Authentik "Provider does not exist" OIDC Failure #154

M-Davies · 2023-12-03T00:38:16Z

M-Davies
Dec 3, 2023

Describe the bug
My Jellyfin instance cannot seem to find my Authentik OIDC provider after deployment in my local Docker media stack. When accessing my SSO url at https://jellyfin.mydomain.tld/sso/OID/p/authentik, I recieve an error in the browser (Error processing request.) and in the logs, the following more detailed error:

[00:17:08] [INF] [126] Jellyfin.Plugin.SSO_Auth.Api.SSOController: SSO Controller initialized
[00:17:08] [ERR] [126] Jellyfin.Server.Middleware.ExceptionMiddleware: Error processing request. URL GET /sso/OID/p/authentik.
System.ArgumentException: Provider does not exist
   at Jellyfin.Plugin.SSO_Auth.Api.SSOController.OidChallenge(String provider, Boolean isLinking)
   at lambda_method1607(Closure , Object )
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextResourceFilter>g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeFilterPipelineAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)
   at Jellyfin.Server.Middleware.ServerStartupMessageMiddleware.Invoke(HttpContext httpContext, IServerApplicationHost serverApplicationHost, ILocalizationManager localizationManager)
   at Jellyfin.Server.Middleware.WebSocketHandlerMiddleware.Invoke(HttpContext httpContext, IWebSocketManager webSocketManager)
   at Jellyfin.Server.Middleware.IpBasedAccessValidationMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager)
   at Jellyfin.Server.Middleware.LanFilteringMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager, IServerConfigurationManager serverConfigurationManager)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Jellyfin.Server.Middleware.QueryStringDecodingMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.ReDoc.ReDocMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Jellyfin.Server.Middleware.RobotsRedirectionMiddleware.Invoke(HttpContext httpContext)
   at Jellyfin.Server.Middleware.LegacyEmbyRouteRewriteMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.ResponseCompression.ResponseCompressionMiddleware.InvokeCore(HttpContext context)
   at Jellyfin.Server.Middleware.ResponseTimeMiddleware.Invoke(HttpContext context, IServerConfigurationManager serverConfigurationManager)
   at Jellyfin.Server.Middleware.ExceptionMiddleware.Invoke(HttpContext context)

I have attached some screenshots below showing my Authentik and Jellyfin setup that roughly followed the guide in providers.md as well as one on Reddit. Please can you confirm whether this is a me problem or something deeper in the library that could be at fault.

To Reproduce
Steps to reproduce the behavior:

Go to https://jellyfin.mydomain.tld/sso/OID/p/authentik
See error

Expected behavior
A prompt to login via Authentik should appear

Screenshots
Authentik Scope Mapping Setup

Authentik Provider Setup

Authentik Application Setup

Jellyfin OIDC Settings

Configuration
Available on request via private communication channels, would like to keep detailed logging information out of the public domain if possible

Versions (please complete the following information):

OS: Host Linux <hostname> 5.15.0-89-generic #99-Ubuntu SMP Mon Oct 30 20:42:41 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux (jellyfin runs inside docker container)
Browser: N/A
Jellyfin Version: 10.8.13
Plugin Version: 3.5.2.1

Additional context

Authentik users are divided into groups, Jellyfin-Users and Jellyfin-Admins. An admin is in both groups, a user just the Users one.
OIDC has worked on my Audiobookshelf installation so I know it's not an issue with Authentik directly (at least, not with the installation, the config settings above may still be incorrect)
My authentik instance is at auth.mydomain.tld

Answered by 9p4

Dec 3, 2023

In the Jellyfin plugin configuration, there's a checkbox that says, "Do not validate endpoints (insecure)". Try enabling that. Ideally you shouldn't keep it enabled, but this kind of issue usually points to a hard-to-debug configuration issue with how your server is set up.

View full answer

9p4 · 2023-12-03T19:26:42Z

9p4
Dec 3, 2023
Maintainer

When you navigate to https://jellyfin.mydomain.tld/sso/OID/p/authentik, the authentik part has to match the name of the provider in the Jellyfin configuration exactly. You have the name set to Authentik OAuth. Either you can change this name or visit https://jellyfin.mydomain.tld/sso/OID/p/Authentik%20OAuth.

