FUTURE WORK ( v4.0.0.0 release) - Native Client Support #61
Comments
|
Man this will be so cool! I am wondering, given it's popularity in the Jellyfin community, if we could get Infuse to also add support. |
|
Great work on this plugin, I really hope it gets integrated upstream sometime soon. In the meantime, I have made a small script that allows the official Android app to login with your plugin. It works on both Android and a Browser for me, but YMMV. I think some of that could be integrated in a PR for this projet, but it was a bit too much work for me to setup a development environment. FYI I didn't have to do much to get the plugin working. The auth page expects the device id to be in localstorage, but the app uses a native function: Add the SSO login on AndroidDisclaimer: While I'm not personally aware of any security risk this script could cause, I am not a security expert.
Script:
|
9p4
changed the title
Awesome work, script works for me on both platforms (with one caveat that's more a limitation of using webviews for OAuth), what an excellent and minimal workaround
For the people hosting on containers, I've written a Dockerfile that automates this. I've uploaded it + a modified version of the script to the following repo: https://github.com/strazto/jellyfin-plugin-sso-custom-jf-dockerfile Basically just modifies the standard jellyfin image by adding the script, and injecting the ARG JELLYFIN_TAG=10.8.10
FROM jellyfin/jellyfin:${JELLYFIN_TAG}
COPY ./add-oauth-button.js /jellyfin/jellyfin-web/oauth.js
RUN sed -ri \
's#<head>#&<script type="text/javascript" src="/web/oauth.js"></script>#' \
/jellyfin/jellyfin-web/index.htmlI've also updated the script for the following:
Caveat of OAuth within jellyfin appThis approach doesn't appear to work if using Google as your idp, due to google's security policy around "secure browsers". This policy is probably enforced in this case due to the degraded security of using android Webviews or iframes for oauth flows potentially allowing information leakage (I forget the specifics). I realized this, as my idp server, Authentik, is configured to allow me login to my account either manually (username/password), or via external social sign on (eg Google). Username/password works in my case, but google gives an error when going via android app. This limitation is probably not resolvable on our end, but rather would be solved by implementing the flow specified in jellyfin/jellyfin-meta#28 , which I've been intending to get around to for over a year at this point 🙃 |
Your repo appears to be private 🙃 I'm happy If could be of help. I've been trying to make the Android app work with the auth_request that I've setup in my reverse proxy, but I'm not sure I can make it work without upstream changes to the Jellyfin app. |
|
Here I found a workaround to serve jellyfin behind a reverse proxy with forward auth. I'm using nginx within Nginx Proxy Manager, but it should work for Traefik as well. It's a dirty dirty hack that uses knowledge of the internal working of the Android app and could stop working at any point in the future. The code shared here is not to be used as is, I didn't detail the auth_request configuration nor any security or even the headers for the proxy_pass. But it should be enough for someone dedicated enough to update their own configuration :) Reverse proxy (nginx) configuration# This endpoint is called before opening the webview
location /System/Info/Public {
proxy_pass http://jellyfin_host:8086/System/Info/Public;
}
# This is called from the webview, the application checks if the application has loaded by waiting
# for a call to fetch main js bundle. We trick it by making a request to a file with a similar name that
# does not exist before redirecting to the index.html that is protected by a auth_request
location = / {
add_header Content-Type text/html;
return 200 '<html><head><script>fetch("/main.xxx.bundle.js"); window.location.replace("/web/index.html");</script></head><body>Loading...</body></html>';
}
# This proxy_pass will basically serve the whole application
location / {
auth_request @authcheck;
proxy_pass http://jellyfin_host:8086;
} |
|
I was considering a mechanism like that, but I think it'll break anything that doesn't use the webUI (clients that use the API exclusively, ie devices without webviews) |
|
Yes that's true, it works for me because I'm only using a browser and the web player of the official Android app. And I'm willing to make some sacrifices for the increased security. But to implement a change like this upstream would be a lot more involved |
|
I believe switching the default username from |
Thanks, tried your script. Yet when I use the android app and press the sso button I am logged in in the browser but not the app. |
9p4
changed the title
|
Hi, is there any news about this feature ? |
|
I am working on a set of patches to bring OpenID support to Jellyfin natively. |
@9p4 that's awesome - just in case you're not across it, you may wanna let them know on jellyfin/jellyfin-meta#68 , particularly taking note of their implementation discussions Thanks for picking this up :D |
|
Hi, |
I've been lobbying the jellyfin client maintainers regarding implementing some kind of support for our plugin/similar plugins, & I've managed to get some traction + we've reached a consensus about what the architecture might look like.
jellyfin/jellyfin-meta#28
Once I get jellyfin/jellyfin-meta#28 resolved, and the change is merged into a release (this is going to be in a 10.9 or 10.10 release of jf-server, as well as a subsequent update of as many clients as i care to touch, starting with
jf-android&jf-expo, probably swiftfin eventually), we will be able to incorporate it into our plugin.Essentially, we'll be able to redirect back to a custom scheme that opens the native jellyfin app (ios, android, etc) and provides a single use code that authenticates a session.
The text was updated successfully, but these errors were encountered: