commented 11 months ago

Thank you. I tested it with Authentik and it works like a charm. I hope we can get it in a stable release soon.

muppie commented 11 months ago

What return_uri did you use? I cannot get it to work.

fistwho commented 11 months ago

> What return_uri did you use? I cannot get it to work

In Authentik I use: https://jellyseerr.yourdomain.com/login/oidc/callback

Fallenbagel commented 10 months ago

> Hey everyone! I'm not super familiar with the tags on Github. Will this be available in the normal release branch or is it still just available in :preview-184?

It's now available in :preview-OIDC, as indicated in my previous comment.

EDIT: Oh wait this is not the PR. Here. https://github.com/Fallenbagel/jellyseerr/pull/184#issuecomment-1800121937

thimplicity commented 9 months ago

> What return_uri did you use? I cannot get it to work

> In authentik i use: https://jellyseerr.yourdomain.com/login/oidc/callback

When using this (and every other one so far) I get "The request fails due to a missing, invalid, or mismatching redirection URI (redirect_uri)."

Any ideas?

M-Davies commented 9 months ago

> What return_uri did you use? I cannot get it to work

> In authentik i use: https://jellyseerr.yourdomain.com/login/oidc/callback

> When using this (and every other one so far) I get "The request fails due to a missing, invalid, or mismatching redirection URI (redirect_uri)."

> Any ideas?

Had a similar issue with the Jellyfin SSO plugin: https://github.com/9p4/jellyfin-plugin-sso/discussions/154

Apparently disabling endpoint verification can help on the Jellyfin side, but it's probably not recommended that it's enabled in actual production environments.

bobobado commented 9 months ago

First off, thank you so much for your work on this. It is extremely appreciated as I transition from Plex and Overseerr to Jellyfin and Jellyseerr! Would it be possible to implement a redirect to the Authentik page? For example, with Audiobookshelf you can set "Auto Launch", so if a user accesses the Audiobookshelf URL, it redirects to the OIDC provider's page instead. Once authenticated, the user is then redirected to Audiobookshelf. Happy to help test if this is doable!

Fallenbagel commented 9 months ago

Can't you already achieve that using a reverse proxy and Authentik? I remember doing exactly that for Sonarr and Radarr when I set up Authentik.

I think they even have it documented in their docs how to achieve that.

Though they'll have two login pages then: one to authenticate to get the login page of Jellyseerr, then the login page of Jellyseerr.

Isn't the OIDC login through Jellyseerr better, so it'd work better with PWAs too? Otherwise your users will get redirected out of the PWA app.

bobobado commented 9 months ago

The two login pages is what I'm trying to avoid. By using the "Auto Launch" feature in Audiobookshelf, users authenticate once and are immediately taken into the service. This is what I was hoping for.

Fallenbagel commented 9 months ago

> The two login pages is what I'm trying to avoid. By using the "Auto Launch" feature in Audiobookshelf, users authenticate once and are immediately taken into the service. This is what I was hoping for

The integrated solution is better though. Why have it redirect to the Authentik page to authenticate when it can just do a callback and authenticate with Authentik in Jellyseerr itself? Like how Jellyfin authentication is done. Like how the preview build of the OIDC PR has already implemented, and is being used by many people. I still don't understand why that's not a better option.

bobobado commented 9 months ago

I totally get what you're saying, and maybe I'm misunderstanding how to accomplish this with the tools currently available, but my goal is a single authentication page for several services. By going to the Authentik embedded outpost, a user can authenticate and immediately launch the Audiobookshelf service without having to authenticate again. The way I understand it now, if a user were to log in to the embedded outpost and then select the Jellyseerr application, they will have to log in again or, at the very least, click the OIDC button on the Jellyseerr page. Please enlighten me if I'm missing something. This might just be personal preference.

Fallenbagel commented 9 months ago

Doesn't the current OIDC work like you click the OIDC button and it logs you in?

bobobado commented 9 months ago

Yes, if the user has authenticated with Authentik in another window previously.

Fallenbagel commented 9 months ago

So what's the issue then? 🤔

bobobado commented 9 months ago

I wouldn't call it an issue. If the user authenticates with Authentik and then goes to Jellyseerr and clicks the OIDC button, it logs them in to Jellyseerr. One additional click isn't a huge deal; I just liked the simplicity of launching the app from the embedded outpost and immediately being taken to the application. Again, this might just be a personal preference I have. I appreciate your work on this greatly and your willingness to discuss.

Fallenbagel commented 9 months ago

> I wouldn't call it an issue. If the user authenticates with Authentik and then goes to jellyseer and clicks the OIDC button, it logs them in to jellyseer. One additional click isn't a huge deal, I just liked the simplicity of launching the app from the embedded outpost and immediately being taken to the application. Again, this might just be a personal preference I have. I appreciate your work on this greatly and your willingness to discuss.

What happens if the user didn't authenticate, then pressed the OIDC button? Does that open an Authentik window to authenticate?

bobobado commented 9 months ago

Yes. That works perfectly.

Fallenbagel commented 9 months ago

> Yes. That works perfectly

Thanks for clarifying. I haven't tested or reviewed that PR yet 😅

bobobado commented 9 months ago

Once I knew what to do in Authentik, it was a breeze. Thank you so much again for implementing this in the first place!

Fallenbagel commented 9 months ago

> Once I knew what to do in Authentik, it was a breeze. Thank you so much again for implementing this in the first place!

Thanks goes to @michaelhthomas c:

SadRobot11 commented 9 months ago

Can someone kindly explain to me, how can I access this feature? Is this not part of the :latest release yet?

Fallenbagel commented 9 months ago

> Can someone kindly explain to me, how can I access this feature? Is this not part of the :latest release yet?

You need to use the tag :preview-OIDC.

SadRobot11 commented 9 months ago

I am trying to set this up with Authelia, and I get this error:

"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The 'redirect_uri' parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls."

What kind of redirect URIs should I set up in the Authelia config for Jellyseerr?

Fallenbagel commented 9 months ago

> I am trying to set this up with Authelia, and I get this error
>
> The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The 'redirect_uri' parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls.
>
> What kind of redirect uris should I set up in Authelia config for jellyseerr?

You should ask this in #184.

BartvanLaar commented 7 months ago

This does not seem to work on the RPi 5, as I get an "Exec format error" when using the :preview-OIDC tag.

I would've loved to try and test this though.

Fallenbagel commented 7 months ago

> This does not seem to work on the RPI 5 as i get an Exec format error when using the :preview-OIDC tag.
>
> I would've loved to try and test this though.

Because the preview tag doesn't build for ARM. You could build a preview tag on the Pi itself, or cross-build too.

Or even run natively after checking out this PR.

BartvanLaar commented 7 months ago

> This does not seem to work on the RPI 5 as i get an Exec format error when using the :preview-OIDC tag. I would've loved to try and test this though.

> Because the preview tag doesn't build for arm. You could build a preview tag on the pi itself or cross build too
>
> Or even run natively after checking out to this pr

When I try to do this, on both Windows and the Raspberry Pi 5, I get the following error (both on dev and PR branches).

Is this something I should follow a readme for, or should this have worked from the get-go?

edit: after cleaning everything and following the readme, it's currently building main. I'll try the PR branch afterwards.

edit:edit: after switching to the PR, the build still fails.

After some googling, running 'yarn install url' fixed my issues.

marouamghar commented 6 months ago

FYI, it's failing to auth with the latest versions of Authelia (master branch, or the latest tag for the 4.38 beta), because of these two errors: "request.cookies should have required property 'oidc-state'" and "cookie 'connect.sid' required".
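Two of the failures reported in this thread (the "mismatching redirection URI (redirect_uri)" error from the provider, and the missing 'oidc-state' cookie error on the Jellyseerr side) come down to two checks every OIDC relying party makes. The following is an added example that is not Jellyseerr's code and not the PR under discussion; the function names, the hashed-state cookie scheme and the `authorize` endpoint path are assumptions, with the real endpoint coming from the provider's discovery document.

```typescript
// Added illustration, not Jellyseerr's implementation. Names are hypothetical.
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Provider side: the redirect_uri in the request must match a registered URI
// exactly (scheme, host, port, path, trailing slash). That exact match is why
// "https://jellyseerr.yourdomain.com/login/oidc/callback" has to be entered
// verbatim in Authentik or Authelia, and why loosening the check is not a fix.
export function redirectUriAllowed(registered: string[], requested: string): boolean {
  return registered.includes(requested);
}

export interface LoginStart { state: string; cookieValue: string; authorizeUrl: string }

// Relying party side, login start: mint a random state, keep a hash of it in a
// cookie (the thread's "oidc-state" cookie) and send the state to the provider.
export function startLogin(issuer: string, clientId: string, redirectUri: string): LoginStart {
  const state = randomBytes(16).toString("hex");
  const cookieValue = createHash("sha256").update(state).digest("hex");
  const url = new URL("authorize", issuer); // placeholder path; use the discovery document
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("state", state);
  return { state, cookieValue, authorizeUrl: url.toString() };
}

export type CallbackResult = "ok" | "missing_cookie" | "state_mismatch";

// Callback: refuse the code unless the state echoed back by the provider matches
// the cookie set at login start. A browser that does not send the cookie (for
// example a cross-site request, or a cookie marked Secure on a plain-HTTP
// deployment) produces the "required property 'oidc-state'" failure seen above.
export function checkCallback(
  cookies: Record<string, string | undefined>,
  returnedState: string
): CallbackResult {
  const cookie = cookies["oidc-state"];
  if (!cookie) return "missing_cookie";
  const expected = createHash("sha256").update(returnedState).digest("hex");
  if (expected.length !== cookie.length) return "state_mismatch";
  return timingSafeEqual(Buffer.from(expected), Buffer.from(cookie)) ? "ok" : "state_mismatch";
}
```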

j007bond007 commented 6 months ago

When will this be part of the stable/main release? This is the one feature holding me back from migrating from Ombi. Thank you!

keesfluitman commented 5 months ago

> When will this be part of the stable/main release? This is the one feature holding me back from migrating from Ombi. Thankyou!

I can't get Ombi header auth working either with Authentik... how did you get that to work? It just refuses to authenticate using a header. Thanks for this preview. I'll test it.

nebb00 commented 2 months ago

I also very much want this. If it's possible, please give an idea on a timeline.