Property Mapping for authentik: Overseerr authentication using Plex SSO token

authentik-overseerr-auth

import json
import requests
from authentik.sources.plex.models import UserPlexSourceConnection

connection = UserPlexSourceConnection.objects.filter(user=request.user).first()
if not connection:
    ak_logger.info("Overseer: No Plex connection found")
    return {}

base_url = "http://overseerr:5055"
end_point = "/api/v1/auth/plex"

headers = {
    "Content-Type": "application/json",
}

data = {
    "authToken": connection.plex_token
}

try:
    response = requests.post(base_url + end_point, headers=headers, data=json.dumps(data), timeout=5)
    if response.status_code == 200:
        sid_value = response.cookies.get("connect.sid")
        if not sid_value:
            ak_logger.error("Overseer: connect.sid cookie not present in response")
            return {}

        cookie_obj = f"connect.sid={sid_value}"
        ak_logger.info("Overseer: Successfully authenticated with Plex token")
        return {
            "ak_proxy": {
                "user_attributes": {
                    "additionalHeaders": {
                        "Cookie": cookie_obj
                    }
                }
            }
        }
    else:
        ak_logger.error(f"Overseer: The request failed with: {response.text}")
        return {}

except requests.Timeout:
    ak_logger.error("Overseer: Request to Overseerr timed out")
    return {}

except requests.RequestException as e:
    ak_logger.error(f"Overseer: Request exception: {e}")
    return {}

except Exception as e:
    ak_logger.error(f"Overseer: Unexpected error: {e}")
    return {}

I’ve seen this issue when Plex token was outdated. What helped in my case was removing Plex integration for the authentik user, then adding it again (which required me to login via Plex SSO again). This refreshed the token. Then I had to thoroughly clear my browser’s cache. After that - things started working again.

Token is correct. The cookie is not getting to Overseerr. You mentioned you use Traefik... Do you have any special header configs to allow cookies to be set?

I do not think I have anything related to that in my Traefik config. Only this is somewhat related:

allowCrossNamespace: true

Here is my authentik middleware (allowed headers are configured here):

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: authentik
  namespace: authentik
  labels:
    app.kubernetes.io/name: authentik
spec:
  forwardAuth:
    address: http://authentik-server.authentik/outpost.goauthentik.io/auth/traefik
    trustForwardHeader: true
    authResponseHeaders:
    - X-authentik-username
    - X-authentik-groups
    - X-authentik-email
    - X-authentik-name
    - X-authentik-uid
    - X-authentik-jwt
    - X-authentik-meta-jwks
    - X-authentik-meta-outpost
    - X-authentik-meta-provider
    - X-authentik-meta-app
    - X-authentik-meta-version
    - X-Plex-Token
    - Authorization
    - Cookie

Here is the Overseerr’s ingress route:

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: overseerr
  namespace: apps
  annotations:
    kubernetes.io/ingress.class: ingress-public
  labels:
    app.kubernetes.io/name: overseerr
spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    match: Host(`overseerr.domain.tld`)
    middlewares:
    - name: authentik
      namespace: authentik
    services:
    - name: overseerr
      port: http
  - kind: Rule
    match: Host(`overseerr.domain.tld`) && PathPrefix(`/outpost.goauthentik.io/`)
    services:
    - name: authentik-server
      namespace: authentik
      port: http
      nativeLB: true

PERFECT. I have it working now.

Mine was missing - Cookie on the headers. THANK YOU

Nice, I’m glad it works for you @lmaced0!

Found that having this setting enabled will break this; fyi. Disabling Enable CSRF Protection allowed setup to work for me.

Thanks for the fyi @mil1i.

Have you modified the base_url in the script to match your Overseerr URL? When you test your custom scope mapping (third icon in the Actions column), do you get something like this?

{
    "ak_proxy": {
        "user_attributes": {
            "additionalHeaders": {
                "Cookie": "connect.sid=<token>"
            }
        }
    }
}

Hi there! I've created the Source connection for Plex and I've created the mapping but I don't get that same output when I test it with a user who has an email address that's used in my Plex account.
Does the username AND email need to match? Other than this part I'm asking for I don't see what could be wrong to be honest, so I am a little lost. I don't get any error, nothing. Just a reply saying the test was successfully sent.

@imightbelosthere you need to explicitly link authentik account to Plex account.

Hmmmm... I'm sorry, how do I do that exactly? Because when I create the Plex Source I do get the account logged in and I even specify the server that can be used and all... Is that it? Or is there another way to link the account for my user on Authentik to the Plex?

…

________________________________ From: Sergii Bogomolov ***@***.***> Sent: Monday, April 14, 2025 7:59:07 AM To: sbogomolov ***@***.***> Cc: Mention ***@***.***> Subject: Re: sbogomolov/authentik-overseerr-auth @sbogomolov commented on this gist.

