Invalid redirect URI with Authentik SSO

[crazyelectron-io]

Jellyfin 10.10.7 runs in a container (as does Authentik) on the same host and network. Both accessible via Traefik reverse proxy on their public URL.
When trying to login by clicking the 'SSO Button' as created in the Branding section the following error is displayed by Authentik:

Redirect URI Error
The request fails due to a missing, invalid, or mismatching redirection URI (redirect_uri).

The Jellyfin log shows only:

[INF] [63] Jellyfin.Plugin.SSO_Auth.Api.SSOController: SSO Controller initialized

The Authentik server log shows:

{"auth_via": "unauthenticated", "domain_url": "auth.example.com", "event": "/application/o/jellyfin/.well-known/openid-configuration", "host": "auth.example.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 170471, "remote": "10.0.0.1", "request_id": "085c654c6be0454a9bede4cef64bd20a", "runtime": 47, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2025-04-08T05:50:22.899366", "user": "", "user_agent": ""}
{"auth_via": "unauthenticated", "domain_url": "auth.example.com", "event": "/application/o/jellyfin/jwks/", "host": "auth.example.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 170471, "remote": "10.0.0.1", "request_id": "272ed9a6c793436bab932d6d6c746c79", "runtime": 17, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2025-04-08T05:50:22.944729", "user": "", "user_agent": ""}
{"auth_via": "session", "domain_url": "auth.example.com", "event": "The request fails due to a missing, invalid, or mismatching redirection URI (redirect_uri).", "host": "auth.example.com", "level": "warning", "logger": "authentik.providers.oauth2.views.authorize", "pid": 170471, "request_id": "dd4c9a1c2f8e4b5287baa06b43fdb0b7", "schema_name": "public", "timestamp": "2025-04-08T05:50:23.005788"}
{"auth_via": "session", "domain_url": "auth.example.com", "event": "/application/o/authorize/?response_type=code&state=8b74r0IcAOc95zbz-dGdGQ&code_challenge=aYibqCQh-OoQh6-VJlxSVYP_SpVIK7BMT-Z3OBAC1hM&code_challenge_method=S256&client_id=gB8vQkNaoMhQO98vBpSPtFY1Wb9F7agMvxvjm7a9&scope=openid%20profile&redirect_uri=http%3A%2F%2Fmedia.example.com%2Fsso%2FOID%2Fredirect%2Fauthentik", "host": "auth.example.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 170471, "remote": "10.10.2.156", "request_id": "dd4c9a1c2f8e4b5287baa06b43fdb0b7", "runtime": 21, "schema_name": "public", "scheme": "https", "status": 400, "timestamp": "2025-04-08T05:50:23.009343", "user": "me@example.com", "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.4 Safari/605.1.15"}

The Jellyfin plugin is configured for Authentik with the ClientID and ClientSecret copied from Authentik, the SSO button is specified as:

<form action="https://media.example.com/sso/OID/start/authentik">
  <button class="raised block emby-button button-submit">
    Sign in with Authentik SSO
  </button>
</form>

In Authentik the application is created with start URL https://media.example.com/sso/OID/start/authentik. The provider is configured with redirect URI https://media.example.com/sso/OID/redirect/authentik.

What am I missing?

[scoudibou]

Hello I get the same issue with Jellyfin update.
If I use Jellyfin docker 10.10.6. It's working.
Could you confirm that with 10.10.6 it's working ? (I'm using 3.5.2.4 SSO-Auth)

[crazyelectron-io]

I can confirm that Jellyfin 10.10.6 works fine.
So, the question is: what kind of misconfiguration do I have in the reverse proxy?

[scoudibou]

I've resolved the "issue" by adding the ip of reverse proxy in the known proxies field of Jellyfin (Dashboard>Network>Known Proxies).
https://forum.jellyfin.org/t-new-jellyfin-server-web-release-10-10-7

[yourfate]

Sadly that is already correctly set up on my setup. I can see the real IPs of the clients in the Jellyfin logs.

[crazyelectron-io]

Adding the Traefik reverse proxy to the Jellyfin config solved the issue for me.

[yourfate]

I use Pocket ID, I only set it up after 10.10.7 was released, so it never worked for me, but I also get an "invalid callback" error, see here: #253

[9p4]

Jellyfin 10.10.7 fixed a security vulnerability with incorrectly trusted forward headers: this means your reverse proxy is misconfigured but it didn't become a problem until Jellyfin tightened the rules due to a vuln.

[crazyelectron-io]

Can you give a hint about the changes?

[yourfate]

@9p4

I use the nginx config from the jellyfin documentation. Could the problem be that my jellyfin is hosted at my.domain.org/jellyfin, not at the root?

[crazyelectron-io]

I use a domain without path prefix, so it must be something else. Unfortunately there is nothing in the Jellyfin logfiles to help with troubleshooting.
The configuration in Traefik is straightforward without any header customisation.

[9p4]

It is not a problem with that. Subpath support was added to the plugin many years ago.

[thedeadparrot]

I just ran into this today, and it's most likely that the plugin was returning an http redirect url when your Authentik setup was expecting https. There's a "Scheme Override" field to force the plugin to use https redirect urls instead.

[isidebisi]

Thank you so much !

I spent way too much time deleting and reinstalling the configuations on jellyfin and Authentik without luck.

This did the trick !

[urbaman]

Hi, I have Authentik 2025.6 and Jellyfin 10.10.7, both behind traefik 3.4.1

I'm hitting this error: the authentik logs where showing a http redirect uri, now with @thedeadparrot's hint it is showing a https redirect uri, but the error persists even if the provider has the very same redirect uri set.

Is there something I can try to properly debug/solve?

Thank you very much

[caplam]

I also have authentik 2025.6 and jellyfin 10.10.7 but behind caddy reverse proxy.
For me the fix was to use the local address of jellyfin instead of published one:
http://jellyfin.local:8096/sso/OID/redirect/authentik
i let the the public address in redirect uri also:
https://media.mydomain.tld/sso/OID/redirect/authentik
the difference is the first one doesn't redirect to caddy.
I don't know what to change in caddy config to make it work with published address. Caddy, by default, forwards many headers. My others apps using authentik as oidc provider also need that (immich, linkwarden, nextcloud, jellyseer) except paperless which works well using published address.