0 replies

M-Davies · 2023-12-03T21:05:21Z

M-Davies
Dec 3, 2023
Author

When you navigate to https://jellyfin.mydomain.tld/sso/OID/p/authentik, the authentik part has to match the name of the provider in the Jellyfin configuration exactly. You have the name set to Authentik OAuth. Either you can change this name or visit https://jellyfin.mydomain.tld/sso/OID/p/Authentik%20OAuth.

Thanks for replying so quickly @9p4 :) I changed my provider to Authentik and updated the redirect URLs and launch URL in authentik. That got me past that error but am now hitting a redirect error after navigating to https://jellyfin.mydomain.tld/sso/OID/p/Authentik:

My redirect URL in Jellyfin is https://jellyfin.mydomain.tld/sso/OID/redirect/Authentik.

I also tried adding https://jellyfin.mydomain.tld/sso/OID/r/Authentik to my redirect URLs but, no matter the order between the two redirect URLs, I get another Error processing request. clientside and some errors in the logs serverside:

[21:02:30] [INF] [96] Jellyfin.Plugin.SSO_Auth.Api.SSOController: SSO Controller initialized
[21:02:31] [ERR] [101] Jellyfin.Server.Middleware.ExceptionMiddleware: Error processing request. URL GET /sso/OID/r/Authentik.
System.InvalidOperationException: Error loading discovery document: Endpoint belongs to different authority: https://auth.mydomain.tld/application/o/authorize/
   at IdentityModel.OidcClient.OidcClient.EnsureProviderInformationAsync(CancellationToken cancellationToken) in /_/src/OidcClient/OidcClient.cs:line 410
   at IdentityModel.OidcClient.OidcClient.EnsureConfigurationAsync(CancellationToken cancellationToken) in /_/src/OidcClient/OidcClient.cs:line 371
   at IdentityModel.OidcClient.OidcClient.ProcessResponseAsync(String data, AuthorizeState state, Parameters backChannelParameters, CancellationToken cancellationToken) in /_/src/OidcClient/OidcClient.cs:line 184
   at Jellyfin.Plugin.SSO_Auth.Api.SSOController.OidPost(String provider, String state)
   at lambda_method970(Closure , Object )
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeInnerFilterAsync>g__Awaited|13_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextResourceFilter>g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeFilterPipelineAsync>g__Awaited|20_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)
   at Jellyfin.Server.Middleware.ServerStartupMessageMiddleware.Invoke(HttpContext httpContext, IServerApplicationHost serverApplicationHost, ILocalizationManager localizationManager)
   at Jellyfin.Server.Middleware.WebSocketHandlerMiddleware.Invoke(HttpContext httpContext, IWebSocketManager webSocketManager)
   at Jellyfin.Server.Middleware.IpBasedAccessValidationMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager)
   at Jellyfin.Server.Middleware.LanFilteringMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager, IServerConfigurationManager serverConfigurationManager)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Jellyfin.Server.Middleware.QueryStringDecodingMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.ReDoc.ReDocMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Jellyfin.Server.Middleware.RobotsRedirectionMiddleware.Invoke(HttpContext httpContext)
   at Jellyfin.Server.Middleware.LegacyEmbyRouteRewriteMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.ResponseCompression.ResponseCompressionMiddleware.InvokeCore(HttpContext context)
   at Jellyfin.Server.Middleware.ResponseTimeMiddleware.Invoke(HttpContext context, IServerConfigurationManager serverConfigurationManager)
   at Jellyfin.Server.Middleware.ExceptionMiddleware.Invoke(HttpContext context)

0 replies

M-Davies · 2023-12-03T21:07:28Z

M-Davies
Dec 3, 2023
Author

Might be related to #138

0 replies

9p4 · 2023-12-03T21:08:33Z

9p4
Dec 3, 2023
Maintainer

In your list of redirect URLs, can you add the same URL but instead with "r" instead of "redirect"? This was a sloppy mistake on my part when I tried to clarify and simplify paths and just made it more complicated and confusing for everyone else.

