OIDC Support - Attempt 2

[lenaxia]

Description

This PR rebases the oidc changes to the current Overseerr mainline (develop), and fixes some improper OIDC implementation. Because of this, it now works with authelia. Changes have also been revalidated to work with a basic configuration of Authentik. I have not tested this with other OIDC providers.

Fixes include:

• Adding support for scope and error parameters in the oidc-callback endpoint (these are all optional parameters)
• fixing callback redirect_uri protocol generation to base on the initiating protocol, as opposed to assumping https, which is what it did previously
• add support for the aud (audience) callback parameter being an array. the OIDC spec allows aud to be either a string, or an array of strings. Previous implementation here only allowed string when doing a oidc validation. This is now fixed to support both string and array
• Added improved logging and error handling to make future debugging easier.
• change default logging level to be info if LOG_LEVEL env variable is not defined (previously was debug)
• Improved JWT token validation robustness

Bug Fix:

• Plex New Login button was incorrectly tied to the localLogin settings flag. It also was disabled unnecessarily and did not match the formatting of the local login (and now OIDC) buttons. This has been fixed.

Screenshot (if UI-related)

To-Dos

• Successful build yarn build
• Translation keys yarn i18n:extract
• [-] Database migration (if required)

Issues Fixed or Closed

• Fixes: feat: oidc support #2792

[lenaxia]

@sct Let's try this again, this should only include the OIDC changes now, plus some small bug fixes.

[lenaxia]

Okay, addressed eslint and logging injection attack. Further, improved middleware logging to scrub sensitive data from log messages and sanitize against injection attacks.

ES Lint output:

/home/ubuntu/workspace/overseerr-oidc/server/api/rating/imdbRadarrProxy.ts
   20:20  error  Unexpected any. Specify a different type  @typescript-eslint/no-explicit-any
   30:11  error  Unexpected any. Specify a different type  @typescript-eslint/no-explicit-any
  137:11  error  Unexpected any. Specify a different type  @typescript-eslint/no-explicit-any
  138:13  error  Unexpected any. Specify a different type  @typescript-eslint/no-explicit-any
  139:17  error  Unexpected any. Specify a different type  @typescript-eslint/no-explicit-any
  140:10  error  Unexpected any. Specify a different type  @typescript-eslint/no-explicit-any

✖ 6 problems (6 errors, 0 warnings)

yarn build output:

ubuntu@terraform:~/workspace/overseerr-oidc(⎈|prod:networking)$ docker build --build-arg COMMIT_TAG=b4256043424658626e02bd002de1d4369f541bdb -t overseerr-oidc .
[+] Building 596.0s (18/18) FINISHED                                                                                                                               docker:default
 => [internal] load build definition from Dockerfile                                                                                                                         0.1s
 => => transferring dockerfile: 996B                                                                                                                                         0.0s
 => [internal] load .dockerignore                                                                                                                                            0.1s
 => => transferring context: 392B                                                                                                                                            0.0s
 => [internal] load metadata for docker.io/library/node:18.18-alpine                                                                                                         1.2s
 => [internal] load build context                                                                                                                                            0.2s
 => => transferring context: 53.21kB                                                                                                                                         0.2s
 => [build_image  1/11] FROM docker.io/library/node:18.18-alpine@sha256:16b46e5ea9fb5c2d13dda36f0feb670fa89de6a412725007555f2eee9a126b60                                     0.0s
 => CACHED [build_image  2/11] WORKDIR /app                                                                                                                                  0.0s
 => CACHED [build_image  3/11] RUN   case "linux/amd64" in   'linux/arm64' | 'linux/arm/v7')   apk update &&   apk add --no-cache python3 make g++ gcc libc6-compat bash &&  0.0s
 => CACHED [build_image  4/11] COPY package.json yarn.lock ./                                                                                                                0.0s
 => CACHED [build_image  5/11] RUN CYPRESS_INSTALL_BINARY=0 yarn install --frozen-lockfile --network-timeout 1000000                                                         0.0s
 => [build_image  6/11] COPY . ./                                                                                                                                            0.6s
 => [build_image  7/11] RUN yarn build                                                                                                                                     483.0s
 => [build_image  8/11] RUN yarn install --production --ignore-scripts --prefer-offline                                                                                     21.8s
 => [build_image  9/11] RUN rm -rf src server .next/cache                                                                                                                    0.7s
 => [build_image 10/11] RUN touch config/DOCKER                                                                                                                              0.7s
 => [build_image 11/11] RUN echo "{"commitTag": "b4256043424658626e02bd002de1d4369f541bdb"}" > committag.json                                                                0.6s
 => CACHED [stage-1 3/4] RUN apk add --no-cache tzdata tini && rm -rf /tmp/*                                                                                                 0.0s
 => [stage-1 4/4] COPY --from=BUILD_IMAGE /app ./                                                                                                                           33.3s
 => exporting to image                                                                                                                                                      24.2s
 => => exporting layers                                                                                                                                                     24.1s
 => => writing image sha256:bc03784e0d0e1914db7968888b72233a1e81cd9ac9ca2672cf4fec8a41631865                                                                                 0.0s
 => => naming to docker.io/library/overseerr-oidc                                                                                                                            0.0s
ubuntu@terraform:~/workspace/overseerr-oidc(⎈|prod:networking)$

[lenaxia]

@sct got eslint passing (for code I touched) and addressed log injection risk.

