Error: issuer name does not match authority // Redirect URI Error

[DesertCookie]

Having had the plugin set up successfully in the past, I now got a user complaint that the login doesn't work anymore. I suspect a Jellyfin, Jellyfin SSO, or Authentik update broke the auth flow at some point without me noticing.

Clicking the Log in with SSO button I added to the home screen redirects me to this address: https://stream.myurl.com/sso/OID/start/authentik? and displays Error processing request. There's no F12-console log in the browser.
However, looking at my Docker log I get this:

[13:51:10] [INF] [229] Emby.Server.Implementations.HttpServer.WebSocketManager: WS 10.1.1.200 closed
[13:53:25] [INF] [224] Jellyfin.Plugin.SSO_Auth.Api.SSOController: SSO Controller initialized
[13:53:25] [ERR] [116] Jellyfin.Api.Middleware.ExceptionMiddleware: Error processing request. URL GET /sso/OID/start/authentik.
System.InvalidOperationException: Error loading discovery document: Issuer name does not match authority: https://10.1.1.200:9433/application/o/jellyfinthf/
   at IdentityModel.OidcClient.OidcClient.EnsureProviderInformationAsync(CancellationToken cancellationToken) in /_/src/OidcClient/OidcClient.cs:line 410
   at IdentityModel.OidcClient.OidcClient.EnsureConfigurationAsync(CancellationToken cancellationToken) in /_/src/OidcClient/OidcClient.cs:line 371
   at IdentityModel.OidcClient.OidcClient.PrepareLoginAsync(Parameters frontChannelParameters, CancellationToken cancellationToken) in /_/src/OidcClient/OidcClient.cs:line 111
   at Jellyfin.Plugin.SSO_Auth.Api.SSOController.OidChallenge(String provider, Boolean isLinking)
   at lambda_method1156(Closure, Object)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfActionResultExecutor.Execute(ActionContext actionContext, IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeInnerFilterAsync>g__Awaited|13_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextResourceFilter>g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeFilterPipelineAsync>g__Awaited|20_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Jellyfin.Api.Middleware.ServerStartupMessageMiddleware.Invoke(HttpContext httpContext, IServerApplicationHost serverApplicationHost, ILocalizationManager localizationManager)
   at Jellyfin.Api.Middleware.WebSocketHandlerMiddleware.Invoke(HttpContext httpContext, IWebSocketManager webSocketManager)
   at Jellyfin.Api.Middleware.IPBasedAccessValidationMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager)
   at Jellyfin.Api.Middleware.LanFilteringMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager, IServerConfigurationManager serverConfigurationManager)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Jellyfin.Api.Middleware.QueryStringDecodingMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.ReDoc.ReDocMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Jellyfin.Api.Middleware.RobotsRedirectionMiddleware.Invoke(HttpContext httpContext)
   at Jellyfin.Api.Middleware.LegacyEmbyRouteRewriteMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.ResponseCompression.ResponseCompressionMiddleware.InvokeCore(HttpContext context)
   at Jellyfin.Api.Middleware.ResponseTimeMiddleware.Invoke(HttpContext context, IServerConfigurationManager serverConfigurationManager)
   at Jellyfin.Api.Middleware.ExceptionMiddleware.Invoke(HttpContext context)
[13:54:27] [INF] [116] Emby.Server.Implementations.HttpServer.WebSocketManager: WS 10.1.1.200 request
[13:54:32] [WRN] [116] Emby.Server.Implementations.HttpServer.WebSocketConnection: WS 10.1.1.200 error receiving data: The remote party closed the WebSocket connection without completing the close handshake.

Even with the security options disabled, I get this same behavior.

I have attempted to restart Jellyfin, reinstall the plugin, and restore the relevant containers from my backups. However, going back 30 days worth of backups, the error keeps happening the same way, indicating it is older than my latest kept backups.

I am running Docker in unRAID with Nginx Proxy Manager and Cloudflare (no proxying/tunneling).

---

This my plugin config:

