-
-
Save sbogomolov/708eba479c61b0bc0ada18aad5b2c544 to your computer and use it in GitHub Desktop.
| import json | |
| import requests | |
| from authentik.sources.plex.models import UserPlexSourceConnection | |
| connection = UserPlexSourceConnection.objects.filter(user=request.user).first() | |
| if not connection: | |
| ak_logger.info("Overseer: No Plex connection found") | |
| return {} | |
| base_url = "http://overseerr:5055" | |
| end_point = "/api/v1/auth/plex" | |
| headers = { | |
| "Content-Type": "application/json", | |
| } | |
| data = { | |
| "authToken": connection.plex_token | |
| } | |
| try: | |
| response = requests.post(base_url + end_point, headers=headers, data=json.dumps(data), timeout=5) | |
| if response.status_code == 200: | |
| sid_value = response.cookies.get("connect.sid") | |
| if not sid_value: | |
| ak_logger.error("Overseer: connect.sid cookie not present in response") | |
| return {} | |
| cookie_obj = f"connect.sid={sid_value}" | |
| ak_logger.info("Overseer: Successfully authenticated with Plex token") | |
| return { | |
| "ak_proxy": { | |
| "user_attributes": { | |
| "additionalHeaders": { | |
| "Cookie": cookie_obj | |
| } | |
| } | |
| } | |
| } | |
| else: | |
| ak_logger.error(f"Overseer: The request failed with: {response.text}") | |
| return {} | |
| except requests.Timeout: | |
| ak_logger.error("Overseer: Request to Overseerr timed out") | |
| return {} | |
| except requests.RequestException as e: | |
| ak_logger.error(f"Overseer: Request exception: {e}") | |
| return {} | |
| except Exception as e: | |
| ak_logger.error(f"Overseer: Unexpected error: {e}") | |
| return {} |
Have you modified the
base_urlin the script to match your Overseerr URL? When you test your custom scope mapping (third icon in the Actions column), do you get something like this?{ "ak_proxy": { "user_attributes": { "additionalHeaders": { "Cookie": "connect.sid=<token>" } } } }
Hi there! I've created the Source connection for Plex and I've created the mapping but I don't get that same output when I test it with a user who has an email address that's used in my Plex account.
Does the username AND email need to match? Other than this part I'm asking for I don't see what could be wrong to be honest, so I am a little lost. I don't get any error, nothing. Just a reply saying the test was successfully sent.
@imightbelosthere you need to explicitly link authentik account to Plex account.
When logged in to authentik, go to settings (cogwheel in the top right), then Connected Services. You should see Plex there. You can click Connect and log in with the Plex account that will be associated with the currently logged in authentik user.
When logged in to authentik, go to settings (cogwheel in the top right), then Connected Services. You should see Plex there. You can click Connect and log in with the Plex account that will be associated with the currently logged in authentik user.
Thank you so much for that! :) Makes much more sense and I can now see the output that is expected!
@imightbelosthere I’m glad it worked for you :)
Well... sort'a worked... I'm having the same situation as others which is the fact that I get to the overseerr page and it prompts me for the login instead of SSO'ing using the connected service.
On my overseerr.yml file I have the following:
Then on the Proxy Provider I have:
What am I doing wrong here?
Do you have that custom scope selected?
custom scope... ??? Pardon my ignorance... Where exactly?
You should’ve created a custom scope mapping (code in the first post). Then you need to use this custom scope mapping in your proxy provider. You should see it in the right list Selected Scopes.
You should’ve created a custom scope mapping (code in the first post). Then you need to use this custom scope mapping in your proxy provider. You should see it in the right list
Selected Scopes.
🤦 That's just it... I've created the Scope Mapping as a Plex Source Mapping!
I have it now on the Proxy Provider, still I land on the login page... hmmmm...
Try incognito tab. If it works there - clear browsing history.
Try incognito tab. If it works there - clear browsing history.
Damn... Right on the money! It works perfectly now! Thanks!!!! :)
You’re most welcome.