[lenaxia]

Not stale

@sct can we get someone to look at this?

[lenaxia]

merged latest develop into the branch.

[tenfourty]

I've just tested this fork with my Authelia setup, and it works; thank you, @lenaxia, for the docker image and for keeping this PR up to date.

Some quick thoughts after using this:

• The setting "Enable New Plex Sign-In (Allow Plex users to sign in without first being imported)" could be changed to include OIDC users that log in.
• I would love it if there was a way to disable sign-in via Plex to only allow OIDC logins, just like there is an option to disable local logins. (The logic could allow admins to disable sign-in methods like local, Plex, and OIDC as long as one method is enabled).

@sct is there any reason why this PR isn't being accepted?

[Edit: I realised you might be waiting for #3015 to be merged before accepting this one - thanks for your work on this cool project. I recognise you are doing this in your spare time, so please don't take my comment as an attempt to hassle you. More to understand the logic/sequence you had in mind.]

[nebb00]

Has this pull request stalled as well?

[xTerm1nus]

This would be an amazing feature. Why does this keep getting ignored?

[alexsalex]

Hello owner!!! Please review!!!

[alexsalex]

@sct @samwiseg0 @OwsleyJr @danshilm @TheCatLady Please, help to merge.

[alexsalex]

@lenaxia This branch is out-of-date with the base branch

[Flight777]

@lenaxia Will this still be updated?

[edbourque0]

@sct This would be an awesome feature

[scoobydoofus]

I've just tested this fork with my Authelia setup, and it works; thank you, @lenaxia, for the docker image and for keeping this PR up to date.

I can't get it working with Authelia. I click the "sign in with Authelia" option, I get the consent request popup, I accept, and it loads a blank page with error "{"message":"Unexpected token < in JSON at position 0"}" at the top.

I've tried all sorts of changes to the Authelia config but nothing gets me any further than this. Could you share your Authelia client config for Overseerr? And I assume my OIDC domain in the Overseerr settings is just overseer.domain.com?

[jkossis]

Seconding this, @sct could we get some eyes/approval on this?

[lenaxia]

@scoobydoofus

I've just tested this fork with my Authelia setup, and it works; thank you, @lenaxia, for the docker image and for keeping this PR up to date.

I can't get it working with Authelia. I click the "sign in with Authelia" option, I get the consent request popup, I accept, and it loads a blank page with error "{"message":"Unexpected token < in JSON at position 0"}" at the top.

I've tried all sorts of changes to the Authelia config but nothing gets me any further than this. Could you share your Authelia client config for Overseerr? And I assume my OIDC domain in the Overseerr settings is just overseer.domain.com?

      #- id: overseerr
      #  description: overseerr
      #  secret: ${SECRET_OVERSEERR_OAUTH_CLIENT_SECRET_HASHED}
      #  public: false
      #  authorization_policy: one_factor
      #  consent_mode: implicit
      #  pre_configured_consent_duration: 1y
      #  scopes: ["openid", "profile", "email"]
      #  redirect_uris:
      #    - "https://request.${SECRET_DEV_DOMAIN}/api/v1/auth/oidc-callback"
      #  userinfo_signing_algorithm: none

[gnome161]

I'm having exactly the same issue. My client setup in Authelia is basically identical to yours but I'm receiving the below error when trying to sign in on Overseerr.

{"message":"Unexpected token < in JSON at position 0"}

[h3mmy]

I'm having exactly the same issue. My client setup in Authelia is basically identical to yours but I'm receiving the below error when trying to sign in on Overseerr.

{"message":"Unexpected token < in JSON at position 0"}

Sounds like it's getting an html response instead of json. I see these with 401s in my work but getting a look at the underlying message would probably help pinpoint what is wrong

[scoobydoofus]

Yeah my Authelia config is in a slightly different format than lenanxia's example but it matches closely (I'm confident my format is valid, it works with another application), and I'm still getting that error.

Sounds like it's getting an html response instead of json. I see these with 401s in my work but getting a look at the underlying message would probably help pinpoint what is wrong

What do you mean by "the underlying message"? When I check the console the error it's returning is "Failed to load resource: the server responded with a status of 500 ()". The URL is "https://overseerr.mydomain.com/api/v1/auth/oidc-callback?code=authelia_ac_[REDACTED]&iss=https%3A%2F%2Fauth.mydomain.com&scope=openid+profile+email&state=[REDACTED]".

