Keycloak Authentication Plugin
A simple plugin for Jellyfin to authenticate against a Keycloak instance.
Requirements
- Your Keycloak client config needs to have `Direct Access Grants Enabled` enabled.
- You need to add the following roles to your defined client: `administrator`, `allowed_access`, `allow_media_downloads`
- Map at least `allowed_access` to the users you want to be able to access Jellyfin (or map it to a group).
Limitations
- This only provides an authentication method against Keycloak; it does not handle token renewal/revoking.
  E.g.: if you delete/invalidate/etc. a user's session/account in Keycloak, the session will remain active in Jellyfin.
  (However, if you remove the `allowed_access` role and the user logs in again, all sessions in Jellyfin are revoked.)
- It does not provide a true 'Single Sign On': if the user is already signed into the realm, the user will still be prompted to authenticate to Jellyfin.
- It does not follow the OAuth2 or OIDC workflow; it merely requests a token from Keycloak with the username/password provided, and if we get a token we mark the authentication request as successful.
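The role requirements and the token-only login described above can be illustrated with a short sketch. This is an added example, not the plugin's code: it decodes a Keycloak access token payload and maps the three roles to permissions, assuming they are client roles under Keycloak's `resource_access.<client_id>.roles` claim, a client id of `jellyfin`, and that `administrator` counts only together with `allowed_access`. The sample token is constructed and unsigned, and signature verification is skipped on the assumption that the token came straight from Keycloak's token endpoint over TLS.

```python
import base64
import json

# Role names come from the README; reading them as client roles from
# Keycloak's resource_access claim is an assumption about the plugin.
ROLE_ACCESS = "allowed_access"
ROLE_ADMIN = "administrator"
ROLE_DOWNLOAD = "allow_media_downloads"


def decode_payload(jwt: str) -> dict:
    """Decode the payload segment of a compact JWT (no signature check)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    payload = json.loads(base64.urlsafe_b64decode(segment))
    if not isinstance(payload, dict):
        raise ValueError("JWT payload is not a JSON object")
    return payload


def permissions_for(payload: dict, client_id: str) -> dict:
    """Map the client's roles in the token to Jellyfin permissions."""
    client = (payload.get("resource_access") or {}).get(client_id) or {}
    roles = set(client.get("roles") or [])
    allowed = ROLE_ACCESS in roles
    # Assumed policy: without allowed_access no other role is honoured.
    return {
        "login": allowed,
        "admin": allowed and ROLE_ADMIN in roles,
        "downloads": allowed and ROLE_DOWNLOAD in roles,
    }


def make_sample_token(payload: dict) -> str:
    """Build an unsigned, constructed token for the demo below."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}.constructed"


if __name__ == "__main__":
    roles = {"jellyfin": {"roles": ["allowed_access", "allow_media_downloads"]}}
    token = make_sample_token({"preferred_username": "alice", "resource_access": roles})
    print(permissions_for(decode_payload(token), "jellyfin"))
```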
Build/Installation
- Have .NET SDK 5.0
- `dotnet publish --configuration Release --output bin`
- Make a directory called `keycloak` (or whatever you want) in your Jellyfin plugins directory
  - Windows: `%localappdata%\jellyfin\plugins`
  - Linux: `/var/lib/jellyfin/plugins`
- Place the built `Jellyfin.Plugin.Keycloak.dll` and `JWT.dll` in the directory and restart Jellyfin
- Configure the plugin in the web UI: Admin Dashboard -> Advanced -> Plugins