<?xml version="1.0" encoding="utf-8"?>
<PluginConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <SamlConfigs />
  <OidConfigs>
    <item>
      <key>
        <string>authentik</string>
      </key>
      <value>
        <PluginConfiguration>
          <OidEndpoint>https://auth.myurl.com/application/o/jellyfinthf/</OidEndpoint>
          <OidClientId>A CLIENT ID</OidClientId>
          <OidSecret>A SECRET</OidSecret>
          <Enabled>true</Enabled>
          <EnableAuthorization>true</EnableAuthorization>
          <EnableAllFolders>false</EnableAllFolders>
          <EnabledFolders />
          <AdminRoles>
            <string>jf-admin</string>
          </AdminRoles>
          <Roles>
            <string>jf</string>
            <string>jf-all</string>
          </Roles>
          <EnableFolderRoles>true</EnableFolderRoles>
          <EnableLiveTvRoles>false</EnableLiveTvRoles>
          <EnableLiveTv>false</EnableLiveTv>
          <EnableLiveTvManagement>false</EnableLiveTvManagement>
          <LiveTvRoles />
          <LiveTvManagementRoles />
          <FolderRoleMappings>
            <FolderRoleMappings>
              <Role>all</Role>
              <Folders>
                <string>A STRING</string>
                <string>A STRING</string>
              </Folders>
            </FolderRoleMappings>
         <RoleClaim>groups</RoleClaim>
          <OidScopes />
          <DefaultProvider>authentik</DefaultProvider>
          <NewPath>true</NewPath>
          <CanonicalLinks>
            <item>
              <key>
                <string>A USER</string>
              </key>
              <value>
                <guid>A GUID</guid>
              </value>
         </CanonicalLinks>
          <DisableHttps>true</DisableHttps>
          <DoNotValidateEndpoints>true</DoNotValidateEndpoints>
          <DoNotValidateIssuerName>true</DoNotValidateIssuerName>
        </PluginConfiguration>
      </value>
    </item>
  </OidConfigs>
</PluginConfiguration>

[DesertCookie]

Just as I finished writing the question, I got some progress. It seems to have been the proxy that didn't correctly forward headers. Now I get a step further and get a Redirect URI Error - The request fails due to a missing, invalid, or mismatching redirection URI (redirect_uri). by Authentik.
These are my Provider settings. I assume there is an issue somewhere with the redirect URI.

All the Jellyfin log ever says is Jellyfin.Plugin.SSO_Auth.Api.SSOController: SSO Controller initialized.

---

I added this to my NPM config, if anyone ever encounters this issue:

proxy_set_header   X-Forwarded-Host   $http_host;
proxy_cookie_path  /                  "/; Secure";

[9p4]

This points to another issue with your reverse proxy not sending the right headers to Jellyfin, much like the problem you had with Authentik earlier. Make sure you send x-forwarded-host and x-forwarded-proto and x-forwarded-port

[DesertCookie]

Alright, adding below code to my Nginx Proxy Manager at least now gets me the correct redirect URL, I think: https%3A%2F%2Fstream.myurl.com%2Fsso%2FOID%2Fr%2Fauthentik.

However, I still get a Redirect URI Error . The Jellyfin container log only shows Jellyfin.Plugin.SSO_Auth.Api.SSOController: SSO Controller initialized. Authentik simply logs this:

{"auth_via": "session", "domain_url": "auth.myurl.com", "event": "/application/o/authorize/?response_type=code&state=LONG_STRING&code_challenge=LONG_STRING&code_challenge_method=S256&client_id=LONG_STRING&scope=openid%20profile&redirect_uri=https%3A%2F%2Fstream.myurl.com%2Fsso%2FOID%2Fr%2Fauthentik", "host": "auth.myurl.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 54, "remote": "79.254.12.100", "request_id": "9fa889b3cfcd4f4ab88a32a747505442", "runtime": 20, "schema_name": "public", "scheme": "https", "status": 400, "timestamp": "2025-01-15T18:24:00.314498", "user": "MYUSER", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0"}

location / {
    proxy_pass $forward_scheme://$server:$port;

    # Preserve forwarding headers
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;

    # WebSocket support (in case it's needed for Jellyfin)
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # Disable buffering for real-time streaming
    proxy_buffering off;

    # Pass through large file uploads without limitations
    client_max_body_size 0;

    # Pass through error codes so Jellyfin handles errors
    proxy_intercept_errors off;
}

[9p4]

You seem to be starting the flow with /p/ URLs instead of the /start/ URL. If you aren't, add the /r/ redirect path to Authentik.

[DesertCookie]

You are absolutely right. I must have changed that for testing at some point and didn't change it back. Changing the URL the button on that login page points to to use /start/ it works for one of my instances. Now I only have to find out why the second instance is still erroring, despite having the same settings as far as my last checks concluded. The only difference I found was the non-functioning one having /.well-known/openid-configuration, but that definitely isn't the issue. Proxy settings are the same, Authentik and plugin settings are the same. Perhaps it's caching something somewhere...

[DesertCookie]

It turns out it was me setting the redirect URI in authentic to be http://... instead of https://... that caused the second instance to be not log in.

I had to resolve a further error with both getting stuck on Logging in... with an x-frame-options denial caused by Authentik. Adding this to my reverse proxy finally solved all issues I had so far.