RoleClaims parser failure on authelia's OIDC setup

[grapemix]

Describe the bug
jellyfin-plugin-sso is unable to parse/handle from authelia openId result because of different format (JSON key pair vs str array). I just use very basic setup. See below.

To Reproduce
Use SSO btn to login after setup.

Expected behavior
Error from console:

Jellyfin.Plugin.SSO_Auth.Api.SSOController: OpenID user 538f10fb-6d0e-4c42-b636-b329a8cf928b has one or more incorrect role claims: [{"Type": "amr", "Value": "pwd"}, {"Type": "azp", "Value": "jellyfin"}, {"Type": "client_id", "Value": "jellyfin"}, {"Type": "groups", "Value": "admin"}, {"Type": "groups", "Value": "user"} ... Skip.... ]. Expected any one of: ["user", "admin"]

Based on OpenID's result, we would like to find something like '{"Type": "groups", "Value": "user"}' instead of just "user". I've tried to put '{"Type": "groups", "Value": "user"}' in the Roles field, but I have no luck. The Role Claim seems not support this JSON key pair case since the JSON is not like {"groups": ["user", "admin"]}.

I've seen a few post's cfg is like mine, but they seems have no problem...
#23
#88

Configuration
Authelia cfg:

      - client_id: jellyfin
        client_name: jellyfin
        client_secret: "{{ .JELLYFIN_OAUTH_CLIENT_SECRET }}"
        authorization_policy: one_factor
        pre_configured_consent_duration: 1y
        consent_mode: 'implicit'
        public: false
        require_pkce: true
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_post'
        scopes:
          - openid
          - profile
          - groups
        redirect_uris:
          - https://jellyfin.{{ .SECRET_DOMAIN }}/sso/OID/start/authelia
          - https://jellyfin.{{ .SECRET_DOMAIN }}/sso/OID/p/authelia
          - https://jellyfin.{{ .SECRET_DOMAIN }}/sso/OID/redirect/authelia
          - https://jellyfin.{{ .SECRET_DOMAIN }}/sso/OID/r/authelia

Plugin cfg:

  OidEndpoint: https://authelia.example.com/.well-known/openid-configuration/
  OidClientId: jellyfin
  OidSecret: <omitted>
  Enabled: true
  EnableAuthorization: true
  EnableAllFolders: true
  EnabledFolders: []
  Roles: [user,admin]
  Admin Roles: [admin]
  EnableFolderRoles: false
  FolderRoleMapping: []
  # As the UI page suggested
  RoleClaim: groups
  Request Additional Scopes: groups

Versions (please complete the following information):

• OS: Linux (k8s)
• Browser: Firefox
• Jellyfin Version: 10.9.11@sha256:fc1b51f4be3fba725e42dae2022d9c6a5b069acce01bef04d32fdee025dc511e
• Plugin Version: 3.5.2.4

Additional context
Add any other context about the problem here. Was the plugin built from source?

[9p4]

Can you upload the configuration as a .XML ?

[taiwan-king]

not work with authelia
gg
There is no unified configuration at all.
Even the official example is wrong

https://www.authelia.com/integration/openid-connect/jellyfin/

[9p4]

Unfortunately, I don't control Authelia's docs.

[grapemix]

Sorry for the late reply. I can't find the XML file in my volume. So I manually copy and replace the settings from my UI.

