Add Authentik SSO integration for Jellyfin #239

Merged
eblume merged 1 commit from feature/jellyfin-authentik-sso into main 2026-02-21 20:05:45 -08:00
Owner

Summary

  • Add Authentik OIDC provider + application for Jellyfin via blueprint (all authenticated users allowed, no policy binding)
  • Wire jellyfin-client-secret through ExternalSecret and Authentik worker deployment
  • Install jellyfin-plugin-sso v4.0.0.3 via Ansible, with OIDC config template
  • Authentik admins group maps to Jellyfin administrator role
  • Local login left enabled; SSO is additive

Deployment and Testing

  • Sync ArgoCD authentik app on branch — verify provider + application appear in Authentik admin
  • mise run provision-indri -- --tags jellyfin --check --diff (dry run)
  • mise run provision-indri -- --tags jellyfin (deploy plugin + config)
  • Test SSO flow: https://jellyfin.ops.eblu.me/sso/OID/start/authentik
  • Verify eblume account auto-links via preferred_username match
  • Verify admins group → Jellyfin admin
  • Reset ArgoCD app revision to main after merge

🤖 Generated with Claude Code

Wire up OIDC authentication via jellyfin-plugin-sso so all Authentik
users can access Jellyfin, with admins group mapped to Jellyfin admin.

- Authentik blueprint: OAuth2 provider + application (no policy binding)
- ExternalSecret + worker env var for client secret
- Ansible: fetch client secret, install SSO-Auth plugin, deploy config
- Local login left enabled (no branding override)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@ -23,1 +23,4 @@
jellyfin_log_dir: "{{ ansible_env.HOME }}/Library/Logs"
# SSO plugin configuration
jellyfin_sso_plugin_version: "4.0.0.3"
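Review bot: `jellyfin_sso_plugin_version` on the added line pins the plugin release by version string only, and nothing in the visible lines pins the integrity of the artifact that version resolves to. If the Ansible install task downloads the release archive, add a companion variable holding its SHA-256 (for example a hypothetical `jellyfin_sso_plugin_checksum`) and pass it to the download step, so that a replaced or re-tagged release fails provisioning instead of being loaded into Jellyfin as an authentication plugin. A short comment next to the version naming the Jellyfin release line it targets would also make the next version bump easier to review.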
Author
Owner

please check this is the most recent version

Author
Owner

Confirmed: v4.0.0.3 is the latest release, targeting Jellyfin 10.11. Indri is running 10.11.6, so it's the correct version.

eblume merged commit 07fb48626d into main 2026-02-21 20:05:45 -08:00
Reference
eblume/blumeops!239