I’m looking to install the SSO provider for Jellyfin, and it would would be really great to have client support for OIDC/SSO in Symfonium.
Problem solved:
I’m looking for ways to better secure the applications that I self-host and adding a SSO provider seems really great security-wise, plus it will bring convenience as I login through a single provider.
Brought benefits:
Increased security and flexibility for users running Jellyfin servers. Plus the more clients that support OIDC, the less need for a secondary method like LDAP.
Other application solutions:
As an example/reference, Audiobookshelf added OIDC last year. I don’t know how much of this would apply to Symfonium, but might be nice to have as a reference. Although it looks like there’s already some sort of SSO implemented in Symfonium for Plex.
Unfortunately that’s not how it works and that easy.
Plex support SSO because it have a very specific API to handle this, but the SSO and everything is done on Plex side, then they provide a specific API to get the token.
What they do in the PR to intercept the callback uri is all but secure, if it was possible with things like Google this would mean that anyone could intercept.
When you configure sso, you register valid callback urls, and those can’t be intercepted by random apps.
So to support SSO in Jellyfin it requires that Jellyfin offers a proper API. Quickconnect is not really suited for that.
Hi, and thanks for the reply. I’ll admit that I’m very much a beginner when it comes to SSO and OAuth.
I don’t understand what you mean when you say they are intercepting the callback uri. From what I can tell (with my limited knowledge), it looks like the callback URI is supplied by the Audiobookshelf server, and they are doing some parsing to put it in the proper format. Though really I just linked that PR as an example of how SSO has been implemented recently in another media player type project. If there is some security issue with their implementation, I’d be happy to open an issue against Audiobookshelf.
I may have jumped the gun slightly on this feature request, as it looks like (hopefully) SSO will land in Jellyfin official sometime soon. There’s a some discussion about authentication flows for the implementation:
In the current state, it looks like as you’ve said, quick connect is the only way to accomplish this via jellyfin-plugin-sso. I took a look at Finamp’s recent implementation and it indeed uses quick connect:
From my perspective as a Jellyfin server operator, SSO via quick connect would probably still be an improvement because then I can make my users go through my own login flows and enforce policies like MFA.
That being said, once SSO actually lands in Jellyfin officially, would you consider looking at an implementation in Symfonium?
And do you have any suggestions for API support, or anything that helped with the Plex integration that I could try to help pass along to the Jellyfin developers?
