Closed enticedwanderer closed 5 months ago
I was trying this a while ago, and it is unlikely to come about in the desktop app as there are a few annoying requirements:
This can be bypassed in the browser (just host Feishin on the same domain on a subpath) without any extra work.
All in all, while I was able to get it (sort of) to work, I cannot endorse this as a practical solution. Unfortunately for the desktop it'll have to wait for #419.
If you have questions about how to set up the web version in the meantime to work with reverse proxy authentication, feel free to add on here, but otherwise I'll probably close this issue.
Oh, I thought Feishin already supported Subsonic directly. I didn't realize you were using direct Navidrome APIs. In that case yeah, I'll just wait until #419 is ready. Thanks! Yeah I agree it's likely not worth going through the hoops you mentioned above.
Yeah, it's a pain point for me as well (I can't use the desktop app on my work device), but I know that to properly support Subsonic in the current scheme would require more rework (that I'm personally not comfortable taking over). If you like the webapp I would still suggest giving it a shot. I appreciate the understanding.
Expected Behavior
Feishin can login/connect to a Navidrome instance that is OIDC protected.
Current Behavior
Feishin currently is unable to log in at all to an OIDC-protected Navidrome (sitting behind Traefik/Authentik). Sonixd on the other hand works fine with the same setup. This is similar to #16 except this deals with the OAuth/OIDC delegation which makes it slightly worse.
From the logs in the web console, Feishin will issue 2 requests:
https://navidrome.home.lan/auth/login. This is protected by the OIDC layer and gets bounced to Authentik.
Calls from Feishin in web console:
Logs from navidrome container:
Navidrome expects url params u=username and t=jwttoken or p=password on its subsonic API calls. My guess is that unlike Sonixd, Feishin tries to call the auth/login entrypoint to get the jwt token instead of using the password directly. If so, it doesn't conform to what Navidrome expects when delegating auth to a BasicAuth or OAuth/OIDC 3rd party provider.
Steps to Reproduce
rest/* endpoints for direct auth bypassing OIDC.
Possible Solution (Not obligatory)
Simplest solution would be to remove the need to fetch a jwt token and use the password directly as a URL param, or make it optional/configurable through a flag.
Another potential workaround would be to allow auth/login endpoint in navidrome to be bypassed in OIDC but then other clients may break and a user might get presented with a native login screen from navidrome.
Context
Trying to migrate from Sonixd to Feishin. Blocker since it can't even connect.
Your Environment
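The routing split this issue describes (everything behind the OIDC layer, rest/* reaching Navidrome directly), sketched as a Traefik dynamic configuration. This is an added example, not configuration taken from the issue or from either project. The router, middleware and service names, the authentik-server and navidrome hostnames and the ports are assumptions; only navidrome.home.lan, /auth/login and rest/* come from the issue.

```yaml
# Added illustration: Traefik file-provider (dynamic) configuration.
# All names, hostnames and ports below are assumed, not from the issue.
http:
  middlewares:
    authentik-forward-auth:          # assumed middleware name
      forwardAuth:
        # Authentik's Traefik forward-auth endpoint; host and port assumed
        address: "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username

  routers:
    # Web UI and native API, including /auth/login: every request is
    # checked by the OIDC layer first. A client that POSTs to /auth/login
    # without an Authentik session is redirected instead of reaching Navidrome.
    navidrome-protected:
      rule: "Host(`navidrome.home.lan`)"
      middlewares:
        - authentik-forward-auth
      service: navidrome
      priority: 10

    # Subsonic API: no forward-auth middleware, so u=/t=/p= requests reach
    # Navidrome directly. These endpoints are then guarded only by
    # Navidrome's own credential check, not by OIDC or its MFA policy.
    navidrome-subsonic-bypass:
      rule: "Host(`navidrome.home.lan`) && PathPrefix(`/rest/`)"
      service: navidrome
      priority: 20                   # must win over the catch-all router

  services:
    navidrome:
      loadBalancer:
        servers:
          - url: "http://navidrome:4533"   # assumed container name and port
```

With this split, anything sent as a URL parameter on /rest/ also appears in the proxy's access log, so those logs need the same handling as credentials.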