0 replies

M-Davies · 2023-12-03T21:14:19Z

M-Davies
Dec 3, 2023
Author

In your list of redirect URLs, can you add the same URL but instead with "r" instead of "redirect"? This was a sloppy mistake on my part when I tried to clarify and simplify paths and just made it more complicated and confusing for everyone else.

@9p4 So I'm getting the same error I mentioned above, either with r on it's own or alongside redirect:

I also tried adding https://jellyfin.mydomain.tld/sso/OID/r/Authentik to my redirect URLs but, no matter the order between the two redirect URLs, I get another Error processing request. clientside and some errors in the logs serverside:

[21:02:30] [INF] [96] Jellyfin.Plugin.SSO_Auth.Api.SSOController: SSO Controller initialized
[21:02:31] [ERR] [101] Jellyfin.Server.Middleware.ExceptionMiddleware: Error processing request. URL GET /sso/OID/r/Authentik.
System.InvalidOperationException: Error loading discovery document: Endpoint belongs to different authority: https://auth.mydomain.tld/application/o/authorize/
   at IdentityModel.OidcClient.OidcClient.EnsureProviderInformationAsync(CancellationToken cancellationToken) in /_/src/OidcClient/OidcClient.cs:line 410
   at IdentityModel.OidcClient.OidcClient.EnsureConfigurationAsync(CancellationToken cancellationToken) in /_/src/OidcClient/OidcClient.cs:line 371
   at IdentityModel.OidcClient.OidcClient.ProcessResponseAsync(String data, AuthorizeState state, Parameters backChannelParameters, CancellationToken cancellationToken) in /_/src/OidcClient/OidcClient.cs:line 184
   at Jellyfin.Plugin.SSO_Auth.Api.SSOController.OidPost(String provider, String state)
   at lambda_method970(Closure , Object )
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeInnerFilterAsync>g__Awaited|13_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextResourceFilter>g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeFilterPipelineAsync>g__Awaited|20_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)
   at Jellyfin.Server.Middleware.ServerStartupMessageMiddleware.Invoke(HttpContext httpContext, IServerApplicationHost serverApplicationHost, ILocalizationManager localizationManager)
   at Jellyfin.Server.Middleware.WebSocketHandlerMiddleware.Invoke(HttpContext httpContext, IWebSocketManager webSocketManager)
   at Jellyfin.Server.Middleware.IpBasedAccessValidationMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager)
   at Jellyfin.Server.Middleware.LanFilteringMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager, IServerConfigurationManager serverConfigurationManager)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Jellyfin.Server.Middleware.QueryStringDecodingMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.ReDoc.ReDocMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Jellyfin.Server.Middleware.RobotsRedirectionMiddleware.Invoke(HttpContext httpContext)
   at Jellyfin.Server.Middleware.LegacyEmbyRouteRewriteMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.ResponseCompression.ResponseCompressionMiddleware.InvokeCore(HttpContext context)
   at Jellyfin.Server.Middleware.ResponseTimeMiddleware.Invoke(HttpContext context, IServerConfigurationManager serverConfigurationManager)
   at Jellyfin.Server.Middleware.ExceptionMiddleware.Invoke(HttpContext context)

0 replies

9p4 · 2023-12-03T21:18:38Z

9p4
Dec 3, 2023
Maintainer

Can you upload the contents of the .well-known OpenID configuration URL? I want to check if Authentik is replying with the public-facing domain name or if it is instead replying with internal addresses.

0 replies

M-Davies · 2023-12-03T21:22:02Z

M-Davies
Dec 3, 2023
Author

Can you upload the contents of the .well-known OpenID configuration URL? I want to check if Authentik is replying with the public-facing domain name or if it is instead replying with internal addresses.