________________________________ @imightbelosthere<https://github.com/imightbelosthere> you need to explicitly link authentik account to Plex account. — Reply to this email directly, view it on GitHub<https://gist.github.com/sbogomolov/708eba479c61b0bc0ada18aad5b2c544#gistcomment-5539346> or unsubscribe<https://github.com/notifications/unsubscribe-auth/ARU5MBGL6SISCZWA74HNRU32ZNFCZBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVEYTENZWG43DONBVU52HE2LHM5SXFJTDOJSWC5DF>. You are receiving this email because you were mentioned. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

When logged in to authentik, go to settings (cogwheel in the top right), then Connected Services. You should see Plex there. You can click Connect and log in with the Plex account that will be associated with the currently logged in authentik user.

When logged in to authentik, go to settings (cogwheel in the top right), then Connected Services. You should see Plex there. You can click Connect and log in with the Plex account that will be associated with the currently logged in authentik user.

Thank you so much for that! :) Makes much more sense and I can now see the output that is expected!

@imightbelosthere I’m glad it worked for you :)

Well... sort'a worked... I'm having the same situation as others which is the fact that I get to the overseerr page and it prompts me for the login instead of SSO'ing using the connected service.

On my overseerr.yml file I have the following:

Then on the Proxy Provider I have:

What am I doing wrong here?

Do you have that custom scope selected?

custom scope... ??? Pardon my ignorance... Where exactly?

You should’ve created a custom scope mapping (code in the first post). Then you need to use this custom scope mapping in your proxy provider. You should see it in the right list Selected Scopes.

You should’ve created a custom scope mapping (code in the first post). Then you need to use this custom scope mapping in your proxy provider. You should see it in the right list Selected Scopes.

🤦 That's just it... I've created the Scope Mapping as a Plex Source Mapping!

I have it now on the Proxy Provider, still I land on the login page... hmmmm...

Try incognito tab. If it works there - clear browsing history.

Try incognito tab. If it works there - clear browsing history.

Damn... Right on the money! It works perfectly now! Thanks!!!! :)

You’re most welcome.

Thanks for sharing your code, I was able to use to integrate authentik/traefik/overseerr, just added a few exception handlers to remove some noise in logs for your consideration:

import json
import requests

connection = UserPlexSourceConnection.objects.filter(user=request.user).first()
if not connection:
    ak_logger.info("Overseer: No Plex connection found")
    return {}

base_url = "http://overseerr:5055"
end_point = "/api/v1/auth/plex"

headers = {
    "Content-Type": "application/json",
}

data = {
    "authToken": connection.plex_token
}

try:
    response = requests.post(base_url + end_point, headers=headers, data=json.dumps(data), timeout=5)
    if response.status_code == 200:
        sid_value = response.cookies.get("connect.sid")
        if not sid_value:
            ak_logger.error("Overseer: connect.sid cookie not present in response")
            return {}

        cookie_obj = f"connect.sid={sid_value}"
        ak_logger.info("Overseer: Successfully authenticated with Plex token")
        return {
            "ak_proxy": {
                "user_attributes": {
                    "additionalHeaders": {
                        "Cookie": cookie_obj
                    }
                }
            }
        }
    else:
        ak_logger.error(f"Overseer: The request failed with: {response.text}")
        return {}

except requests.Timeout:
    ak_logger.error("Overseer: Request to Overseerr timed out")
    return {}

except requests.RequestException as e:
    ak_logger.error(f"Overseer: Request exception: {e}")
    return {}

except Exception as e:
    ak_logger.error(f"Overseer: Unexpected error: {e}")
    return {}

Hey @pparedes1, I like It! I've updated the gist to include your changes. Thank you!

Any time! For anyone reading latest code http://overseerr:5055, would need to be replaced to your docker-compose hostname or IP where overseer resides...

Would I need to change the information I put in the NPM. I see you all use Traefik and thus I'm not sure if I'm missing anything. I'm using the default NPM config from Authentik.

@RemiEthereal the only relevant part that comes to mind is the list of allowed headers:

    authResponseHeaders:
    - X-authentik-username
    - X-authentik-groups
    - X-authentik-email
    - X-authentik-name
    - X-authentik-uid
    - X-authentik-jwt
    - X-authentik-meta-jwks
    - X-authentik-meta-outpost
    - X-authentik-meta-provider
    - X-authentik-meta-app
    - X-authentik-meta-version
    - X-Plex-Token
    - Authorization
    - Cookie

Hmm, I got all of those. I'm having issues forwarding the cookie "connect.sid". See below:

{
"message": "cookie 'connect.sid' required",
"errors": [
{
"path": "/api/v1/auth/me",
"message": "cookie 'connect.sid' required"
}
]
}

I do however get "Overseer: Successfully authenticated with Plex token" logs coming from the property mapping.

@RemiEthereal when you test the property mapping, do you see the token there?

@sbogomolov Yeah, I've gotten as far as that I've realized it is only the browser itself not getting the cookie. According to GPT it's most likely due to the fact that I have authentik on "auth.domain.xyz" and overseer on "www.domian.xyz". Hence the samsite=lax attribute gets weird.

But yeah, no clue how to solve it easily.