<?xml version="1.0" encoding="utf-8"?>
<PluginConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <SamlConfigs />
  <OidConfigs>
    <item>
      <key>
        <string>authelia</string>
      </key>
      <value>
        <PluginConfiguration>
          <OidEndpoint>https://authelia.example.com/.well-known/openid-configuration</OidEndpoint>
          <OidClientId>jellyfin</OidClientId>
          <OidSecret>insecure_secret</OidSecret>
          <Enabled>true</Enabled>
          <EnableAuthorization>true</EnableAuthorization>
          <EnableAllFolders>true</EnableAllFolders>
          <EnabledFolders />
          <EnableFolderRoles>false</EnableFolderRoles>
          <EnableLiveTvRoles>false</EnableLiveTvRoles>
          <EnableLiveTv>false</EnableLiveTv>
          <EnableLiveTvManagement>false</EnableLiveTvManagement>
          <LiveTvRoles />
          <LiveTvManagementRoles />
          <FolderRoleMappings />
          <RoleClaim>groups</RoleClaim>
          <OidScopes>
            <string>groups</string>
          </OidScopes>
          <CanonicalLinks></CanonicalLinks>
          <DisableHttps>false</DisableHttps>
          <DoNotValidateEndpoints>false</DoNotValidateEndpoints>
          <DoNotValidateIssuerName>false</DoNotValidateIssuerName>
        </PluginConfiguration>
      </value>
    </item>
  </OidConfigs>
</PluginConfiguration>

Basically, my settings are pretty standard. I noticed lots of ppl have very similar settings. My jellyfin+OIDC does work, but only roles part fails. So I have to temporary remove the part below to work. I would expect the following settings are legit.

          <AdminRoles>
            <string>admin</string>
          </AdminRoles>
          <Roles>
            <string>user</string>
            <string>admin</string>
          </Roles>

Anyway, thanks for the detail logs, I think I am close to the bug. Unfortunately, I am not a C# dev. I can only tell the datastructure comparison fails because the two data types are simply not matched. (Dict/Hashmap/JSON object vs str). Let me know if you need more information. Thanks for your quick reply.

[9p4]

I'm not sure what's going on. It should work as-is. The array that is being returned is not how it's checked, but just a way to debug it easily, so it's not a type issue. I'll try reproducing the issue, but so far I cannot.

[hendrik1120]

First of all, the authelia docs are supported by the community. If you notice anything wrong, feel free to reach out.
However, I just verified them to be completely correct!

The only way I can reproduce this error is by deliberately ignoring the following instruction

A list of roles, one role per-line to look for in the OpenID response.

for the roles option in the jellyfin-sso plugin UI by comma or space separating them.

@grapemix The xml file is located in /plugins/configuration. Please don't copy anything manually as it doesn't at all replicate how the application is parsing the data.

Best example would be if you enter user,admin in the roles field of the UI it would translate to

<Roles>
  <string>user,admin</string>
</Roles>

instead of

<Roles>
  <string>user</string>
  <string>admin</string>
</Roles>

[grapemix]

@hendrik1120 , thanks for your help.

In short, I tried what you suggested, but the bug still exists.

Long story:

1. I did try all combinations (comma, space and CRLF) after reading your comment on the Roles field. All of them fails and yield the same err I posted above.
2. I did try to put only single group in Roles, but it stills yield the same err.
3. On the other hand, no matter what input is in AdminRoles. There has no err. I guess the plugin simply ignore this field. I even put non-exist grp with CRLF.
4. I did try to put

          <Roles>
            <item>
              <key>groups</key><value>user</value>
            </item>
          </Roles>

for science. The UI can't load the field and leave the field empty. So no error.
5. FYI, I use glauth+authelia to provide groups info. I have other apps which all works fine. I did see target groups name being shown in the err msg.
6. I did saw #211 (comment) and authelia/authelia#7472 (comment), but they are using authz instead of the regular endpoints. Ppl posted the same problem in various places: https://forum.jellyfin.org/t-trying-to-authenticate-and-authorize-through-authelia-group-problem, https://redlib.catsarch.com/r/selfhosted/comments/196lc83/authelia_oidc_and_jellyfin_with_jellyfinpluginsso.
7. From https://redlib.catsarch.com/r/selfhosted/comments/196lc83/authelia_oidc_and_jellyfin_with_jellyfinpluginsso, another one also suspected the root of the problem is because Authelia doesn't return group as list/arrary. @9p4 , would you mind check the data type returned from Authelia please? Or printing more debug information of the data and data type returned from Authelia and the data and data type this plugin want?

Here is the XML extracted from vol:

<?xml version="1.0" encoding="utf-8"?>
<PluginConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <SamlConfigs />
  <OidConfigs>
    <item>
      <key>
        <string>authelia</string>
      </key>
      <value>
        <PluginConfiguration>
          <OidEndpoint>https://authelia.example.com/.well-known/openid-configuration</OidEndpoint>
          <OidClientId>jellyfin</OidClientId>
          <OidSecret>insecure_secret</OidSecret>
          <Enabled>true</Enabled>
          <EnableAuthorization>true</EnableAuthorization>
          <EnableAllFolders>true</EnableAllFolders>
          <EnabledFolders />
          <AdminRoles>
            <string>non-exist-group-1</string>
            <string>non-exist-group-2</string>
          </AdminRoles>
          <Roles>
            <string>user</string>
          </Roles>
          <EnableFolderRoles>false</EnableFolderRoles>
          <EnableLiveTvRoles>false</EnableLiveTvRoles>
          <EnableLiveTv>false</EnableLiveTv>
          <EnableLiveTvManagement>false</EnableLiveTvManagement>
          <LiveTvRoles />
          <LiveTvManagementRoles />
          <FolderRoleMappings />
          <RoleClaim>groups</RoleClaim>
          <OidScopes>
            <string>groups</string>
          </OidScopes>
          <SchemeOverride>https</SchemeOverride>
          <NewPath>false</NewPath>
          <CanonicalLinks>
            <item>
              <key>
                <string>MY_USER_NAME</string>
              </key>
              <value>
                <guid>SOME_GUID</guid>
              </value>
            </item>
          </CanonicalLinks>
          <DisableHttps>false</DisableHttps>
          <DoNotValidateEndpoints>false</DoNotValidateEndpoints>
          <DoNotValidateIssuerName>false</DoNotValidateIssuerName>
        </PluginConfiguration>
      </value>
    </item>
  </OidConfigs>
</PluginConfiguration>

Removing Roles field has no err and vice versa. AdminRoles field is neglected by this plugin.

[hendrik1120]

@grapemix Thank you for taking the time to troubleshoot this again.

Unfortunately, I am still unable to reproduce your issue with the information you provided. All I can say is that “it works on my machine” with any amount of groups. (docker, authelia 4.38.15, traefik 3.1.4, jellyfin 10.9.11)
Please don't forget to restart jellyfin and/or authelia for the configuration changes to take effect.

To reliably reproduce your issue, I at least need your authelia version + configuration.yml (redacted) and proxy config. I am still confident that the jellyfin plugin is working correctly and that it is likely a configuration issue. Also, the issues you listed were either caused by misconfiguration or are not related.

Edit: Please also set authelia logs to debug and provide those as well

[taiwan-king]

Are you sure authelia's documentation is correct?
I think maybe the document is no longer applicable to the current situation.
redirect_uris:
- 'https://jellyfin.example.com/sso/OID/redirect/authelia'
In fact, when I tested it, the page couldn't even come out. Instead, I looked at other cases and added relevant URIs before the page came out normally.

#182

8.Roles: jellyfin-users

9.Admin Roles: jellyfin-admins

      <AdminRoles>
        <string>admins</string>
      </AdminRoles>
      <Roles>
        <string>users</string>
      </Roles>

Are these two the same settings?

I have used other methods to achieve my goal, just reporting back on the situation at that time.

[hendrik1120]

@taiwan-king Without any logs or configurations and only the description of “the page not coming out” I am sorry, but I can't help you. You didn't even specify the URIs you added to make it work for you.
All I can say is that https://jellyfin.example.com/sso/OID/redirect/authelia is working just fine for me on all platforms, including the mobile apps.
Please provide more info, and I am happy to update the documentation.

[grapemix]

ghcr.io/authelia/authelia:4.38.8
ghcr.io/onedr0p/glauth:v2.2.0-rc1
jellyfin/jellyfin:10.9.11
jellyfin-plugin-sso:3.5.2.4

Tailored authelia cfg:

authentication_backend:
  ldap:
    address: MY_LDAP_ADDR
    implementation: custom
    timeout: 5s
    start_tls: false
    base_dn: DEPENDS_ON_HOW_YOU_SETUP
    additional_users_dn: ou=users
    users_filter: 'DEPENDS_ON_HOW_YOU_SETUP'
    # The line below causes requests NOT returning users' grp (So I always disable it and all my other apps which used LDAP groups work fine)
    # ref: https://github.com/authelia/authelia/issues/508
    #additional_groups_dn: ou=groups
    groups_filter:  'DEPENDS_ON_HOW_YOU_SETUP'
    group_search_mode: filter
    user: "DEPENDS_ON_HOW_YOU_SETUP"
    password: "{{ .AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD }}"
    attributes:
      username: uid
      display_name: givenName
      mail: mail
      member_of: memberOf
      group_name: cn
identity_providers:
  oidc:
    hmac_secret: "{{ .AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET }}"
    cors:
      endpoints: ["authorization", "token", "revocation", "introspection"]
      allowed_origins_from_client_redirect_uris: true
    jwks:
      - key: |-
          {{- .AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY | nindent 10 }}
        algorithm: 'RS256'
    clients:
      - client_id: jellyfin
        client_name: jellyfin
        client_secret: "{{ .JELLYFIN_OAUTH_CLIENT_SECRET }}"
        authorization_policy: one_factor
        pre_configured_consent_duration: 1y
        consent_mode: 'implicit'
        public: false
        require_pkce: true
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_post'
        scopes:
          - openid
          - profile
          - groups
        redirect_uris:
          - https://jellyfin.{{ .SECRET_DOMAIN }}/sso/OID/start/authelia
          - https://jellyfin.{{ .SECRET_DOMAIN }}/sso/OID/p/authelia
          - https://jellyfin.{{ .SECRET_DOMAIN }}/sso/OID/redirect/authelia
          - https://jellyfin.{{ .SECRET_DOMAIN }}/sso/OID/r/authelia

authelia's log (log lvl=debug)

on client with id 'jellyfin' is being processed" method=GET path=/api/oidc/authorization remote_ip=y.y.y.y
on client with id 'jellyfin' was successfully processed, proceeding to build Authorization Response" method=GET path=/api/oidc/authorization remote_ip=y.y.y.y
on client with id 'jellyfin' is being processed" method=POST path=/api/oidc/token remote_ip=x.x.x.x
on client with id 'jellyfin' has successfully been processed" method=POST path=/api/oidc/token remote_ip=x.x.x.x
is being processed" method=GET path=/api/oidc/userinfo remote_ip=x.x.x.x
on client with id 'jellyfin' is being returned unsigned as per the registered client configuration" method=GET path=/api/oidc/userinfo remote_ip=x.x.x.x
on client with id 'jellyfin' was successfully processed" method=GET path=/api/oidc/userinfo remote_ip=x.x.x.x

I think as long as I saw LDAP groups info being returned from authelia (being shown in the SSO's err msg). I would considered the authelia+LDAP setup is correct. (I also have various apps which depends on my LDAP's group for permissions). I hope my info helps.

[hendrik1120]

@grapemix No idea, what's wrong with your setup.
At this point, I have added extra logging to the plugin, checked the types and tried to break the plugin in various ways, but I just can't replicate your issue.
With so much information withheld even in the original log message "... Skip...." I am not investing any more time in this.
Also, your initial assumption regarding the types is inaccurate, as it is impossible to infer types from a log message.
There is just different formatting applied to show all claims, as you can see here:

_logger.LogWarning(
    "OpenID user {Username} has one or more incorrect role claims: {@Claims}. Expected any one of: {@ExpectedClaims}",
    StateManager[state].Username,
    result.User.Claims.Select(o => new { o.Type, o.Value }),
    config.Roles);

I am confident someone who is running jelyfin in k8s can figure this out though :)

[ilbarone87]

I've posted something in this discussion #205, but although I'm using zitadel instead of authelia, seems I'm experiencing a similar issue.
Doesn't seem the roles are working correctly for me either.