{
  "issuer": "https://auth.mydomain.tld/application/o/jellyfin/",
  "authorization_endpoint": "https://auth.mydomain.tld/application/o/authorize/",
  "token_endpoint": "https://auth.mydomain.tld/application/o/token/",
  "userinfo_endpoint": "https://auth.mydomain.tld/application/o/userinfo/",
  "end_session_endpoint": "https://auth.mydomain.tld/application/o/jellyfin/end-session/",
  "introspection_endpoint": "https://auth.mydomain.tld/application/o/introspect/",
  "revocation_endpoint": "https://auth.mydomain.tld/application/o/revoke/",
  "device_authorization_endpoint": "https://auth.mydomain.tld/application/o/device/",
  "response_types_supported": [
    "code",
    "id_token",
    "id_token token",
    "code token",
    "code id_token",
    "code id_token token"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "jwks_uri": "https://auth.mydomain.tld/application/o/jellyfin/jwks/",
  "grant_types_supported": [
    "authorization_code",
    "refresh_token",
    "implicit",
    "client_credentials",
    "password",
    "urn:ietf:params:oauth:grant-type:device_code"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "subject_types_supported": [
    "public"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "acr_values_supported": [
    "goauthentik.io/providers/oauth2/default"
  ],
  "scopes_supported": [
    "groups",
    "openid",
    "email",
    "profile"
  ],
  "request_parameter_supported": false,
  "claims_supported": [
    "sub",
    "iss",
    "aud",
    "exp",
    "iat",
    "auth_time",
    "acr",
    "amr",
    "nonce",
    "email",
    "email_verified",
    "name",
    "given_name",
    "preferred_username",
    "nickname",
    "groups"
  ],
  "claims_parameter_supported": false,
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ]
}

They appear to all be replying with the public facing domain name (I've obfuscated the actual result but the FQDN was the same on all of them)

0 replies

9p4 · 2023-12-03T21:24:01Z

9p4
Dec 3, 2023
Maintainer

In the Jellyfin plugin configuration, there's a checkbox that says, "Do not validate endpoints (insecure)". Try enabling that. Ideally you shouldn't keep it enabled, but this kind of issue usually points to a hard-to-debug configuration issue with how your server is set up.

2 replies

M-Davies Dec 3, 2023
Author

I wonder if the issue is because I'm using a wildcard cert which is used by both jellyfin and authentik?

9p4 Dec 3, 2023
Maintainer

I doubt it (as I have a similar setup but with Keycloak instead of Authentik)

M-Davies · 2023-12-03T21:28:11Z

M-Davies
Dec 3, 2023
Author

In the Jellyfin plugin configuration, there's a checkbox that says, "Do not validate endpoints (insecure)". Try enabling that. Ideally you shouldn't keep it enabled, but this kind of issue usually points to a hard-to-debug configuration issue with how your server is set up.

That worked :) Thanks for that. Weird on what it could be, I'm using LetsEncrypt for certs everywhere that should be universally trusted

0 replies

9p4 · 2023-12-03T21:29:39Z

9p4
Dec 3, 2023
Maintainer

Usually this is an issue with how the reverse proxy is configured and how it might not be properly forwarding the relevant headers. Out of curiosity, what reverse proxy are you using and do you mind uploading the configuration here?

0 replies

M-Davies · 2023-12-03T21:34:40Z

M-Davies
Dec 3, 2023
Author

Usually this is an issue with how the reverse proxy is configured and how it might not be properly forwarding the relevant headers. Out of curiosity, what reverse proxy are you using and do you mind uploading the configuration here?

Nginx 1.18.0. Configuration is below:

log_format stripsecrets '$remote_addr $host - $remote_user [$time_local] '
    '"$secretfilter" $status $body_bytes_sent '
    '$request_length $request_time $upstream_response_time '
    '"$http_referer" "$http_user_agent"';

map $request $secretfilter {
    ~*^(?<prefix1>.*[\?&]api_key=)([^&]*)(?<suffix1>.*)$  "${prefix1}***$suffix1";
    default                                               $request;
}

# Uncomment the commented sections after you have acquired a SSL Certificate
server {
    listen 80;
    listen [::]:80;
    server_name jellyfin.mydomain.tld;

    # Uncomment to redirect HTTP to HTTPS
    return 301 https://$host$request_uri;
}


server {
    listen 443 ssl http2;
    server_name jellyfin.mydomain.tld;

    ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
    client_max_body_size 20M;

    # Logfile
    access_log /var/log/nginx/access-jellyfin.log stripsecrets;

    ssl_certificate /etc/letsencrypt/live/mydomain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.tld/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
    ssl_trusted_certificate /etc/letsencrypt/live/mydomain.tld/chain.pem;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Security / XSS Mitigation Headers
    add_header X-XSS-Protection "0"; # Do NOT enable. This is obsolete/dangerous

