YunoHost-Apps / jellyfin_ynh

Jellyfin package for YunoHost
https://jellyfin.org/
GNU General Public License v3.0

Support SSO #123

Closed MayeulC closed 1 month ago

MayeulC commented 1 year ago

I'm not sure how doable this is, but there is a plugin that might work to an extent:

https://github.com/9p4/jellyfin-plugin-sso/

It's probably not 100% ready (especially with apps), but worth keeping an eye on this.

Feature request: https://features.jellyfin.org/posts/230/support-for-oidc

Salamandar commented 1 year ago

SSO and OpenID are two very different things.

SSO should be supported by Jellyfin on Yunohost via the pre-installed LDAP plugin (I guess this one https://jellyfin.org/docs/general/server/plugins/#ldap). What that means is that you can connect with your yunohost credentials on Jellyfin.

The OpenID Connect though… It seems more tricky. The first step would be that Yunohost provides what's required for OpenID.

Nitpick: the issue should be named "Support OpenID Connect SSOs besides LDAP".

MayeulC commented 1 year ago

Well, I was thinking of the Single Sign On portal provided by Yunohost... I had always assumed it was OpenID Connect or SAML.

Of course, I would still prefer to log in through that, but the architecture is completely different from the one I thought, and I need to read a bit more about it... I'm not sure if this feature request is easily doable, then.

The idea being that password managers only need to remember a single website, which could go on to implement 2FA, etc. Less confusing for users too :)

Salamandar commented 1 year ago

Ah, yes, I see what you mean, I made a mistake myself. It's not SSO, but more like centralized authentication. Being authenticated in Yunohost does not make you authenticated in Jellyfin automagically. You just have the same credentials.

Yunohost provides some kind of SSO via an HTTP header though. Maybe this could be used by Jellyfin.

selfhoster1312 commented 1 year ago

> Yunohost provides some kind of SSO via an HTTP header though. Maybe this could be used by Jellyfin.

Requested for a long time, never implemented. I tried to do it myself last year but I don't know a lot of C# and Jellyfin's authorization system is so complex, full of API keys and tokens for all endpoints (not binary user authorization/deny like an HTTP header does)... I could not do it.

tituspijean commented 1 month ago

Let's close for the time being, feel free to reopen if the situation evolves upstream.