Document How to set login disclaimer + branding css to add SSO links to frontpage #16
Comments
To begin with, supporting "Sign on with authelia" would look like:

Login Disclaimer:

```html
<a href="https://myjellyfin.example.com/sso/OID/p/authelia" class="raised cancel block emby-button authelia-sso">Sign in with Authelia</a>
```

Custom CSS code:

```css
/* Make links look like buttons */
a.raised.emby-button {
  padding: 0.9em 1em;
  color: inherit !important;
}
/* Let disclaimer take full width */
.disclaimerContainer {
  display: block;
}
/* Optionally, apply some styling to the `.authelia-sso` class, probably let users configure this */
.authelia-sso {
  /* idk set a background image or something lol */
}
```
|
I'm planning on restructuring the login flow just a little to accommodate this (as well as solve the issue of when the web frontend is on a different domain than the JF server). The plan is to have everything work as a programmatic API, so instead of returning a webpage, it'll return JSON or something similar and other endpoints can use that API to set cookies or whatever. Then, with this, we can set it so that the button loads some JS that interacts with the API and sets the relevant information instead. The flow would look something like this:
I think it can be simplified at some points. What do you think? |
Just putting also my input as I’ve been working hard to implement SSO in different services, I’m not sure opening a secondary tab is the best UX in terms of SSO. Also, and maybe more important, make sure automatic SSO can still be available, either with something similar to the current endpoints, or (and probably better) a configuration point telling the JS script to automatically start the login flow.

edit: also, I can try to help once I understand the architecture of JF and the plugins

edit 2: you can probably just skip the polling and: on load check if auth is already done, if yes poll the data and login, if no, and automatic login is implemented or the user clicks a button, start the flow, redirect just as you are doing now, and then when you redirect back to JF, it would reload the script but this time it would be in the logged in branch |
So the flow would be something like this:
|
Ah sorry - I think I meant to reply with my own take on how to approach SSO flow but I must have forgotten to submit the comment. Basically - it seems that you're implying that we add some custom JavaScript to the login page that handles some aspects of the flow. Although this sounds nice, I do not believe there exists an API that would allow a plugin to inject javascript / The webui (correctly) runs For now, I'm unsure how to address this, but the new-tab approach should be "good enough" for a while. |
For my own reference, here is the setting pattern used to configure loginDisclaimer & branding css: Get pattern for login disclaimer: Get pattern for custom css + disclaimer: |
Matrix conversation excerpt
|
The ideal option would be to integrate this plugin as part of the official JF spec for better frontend support, but that would be complex to maintain, and I don't know if I can manage that. In the meantime, web-based auth in conjunction with Quick-Connect should handle 99% of the use-case. |
Yep, the maintainers seem pretty resistant since it would imply that every single client would have to bring its own implementation of OIDC auth
yeah, when 10.8 gets full-released, pretty much all major clients will have implemented quick-connect |
I've implemented an additional button using the method outlined in this issue to automate the SSO login, rather than just linking back to the Server homepage. Specifically, I am hitting the auth proxy redirect URL for Jellyfin. So, if I set "Name of OID Provider" in Jellyfin's SSO settings to "authentik" the redirect would be So, is there any way to configure the button to open in the same tab? I've tried adding |
It is hardcoded in Jellyfin web interface. |
Awww. Bummer. But thanks for the quick answer! Still way better than nothing. |
yes that looks correct |
Fixed in 076cb1b |
Hi, is it possible for the SSO Login button to follow the link in the same tab? |
It's hardcoded into the Jellyfin web interface code. |
You can use a form + button to cause the URL to be opened in the current tab. Works well on browsers, although the official Jellyfin app for Android hangs on "Logging in..." when using Authelia.

```html
<form action="https://jellyfin.example.com/sso/OID/start/PROVIDER"><button class="raised button-sso block emby-button" type="submit">Sign In with SSO</button></form>
```

```css
button.raised.button-sso {
  background: #00a4dc;
}
```
|
I just tested this with authentik. On iOS it logs in fine, on Android I have the same, hangs at "logging in..." Thanks for the idea with the form, at least on iOS SSO login seems possible this way (direct SSO without Quickconnect, that option remains, of course). |
You are my savior, thank you so much. This makes SSO work in Jellyfin Media Player, which my users have to use because most of my files are HEVC and can't be played on most browsers. Then quick connect will do the trick for the very few that use Kodi with the Jellyfin addon. |
If someone finds it useful. There is also a way to directly redirect to SSO if not logged in. Skipping the login-form completely. I injected JS with nginx:

```nginx
location /login-redirect.js {
    default_type application/javascript;
    add_header Content-Disposition "inline; filename=login-redirect.js";
    return 200 '
        let timer
        function isAndroidDevice() {
            return /Android/i.test(navigator.userAgent);
        }
        function checkForSignIn() {
            const isLoginPage = window.location.href.includes("login.html")
            if (isLoginPage) {
                clearInterval(timer)
                window.location.href = "/sso/OID/start/authentik"; // Change to your desired URL
            }
            const isLoggedIn = window.location.href.includes("index.html")
            if (isLoggedIn) clearInterval(timer)
        }
        if (!isAndroidDevice())
            timer = setInterval(checkForSignIn, 10);
    ';
}
```

Then inside location /web:
It will simply periodically check if the user is at the Jellyfin login url. If yes it will redirect for authentication to SSO. If it detects that the user is at index.html (which is never called when not logged in) it will simply delete the timer. In my test it even worked in the mobile app. Edit: Only worked in iOS, I simply added code to exclude Android |
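
A testable variant of the redirect check from the comment above, as an added example that is not part of the original comment or the plugin's code. It matches `login.html` as a route segment instead of a substring of the whole URL and leaves a way back to the manual login form; the function names, the `nosso` opt-out parameter, the 250 ms interval and the assumption that the login route appears in the path or the hash fragment are all hypothetical.

```javascript
// Added example: the redirect decision is a pure function so it can be tested.
// Assumptions: the login route appears in the path or the hash fragment, and
// "nosso" is a hypothetical opt-out parameter (not a Jellyfin or plugin feature).
const SSO_START = "/sso/OID/start/"; // path pattern taken from the thread

function ssoRedirectTarget(href, userAgent, provider) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return null; // unparsable location: do nothing
  }
  // The thread reports the Android app hanging at "Logging in...", so skip it.
  if (/Android/i.test(userAgent)) return null;
  // Opt-out so local accounts can still reach the manual login form.
  if (url.searchParams.has("nosso")) return null;
  // Match login.html as a route segment, not anywhere in the URL, so a
  // parameter value that merely contains "login.html" does not trigger it.
  const route = url.hash ? url.hash.slice(1) : url.pathname;
  const routePath = route.split("?")[0];
  if (!/(^|\/)login\.html$/.test(routePath)) return null;
  // A relative target keeps the redirect on the current origin.
  return SSO_START + encodeURIComponent(provider);
}

function installSsoRedirect(provider) {
  if (typeof window === "undefined") return false; // not running in a browser
  const timer = setInterval(() => {
    const target = ssoRedirectTarget(window.location.href, navigator.userAgent, provider);
    if (target) {
      clearInterval(timer);
      window.location.assign(target);
    }
  }, 250);
  return true;
}

installSsoRedirect("authentik"); // provider name as configured in the SSO plugin
```
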
Originally posted by @matthewstrasiotto in #2 (comment)
An example - Here, I:
This renders out like so:
"Manual Login" and "Quick Connect" are both builtin by jellyfin, "Forgot Password" is actually my own link to authelia.