-
-
Notifications
You must be signed in to change notification settings - Fork 5
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add custom scheme handler / intent handler to accomodate single-sign-on via browser #28
Comments
Hi - This is migrated from the Jf-dev matrix channel @thornbill @nielsvanvelzen |
Thanks, I've looked at some other apps (mainly Element) to see how they add a similar feature. One change I'd like to make is to use a temporary login token that needs to be exchanged by the Jellyfin app for an access token. So you get a flow similar to this:
Login implementation for Element: https://github.com/vector-im/element-android/blob/afaa89ad42e1803b53c4610169646fedef4c0f68/docs/signin.md#login-with-sso The sign in activity in the app will likely show a popup to confirm if the user wants to sign in. Maybe an endpoint to introspect the login token can be used to add more details to this popup (name of the user to sign in with for example). |
Awesome, glad to hear you're on-board with the use case!
Seems reasonable - it'd be nice to make this optional, just for UX, since it's one extra click/touch, though I don't really know how configuring that could work (the point of an explicit login-consent flow is to ensure the user wants this, so we can't trust the query string to toggle it for example)
Yep, this occurred to me too- It might be slightly more complex to implement (And I think I'll have to touch other aspects of the architecture?) but I do understand why you're requesting this. it's kind of like a "reverse quick-connect" - From an authenticated session, generate a one-time code & a client consumes that. Do you anticipate that I'll have to make changes to jellyfin-server to accomodate the I don't think this is a bad thing- This being a general feature of jellyfin-server is probably a good thing, and will likely service use-cases beyond my specific one (Once it's generally available, i might even be able to use it to simplify my plugin) Projected Overall architectual scopeMy suspicion is that I'll be exposing the following API endpoints: (These are just sketches of what it might look like so i understand the components) jellyfin-server:
my plugin:This is pretty straightforward from my end
clients:
Versioning concernAssuming we need to change the jellyfin server's API - which I think is likely: for a client to use this functionality, they will need to call:
This will fail (404 probably) on jf server versions that predate this feature. We have a few options to handle this version dependency -
|
Yeah definitely, the server should always have the API available and just do nothing when there is no plugin using it.
The API changes seem fine to me, the generateExchangeToken operation might not be needed. The paths and exact parameters will probably change when the actual PR for the server is made. I think most requests will be POST instead of GET.
I think just
Assuming all server changes are merged for 10.9 the official clients will only start supporting the feature in 10.9. They will likely read the public system info first ( |
(Moved to jellyfin-meta since this repository makes more sense for discussing organization wide changes) |
This comment was marked as off-topic.
This comment was marked as off-topic.
To give my view: A flow this way would not be safe. Oauth2 standard requires PKCE for mobile apps, bc otherwise other (malicious) apps could receive the login code. A safe flow (see also https://datatracker.ietf.org/doc/html/rfc8252 ):
The SSO provider checks in a flow beginning with a code_challenge if verifier matches the code, if not the code cannot be used. A malicious app cannot unhash the verifier and as such it is safe. |
This comment was marked as off-topic.
This comment was marked as off-topic.
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
Request
Basically, I'd like to be able to open a link with a custom schema to the app that supplies:
To an intent handler (or whatever we call it in ios), that stores that information in the web client to initiate a session, and skips the login.
This would intend to accomodate single-sign-on via plugin, eg the popular
https://github.com/9p4/jellyfin-plugin-sso
Here is a demonstration of the current flow on the android client (behaves similarly)
Screen_Recording_20220717-200505_Firefox.Beta.mp4
Take note that although we can get a via single sign on, the new session is in the browser, rather than the jellyfin app.
From a technical perspective, this is not too hard to implement, both Android and iOS have APIs for using custom links open apps with some kind of data payload https://developer.apple.com/documentation/xcode/defining-a-custom-url-scheme-for-your-app
Background
I am one of the maintainers of a plugin that provides single-sign-on to jellyfin servers
https://github.com/9p4/jellyfin-plugin-sso
The plugin is now at a stage of development where its functionality is quite mature, but its main limitation is that it only supports the web-client.
Flows
Assume the jellyfin server lives at
https://myjellyfin.com
The plugin can serve a page that initiates the SSO flow (either oauth or saml, I'm mainly going to talk about oauth), this page is at
https://myjellyfin.com/SSO/OID/p/<provider_name>
.The plugin also serves a callback page for completing SSO flows, eg
https://myjellyfin.com/SSO/OID/r/<provider_name>
.For example, you might use Google as your provider, so you'd use
https://myjellyfin.com/SSO/OID/p/google
, andhttps://myjellyfin.com/SSO/OID/r/google
On the web-client, the SSO flow from login-page to signed in dashboard is straightforward.
User perspective (Web client):
Actual flow (Web client)
https://myjellyfin.com/SSO/OID/p/google
with a javascript client that initiates an OAuth flowhttps://accounts.google.com/o/oauth2/v2/auth
https://myjellyfin.com/SSO/OID/r/google
with the oauth state requiredhttps://myjellyfin.com
) and is now logged inThis flow works reliably. An important note, however, is that a lot of the oauth client-handling is done using javascript clients in web pages server directly by the plugin.
Limitations
Because the above flow relies on a browser oauth client, it effectively establishes a valid session within the browser
https://github.com/9p4/jellyfin-plugin-sso/blob/fad5a62e07e44c84bc94d5962b8b79e80c102ee8/SSO-Auth/WebResponse.cs#L449-L458
It literally stores all the state the web-app needs in order to resume a session.
The problem is, that we can't use this to log-into the android or ios app
Additional context
Discussion migrated from Matrix - Pretty long but included for posterity
Matthew Strasiotto: (July 6ish)
...
Matthew Strasiottio:
Matthew Strasiotto July 17:
July 21
https://matrix.to/#/!YOoxJKhsHoXZiIHyBG:matrix.org/$qn4tvt0GXVlDnBYIGgM0wCuO0C2SO2AAUyAI9xiQHlc?via=bonifacelabs.ca&via=t2bot.io&via=matrix.org
The text was updated successfully, but these errors were encountered: