Comments (9)
Here's a discussion I had about implementing user-facing views for user self-service
It was good news, the task seems straightforward
Matthew Strasiotto
Howdy! Continuing a discussion with Cody Robibero:
So I've implemented admin config client-side view for my plugin, it lives here
https://github.com/9p4/jellyfin-plugin-sso/tree/main/SSO-Auth/Config
I basically used trakt, ldapauth , and jellyfin-webs library views as references
Developing this admin config view is pretty straightforward for now
I want a user self-service view.
I don't think I can use pluginconfigpage API to register it, I think that's only for admin views
Cody Robibero
The view itself doesn't require permissions
Matthew Strasiotto
Ohhh, okay
Cody Robibero
It's the api the makes the requirements
Matthew Strasiotto
Does the link appear in the side menu for non-admins?
No Biggie if not
Cody Robibero
In 10.8 you can add a line to a json file with the link
Matthew Strasiotto
That makes my task much more straightforward!
Yep, that's what I thought
Cody Robibero
https://jellyfin.org/docs/general/clients/web-config.html#custom-menu-links
Though the server admin would need to set it
Matthew Strasiotto
Cody Robibero
Though the server admin would need to set it
That's no problem, the plugin is maturing anyway, and I get a feeling that someone will probably add user-side config for the custom menu link setting to jf eventually
(I would imagine that setting eventually living next to the disclaimer and branding stuff)
Awesome! All I need to do is use built-in self service endpoints as a reference for how to check role/permissions, and then implement a separate plugin config view that communicates with those endpointsCody Robibero
That sounds about right
Matthew Strasiotto
So I guess presently if I manually type in the URL for a plugin config page on a non-admin account, the page will load correctly and everything will work until the ApiClient tries to access an endpoint that it doesn't have permission for
Awesome
Cody Robibero
Correct
from jellyfin-plugin-sso.
My vision is that SSO can be used to sign into an existing account when the usernames differ.
Furthermore, there has to be something for "Sign in with Google" to have better username support.
All providers can add metadata about the user (full name, etc)
from jellyfin-plugin-sso.
My vision is that SSO can be used to sign into an existing account when the usernames differ.
Furthermore, there has to be something for "Sign in with Google" to have better username support.
hm, yeah. Personally I now use google as a SSO provider for my authentik instance, so it no longer affects me.
There are a few options for something like this -
- Allow configurable UID Claim in provider config.
- Users can instead claim on some other property, for example, email address
- There are plenty of caveats to this, and google warns against it
- The main problem is that most "human-friendly" properties on a google OIDC payload are either:
- non-unique to the account
- not-guaranteed to be immutable
- email address is an example of this
- Although configurable UID claim might have some use-case (idk what right now), it's probably not a good solution
- Allow some form of user-name registration flow when authenticating a new user via OIDC provider
- This is probably more robust, but likely involves rolling-our-own UI
- DIY UI probably relies on #21
- We probably want this to be as simple as possible
- This raises the question:
- How flexible is jellyfin's user-model when it comes to storing custom metadata + attributes?
Answer: Not very - Where do we store this relationship?
Answer: Probably in the plugin config, though I'm unsure of how resilient this would be to concurrency, but maybe that doesn't matter. - How should we structure this relationship?
- A given provider has a 1-n relationship with users, perhaps each provider has a hashmap of canonical name -> jellyfin ID?
- How flexible is jellyfin's user-model when it comes to storing custom metadata + attributes?
- Does jellyfin allow plugins to provide user-facing configuration pages, so that we can give a UI to link existing accounts to providers?
- If not, we will likely have to DIY this UI, and use the new custom menu item feature to let users access it https://jellyfin.org/docs/general/clients/web-config.html#custom-menu-links
- This is probably more robust, but likely involves rolling-our-own UI
All providers can add metadata about the user (full name, etc)
By "providers" do you mean OIDC providers, or Jellyfin Identity Providers? I know OIDC providers can give plenty of metadata, but I don't know much about jellyfin ID providers
from jellyfin-plugin-sso.
