zorn-v / nextcloud-social-login

GNU Affero General Public License v3.0

Plex Authentication #217

Closed agundimeda closed 1 week ago

agundimeda commented 3 years ago

Hello,

Not sure if this would be the place to request a feature. Would it be possible to use Plex Authentication? It seemed to me that Plex doesn't use standard OAuth, but I'd like to be able to log in to Nextcloud via Plex.

NowyQuei commented 3 years ago

I am too interested here!!

zorn-v commented 3 years ago

What is Plex?

zorn-v commented 3 years ago

Close then

newb23 commented 1 year ago

> What is Plex?

I would like to re-visit (and re-open?) this conversation and actually give an answer. Plex is a "cable cutter" service allowing users to utilize and share their own media content with chosen others. https://www.plex.tv/

In my particular use-case, I am attempting to "embed" NextCloud into Organizr, and want to use the Plex authentication as a registration/login/SSO agent. (Organizr docs w/r/t Plex SSO: https://docs.organizr.app/features/sso/plex-sso)

Other projects that utilize Plex SSO/OAuth are Ombi (https://github.com/Ombi-app/Ombi) and Overseerr (https://github.com/sct/overseerr).

Edit: As I continue my research, here's some more (hopefully helpful!) info:

- https://forums.plex.tv/t/authenticating-with-plex/609370
- https://github.com/Arcanemagus/plex-api/wiki/Plex.tv
- https://github.com/sct/overseerr/blob/c6a133d4e55312de5212929585b46d4ade19dcf6/server/api/plextv.ts#L145

zorn-v commented 1 year ago

Check v5.1.0

newb23 commented 1 year ago

Progress!

I was able to update and see the new option, but when clicking on the link on the first page I am not prompted to log in in any way. If, however, I preview the page, or open it in another tab, I get prompted from the set appid, and can log in.

Next, after the token is returned, it appears that it's attempting to create a new user regardless of the 'prevent creating an account if the email address exists in another account' option. The account in question already exists, and expected behavior is to simply log in to that account.

Pictures! (screenshots attached: Screenshot_20221112-074635.png, Screenshot_20221112-080125.png)

Thank you for the quick turnaround!

zorn-v commented 1 year ago

> I am not prompted to log in in any way

This seems a plex.tv issue. I got the same behavior several times and some time later it just got "fixed". Probably a Cloudflare misconfig: if you check the "network" tab in the browser there is "cloudflare cache expired" in the response headers, and a redirect from https://app.plex.tv/auth#?params to https://app.plex.tv/auth/ and then to the main page https://www.plex.tv

> and expected behavior is to simply log in to that account

It does not work that way. OAuth is not a trusted source and the app does not "log in via email of existing account" in any way. If you want, you can link an existing account in personal settings.

newb23 commented 1 year ago

> This seems a plex.tv issue. I got the same behavior several times and some time later it just got "fixed". Probably a Cloudflare misconfig: if you check the "network" tab in the browser there is "cloudflare cache expired" in the response headers, and a redirect from https://app.plex.tv/auth#?params to https://app.plex.tv/auth/ and then to the main page https://www.plex.tv

Actually at a computer now, I apologize. The error I am getting in the console is:

```
Mixed Content: The page at 'https://<SNIP>/#NextCloud' was loaded over HTTPS, but requested an insecure resource 'http://app.plex.tv/auth/#?clientID=<SNIP>&code=<SNIP>&forwardUrl=https%3A%2F%2F<SNIP>%2Fnextcloud%2Fapps%2Fsociallogin%2Foauth%2FPlexTv%3Fcode%3D2058103243%26state%3DHA-LAWJ9C1I3G42T7YMZUS6B5OKPQ0RFED8XNHV&context%5Bdevice%5D%5Bproduct%5D=AppId'. This request has been blocked; the content must be served over HTTPS.
```

I suspect this is a calling application/site/config issue, not your plugin, as you clearly call `protected $apiBaseUrl = 'https://plex.tv/api/v2';` in your code; I'll dig into this one deeper. Final thought though, would spawning a new popup/window for the authentication process, then passing the token back to the original, help with this?

Edit: I found your note about the http in the plugin description (config.php), the re-direct/new window appears to be unneeded, I just needed to read more!

As for:

> It does not work that way. OAuth is not a trusted source and the app does not "log in via email of existing account" in any way. If you want, you can link an existing account in personal settings.

My thought was that the flow would be something like:

User authenticates with Plex -> Plex user's email exists in NC -> Log in to NC
or
User authenticates with Plex -> Plex user's email does not exist -> Create a new NC user with the returned token information (email and username in particular) -> Log in to NC

Is this flow not accurate?

Final parting shot, it looks like, after I link the social sign in with my account, it does, in fact, follow the first flow. Making an assumption, I would be willing to think that once the http/https and/or popup/new window issue is resolved, it'll work as I would have expected it to.

I need to dig into your code to try to understand your process vs my expectation, and also look into that above http/https... thing. Thank you again for your hard work!

zorn-v commented 1 year ago

> but requested an insecure resource 'http://app.plex.tv/auth/#?clientID=

Very strange. Method getAuthorizeUrl explicitly returns an https URL: https://github.com/zorn-v/nextcloud-social-login/blob/2ab024486a62ef025ec0e64a72f1a95f5773cebd/3rdparty/custom/Hybridauth/Provider/PlexTv.php#L45

Added: hmmm, in your URL there is a slash after "auth", it seems some redirects occurred. Can you explain your full login flow in detail?

> Is this flow not accurate?

No. Some providers may not have an email at all, some may not require email verification (some user sets the admin's email and ooooops), etc. Moreover, in Nextcloud email is not unique: many users may have the same email.
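zorn-v's point above (a provider email is neither verified nor unique), as an added example that is not code from nextcloud-social-login: a login resolves only through an explicit (provider, uid) link, while matching by email either selects the wrong account or is ambiguous. All users and profiles are constructed sample data.

```python
# Added example (not code from nextcloud-social-login): a social-login identity is
# keyed on (provider, provider_uid), never matched to a local account by e-mail.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class LocalUser:
    uid: str
    email: str                                  # not unique in Nextcloud
    linked: dict = field(default_factory=dict)  # provider -> provider uid

@dataclass
class ProviderProfile:
    provider: str
    uid: str
    email: Optional[str] = None                 # may be missing or unverified

class AmbiguousMatch(Exception):
    """More than one local account carries the provider's e-mail."""

def match_by_email(users, profile):
    """The flow newb23 expected: pick the local account by provider e-mail.
    Returns None for no hit, raises AmbiguousMatch when e-mails collide."""
    if not profile.email:
        return None
    hits = [u for u in users if u.email.lower() == profile.email.lower()]
    if len(hits) > 1:
        raise AmbiguousMatch(profile.email)
    return hits[0] if hits else None

def match_by_link(users, profile):
    """What the app does: only an explicit (provider, uid) link counts."""
    for u in users:
        if u.linked.get(profile.provider) == profile.uid:
            return u
    return None

def resolve_login(users, profile):
    """('login', user) for a linked identity, ('create', None) otherwise;
    the provider e-mail never selects an existing account."""
    user = match_by_link(users, profile)
    return ("login", user) if user else ("create", None)

# Constructed sample data: two users share an e-mail, one has linked PlexTv.
USERS = [LocalUser("admin", "admin@example.com"),
         LocalUser("dave", "dave@example.com"),
         LocalUser("eve", "dave@example.com"),
         LocalUser("carol", "carol@example.com", {"PlexTv": "plex-uid-1"})]
SPOOF = ProviderProfile("PlexTv", "plex-uid-1", "ADMIN@example.com")  # unverified e-mail
DUPE = ProviderProfile("PlexTv", "plex-uid-2", "dave@example.com")
```

With `SPOOF`, e-mail matching hands out the admin account while the link lookup correctly yields carol; with `DUPE`, e-mail matching cannot even decide between dave and eve.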

newb23 commented 1 year ago

Fair enough! With that said, from my perspective, I would consider this capability implemented and closed!


zorn-v commented 1 year ago

Added: hmmm, in your URL there is a slash after "auth", it seems some redirects occurred. Can you explain your full login flow in detail?

newb23 commented 1 year ago

> Added: hmmm, in your URL there is a slash after "auth", it seems some redirects occurred. Can you explain your full login flow in detail?

I had a user report that this was still happening for them, so, interesting!

Login flow is: User logs into my site (plex authentication - provided through organizr) -> user selects the nextcloud tab in organizr -> user is prompted with the NC login page -> user clicks the Log in with PlexTv button -> error.

Workaround is: user right clicks the button and opens it in a new tab, is able to authenticate, then uses said tab to continue on to the NC content.

Edit: I do have `'overwriteprotocol' => 'https',` in my config.php file.

zorn-v commented 1 year ago

Can I try to click that button on your site? Maybe some iframe-related things.

joe-eklund commented 1 year ago

I just attempted to implement this in an identical way to @newb23 (Nextcloud iFramed in Organizr with Plex as the Social Auth Plugin provider). I'm also using Traefik 2 as my reverse proxy, but I don't think that is affecting my problem.

I am running into identical issues.

1. @newb23, did you ever find a good workaround for not having to have each user go associate their account with the Plex account?

2. And what about the iframe http issue? I am also getting that and it requires me to either access Nextcloud outside of Organizr or right click and open it in a new tab to authenticate. I looked at my Chrome network traffic and see that the Plex.tv login button on my Nextcloud instance first goes to:

   - https://nextcloud.domain.tld/index.php/apps/sociallogin/oauth/PlexTv then it loads,
   - http://app.plex.tv/auth, which then redirects to
   - https://app.plex.tv/auth/

So the issue seems to be coming directly from Plex authentication servers? And upon investigating the initiator chain, this seems to confirm. Looks like something Plex devs would need to fix.

[Screenshot: Screen Shot 2023-04-12 at 5 47 52 PM]

One potential fix for this is to perform the authentication how Organizr does it. When you click on Login with Plex, it opens a small popup window on top of your current one, you perform the login, and then that window autocloses and it continues with the authentication. That would get around the mixed content I think since it wouldn't be iframed for the actual auth part.

zorn-v commented 1 year ago

I thought about "popup style" auth, but no. I just cannot debug it, coz I do not use it.