
Comments (13)

TheRealGramdalf commented on August 28, 2024

It does technically work, but full support via the issue with IdentityModel is a must for me due to origin checks. In any case, many thanks for the awesome plugin either way!

from jellyfin-plugin-sso.

TheRealGramdalf commented on August 28, 2024

Please check if commit d51e506 fixes this issue. You can use the nightly release of the plugin (0.0.0.0).

With the following configuration:

<?xml version="1.0" encoding="utf-8"?>
<PluginConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <SamlConfigs />
  <OidConfigs>
    <item>
      <key>
        <string>kanidm</string>
      </key>
      <value>
        <PluginConfiguration>
          <OidEndpoint>https://auth.domain.tld/oauth2/openid/jellyfin-aer_rs</OidEndpoint>
          <OidClientId>jellyfin-aer_rs</OidClientId>
          <OidSecret>...</OidSecret>
          <Enabled>true</Enabled>
          <EnableAuthorization>false</EnableAuthorization>
          <EnableAllFolders>false</EnableAllFolders>
          <EnabledFolders />
          <AdminRoles />
          <Roles />
          <EnableFolderRoles>false</EnableFolderRoles>
          <EnableLiveTvRoles>false</EnableLiveTvRoles>
          <EnableLiveTv>false</EnableLiveTv>
          <EnableLiveTvManagement>false</EnableLiveTvManagement>
          <LiveTvRoles />
          <LiveTvManagementRoles />
          <FolderRoleMappings />
          <RoleClaim />
          <OidScopes />
          <NewPath>false</NewPath>
          <CanonicalLinks>...</CanonicalLinks>
          <DisableHttps>false</DisableHttps>
          <DoNotValidateEndpoints>false</DoNotValidateEndpoints>
          <DoNotValidateIssuerName>false</DoNotValidateIssuerName>
        </PluginConfiguration>
      </value>
    </item>
  </OidConfigs>
</PluginConfiguration>

And the nightly plugin version as of Feb 20, 2024, everything seems to work fine. I'll mark everything as done, so feel free to close this when it can make it into a release.


9p4 commented on August 28, 2024

v3.5.2.3 is released with the changes.


josephdecock commented on August 28, 2024

If anyone in this thread wants to take a look, we released a preview of the next version of IdentityModel today that includes an updated error message that shows both the endpoint and allowed base addresses.


9p4 commented on August 28, 2024

As both tasks are complete, can this issue be closed?


TheRealGramdalf commented on August 28, 2024

The latter hasn't made it into a client tool release yet, so I can't actually test the custom claims as of yet. It should be fine as long as jellyfin-sso supports custom claims represented as a JSON array, ssv, or csv: docs

I would still like a little more insight on the former if possible - it's labeled as insecure in the settings, so I'd like to know the reason behind it so I can make an informed decision.


TheRealGramdalf commented on August 28, 2024

One other thing that I forgot was how it requests claims - ideally the group scope shouldn't be required for login (which I believe is the case currently) - I believe the "correct" implementation is to request it as an additional scope after initial authentication has occurred and set groups/roles according to the claims therein.
As it stands right now (iirc), the group scope is required for the user to log in to their account, and if not present, the user is unable to log in, period - even if they have manually defined groups or otherwise.

Hopefully I can give a more concrete example once the client tools are updated and I can actually test things out.


lf- commented on August 28, 2024

The latter hasn't made it into a client tool release yet, so I can't actually test the custom claims as of yet. It should be fine as long as jellyfin-sso supports custom claims represented as a JSON array, ssv, or csv: docs

I would still like a little more insight on the former if possible - it's labeled as insecure in the settings, so I'd like to know the reason behind it so I can make an informed decision.

It does!

[image]

Set up kanidm with:

kanidm system oauth2 update-claim-map jellyfin_oauth groups jellyfin_admin admin

I haven't granted the group scope so this shouldn't be necessary.

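As an added example (not code from jellyfin-plugin-sso or from Kanidm), the following Python sketches how a relying party can handle the role claim in the way the two comments above discuss: it accepts the claim as a JSON array, a space-separated (ssv) string or a comma-separated (csv) string, and it treats a missing claim as "no roles" rather than as a login failure. The token claim sets, the claim name `groups` and the role value `admin` are constructed to match the Kanidm claim map command above; the `map_roles` policy function and its parameters are illustrative and are not the plugin's API.

```python
"""Role-claim normalisation and mapping for an OIDC relying party.

Added example, not the plugin's code. Shows the three claim encodings
(JSON array, ssv, csv) collapsing to one list, and a mapping policy in
which an absent role claim does not block login.
"""
import json
from typing import Optional


def claim_values(claim) -> list[str]:
    """Normalise a claim to a list of strings.

    Accepts an already-parsed JSON array, a JSON array serialised as a
    string, a comma-separated string, a space-separated string, or a
    single scalar. None (claim not present) yields an empty list.
    """
    if claim is None:
        return []
    if isinstance(claim, list):
        return [str(v) for v in claim]
    if isinstance(claim, str):
        text = claim.strip()
        if text.startswith("["):
            try:
                parsed = json.loads(text)
            except ValueError:
                parsed = None
            if isinstance(parsed, list):
                return [str(v) for v in parsed]
        if "," in text:
            return [part.strip() for part in text.split(",") if part.strip()]
        return text.split()
    return [str(claim)]


def map_roles(
    claims: dict,
    role_claim: str = "groups",
    admin_roles: tuple[str, ...] = ("admin",),
    required_roles: tuple[str, ...] = (),
) -> Optional[dict]:
    """Decide access from ID-token claims (illustrative policy).

    Returns None when required_roles is non-empty and the user holds none
    of them. Otherwise returns the mapped result; a missing or empty role
    claim yields a non-admin login rather than a rejection, so the group
    scope is not needed just to sign in.
    """
    roles = claim_values(claims.get(role_claim))
    if required_roles and not any(r in required_roles for r in roles):
        return None
    return {
        "sub": claims.get("sub"),
        "roles": roles,
        "admin": any(r in admin_roles for r in roles),
    }


# Constructed ID-token claim sets: the same user as emitted under each of
# the three join strategies, plus a user whose claim map produced nothing.
SAMPLE_TOKENS = {
    "array": {"sub": "alice", "groups": ["admin", "user"]},
    "json_string": {"sub": "alice", "groups": '["admin", "user"]'},
    "ssv": {"sub": "alice", "groups": "admin user"},
    "csv": {"sub": "alice", "groups": "admin,user"},
    "no_claim": {"sub": "bob"},
}


if __name__ == "__main__":
    for name, token in SAMPLE_TOKENS.items():
        print(f"{name:>12}: {map_roles(token)}")
    print("bob with a required role:", map_roles(SAMPLE_TOKENS["no_claim"], required_roles=("user",)))
```

Run as a script to see all four encodings of alice's claim map to the same admin result and bob log in without admin rights; only when `required_roles` is set does a user with no matching role get refused.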

TheRealGramdalf commented on August 28, 2024

Just as a status update, the only thing left really is the over validation of URIs (see the original post) - once that has been resolved I'm happy with everything as it is.


9p4 commented on August 28, 2024

Kanidm does work when the option to bypass the check is enabled, right?


josephdecock commented on August 28, 2024

IdentityModel validates that the endpoints use an expected base address. It uses the issuer as the default for this validation, but you can add additional base addresses in the configuration. See IdentityModel/IdentityModel#553 (comment).

I'm going to update the error message to improve discoverability of this feature in our upcoming next release, but you should be able to use the existing configuration options to solve this problem today.

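To make the base-address check concrete, here is an added example, not code from jellyfin-plugin-sso or from IdentityModel, that reimplements in Python the validation described above: every endpoint in the discovery document must sit under an allowed base address, which is the issuer by default plus any additional bases the relying party configures. The discovery document is constructed for the example (its issuer matches the OidEndpoint in the configuration earlier in the thread; the endpoint paths are invented to show an IdP that serves some endpoints outside the issuer's path prefix), and the `validate_endpoints` and `require_https` switches only loosely mirror the plugin's DoNotValidateEndpoints and DisableHttps settings.

```python
"""Endpoint base-address validation for an OIDC discovery document.

Added example (not IdentityModel's or the plugin's code). Models the
check that the comment above describes: each advertised endpoint must be
under the issuer or under an explicitly allowed additional base address.
"""
from urllib.parse import urlparse

ENDPOINT_KEYS = (
    "authorization_endpoint",
    "token_endpoint",
    "userinfo_endpoint",
    "jwks_uri",
    "end_session_endpoint",
)

# Constructed discovery document. The issuer is the per-client URL from the
# configuration in this thread; the endpoint paths are invented to show an
# IdP that serves some endpoints outside the issuer's path prefix.
DISCOVERY_DOC = {
    "issuer": "https://auth.domain.tld/oauth2/openid/jellyfin-aer_rs",
    "authorization_endpoint": "https://auth.domain.tld/ui/oauth2",
    "token_endpoint": "https://auth.domain.tld/oauth2/token",
    "userinfo_endpoint": "https://auth.domain.tld/oauth2/openid/jellyfin-aer_rs/userinfo",
    "jwks_uri": "https://auth.domain.tld/oauth2/openid/jellyfin-aer_rs/public_key.jwk",
}

# Constructed: the same document with the token endpoint pointed at a
# foreign host, the case the validation exists to catch.
TAMPERED_DOC = dict(DISCOVERY_DOC, token_endpoint="https://attacker.example/oauth2/token")


def is_under_base(url: str, base: str) -> bool:
    """True if url shares scheme and host with base and its path is at or
    below base's path (segment-aligned, so /a/bc is not under /a/b)."""
    u, b = urlparse(url), urlparse(base)
    if u.scheme.lower() != b.scheme.lower() or u.netloc.lower() != b.netloc.lower():
        return False
    base_path = b.path.rstrip("/") + "/"
    return (u.path.rstrip("/") + "/").startswith(base_path)


def check_discovery_endpoints(
    doc: dict,
    additional_bases: tuple[str, ...] = (),
    validate_endpoints: bool = True,
    require_https: bool = True,
) -> list[str]:
    """Return a list of validation failures; empty means the document is
    acceptable under the given policy.

    validate_endpoints=False corresponds to the insecure "do not validate
    endpoints" switch: any URL the document advertises is then trusted.
    """
    allowed = [doc["issuer"], *additional_bases]
    failures = []
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if url is None:
            continue
        if require_https and urlparse(url).scheme.lower() != "https":
            failures.append(f"{key}: {url} is not https")
        if validate_endpoints and not any(is_under_base(url, b) for b in allowed):
            failures.append(f"{key}: {url} is outside the allowed bases {allowed}")
    return failures


if __name__ == "__main__":
    extra = ("https://auth.domain.tld/",)
    print("issuer only:", check_discovery_endpoints(DISCOVERY_DOC))
    print("validation off:", check_discovery_endpoints(DISCOVERY_DOC, validate_endpoints=False))
    print("validation off, tampered:", check_discovery_endpoints(TAMPERED_DOC, validate_endpoints=False))
    print("extra base:", check_discovery_endpoints(DISCOVERY_DOC, additional_bases=extra))
    print("extra base, tampered:", check_discovery_endpoints(TAMPERED_DOC, additional_bases=extra))
```

With the issuer as the only base, the authorization and token endpoints fail because they are not under the issuer's path prefix. Turning validation off makes both documents pass, including the one whose token endpoint points at another host, which is what the "insecure" label is about. Adding the IdP's host root as an additional base accepts the legitimate layout while still rejecting the foreign endpoint.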

josephdecock commented on August 28, 2024

Can you please give that a try and let me know if it works for you?


9p4 commented on August 28, 2024

Please check if commit d51e506 fixes this issue. You can use the nightly release of the plugin (0.0.0.0).