Thanks for sharing your code, I was able to use to integrate authentik/traefik/overseerr, just added a few exception handlers to remove some noise in logs for your consideration:
import json
import requests
connection = UserPlexSourceConnection.objects.filter(user=request.user).first()
if not connection:
ak_logger.info("Overseer: No Plex connection found")
return {}
base_url = "http://overseerr:5055"
end_point = "/api/v1/auth/plex"
headers = {
"Content-Type": "application/json",
}
data = {
"authToken": connection.plex_token
}
try:
response = requests.post(base_url + end_point, headers=headers, data=json.dumps(data), timeout=5)
if response.status_code == 200:
sid_value = response.cookies.get("connect.sid")
if not sid_value:
ak_logger.error("Overseer: connect.sid cookie not present in response")
return {}
cookie_obj = f"connect.sid={sid_value}"
ak_logger.info("Overseer: Successfully authenticated with Plex token")
return {
"ak_proxy": {
"user_attributes": {
"additionalHeaders": {
"Cookie": cookie_obj
}
}
}
}
else:
ak_logger.error(f"Overseer: The request failed with: {response.text}")
return {}
except requests.Timeout:
ak_logger.error("Overseer: Request to Overseerr timed out")
return {}
except requests.RequestException as e:
ak_logger.error(f"Overseer: Request exception: {e}")
return {}
except Exception as e:
ak_logger.error(f"Overseer: Unexpected error: {e}")
return {}
Hey @pparedes1, I like It! I've updated the gist to include your changes. Thank you!
Any time! For anyone reading latest code http://overseerr:5055, would need to be replaced to your docker-compose hostname or IP where overseer resides...
Would I need to change the information I put in the NPM. I see you all use Traefik and thus I'm not sure if I'm missing anything. I'm using the default NPM config from Authentik.
@RemiEthereal the only relevant part that comes to mind is the list of allowed headers:
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version
- X-Plex-Token
- Authorization
- Cookie
Hmm, I got all of those. I'm having issues forwarding the cookie "connect.sid". See below:
{
"message": "cookie 'connect.sid' required",
"errors": [
{
"path": "/api/v1/auth/me",
"message": "cookie 'connect.sid' required"
}
]
}
I do however get "Overseer: Successfully authenticated with Plex token" logs coming from the property mapping.
@RemiEthereal when you test the property mapping, do you see the token there?
@sbogomolov Yeah, I've gotten as far as that I've realized it is only the browser itself not getting the cookie. According to GPT it's most likely due to the fact that I have authentik on "auth.domain.xyz" and overseer on "www.domian.xyz". Hence the samsite=lax attribute gets weird.
But yeah, no clue how to solve it easily.
I also have (well had, I switched to Jellyfin / Jellyseerr) both on subdomains of the same domains. That should not be an issue. When you click that test button next to the property mapping and select your user, it prints some Json, right? Do you see your token there?
As a sanity check:
- Have you enabled Plex integration in Authentik?
- Does you user have linked Plex account?
- Have you enabled this custom property mapping for your Overseerr provider?
When I was debugging this, I used traefik/whoami image (make sure to enable this custom property mapping for it). With this you will be able to see exactly which headers are being sent to Overseerr.
Have you enabled Plex integration in Authentik? Yes
Does you user have linked Plex account? Yes
Have you enabled this custom property mapping for your Overseerr provider? Yes
When I click the test button it only send me a notification that the test succeeded is that intended?
It should print JSON. I did have this issue when it would quickly close the window with the result. I thought ot was a Safari issue because it worked fine before. In any case, I recorder my screen when doing test to capture the result. Maybe you can try that :)
The test gives me a connect.sids cookie. This just tells me it must be the NPM (Nginx Proxy Manager) not passing the cookie correctly?
Hm. Where do you see the error about it being missing? Try the whoami image and verify which headers are being passed. Even though it’s called Cookie, it’s actually a header :)
I ended up getting it to work. Here's the config for NPM if anyone in the future needs it!
# Buffers for large Authentik headers
proxy_buffers 8 16k;
proxy_buffer_size 32k;
# Don’t redirect with port 4443
port_in_redirect off;
location / {
proxy_pass $forward_scheme://$server:$port;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
##############################
# Authentik forward auth
##############################
auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin;
# Forward the connect.sid cookie as a header
auth_request_set $auth_cookie $upstream_http_cookie;
proxy_set_header Cookie $auth_cookie;
# Translate Authentik headers
auth_request_set $authentik_username $upstream_http_x_authentik_username;
auth_request_set $authentik_email $upstream_http_x_authentik_email;
auth_request_set $authentik_name $upstream_http_x_authentik_name;
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
proxy_set_header X-authentik-username $authentik_username;
proxy_set_header X-authentik-email $authentik_email;
proxy_set_header X-authentik-name $authentik_name;
proxy_set_header X-authentik-uid $authentik_uid;
}
# All requests to /outpost.goauthentik.io must bypass auth
location /outpost.goauthentik.io {
proxy_pass http://authentik:9000/outpost.goauthentik.io;
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}
# Redirect 401s to Authentik login
location @goauthentik_proxy_signin {
internal;
return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
Thanks for the fyi @mil1i.