Closed C0D3D3V closed 3 months ago
Hi, I just tested the plugin's latest version 1.0.14.0 against 10.9.9 and it works as intended.
It seems that this is caused by misconfiguration, please check the content of this field in the config, it should contain a domain that would be allowed by the authelia access control rule (it doesn't need to be a real registered domain that leads to your Jellyfin instance btw, it just needs to be a string that is matched by authelia)
Ok thank you, that's what I wanted to know :D I updated from 10.8.13 and installed the plugin fresh (removed the old plugin folder). On 10.8.13 it worked. But since authelia logs successful authentications from jellyfin I thought the plugin might be broken.
I will try again.
Still does not work. I even tried to delete the users from jellyfin that authenticate via authelia.
Jellyfin Log looks like this:
jellyfin | [11:55:11] [INF] [38] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:14] [INF] [79] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:14] [INF] [21] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:14] [INF] [38] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:14] [INF] [3] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:14] [INF] [38] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:14] [INF] [3] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:16] [INF] [3] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:17] [INF] [21] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for c0d3d3v has been denied (IP: 10.32.0.35).
jellyfin | [11:55:17] [ERR] [21] Jellyfin.Api.Middleware.ExceptionMiddleware: Error processing request: Invalid username or password entered. URL POST /Users/authenticatebyname.
jellyfin | [11:55:19] [INF] [3] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:19] [INF] [21] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:19] [INF] [79] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:19] [INF] [21] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:19] [INF] [3] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:19] [INF] [79] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:21] [INF] [21] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:24] [INF] [21] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:24] [INF] [79] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:24] [INF] [79] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:24] [INF] [38] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:24] [INF] [21] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:24] [INF] [3] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:26] [INF] [3] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:29] [INF] [3] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:29] [INF] [21] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:29] [INF] [38] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:29] [INF] [3] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:29] [INF] [38] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:29] [INF] [3] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
jellyfin | [11:55:31] [INF] [38] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged.
The message "Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: CustomAuthentication was challenged." is repeating a lot after I try to authenticate (I guess non-stop) until I successfully authenticate using an internal jellyfin account.
Authelia:
authelia | time="2024-08-08T11:55:16+02:00" level=debug msg="Mark 1FA authentication attempt made by user 'c0d3d3v'" method=POST path=/api/firstfactor remote_ip=10.32.0.27
authelia | time="2024-08-08T11:55:16+02:00" level=debug msg="Successful 1FA authentication attempt made by user 'c0d3d3v'" method=POST path=/api/firstfactor remote_ip=10.32.0.27
authelia | time="2024-08-08T11:55:16+02:00" level=debug msg="Check authorization of subject username=c0d3d3v groups=everybody,request-pirate ip=10.32.0.27 and object https://stream.my.domain (method GET)."
authelia | time="2024-08-08T11:55:16+02:00" level=debug msg="Required level for the URL https://stream.my.domain is one_factor" method=POST path=/api/firstfactor remote_ip=10.32.0.27
authelia | time="2024-08-08T11:55:16+02:00" level=debug msg="Redirection URL https://stream.my.domain is safe" method=POST path=/api/firstfactor remote_ip=10.32.0.27
I just think it's strange because it worked before the update. :/
Can you share your config of the plugin (please mask the domain names but keep protocol/ports)?
Also what is your version of authelia?
I now updated authelia to v4.38.10. It still does not work.
My authelia rules start with:
rules:
  - domain: 'stream.my.domain'
    policy: 'one_factor'
Authelia-Auth.xml:
<?xml version="1.0" encoding="utf-8"?>
<PluginConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <AutheliaServer>https://auth.my.domain</AutheliaServer>
  <AutheliaRootCa />
  <AutheliaAdminGroup />
  <CreateUserIfNotExists>true</CreateUserIfNotExists>
  <JellyfinUrl>https://stream.my.domain</JellyfinUrl>
</PluginConfiguration>
And jellyfin also uses authelia as you can see in the log above. But jellyfin logs it as "Authentication request for c0d3d3v has been denied".
I now activated trace logs on authelia. That gave me a hint:
level=trace msg="Replied (status=404)" caller="github.com/authelia/authelia/v4/internal/middlewares/log_request.go:16 handleRouter.LogRequest.func40" method=GET path=/api/verify remote_ip=10.32.0.27
/api/verify is no longer a valid endpoint of authelia. So maybe I should redirect /api/verify to api/authz/forward-auth using traefik.
See https://www.authelia.com/blog/4.38-release-notes/#changes-customizable-authorization-endpoints
I will try this.
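The correlation done by hand above (Jellyfin denies the login, Authelia reports a successful 1FA, and a trace line shows a 404 reply), written as a small triage script. This is an added example, not part of the original thread or the plugin's code; the sample lines are copied from the logs quoted in this issue, and the function names are hypothetical.

```python
import re

# Sample lines copied from the logs quoted in this thread.
SAMPLE = [
    "jellyfin | [11:55:17] [INF] [21] Jellyfin.Server.Implementations.Users.UserManager: "
    "Authentication request for c0d3d3v has been denied (IP: 10.32.0.35).",
    'authelia | time="2024-08-08T11:55:16+02:00" level=debug '
    'msg="Successful 1FA authentication attempt made by user \'c0d3d3v\'" '
    "method=POST path=/api/firstfactor remote_ip=10.32.0.27",
    'level=trace msg="Replied (status=404)" caller="github.com/authelia/authelia/v4/'
    'internal/middlewares/log_request.go:16 handleRouter.LogRequest.func40" '
    "method=GET path=/api/verify remote_ip=10.32.0.27",
]

LOGFMT = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
DENIED = re.compile(r"Authentication request for (\S+) has been denied")
SUCCESS = re.compile(r"Successful 1FA authentication attempt made by user '([^']+)'")
STATUS = re.compile(r"Replied \(status=(\d+)\)")


def parse_logfmt(line):
    """Return the key=value fields of one Authelia log line (quotes stripped)."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in LOGFMT.findall(line)}


def triage(lines):
    """Correlate Jellyfin denials with Authelia successes and 404 replies."""
    denied, accepted, missing = set(), set(), set()
    for line in lines:
        if m := DENIED.search(line):  # Jellyfin side: login rejected
            denied.add(m.group(1))
            continue
        fields = parse_logfmt(line)
        msg = fields.get("msg", "")
        if m := SUCCESS.search(msg):  # Authelia side: credentials accepted
            accepted.add(m.group(1))
        elif (m := STATUS.search(msg)) and m.group(1) == "404":
            missing.add((fields.get("method", "?"), fields.get("path", "?")))
    return {
        # Users Authelia accepted but Jellyfin still rejected.
        "mismatch": sorted(denied & accepted),
        # Requests Authelia answered with 404, i.e. an endpoint it does not serve.
        "missing_endpoints": sorted(missing),
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A non-empty `mismatch` together with a 404 on an authorization path points at the endpoint configuration rather than at the user's credentials.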
Adding these labels to my authelia docker compose file solved the problem:
traefik.http.routers.authelia-secure.middlewares: redirect-verify
traefik.http.middlewares.redirect-verify.replacepathregex.regex: '^/api/verify(.*)'
traefik.http.middlewares.redirect-verify.replacepathregex.replacement: '/api/authz/forward-auth$1'
That's extremely weird, as I'm testing it in fresh containers with jellyfin/jellyfin:10.9.9 and authelia/authelia:4.38.10 and it works for me :(
Anyway I'll migrate it to the new api on the weekend, maybe it will help.
Maybe there is a way to keep the /api/verify endpoint functioning. That's maybe why it works for you. For me it no longer works :/
It's great though that your hack works, I'll migrate to the new API and it should fix the problem :+1:
@C0D3D3V Hey, I've just released a new version of the plugin which uses authz API instead of the legacy endpoint. Please check it works for you with redirects disabled :pray:
https://github.com/nikarh/jellyfin-plugin-authelia/pull/69/files
Yes it works. But I had to enable the /api/authz/auth-request endpoint like this:
authz:
  forward-auth: # I have this turned on for traefik
    implementation: 'ForwardAuth'
    # authn_strategies: []
  # ext-authz:
  #   implementation: 'ExtAuthz'
  #   authn_strategies: []
  auth-request:
    implementation: 'AuthRequest'
    # authn_strategies: []
Maybe if you turn on the legacy authz maybe the /api/verify endpoint works.
Would be great if you somehow mention in the Readme that you need to activate the auth-request endpoint.
I also had to activate the auth-request endpoints to get this working. Might be worth noting in the docs.
Hey, did your authelia config contain the server.endpoints section before you enabled auth-request?
Authelia doc is unfortunately not descriptive enough to understand how these settings behave. From the source code (defaults and config parsing), it seems that if there's no such section in the config at all, the endpoint is enabled by default.
Interesting. I had Forward Auth active for another reason so that would make sense
I have not tested it with older versions.
But authentication on Authelia is successful.