Stuck at "Logging in..." using Authentik with web client, was working correctly previously. #204

Closed
OmniBlade opened this issue Aug 15, 2024 · 7 comments
Labels
duplicate This issue or pull request already exists

Comments

@OmniBlade

Describe the bug
When the SSO login is used through the web app it hangs on "Logging in...". Similar to #189
Jellyfin version 10.9.8
OIDC = Authentik.

To Reproduce
Steps to reproduce the behavior:

  1. Open browser and go to jellyfin URL
  2. Click on button to redirect to authentik
  3. Log in.
  4. get stuck at "Logging in..." message

Expected behavior
Log in correctly

Configuration

<?xml version="1.0" encoding="utf-8"?>
<PluginConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmln>
  <SamlConfigs />
  <OidConfigs>
    <item>
      <key>
        <string>Authentik</string>
      </key>
      <value>
        <PluginConfiguration>
          <OidEndpoint>https://authentik.domain.name/application/o/jellyfin</OidEndpoint>
          <OidClientId>HASH</OidClientId>
          <OidSecret>HASH</OidSecret>
          <Enabled>true</Enabled>
          <EnableAuthorization>true</EnableAuthorization>
          <EnableAllFolders>false</EnableAllFolders>
          <EnabledFolders />
          <AdminRoles>
            <string>jellyfin Admins</string>
          </AdminRoles>
          <Roles>
            <string>family Users</string>
          </Roles>
          <EnableFolderRoles>true</EnableFolderRoles>
          <EnableLiveTvRoles>false</EnableLiveTvRoles>
          <EnableLiveTv>false</EnableLiveTv>
          <EnableLiveTvManagement>false</EnableLiveTvManagement>
          <LiveTvRoles />
          <LiveTvManagementRoles />
          <FolderRoleMappings>
            <FolderRoleMappings>
              <Role>family Users</Role>
              <Folders>
                <string>HASH</string>
                <string>HASH</string>
                <string>HASH</string>
              </Folders>
            </FolderRoleMappings>
            <FolderRoleMappings>
           <RoleClaim>groups</RoleClaim>
          <OidScopes />
          <NewPath>false</NewPath>
          <CanonicalLinks>
            <item>
              <key>
                <string>user</string>
              </key>
              <value>
                <guid>GUID</guid>
              </value>
            </item>
          </CanonicalLinks>
          <DefaultUsernameClaim>email</DefaultUsernameClaim>
          <DisableHttps>false</DisableHttps>
          <DoNotValidateEndpoints>false</DoNotValidateEndpoints>
          <DoNotValidateIssuerName>false</DoNotValidateIssuerName>
        </PluginConfiguration>
      </value>
    </item>
  </OidConfigs>
</PluginConfiguration>

Versions (please complete the following information):

  • OS: Linux
  • Browser: Tested in Firefox and Chrome on android, Firefox on Linux.
  • Jellyfin Version: 1.9.8
  • Plugin Version: 3.5.2.4

Additional context
I previously had this working, but it seems to have broken either by some inadvertent config change or due to a recent authentik update. Using web developer tools it appears there is an XHR failure on https://jellyfin.domain.name/sso/OID/Auth/Authentik.

@OmniBlade OmniBlade added the bug label Aug 15, 2024
@mpedziwiatr02

mpedziwiatr02 commented Aug 17, 2024

I see the same for Jellyfin version 10.9.9, Plugin version 3.5.2.4.

Logs

[2024-08-17 13:33:46.659 +00:00] [INF] [86] Jellyfin.Plugin.SSO_Auth.Api.SSOController: SSO Controller initialized
[2024-08-17 13:33:46.660 +00:00] [ERR] [86] Jellyfin.Api.Middleware.ExceptionMiddleware: Error processing request. URL "POST" "/sso/OID/Auth/authentik".
System.NullReferenceException: Object reference not set to an instance of an object.
   at Jellyfin.Plugin.SSO_Auth.Api.SSOController.Authenticate(Guid userId, Boolean isAdmin, Boolean enableAuthorization, Boolean enableAllFolders, String[] enabledFolders, Boolean enableLiveTv, Boolean enableLiveTvAdmin, AuthResponse authResponse, String defaultProvider)
   at Jellyfin.Plugin.SSO_Auth.Api.SSOController.OidAuth(String provider, AuthResponse response)
   at lambda_method1738(Closure, Object)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfActionResultExecutor.Execute(ActionContext actionContext, IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextResourceFilter>g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeFilterPipelineAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Jellyfin.Api.Middleware.ServerStartupMessageMiddleware.Invoke(HttpContext httpContext, IServerApplicationHost serverApplicationHost, ILocalizationManager localizationManager)
   at Jellyfin.Api.Middleware.WebSocketHandlerMiddleware.Invoke(HttpContext httpContext, IWebSocketManager webSocketManager)
   at Jellyfin.Api.Middleware.IPBasedAccessValidationMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager)
   at Jellyfin.Api.Middleware.LanFilteringMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager, IServerConfigurationManager serverConfigurationManager)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Jellyfin.Api.Middleware.QueryStringDecodingMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.ReDoc.ReDocMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Jellyfin.Api.Middleware.RobotsRedirectionMiddleware.Invoke(HttpContext httpContext)
   at Jellyfin.Api.Middleware.LegacyEmbyRouteRewriteMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.ResponseCompression.ResponseCompressionMiddleware.InvokeCore(HttpContext context)
   at Jellyfin.Api.Middleware.ResponseTimeMiddleware.Invoke(HttpContext context, IServerConfigurationManager serverConfigurationManager)
   at Jellyfin.Api.Middleware.ExceptionMiddleware.Invoke(HttpContext context)

@9p4
Owner

9p4 commented Aug 18, 2024

@OmniBlade Can you please upload the Jellyfin logs?

@OmniBlade
Author

This is the log from my instance for an SSO attempt:

[2024-08-19 10:00:13.586 +01:00] [INF] [4] Jellyfin.Plugin.SSO_Auth.Api.SSOController: SSO Controller initialized
[2024-08-19 10:00:14.019 +01:00] [INF] [4] Emby.Server.Implementations.ScheduledTasks.TaskManager: "Webhook Item Added Notifier" Completed after 0 minute(s) and 0 seconds
[2024-08-19 10:00:17.355 +01:00] [INF] [4] Jellyfin.Plugin.SSO_Auth.Api.SSOController: SSO Controller initialized
[2024-08-19 10:00:22.891 +01:00] [INF] [35] Jellyfin.Plugin.SSO_Auth.Api.SSOController: Is request linking: False
[2024-08-19 10:00:24.349 +01:00] [INF] [27] Jellyfin.Plugin.SSO_Auth.Api.SSOController: SSO Controller initialized
[2024-08-19 10:00:24.352 +01:00] [ERR] [27] Jellyfin.Api.Middleware.ExceptionMiddleware: Error processing request. URL "POST" "/sso/OID/Auth/Authentik".
System.ArgumentException: Invalid username (Parameter 'name')
   at Jellyfin.Server.Implementations.Users.UserManager.GetUserByName(String name)
   at Jellyfin.Plugin.SSO_Auth.Api.SSOController.CreateCanonicalLinkAndUserIfNotExist(String mode, String provider, String canonicalName)
   at Jellyfin.Plugin.SSO_Auth.Api.SSOController.OidAuth(String provider, AuthResponse response)
   at lambda_method314(Closure, Object)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfActionResultExecutor.Execute(ActionContext actionContext, IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextResourceFilter>g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeFilterPipelineAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Jellyfin.Api.Middleware.ServerStartupMessageMiddleware.Invoke(HttpContext httpContext, IServerApplicationHost serverApplicationHost, ILocalizationManager localizationManager)
   at Jellyfin.Api.Middleware.WebSocketHandlerMiddleware.Invoke(HttpContext httpContext, IWebSocketManager webSocketManager)
   at Jellyfin.Api.Middleware.IPBasedAccessValidationMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager)
   at Jellyfin.Api.Middleware.LanFilteringMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager, IServerConfigurationManager serverConfigurationManager)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Jellyfin.Api.Middleware.QueryStringDecodingMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.ReDoc.ReDocMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Jellyfin.Api.Middleware.RobotsRedirectionMiddleware.Invoke(HttpContext httpContext)
   at Jellyfin.Api.Middleware.LegacyEmbyRouteRewriteMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.ResponseCompression.ResponseCompressionMiddleware.InvokeCore(HttpContext context)
   at Jellyfin.Api.Middleware.ResponseTimeMiddleware.Invoke(HttpContext context, IServerConfigurationManager serverConfigurationManager)
   at Jellyfin.Api.Middleware.ExceptionMiddleware.Invoke(HttpContext context)

@9p4
Owner

9p4 commented Aug 19, 2024

You two have different issues. @OmniBlade your issue is caused by Jellyfin's username sanitization. Because you are using the email field, which has an @ in it, it fails the Jellyfin username verification. You'll have to switch to using preferred_username or sub or something instead.

I have been thinking about how to best "normalize" the usernames to prevent this kind of issue (#199). There are two approaches to this: first is to strip out all special characters, but that would cause collisions (i.e., two different SSO users, one named user1@ and another named user1 would both share Jellyfin account user1 if the extraneous characters are stripped). Another option is to add an option to "hash" usernames, which would be much more secure and normalize into hexadecimal. A third option would be to create a complicated escaping system on the usernames to normalize them, but that would be difficult and likely open security vulnerabilities.

What do you think I should do?
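
An added illustration of the trade-off described in the comment above, not code from the plugin or its maintainer: stripping special characters merges distinct SSO identities into one local account, while a hex digest keeps them apart. The sample names, the allow-list regex and the provider-scoped hash input are assumptions made for this example.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample identities; none come from the issue thread.
SSO_NAMES = ["user1", "user1@", "user.1", "alice@example.com", "alice@example.org"]

# Assumption: a conservative allow-list standing in for the server's username check.
SAFE_NAME = re.compile(r"^[A-Za-z0-9]+$")


def strip_normalize(name: str) -> str:
    """Option 1 from the comment: drop every character outside the allow-list."""
    return re.sub(r"[^A-Za-z0-9]", "", name)


def hash_normalize(provider: str, name: str, length: int = 32) -> str:
    """Option 2: hex digest of provider + name (provider scoping is an assumption).

    The NUL separator keeps ("ab", "c") and ("a", "bc") distinct. Truncating
    to 32 hex characters still leaves 128 bits of the SHA-256 output.
    """
    digest = hashlib.sha256(f"{provider}\0{name}".encode("utf-8")).hexdigest()
    return digest[:length]


def collisions(names, normalize):
    """Group distinct SSO names that end up sharing one local account name."""
    buckets = defaultdict(set)
    for n in names:
        buckets[normalize(n)].add(n)
    return {local: sorted(srcs) for local, srcs in buckets.items() if len(srcs) > 1}


def report():
    """Return (collisions under stripping, collisions under hashing)."""
    stripped = collisions(SSO_NAMES, strip_normalize)
    hashed = collisions(SSO_NAMES, lambda n: hash_normalize("Authentik", n))
    return stripped, hashed


if __name__ == "__main__":
    stripped, hashed = report()
    print("strip collisions:", stripped)
    print("hash collisions: ", hashed)
```

With stripping, three different identities all map to the local account `user1`; with hashing, every identity gets its own name, at the cost of usernames that are no longer human-readable.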

@9p4
Owner

9p4 commented Aug 19, 2024

I'm going to mark this as a duplicate of #199, we can continue the conversation there.

@9p4 9p4 closed this as not planned Aug 19, 2024
@9p4 9p4 added duplicate and removed bug labels Aug 19, 2024
@9p4
Owner

9p4 commented Aug 19, 2024

@mpedziwiatr02 can you open a new issue/discussion post, as your issue is likely not related.

@mpedziwiatr02

mpedziwiatr02 commented Aug 19, 2024

@9p4 never mind, I fixed it by removing the affected item in CanonicalLinks and restarting Jellyfin (it was working for other accounts and not for mine). Now it seems fine, I'll open an issue if I encounter any more problems.