By "providers" do you mean OIDC providers, or Jellyfin Identity Providers? I know OIDC providers can give plenty of metadata, but I don't know much about jellyfin ID providers
OIDC/SAML providers putting name, etc into JF.
from jellyfin-plugin-sso.
@9p4 I think I'd like your eyes on #34
In particular, I'm not sure about the best way to build an an endpoint for linking pre-existing users to idenity providers.
The current endpoint is probably not good enough - rigth now it just lets users manually set their canonical name for a given provider.
I think instead, we need something which initiates the flow, but the callback can differentiate between linking and auth requests, and we can validate the response based on that.
I kind of feel like there should be a GET endpoint that actually initiates the flow, client-side flow,
- and then the client-side flow initiates the flows with the provider,
- and accepts the callbacks they need to, except that, this time, (ideally)
- the client passes some extra state to the provider which is passed back on callback to the client (Does saml and oidc support this) which flags that we're just linking here, not authorizing.
EDIT
Actually, for OIDC, we can just use statemanager to differentiate auth requests from linking requests and delegate the correct method.
For SAML, I'm less clear on the correct way to distinguish these flows.
EDIT
I actually think we can implement linking endpoints that mirror the existing
/sso/{mode}/Auth/{provider}
endpoints, instead:
/sso/{mode}/Link/{provider}/{jellyfinUserId}
Just like with /sso/{mode}/Auth/{provider}
, we generate a js client that includes the OIDC / SAML state data (XML, or state id), which queries our endpoint, /sso/{mode}/Link/{provider}/{jellyfinUserId}
, but:
- We also add the
{jellyfinUserId}
to the generated page - our endpoint requires basicAuth,
- because the user already has a session, it can use the
AssertCanUpdateUser
helper to verify the user has permission to create this link
- because the user already has a session, it can use the
- Our endpoint then verifies the auth response data
Third edit (lol)
Actually, for saml requests, we can use relayState to keep state & track the kind of request it is, and for OIDC, we can track whether each request is linking or not within the TimedAuthroizeState
object
from jellyfin-plugin-sso.
I think that the auth and linking would be ideally combined. On first login, the linking request will be created. Then, every other login would automatically work.
from jellyfin-plugin-sso.
I think that the auth and linking would be ideally combined. On first login, the linking request will be created. Then, every other login would automatically work.
That's what I wound up making, I believe
from jellyfin-plugin-sso.
Ah I must have misunderstood the code. I'll have to take a more careful look through.
from jellyfin-plugin-sso.
Ah I must have misunderstood the code. I'll have to take a more careful look through.
Either that, or an old revision, I wound up re-doing it to go from linking req to flow, without an api call that explicitly links
from jellyfin-plugin-sso.
Related Issues (20)
- System.ArgumentNullException: Value cannot be null. (Parameter 'collection') HOT 3
- Connexion impossible via authelia HOT 12
- Error loading discovery document: Endpoint belongs to different authority HOT 2
- Linking page still uses /p/ URLs, causes redirect URI error HOT 3
- System.ArgumentNullException: Value cannot be null. (Parameter 'collection') HOT 2
- UniFi ID SAML Error HOT 17
- Does the Subpath /jellyfin/ cause a 404? HOT 2
- [Feature Request] X-Forwarded-* Header Support. HOT 2
- SSO login not working after changing username HOT 10
- "Enable Authorization by Plugin: false" should be able to create users with no permissions HOT 4
- Synology SSO SAML - Stuck on logging in HOT 4
- Custom OAuth2/OIDC login (for Discord) HOT 1
- Authentik "Provider does not exist" OIDC Failure HOT 12
- Kanidm Support HOT 13
- Update README to suggest hiding login form HOT 2
- Better styling for login button HOT 3
- Error processing request. URL GET /sso/OID/r/authentik. HOT 33
- Improve login buttons (README) HOT 2
- domain name is wrong. HOT 4
- Manually set redirect URL HOT 15
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from jellyfin-plugin-sso.