SSO login not working after changing username #146

Open
mardom1 opened this issue Sep 26, 2023 · 10 comments
Labels
bug Something isn't working

Comments

mardom1 commented Sep 26, 2023

Describe the bug
I have an existing Jellyfin user account and an Authentik account. Jellyfin SSO plugin is set up for OpenID. The usernames are different. Two (probably related) issues:

  1. When I go to the self service page and try to link the accounts, the authentication succeeds, but creates a new user instead of linking it to my existing one.
  2. If I change my Jellyfin username to match the one in Authentik, the linking works as expected. However, if I then change the username in Jellyfin back and try to log in via SSO again, a new user gets created, even though the self service page still shows the SSO account as linked.

To Reproduce
Steps to reproduce the behavior:

  1. Set Jellyfin username to match OID one.
  2. Link accounts using self-service page.
  3. Change Jellyfin username to something different.
  4. Log out.
  5. Log in via SSO.
  6. You are now logged in as a newly created user matching the SSO username.

Expected behavior
Be logged in as the already linked user.

Screenshots
Not needed.

Configuration
Not needed.

Versions (please complete the following information):

  • OS: Linux
  • Browser: Chrome
  • Jellyfin Version: 10.8.10
  • Plugin Version: 3.5.2.0

mardom1 added the bug label Sep 26, 2023

Owner

9p4 commented Sep 28, 2023

#75

Owner

9p4 commented Sep 28, 2023

If you set the preferred claim to "sub", it'll work automatically. It will make the usernames in Jellyfin ugly, though.

Owner

9p4 commented Sep 28, 2023

Perhaps linking can be expanded so that it maps sub to a username.

Author

mardom1 commented Sep 28, 2023

That does not solve it for me. Still unlinks once the Jellyfin username gets changed by an admin. I thought that this was possible:

If users are registered using this plugin using a provider that doesn't support friendly names, such as Google, the username of the new account will still be numeric, however, an admin can now change the username to something better manually afterwards, and the linking will be intact (#34)

Is the SSO user mapped to the Jellyfin username or to the Jellyfin UID?

Owner

9p4 commented Sep 28, 2023

When linking, the SSO username claim is mapped to Jellyfin's user UID.

Owner

9p4 commented Sep 28, 2023

Ideally, we can switch to using sub internally and use the linking logic everywhere.

Author

mardom1 commented Sep 29, 2023

After looking into the code, it seems this line is the culprit:

user = _userManager.GetUserByName(canonicalName);

As I understand it, it only works when the canonicalName is equal to the Jellyfin username, regardless of any CanonicalLinks. Shouldn't the canonicalName be mapped to the Jellyfin user UID using the CanonicalLinks and that UID looked up using GetUserById?

Owner

9p4 commented Sep 29, 2023

Yes, that is on the roadmap. It isn't implemented quite yet.
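
The lookup proposed in the comments above, as an added example that is not the plugin's code: a claim value is resolved through a link table to a user UID and then by ID, shown next to the name lookup quoted in the thread. `UserStore`, `Resolver`, `Outcome` and the sample accounts are hypothetical, and the dictionary only stands in for the CanonicalLinks the thread mentions.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed sample: one account is linked, then renamed by an admin.
var store = new UserStore();
var account = store.Add("jdoe");
var links = new Dictionary<string, Guid> { ["jdoe"] = account.Id }; // claim value -> user UID
store.Rename(account.Id, "John");

var byName = store.GetUserByName("jdoe");            // lookup style quoted in the thread
var byNameText = byName?.Name ?? "no match";
var byLink = Resolver.Resolve(store, links, "jdoe"); // lookup style proposed in the thread
Console.WriteLine($"name lookup after rename: {byNameText}");
Console.WriteLine($"link lookup after rename: {byLink}");

store.Remove(account.Id); // the link entry now points at a UID that no longer exists
Console.WriteLine($"link lookup after delete: {Resolver.Resolve(store, links, "jdoe")}");
Console.WriteLine($"identity with no link:    {Resolver.Resolve(store, links, "asmith")}");

record User(Guid Id, string Name);
enum Outcome { Linked, NotLinked, DanglingLink }

// Hypothetical in-memory store; only the two lookup method names mirror the thread.
class UserStore
{
    private readonly Dictionary<Guid, User> _users = new();
    public User Add(string name) { var u = new User(Guid.NewGuid(), name); _users[u.Id] = u; return u; }
    public void Rename(Guid id, string name) => _users[id] = _users[id] with { Name = name };
    public void Remove(Guid id) => _users.Remove(id);
    public User? GetUserById(Guid id) => _users.TryGetValue(id, out var u) ? u : null;
    public User? GetUserByName(string name) =>
        _users.Values.FirstOrDefault(u => string.Equals(u.Name, name, StringComparison.OrdinalIgnoreCase));
}

static class Resolver
{
    // Claim value -> linked UID -> GetUserById; the current username is never consulted.
    public static (Outcome, User?) Resolve(UserStore store, IReadOnlyDictionary<string, Guid> links, string claim)
    {
        if (!links.TryGetValue(claim, out var id)) return (Outcome.NotLinked, null); // caller may provision
        var user = store.GetUserById(id);
        if (user is null) return (Outcome.DanglingLink, null); // caller rejects the login and flags the stale link
        return (Outcome.Linked, user);
    }
}
```

Keeping `NotLinked` and `DanglingLink` as separate outcomes lets the caller provision a new account only for identities that were never linked, and refuse the login with a clear error when a link points at a missing user.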

Dark3clipse commented May 25, 2024

I have accidentally renamed my user account, and then a new user with the old name was created by this plugin. I removed that user. Now my SSO is no longer working.

[22:09:33] [ERR] [41] Jellyfin.Api.Middleware.ExceptionMiddleware: Error processing request. URL POST /sso/OID/Auth/keycloak.
System.NullReferenceException: Object reference not set to an instance of an object.
   at Jellyfin.Plugin.SSO_Auth.Api.SSOController.Authenticate(Guid userId, Boolean isAdmin, Boolean enableAuthorization, Boolean enableAllFolders, String[] enabledFolders, Boolean enableLiveTv, Boolean enableLiveTvAdmin, AuthResponse authResponse, String defaultProvider)
   at Jellyfin.Plugin.SSO_Auth.Api.SSOController.OidAuth(String provider, AuthResponse response)
   at lambda_method1128(Closure, Object)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfActionResultExecutor.Execute(ActionContext actionContext, IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextResourceFilter>g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeFilterPipelineAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Prometheus.HttpMetrics.HttpRequestDurationMiddleware.Invoke(HttpContext context)
   at Prometheus.HttpMetrics.HttpRequestCountMiddleware.Invoke(HttpContext context)
   at Prometheus.HttpMetrics.HttpInProgressMiddleware.Invoke(HttpContext context)
   at Jellyfin.Api.Middleware.ServerStartupMessageMiddleware.Invoke(HttpContext httpContext, IServerApplicationHost serverApplicationHost, ILocalizationManager localizationManager)
   at Jellyfin.Api.Middleware.WebSocketHandlerMiddleware.Invoke(HttpContext httpContext, IWebSocketManager webSocketManager)
   at Jellyfin.Api.Middleware.IPBasedAccessValidationMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager)
   at Jellyfin.Api.Middleware.LanFilteringMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager, IServerConfigurationManager serverConfigurationManager)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Jellyfin.Api.Middleware.QueryStringDecodingMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.ReDoc.ReDocMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Jellyfin.Api.Middleware.RobotsRedirectionMiddleware.Invoke(HttpContext httpContext)
   at Jellyfin.Api.Middleware.LegacyEmbyRouteRewriteMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.ResponseCompression.ResponseCompressionMiddleware.InvokeCore(HttpContext context)
   at Jellyfin.Api.Middleware.ResponseTimeMiddleware.Invoke(HttpContext context, IServerConfigurationManager serverConfigurationManager)
   at Jellyfin.Api.Middleware.ExceptionMiddleware.Invoke(HttpContext context)

How can I make it work again?

Owner

9p4 commented May 27, 2024

Stop Jellyfin, and edit the SSO-Auth.xml configuration file. Change the username in the linked accounts section, and start Jellyfin.
