Open
Labels: bug (Something isn't working), stale (Waiting for response for a while)
Description
Describe the bug
OID start action only works when already logged in.
When trying to log in with OIDC without being logged in, no request reaches my OIDC provider and this shows in the logs:
[14:25:27] [ERR] [65] Jellyfin.Api.Middleware.ExceptionMiddleware: Error processing request. URL GET /sso/OID/redirect/kanidm.
System.ArgumentNullException: Value cannot be null. (Parameter 'key')
at System.Collections.Generic.Dictionary`2.FindValue(TKey key)
at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
at Jellyfin.Plugin.SSO_Auth.Api.SSOController.OidPost(String provider, String state)
at lambda_method2227(Closure, Object)
at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfActionResultExecutor.Execute(ActionContext actionContext, IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
--- End of stack trace from previous location ---
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextResourceFilter>g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeFilterPipelineAsync()
--- End of stack trace from previous location ---
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
at Jellyfin.Api.Middleware.ServerStartupMessageMiddleware.Invoke(HttpContext httpContext, IServerApplicationHost serverApplicationHost, ILocalizationManager localizationManager)
at Jellyfin.Api.Middleware.WebSocketHandlerMiddleware.Invoke(HttpContext httpContext, IWebSocketManager webSocketManager)
at Jellyfin.Api.Middleware.IPBasedAccessValidationMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager)
at Jellyfin.Api.Middleware.LanFilteringMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager, IServerConfigurationManager serverConfigurationManager)
at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
at Jellyfin.Api.Middleware.QueryStringDecodingMiddleware.Invoke(HttpContext httpContext)
at Swashbuckle.AspNetCore.ReDoc.ReDocMiddleware.Invoke(HttpContext httpContext)
at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Jellyfin.Api.Middleware.RobotsRedirectionMiddleware.Invoke(HttpContext httpContext)
at Jellyfin.Api.Middleware.LegacyEmbyRouteRewriteMiddleware.Invoke(HttpContext httpContext)
at Microsoft.AspNetCore.ResponseCompression.ResponseCompressionMiddleware.InvokeCore(HttpContext context)
at Jellyfin.Api.Middleware.ResponseTimeMiddleware.Invoke(HttpContext context, IServerConfigurationManager serverConfigurationManager)
at Jellyfin.Api.Middleware.ExceptionMiddleware.Invoke(HttpContext context)
When doing the same while logged in, the whole flow works out and I see this in the logs:
[2024-08-29 13:39:27.017 +00:00] [INF] [79] Jellyfin.Plugin.SSO_Auth.Api.SSOController: SSO Controller initialized
[2024-08-29 13:39:27.154 +00:00] [INF] [79] Jellyfin.Plugin.SSO_Auth.Api.SSOController: Is request linking: True
[2024-08-29 13:39:27.878 +00:00] [INF] [43] Jellyfin.Plugin.SSO_Auth.Api.SSOController: SSO Controller initialized
[2024-08-29 13:39:27.878 +00:00] [INF] [43] Jellyfin.Plugin.SSO_Auth.Api.SSOController: SSO user redacted doesn't exist, creating...
[2024-08-29 13:39:28.049 +00:00] [INF] [43] Jellyfin.Plugin.SSO_Auth.Api.SSOController: SSO user link doesn't exist, creating...
[2024-08-29 13:39:28.058 +00:00] [INF] [43] Jellyfin.Plugin.SSO_Auth.Api.SSOController: Auth request created...
[2024-08-29 13:39:28.063 +00:00] [INF] [43] Jellyfin.Plugin.SSO_Auth.Api.SSOController: Set default login provider to Jellyfin.Server.Implementations.Users.DefaultAuthenticationProvider
[2024-08-29 13:39:28.063 +00:00] [INF] [43] Emby.Server.Implementations.Session.SessionManager: Current/Max sessions for user "redacted": 0/0
[2024-08-29 13:39:28.064 +00:00] [INF] [43] Emby.Server.Implementations.Session.SessionManager: Creating new access token for user 632f5773-dcbd-40ba-9c98-320e05cd641c
Also I can see this in the logs, not sure if related:
[2024-08-29 13:38:12.013 +00:00] [INF] [83] Jellyfin.Api.Auth.CustomAuthenticationHandler: "CustomAuthentication" was not authenticated. Failure message: "Invalid token."
[2024-08-29 13:38:12.013 +00:00] [INF] [83] Jellyfin.Api.Auth.CustomAuthenticationHandler: "CustomAuthentication" was not authenticated. Failure message: "Invalid token."
[2024-08-29 13:38:12.014 +00:00] [INF] [83] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: "CustomAuthentication" was challenged.
[2024-08-29 13:38:12.014 +00:00] [INF] [41] Jellyfin.Api.Auth.CustomAuthenticationHandler: "CustomAuthentication" was not authenticated. Failure message: "Invalid token."
[2024-08-29 13:38:12.014 +00:00] [INF] [41] Jellyfin.Api.Auth.CustomAuthenticationHandler: "CustomAuthentication" was not authenticated. Failure message: "Invalid token."
[2024-08-29 13:38:12.014 +00:00] [INF] [41] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: "CustomAuthentication" was challenged.
[2024-08-29 13:38:13.048 +00:00] [INF] [49] Jellyfin.Api.Auth.CustomAuthenticationHandler: "CustomAuthentication" was not authenticated. Failure message: "Invalid token."
[2024-08-29 13:38:13.048 +00:00] [INF] [49] Jellyfin.Api.Auth.CustomAuthenticationHandler: "CustomAuthentication" was not authenticated. Failure message: "Invalid token."
[2024-08-29 13:38:13.048 +00:00] [INF] [49] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: "CustomAuthentication" was challenged.
[2024-08-29 13:38:15.076 +00:00] [INF] [43] Jellyfin.Api.Auth.CustomAuthenticationHandler: "CustomAuthentication" was not authenticated. Failure message: "Invalid token."
[2024-08-29 13:38:15.077 +00:00] [INF] [43] Jellyfin.Api.Auth.CustomAuthenticationHandler: "CustomAuthentication" was not authenticated. Failure message: "Invalid token."
[2024-08-29 13:38:15.077 +00:00] [INF] [43] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: "CustomAuthentication" was challenged.
To Reproduce
Steps to reproduce the behavior:
- Log out
- Go to https://jellyfin.vonarx.online/sso/OID/start/kanidm
- Leads to "Error processing request."
- Log in with the default provider (username/password)
- Go to https://jellyfin.vonarx.online/sso/OID/start/kanidm
- SSO login works
Expected behavior
Being able to sign in with SSO without having to sign in normally first.
Screenshots
N/A
Configuration
<?xml version="1.0" encoding="utf-8"?>
<PluginConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <SamlConfigs />
  <OidConfigs>
    <item>
      <key>
        <string>kanidm</string>
      </key>
      <value>
        <PluginConfiguration>
          <OidEndpoint>https://idm.vonarx.online/oauth2/openid/jellyfin/</OidEndpoint>
          <OidClientId>jellyfin</OidClientId>
          <OidSecret>redacted</OidSecret>
          <Enabled>true</Enabled>
          <EnableAuthorization>true</EnableAuthorization>
          <EnableAllFolders>true</EnableAllFolders>
          <EnabledFolders />
          <AdminRoles>
            <string>admin</string>
          </AdminRoles>
          <Roles>
            <string>user</string>
          </Roles>
          <EnableFolderRoles>false</EnableFolderRoles>
          <EnableLiveTvRoles>false</EnableLiveTvRoles>
          <EnableLiveTv>false</EnableLiveTv>
          <EnableLiveTvManagement>false</EnableLiveTvManagement>
          <LiveTvRoles />
          <LiveTvManagementRoles />
          <FolderRoleMappings />
          <RoleClaim>role</RoleClaim>
          <OidScopes />
          <DefaultProvider>Jellyfin.Server.Implementations.Users.DefaultAuthenticationProvider</DefaultProvider>
          <NewPath>false</NewPath>
          <CanonicalLinks>
            <item>
              <key>
                <string>redacted</string>
              </key>
              <value>
                <guid>redacted</guid>
              </value>
            </item>
            <item>
              <key>
                <string>redacted</string>
              </key>
              <value>
                <guid>redacted</guid>
              </value>
            </item>
          </CanonicalLinks>
          <DefaultUsernameClaim>preferred_username</DefaultUsernameClaim>
          <DisableHttps>false</DisableHttps>
          <DoNotValidateEndpoints>false</DoNotValidateEndpoints>
          <DoNotValidateIssuerName>false</DoNotValidateIssuerName>
        </PluginConfiguration>
      </value>
    </item>
  </OidConfigs>
</PluginConfiguration>
Versions (please complete the following information):
- OS: Linux 6.9.3-76060903-generic #202405300957 172117465722.04~abb7c06 SMP PREEMPT_DYNAMIC Wed J x86_64 x86_64 x86_64 GNU/Linux (uname -srvmpio)
- Browser: Firefox 129.0.2 (64-bit)
- Jellyfin Version: 10.9.10@sha256:79fb3d73a3e995a3960b41d7d1e16ca6a06fb0b9938404ba38c0072a7e5f358c
- Plugin Version: 3.5.2.4
Additional context
I'm using kanidm as the OIDC provider which is not in the "Tested Providers" list.
stefan-fast
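The stack trace in this report ends in a `Dictionary` indexer receiving a null key inside `OidPost(String provider, String state)`. The C# sketch below is an added example, not the plugin's code and not from the reporter: it shows an OIDC callback state store that treats a missing, unknown, mismatched or replayed `state` as an ordinary rejected result instead of indexing with it. All type and member names and the 10-minute lifetime are assumptions.

```csharp
#nullable enable
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
// Added example: every type and member name here is hypothetical.
public enum CallbackResult { Ok, MissingState, UnknownState, ProviderMismatch, Expired }
public sealed record PendingLogin(string Provider, DateTimeOffset Created);

public sealed class OidcStateStore
{
    private static readonly TimeSpan MaxAge = TimeSpan.FromMinutes(10); // assumed lifetime
    private readonly ConcurrentDictionary<string, PendingLogin> _pending = new();

    // "start" step: mint an unguessable state and remember which provider it was issued for.
    public string Begin(string provider)
    {
        string state = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        _pending[state] = new PendingLogin(provider, DateTimeOffset.UtcNow);
        return state;
    }

    // "redirect" step: state comes from the query string, so it may be absent or forged.
    // Indexing (_pending[state]) would throw ArgumentNullException on null and
    // KeyNotFoundException on an unknown value; both cases become results instead.
    public CallbackResult Complete(string provider, string? state, out PendingLogin? login)
    {
        login = null;
        if (string.IsNullOrEmpty(state)) return CallbackResult.MissingState;
        // TryRemove makes each state single-use, so a replayed callback is rejected.
        if (!_pending.TryRemove(state, out PendingLogin? found)) return CallbackResult.UnknownState;
        if (found.Provider != provider) return CallbackResult.ProviderMismatch;
        if (DateTimeOffset.UtcNow - found.Created > MaxAge) return CallbackResult.Expired;
        login = found;
        return CallbackResult.Ok;
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new OidcStateStore();
        string state = store.Begin("kanidm");
        Console.WriteLine(store.Complete("kanidm", null, out _));     // callback without state
        Console.WriteLine(store.Complete("kanidm", "forged", out _)); // state never issued
        Console.WriteLine(store.Complete("kanidm", state, out _));    // genuine callback
        Console.WriteLine(store.Complete("kanidm", state, out _));    // same state replayed
    }
}
```

A controller built on such a store would map every result other than `Ok` to an HTTP 400 response and log it, so a malformed callback shows up as a rejected request rather than an unhandled exception.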