    # COOP/COEP. Disable if you use external plugins/images/assets
    add_header Cross-Origin-Opener-Policy "same-origin" always;
    add_header Cross-Origin-Embedder-Policy "require-corp" always;
    add_header Cross-Origin-Resource-Policy "same-origin" always;

    # Tell browsers to use per-origin process isolation
    add_header Origin-Agent-Cluster "?1" always;

    location = / {
        return 302 http://$host/web/;
        return 302 https://$host/web/;
    }

    location / {
        # Proxy main Jellyfin traffic
        proxy_pass http://127.0.0.1:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;

        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;
    }

    # location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
    location = /web/ {
        # Proxy main Jellyfin traffic
        proxy_pass http://127.0.0.1:8096/web/index.html;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }

    location /socket {
        # Proxy Jellyfin Websockets traffic
        proxy_pass http://127.0.0.1:8096;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }
}

0 replies

9p4 · 2023-12-03T21:37:45Z

9p4
Dec 3, 2023
Maintainer

I don't see anything wrong there. What about the Nginx config for Authentik?

3 replies

M-Davies Dec 3, 2023
Author

# Upstream where your authentik server is hosted.
upstream authentik {
    server 127.0.0.1:9443;
    # Improve performance by keeping some connections alive.
    keepalive 10;
}

# Upgrade WebSocket if requested, otherwise use keepalive
map $http_upgrade $connection_upgrade_keepalive {
    default upgrade;
    ''      '';
}

server {
    # HTTP server config
    listen 80;
    server_name auth.mydomain.tld;

    # 301 redirect to HTTPS
    location / {
            return 301 https://$host$request_uri;
    }
}

server {
    # HTTPS server config
    listen 443 ssl http2;
    server_name auth.mydomain.tld;

    # TLS certificates
    ssl_certificate /etc/letsencrypt/live/mydomain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.tld/privkey.pem;

    # Proxy site
    location / {
        proxy_pass https://authentik;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade_keepalive;
    }
}

9p4 Dec 3, 2023
Maintainer

Yeah that looks good too. I do find it weird that the official docs have you set up SSL twice for some reason.

M-Davies Dec 3, 2023
Author

Yeah its odd, there doesn't seem to be a standard way of doing it.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Authentik "Provider does not exist" OIDC Failure #154

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 12 comments 5 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Authentik "Provider does not exist" OIDC Failure #154

M-Davies Dec 3, 2023

Replies: 12 comments · 5 replies

9p4 Dec 3, 2023 Maintainer

M-Davies Dec 3, 2023 Author

M-Davies Dec 3, 2023 Author

9p4 Dec 3, 2023 Maintainer

M-Davies Dec 3, 2023 Author

9p4 Dec 3, 2023 Maintainer

M-Davies Dec 3, 2023 Author

9p4 Dec 3, 2023 Maintainer

M-Davies Dec 3, 2023 Author

9p4 Dec 3, 2023 Maintainer

M-Davies Dec 3, 2023 Author

9p4 Dec 3, 2023 Maintainer

M-Davies Dec 3, 2023 Author

9p4 Dec 3, 2023 Maintainer

M-Davies Dec 3, 2023 Author

9p4 Dec 3, 2023 Maintainer

M-Davies Dec 3, 2023 Author

M-Davies
Dec 3, 2023

Replies: 12 comments 5 replies

9p4
Dec 3, 2023
Maintainer

M-Davies
Dec 3, 2023
Author

M-Davies
Dec 3, 2023
Author

9p4
Dec 3, 2023
Maintainer

M-Davies
Dec 3, 2023
Author

9p4
Dec 3, 2023
Maintainer

M-Davies
Dec 3, 2023
Author

9p4
Dec 3, 2023
Maintainer

M-Davies Dec 3, 2023
Author

9p4 Dec 3, 2023
Maintainer

M-Davies
Dec 3, 2023
Author

9p4
Dec 3, 2023
Maintainer

M-Davies
Dec 3, 2023
Author

9p4
Dec 3, 2023
Maintainer

M-Davies Dec 3, 2023
Author

9p4 Dec 3, 2023
Maintainer

M-Davies Dec 3, 2023
Author