[gnome161]

I did a bit more digging on this today. As scoobydoofus mentions I'm also getting a 500 response from the https://overseerr.{MYDOMAIN}/api/v1/auth/oidc-login endpoint which is presumably what's causing the problem.

Looking at the logs in authelia it seems it's not getting passed the correct information as all the logs are suggesting the requests are coming from a source that isn't authenticated with the correct credentials but I'm definitely logged into Authelia. The below is what I get in my Authelia logs whenever I try to login.

"Access to https://overseer.{MYDOMAIN}.app/{...} (method GET) is not authorized to user , responding with status code 401"

Unless there is something special about Overseerr, I don't think anything is off in my configuration, as it works fine for OIDC login to all my other services like Komga, Immich, etc.

[shelldandy]

I tried using the ghcr.io/lenaxia/overseerr-oidc:oidc-support with authentik but im also getting the error:

{"message":"Unexpected token < in JSON at position 4"}

The logs from the docker container are:

2024-12-02T04:35:09.852Z [error]: Failed to initiate OIDC login {"path":"/oidc-login","error":"Unexpected token < in JSON at position 4"}

So not super helpful, maybe we're doing something very wrong?

[shelldandy]

I actually got it working, so for future reference this is how i got it working with Authentik:

Some placeholders:
auth.company => FQDN of your authentik install
overseer.company => FQDN of your overseerr install

Authentik

• Create a new Oauth2 provider, call it overseerr and set the redirect URI to: https://overseer.company/api/v1/auth/oidc-callback
• Take note of the client_id and client_secret
• Now create an application that uses the overseerr provider and call it overseerr as well with a slug of overseerr and give it a Launch URL of: https://overseer.company (this may not be optimal but it works, lol)

Overseerr

• Go to Settings / General and click enable proxy support click save and restart the server
• Got to Settings / Users and set the following:
• Enable OIDC Signin (checked)
• OIDC Provider Name: Authentik
• OIDC Domain: auth.company/application/o/overseerr
• Then add the client id and client secret from the authentik provider

Save and enjoy!

[BerserkeR-Git]

This feature seems to be highly anticipated. It would be a shame if it went stale or outdated on the main branch again. @sct

[Nuuki9]

@scoobydoofus @gnome161 Are you still having issues? I do have it working with Authelia so I can share my config if that might help.

[gnome161]

@Nuuki9 thanks, I did actually get this working in the end - should have commented when I did.

It turned out for me it was nothing to do with OIDC config itself, either in Authelia or Overseerr. It seems it was because I was behind a reverse proxy, but did not have the "Enable Proxy Support" option turned on in the general Overseerr settings.

[LeaderbotX400]

Bump @sct

[RomRider]

I've tested it with authentik, it works well, thanks !!

There's one thing I've encountered: The default Overseerr behavior (with only Plex or local) when the option "Enable New Plex Sign-In" is disabled and local login is disabled too is to still show the "Plex" login option so that imported users can connect. This is the expected behaviour: I want only allowed plex users to access my system.

With this PR, disabling all the authentication options (appart from OIDC) will not allow Plex Login at all. In the end if you disable everything, you're welcomed with an empty login screen where you can't do anything.

I'd like to be able to keep both OIDC + Plex (but only with imported users, not any random user)

I think this might require a new option to disable plex login altogether if that's what a user want when they have OIDC enabled.

[thomaswilliams123]

Could someone look into this, I think lots of us would appreciate the feature

[enieuwy]

Could someone look into this, I think lots of us would appreciate the feature

I recommend swapping to Jellyfin (image: fallenbagel/jellyseerr:preview-OIDC)—great implementation that allows circumventing the login screen altogether (true SSO).

[slimshizn]

Bump @sct

[meerumschlungen]

I confirmed this works with Pocket ID identity provider. I second this is a highly anticipated feature, as it highly improves UX for our target user persona.
@sct Is there anything the community can do to support the maintainers getting this PR merged? Please share your thoughts with us and thank you so much for your effort in this cool project.

[stale]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[BerserkeR-Git]

Lol

[edbourque0]

Gave up a month ago... Switched to Jellyseerr, the OIDC integration works very well

[Nuuki9]

Gave up a month ago... Switched to Jellyseerr, the OIDC integration works very well

I'm just waiting for the OIDC functionality to come out of preview on Jellyseerr. Hopefully won't be too long.

[MannyLama]

+1. Community needs this feature. Please implement OIDC support. Thank you.
Feel free to reach out if any other support/development is needed regarding this feature.

[th3cube]

Did anyone try Seerr and does this already support OIDC?
https://github.com/seerr-team/seerr

Anyway I think we're finally getting a unified repository

[gauthier-th]

Did anyone try Seerr and does this already support OIDC? https://github.com/seerr-team/seerr

Anyway I think we're finally getting a unified repository

No support for OIDC in Seerr yet. But there is also a WIP for it.

[stale]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.