Configuration OpenID Connect
OpenID Connect (OIDC) is the recommended protocol. It can be configured entirely through the admin UI.
| Field | Description |
|---|---|
| Provider Name | Unique identifier for this provider. Used in redirect URIs and API paths. No spaces. |
| OpenID Endpoint | Base URL of the provider. Must expose /.well-known/openid-configuration. |
| Client ID | The client ID registered in your identity provider. |
| Client Secret | The client secret registered in your identity provider. |
| Field | Description |
|---|---|
| Enabled | Activates the provider. Disable to temporarily block logins without deleting config. |
| Enable Authorization by Plugin | When checked, the plugin manages user permissions on every login. When unchecked, permissions must be set manually in Jellyfin. |
| Enable All Folders | Grants access to all Jellyfin libraries. When unchecked, only folders listed below are accessible. |
| Enabled Folders | Specific libraries accessible to users logging in through this provider. |
| Field | Description |
|---|---|
| Roles | Roles (one per line) that a user must have to be allowed to log in. Leave empty to allow all users. |
| Admin Roles | Roles that grant Jellyfin administrator privileges. |
| Preserve Existing Admin Permissions | When enabled, OIDC can grant administrator access from matching admin roles but will not revoke administrator access from accounts that already have it. Disabled by default, so OIDC admin roles are the strict source of truth. |
| Enable Role-Based Folder Access | Maps specific roles to specific libraries (see RBAC). |
| Folder Role Mapping | List of role → folder mappings. |
| Enable Live TV RBAC | Controls Live TV access per role. |
| Live TV Roles | Roles that grant Live TV viewing access. |
| Live TV Management Roles | Roles that grant Live TV management (scheduling, etc.). |
| Enable Live TV Access by Default | Grants Live TV viewing to all users of this provider regardless of roles. |
| Enable Live TV Management by Default | Grants Live TV management to all users regardless of roles. |
| Field | Description | Example |
|---|---|---|
| Role Claim | Dot-separated path to the roles array in the ID token or UserInfo response. Use `\.` to escape a literal dot. | `realm_access.roles` (Keycloak), `groups` (Authelia) |
| Request Additional Scopes | Extra OAuth2 scopes to request (one per line). Useful for fetching group claims. | `groups` |
| Default Username Claim | Claim used as the Jellyfin username. | `preferred_username` (default) |
| Avatar URL Format | Template for the user's avatar URL. Use `@{claim_name}` to substitute a claim value. | `https://gravatar.com/avatar/@{email}` |
These options weaken security. Only enable them when required by your provider.
| Field | When to use |
|---|---|
| Disable OpenID HTTPS Discovery | Provider discovery endpoint is on HTTP (not recommended in production). |
| Disable Pushed Authorization | Required for Authelia, which does not support PAR. |
| Do Not Validate OpenID Endpoints | Required for Google, whose endpoints are served from a different authority than the issuer. |
| Do Not Validate OpenID Issuer Name | Use when the issuer name in the token does not match the discovery URL. |
| Do Not Load Profile Information | Skip the UserInfo endpoint call. Required for some providers like Cloudflare. |
| Scheme Override | Override the URL scheme for the redirect URI (e.g., https if Jellyfin is behind a reverse proxy on HTTP). |
| Port Override | Override the port in the redirect URI (e.g., if Jellyfin is behind a reverse proxy). |
The redirect URI that must be registered in your identity provider is:
https://<your-jellyfin-domain>/sso/OID/redirect/<provider-name>
You can add multiple OIDC providers. Each must have a unique Provider Name. Users can then choose which provider to log in with.
After saving, a Jellyfin server restart is required for changes to take effect.
When Enable Authorization by Plugin is enabled, administrator status is managed from Admin Roles by default. If an existing administrator logs in and does not match an admin role, the plugin can revoke the administrator flag.
Enable Preserve Existing Admin Permissions if you want OIDC logins to elevate matching users to administrator but never demote accounts that are already administrators. This is useful when role claims can be missing or parsed differently across providers, but it means OIDC is no longer the strict source of truth for administrator removal.
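To make the Role Claim path syntax and the admin-role decision concrete, here is an added Python example (not the plugin's own code). It assumes that `\.` in the path keeps a literal dot inside one key and that a missing claim path simply yields no roles; the claim payloads are constructed samples and the functions are hypothetical names.

```python
import json

def split_claim_path(path: str) -> list[str]:
    """Split a dot-separated claim path; '\\.' keeps a literal dot in a key."""
    parts, current, i = [], "", 0
    while i < len(path):
        if path[i] == "\\" and i + 1 < len(path) and path[i + 1] == ".":
            current += "."          # escaped dot: part of the key name
            i += 2
        elif path[i] == ".":
            parts.append(current)   # unescaped dot: descend one level
            current = ""
            i += 1
        else:
            current += path[i]
            i += 1
    parts.append(current)
    return parts

def resolve_roles(claims: dict, role_claim: str) -> list[str]:
    """Walk the claims document along the path; a missing path yields no roles."""
    node = claims
    for key in split_claim_path(role_claim):
        if not isinstance(node, dict) or key not in node:
            return []
        node = node[key]
    return [str(r) for r in node] if isinstance(node, list) else []

def decide_admin(user_roles, admin_roles, currently_admin, preserve_existing):
    """Admin flag after login: a matching admin role always grants; without a
    match the flag is revoked unless Preserve Existing Admin Permissions is on."""
    if set(user_roles) & set(admin_roles):
        return True
    return currently_admin if preserve_existing else False

# Constructed sample claim payloads (not real tokens).
KEYCLOAK_CLAIMS = json.loads(
    '{"preferred_username": "alice",'
    ' "realm_access": {"roles": ["jellyfin-user", "jellyfin-admin"]}}'
)
DOTTED_CLAIMS = {"https://example.com/groups": ["media-viewer"]}  # hypothetical namespaced claim

if __name__ == "__main__":
    roles = resolve_roles(KEYCLOAK_CLAIMS, "realm_access.roles")
    print(roles, decide_admin(roles, ["jellyfin-admin"], False, False))
    # The dot in "example.com" must be escaped or the path would split there.
    print(resolve_roles(DOTTED_CLAIMS, r"https://example\.com/groups"))
```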