    Desktop Client with Authentik OAuth

    dnightbane
    Junior Member
    #1
    2025-02-24, 03:13 PM (This post was last modified: 2025-02-24, 03:13 PM by dnightbane.)
    Hello!

    I recently installed Jellyfin and have connected it with Authentik for SSO. This works great for the browser; however, when I try to log in with SSO on the desktop client, I just get a black screen after hitting "Sign in with SSO" (shown below). Is there something I'm missing in the setup, or is LDAP the only option (this would require setting a local password on the OAUTH user, so not necessarily the ideal scenario)?

    Initial screen when opening the app
       

    After hitting the Sign in with SSO button
       
    TheDreadPirate
    Community Moderator
    #2
    2025-02-25, 02:23 PM
    Which server version are you running and what version of Jellyfin Media Player? Also, are you using a reverse proxy?
    Jellyfin 10.10.7 (Docker)
    Ubuntu 24.04.2 LTS w/HWE
    Intel i3 12100
    Intel Arc A380
    OS drive - SK Hynix P41 1TB
    Storage
        4x WD Red Pro 6TB CMR in RAIDZ1
    dnightbane
    #3
    2025-02-25, 03:10 PM
    Apologies, that would be useful information to include.

    Jellyfin Version: 10.10.6 (docker)
    Jellyfin Player Version: 1.11.1 (Windows)
    Reverse Proxy: Nginx (docker)
    TheDreadPirate
    #4
    2025-02-25, 03:26 PM
    Can you go over this walkthrough another forum user wrote?

    https://forum.jellyfin.org/t-jellyfin-au...n-tutorial

    Double check your setup lines up with their walkthrough?

    And can you provide your Nginx config? Censor the domain.
    dnightbane
    #5
    2025-02-25, 04:19 PM
    Definitely a good guide for LDAP with 2FA, thank you!

    That post also made me realize my initial post was missing a few more details, apologies about that.

    The authentik flow for this domain is set to OAUTH with plex.tv (Figured this would be an easy way to allow my users to choose whichever they want without having to maintain multiple credentials) so when a user goes to https://jellyfin.domain.com they are instantly redirected to authentik which pops a login for plex.tv. This works as expected in the browser but I suspect may not be a supported configuration for the clients so LDAP and different credentials may be the route I need to go.

    My nginx config
    server {
        listen 443 ssl;
        http2 on;
        server_name jellyfin.domain.com;
        include /etc/nginx/conf.d/https.conf;

        ## The default client_max_body_size is 1M, this might not be enough for some posters, etc.
        client_max_body_size 20M;

        # Security / XSS Mitigation Headers
        add_header X-Content-Type-Options "nosniff";

        # Permissions policy. May cause issues with some clients
        # add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;

        # Content Security Policy
        # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
        # Enforces https content and restricts JS/CSS to origin
        # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
        add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";

        access_log /var/log/nginx/jellyfindomain/jellyfin.access.log;
        error_log /var/log/nginx/jellyfindomain/jellyfin.error.log;

        location / {
            # Proxy main Jellyfin traffic
            proxy_pass http://jellyfin:8096;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Protocol $scheme;
            proxy_set_header X-Forwarded-Host $http_host;

            # Disable buffering when the nginx proxy gets very resource heavy upon streaming
            proxy_buffering off;
        }

        location /socket {
            # Proxy Jellyfin Websockets traffic
            proxy_pass http://jellyfin:8096;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Protocol $scheme;
            proxy_set_header X-Forwarded-Host $http_host;
        }
    }
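
Added example, not part of the original post: a small Python audit of the Content-Security-Policy value in the config above, reporting which request types the header permits toward the Jellyfin origin and toward a separate identity-provider origin. `IDP_ORIGIN` is a placeholder that does not come from the thread, and the matcher is simplified (scheme and host only, with `default-src` as the only fallback).

```python
from urllib.parse import urlsplit

# CSP value copied from the add_header line in the posted nginx config.
CSP = ("default-src https: data: blob: ; img-src 'self' https://* ; "
       "style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' "
       "https://www.gstatic.com https://www.youtube.com blob:; "
       "worker-src 'self' blob:; connect-src 'self'; object-src 'none'; "
       "frame-ancestors 'self'; font-src 'self'")
SELF_ORIGIN = "https://jellyfin.domain.com"  # server_name from the post
IDP_ORIGIN = "https://auth.example.com"      # placeholder, not from the thread
# Directives that never fall back to default-src when they are absent.
NO_FALLBACK = {"frame-ancestors", "form-action", "base-uri"}

def parse_csp(header):
    """Return {directive: [sources]}; a repeated directive is ignored."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def source_matches(src, url, self_origin=SELF_ORIGIN):
    """Simplified source-expression match: scheme and host only, no port or path rules."""
    u = urlsplit(url)
    if src == "'self'":
        return f"{u.scheme}://{u.netloc}" == self_origin
    if src.startswith("'"):                   # 'none', 'unsafe-inline', ... match no URL
        return False
    if src.endswith(":") and "/" not in src:  # scheme-source such as https: or blob:
        return u.scheme == src[:-1]
    s = urlsplit(src)                         # host-source such as https://www.gstatic.com
    if s.scheme != u.scheme:
        return False
    if s.netloc == "*":
        return True
    if s.netloc.startswith("*."):
        return (u.hostname or "").endswith(s.netloc[1:])
    return s.netloc == u.netloc

def allowed(policy, directive, url, self_origin=SELF_ORIGIN):
    """True/False from the effective source list; None if nothing governs the request."""
    sources = policy.get(directive)
    if sources is None and directive not in NO_FALLBACK:
        sources = policy.get("default-src")   # simplified: only the default-src fallback
    if sources is None:
        return None
    return any(source_matches(s, url, self_origin) for s in sources)
POLICY = parse_csp(CSP)
```

Under this policy, script-initiated requests (`connect-src`) are limited to the Jellyfin origin, framing another HTTPS origin falls back to `default-src` and is permitted, and `form-action` is not restricted at all.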
    TheDreadPirate
    #6
    2025-02-25, 04:36 PM
    The Nginx config looks fine. But I don't think your current flow will work with a lot of clients so, as you said, you will probably need to go the LDAP route.
    Duvel
    Member
    #7
    2025-02-26, 07:28 AM (This post was last modified: 2025-02-26, 08:23 AM by Duvel. Edited 8 times in total.)
    The clients' capabilities are really the bottleneck in using the OAUTH/SSO plugin. IMO it's not usable in its actual state because of this and should be disregarded.

    Everyone who uses, or has users using, clients other than web (which is most probably the case for everyone) can only use the LDAP plugin if they want properly working SSO... And LDAP is much, MUCH harder to set up.

    It would be nice if the Jellyfin team could emphasize the importance of implementing SSO OAUTH correctly in the clients. We are in 2025... I just don't get how client devs still don't realize that it's not a "nice-to-have" anymore. It's rather a must-have, not to say an obligation.