Fair, but self hosting stuff has that part of self. It is difficult to make it easy for everyone since everyone has a different setup; as such, it is mostly directed towards people who are experts in doing these kinds of things or who will dedicate the time to learn how to do it.
The good thing is after you have spent a couple days trying to figure out how to make it work, it will work in the future and you already know how to set up more stuff.
It’s not directed towards people who are experts. I’m an expert and can’t secure Jellyfin properly because Jellyfin doesn’t support proper secure authentication.
Which authentication method are you wanting for it? I wouldn’t call myself an expert but my job stuck senior in front of my title a few years back.
Native OIDC/SSO support, allowing users to offload the authentication to purpose-built software.
Then don’t and do VPN?
I would rather just properly secure it like every other selfhosted service I have, and not have to manage a VPN client for every user who wants to connect to Jellyfin.
A security focused service vs a media consumption service competing for max security…
I wonder what would be the most successful at this task…
A security focused authentication service would be the most successful, straightforward, and simple to implement solution.
Unfortunately Jellyfin, nearly alone amongst its FOSS peers, has not implemented support for these services. It’s the only one of my many dozens of selfhosted services that I can’t properly secure.
There are plugins for SSO.
There are 3rd party plugins for OIDC and I think LDAP is even first party.
The issue comes when intercepting the signin-progress with 1st party clients. Jellyfin (to my knowledge) doesn’t support redirects/callbacks like a Home Assistant companion app does.
And how many media servers are there? The 2 other major offerings (Plex and Emby) don’t support OIDC either.
Plex does its own sauce and Emby doesn’t support it. Authentik has a guide to implement it via LDAP.
And Jellyfin has a tech-debt history being forked from Emby. Stark contrast to newly developed projects which were started when SSO and OIDC were starting to become popular.
Yeah, natively Jellyfin supports LDAP (1st party plug-in anyway), which means I can use my personal IdP to centrally manage accounts and it works across all their apps I’ve tried (as opposed to the OIDC plugin which seems to still break their apps).
Plugins for SSO and OIDC are not a solution as they will only work with the web clients, so that’s a non-starter.
Jellyfin can blame it on the tech debt all they want but implementing it really wouldn’t be that hard, they just haven’t prioritized it, simple as.
This sounds like you are very knowledgeable about it.
Why not propose a dev-draft or propose a feature on their feature voting website?
I actually love when I run into an issue like that and get an error. Researching that stuff is fun for me, but I think trying to get the average person to do it is a non-starter.