SSO Linking creates new account instead of linking with existing local account #209

Open
Dleewee opened this issue Sep 16, 2024 · 14 comments
Labels
bug Something isn't working


Dleewee commented Sep 16, 2024

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

  1. Log in with a traditional "local account"
  2. Append /SSOViews/linking to the end of your instance URL
  3. Select the "+" button next to your authentication provider
  4. A whole new account is created, rather than establishing a link to the "local account"

Expected behavior
The existing local account should be linked to an SSO provider, allowing the user to use either their local credentials or the SSO login process.

Screenshots
"testuser" is logged in with local account

Navigate to linking page and select plus button

"test.user" account is logged in and is not connected to original "testuser" - instead a whole new account has been created

Configuration
All settings below "OID Secret" have been left blank/default. I only completed the top 4 lines and checked the box for "enabled."

Versions (please complete the following information):

  • OS: Official Jellyfin Docker container
  • Browser: Firefox
  • Jellyfin Version: 10.9.11
  • Plugin Version: 3.5.2.4

Additional context
I am able to complete successful SSO login, however I cannot seem to tie/link SSO into an existing "local account" i.e. an account created directly in Jellyfin. I would like to link accounts so that previous watched status can be retained.

@Dleewee Dleewee added the bug Something isn't working label Sep 16, 2024
Owner

9p4 commented Sep 23, 2024

I can't reproduce this on my end, can you upload a screencast of the steps you are taking?

Author

Dleewee commented Sep 25, 2024

Screencast: https://imgur.com/a/AAbPHfL
Login with local user "test"
Go to SSO Linking page and click +
Sign in to SSO account "test.user"
When returned to Jellyfin, am logged in with different, new account "test.user" not connected to original account "test"

Author

Dleewee commented Sep 28, 2024

Bump in hopes the screen recording helps. Seems likely I am doing something wrong and would love to get this working!

Owner

9p4 commented Sep 29, 2024

Sorry, but I've been busy with classes. I'll take a look this week.


Yersi88 commented Oct 12, 2024

+1 exactly the same issue on my end (as seen in the video)
Upon clicking + in self-service page and authenticating with Authentik a new user account is created instead of linking to the account that was already logged in on Jellyfin.

Owner

9p4 commented Oct 14, 2024

@strazto any thoughts?


Codixer commented Oct 27, 2024

@terinjokes

I'm noticing that there is never an XHR to the sso/{mode}/Link/{provider} endpoint, despite the returned HTML containing if (true) await link(request);. There's a few early returns, but Firefox is making it difficult to set breakpoints on an inline script, so I'm not sure which path is being taken.

If in a linking flow, any errors to link, either the current early returns or the XHR onerror function being called, should cause an error to be shown, rather than continuing forward with the call to sso/{mode}/Auth/{provider}, as this creates a new user if one is not already linked.
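The fail-closed behaviour asked for in the comment above, sketched as an added example that is not the plugin's code. `link()` and `auth()` are hypothetical stand-ins for the calls to sso/{mode}/Link/{provider} and sso/{mode}/Auth/{provider}, and the backend is a constructed in-memory model.

```javascript
// Added illustration, not the plugin's code. link() and auth() are hypothetical
// stand-ins for the sso/{mode}/Link/{provider} and sso/{mode}/Auth/{provider} calls.
class LinkError extends Error {}

// Fail-open: a link step that returns early or errors still reaches auth().
async function completeFailOpen({ isLinking, session, link, auth }) {
  if (isLinking) {
    try { await link(session); } catch (_) { /* error swallowed */ }
  }
  return auth();
}

// Fail-closed: in a linking flow, auth() runs only after a confirmed link.
async function completeFailClosed({ isLinking, session, link, auth }) {
  if (isLinking) {
    if (!session) throw new LinkError("no logged-in session to link to");
    let result;
    try {
      result = await link(session);
    } catch (e) {
      throw new LinkError(`link request failed: ${e.message}`);
    }
    if (!result || result.linked !== true) throw new LinkError("link not confirmed");
  }
  return auth();
}

// Constructed in-memory backend: auth() creates a user when no link exists,
// which is the behaviour reported in this issue.
function makeBackend(ssoName = "test.user") {
  const users = new Set(["testuser"]);
  const links = new Map(); // SSO name -> Jellyfin user
  return {
    users,
    link: async (session) => { links.set(ssoName, session.user); return { linked: true }; },
    skippedLink: async () => undefined, // models an early return: nothing was linked
    failedLink: async () => { throw new Error("network error"); }, // models onerror
    auth: async () => {
      if (!links.has(ssoName)) { users.add(ssoName); links.set(ssoName, ssoName); }
      return links.get(ssoName);
    },
  };
}
```

With `skippedLink`, `completeFailOpen` leaves two users behind, while `completeFailClosed` throws `LinkError` and the user set is unchanged.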


Codixer commented Nov 3, 2024

@Dleewee so my guess here, the plugin currently uses the username of the sso. Not the fact it wants to link to an account. So yes, it works. But it does it by returning to the endpoint used for logging in instead of a separate endpoint for linking.

Author

Dleewee commented Nov 3, 2024

@Dleewee so my guess here, the plugin currently uses the username of the sso. Not the fact it wants to link to an account. So yes, it works. But it does it by returning to the endpoint used for logging in instead of a separate endpoint for linking.

I see, so it requires that the SSO username exactly match the existing Jellyfin user name in order to create a linkage, otherwise it creates a new user.

I will suggest this is an opportunity for enhancement, by allowing me to link any existing user with any SSO ID that I am able to authenticate with. For comparison, you may look at Bookstack as well as NextCloud Social. Both of these projects allow linking a SSO account with an existing local account and have no requirement that the usernames be the same.

Thanks!


Yersi88 commented Nov 3, 2024

@Dleewee so my guess here, the plugin currently uses the username of the sso. Not the fact it wants to link to an account. So yes, it works. But it does it by returning to the endpoint used for logging in instead of a separate endpoint for linking.

I see, so it requires that the SSO username exactly match the existing Jellyfin user name in order to create a linkage, otherwise it creates a new user.

I will suggest this is an opportunity for enhancement, by allowing me to link any existing user with any SSO ID that I am able to authenticate with. For comparison, you may look at Bookstack as well as NextCloud Social. Both of these projects allow linking a SSO account with an existing local account and have no requirement that the usernames be the same.

Thanks!

+1 for the enhancement, I also had no idea that the SSO username had to match the Jellyfin username exactly. I just assumed it will link the Jellyfin account that's currently logged in, to the SSO account that gets authenticated during the linking process.

@terinjokes

I think it's supposed to, but due to the bug I mentioned in #209 (comment) it no longer does so.


Mavyre commented Nov 17, 2024

Same issue here. Here is what I got in the logs:

[2024-11-17 18:58:31.071 +01:00] [INF] [11] Jellyfin.Plugin.SSO_Auth.Api.SSOController: Is request linking: True                                                  
[2024-11-17 18:58:31.820 +01:00] [INF] [11] Jellyfin.Plugin.SSO_Auth.Api.SSOController: SSO Controller initialized                                                
[2024-11-17 18:58:31.821 +01:00] [INF] [11] Jellyfin.Plugin.SSO_Auth.Api.SSOController: SSO user [email protected] doesn't exist, creating...               
[2024-11-17 18:58:32.449 +01:00] [INF] [11] Jellyfin.Plugin.SSO_Auth.Api.SSOController: SSO user link doesn't exist, creating...                                  
[2024-11-17 18:58:32.470 +01:00] [INF] [11] Jellyfin.Plugin.SSO_Auth.Api.SSOController: Auth request created...                                                   
[2024-11-17 18:58:32.485 +01:00] [INF] [11] Jellyfin.Plugin.SSO_Auth.Api.SSOController: Set default login provider to Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin
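A log check for the pattern in the excerpt above, where a linking request is followed by the controller creating a new SSO user. This is an added example, not part of the plugin or of the original comment; the sample lines, the example.invalid addresses, the "False" line and the 5-second correlation window are constructed assumptions.

```javascript
// Added illustration. The line format follows the log excerpt in this thread;
// the sample lines, addresses and the 5-second window are constructed.
const LINE = /^\[(\d{4}-\d\d-\d\d) (\d\d:\d\d:\d\d\.\d{3}) ([+-]\d\d:\d\d)\] \[(\w+)\] \[(\d+)\] ([\w.]+): (.*?)\s*$/;

function parseLine(raw) {
  const m = LINE.exec(raw);
  if (!m) return null;
  // Date, time and offset combine into an ISO 8601 timestamp.
  return { time: Date.parse(`${m[1]}T${m[2]}${m[3]}`), source: m[6], message: m[7] };
}

// Report each linking request that is followed, within windowMs, by the
// controller creating a new SSO user instead of linking an existing one.
function findLinkingCreations(lines, windowMs = 5000) {
  const findings = [];
  let linkingAt = null;
  for (const raw of lines) {
    const e = parseLine(raw);
    if (!e || !e.source.endsWith("SSOController")) continue;
    const flag = /^Is request linking: (True|False)$/.exec(e.message);
    if (flag) {
      linkingAt = flag[1] === "True" ? e.time : null;
      continue;
    }
    const created = /^SSO user (\S+) doesn't exist, creating\.\.\.$/.exec(e.message);
    if (created && linkingAt !== null && e.time - linkingAt <= windowMs) {
      findings.push({ user: created[1], at: new Date(e.time).toISOString() });
      linkingAt = null; // one finding per linking request
    }
  }
  return findings;
}

const SRC = "Jellyfin.Plugin.SSO_Auth.Api.SSOController";
const SAMPLE = [ // constructed lines in the format shown above
  `[2024-11-17 18:58:31.071 +01:00] [INF] [11] ${SRC}: Is request linking: True   `,
  `[2024-11-17 18:58:31.820 +01:00] [INF] [11] ${SRC}: SSO Controller initialized`,
  `[2024-11-17 18:58:31.821 +01:00] [INF] [11] ${SRC}: SSO user user@example.invalid doesn't exist, creating...`,
  `[2024-11-17 19:10:00.000 +01:00] [INF] [12] ${SRC}: Is request linking: False`,
  `[2024-11-17 19:10:00.500 +01:00] [INF] [12] ${SRC}: SSO user other@example.invalid doesn't exist, creating...`,
];
```

`findLinkingCreations(SAMPLE)` reports only the first creation; the second follows an ordinary login and is not flagged.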

Owner

9p4 commented Dec 16, 2024

I think you are passing the username claim in as an email address instead of the exact value that Jellyfin wants?
