How does the Android app access the backed?

[Wpq]

I set up Jellyfin to authenticate through Authelia. This allows family and friends to use their SSO, which they have to go through anyway, as their Jellyfin account. It works perfectly when accessing Jellyfin via the web.

I am the only one to use the Android app, which does not work with SSO. I am planning to whitelist it in my LAN (so that it does not go though Authelia). To do this, I need a parameter that I can discriminate against.

My question: what in the way the Android app accesses the Jellyfin backend could be used to tag it as such? The URL it uses? Headers? User agent?

[TheDreadPirate]

If you're using a reverse proxy, it should log the user agent. The jellyfin app is a web-wrapper and would access the server in the same manner as a browser, so the URLs it uses wouldn't be different enough.

[Wpq]

> the user agent

Would you know what it is set to? (I will sniff the traffic otherwise)

[niels]

The mobile Android app has different sources for its network requests:
- The web interface via the webview
- The native part via our Kotlin SDK (used for connecting/video player metadata)
- The native part via our video player
- The native part via our image loading library

These 4 options do **not** share the same code for creating their network requests so headers will differ.

[Wpq]

@niels so you mean that there are no straightforward ways to differentiate traffic from the app from traffic from a web browser?

[niels]

Correct, you should not rely on the HTTP requests to differentiate clients.

[Wpq]

OK thanks.

I had an epiphany: I just created an alternate URL for the app, which bypasses Authelia and is limited to the LAN. Works great.