Configuration OpenID Connect
Kolin edited this page Jun 13, 2026
OpenID Connect (OIDC) is the recommended protocol. It can be configured entirely through the admin UI.
| Field | Description |
|---|---|
| Provider Name | Unique identifier for this provider. Used in redirect URIs and API paths. No spaces. |
| OpenID Endpoint | Base URL of the provider. Must expose /.well-known/openid-configuration. |
| Client ID | The client ID registered in your identity provider. |
| Client Secret | The client secret registered in your identity provider. |
| Field | Description |
|---|---|
| Enabled | Activates the provider. Disable to temporarily block logins without deleting config. |
| Enable Authorization by Plugin | When checked, the plugin manages user permissions on every login. When unchecked, permissions must be set manually in Jellyfin. |
| Enable All Folders | Grants access to all Jellyfin libraries. When unchecked, only folders listed below are accessible. |
| Enabled Folders | Specific libraries accessible to users logging in through this provider. |
| Field | Description |
|---|---|
| Roles | Roles (one per line) that a user must have to be allowed to log in. Leave empty to allow all users. |
| Admin Roles | Roles that grant Jellyfin administrator privileges. |
| Enable Role-Based Folder Access | Maps specific roles to specific libraries (see RBAC). |
| Folder Role Mapping | List of role → folder mappings. |
| Enable Live TV RBAC | Controls Live TV access per role. |
| Live TV Roles | Roles that grant Live TV viewing access. |
| Live TV Management Roles | Roles that grant Live TV management (scheduling, etc.). |
| Enable Live TV Access by Default | Grants Live TV viewing to all users of this provider regardless of roles. |
| Enable Live TV Management by Default | Grants Live TV management to all users regardless of roles. |
| Field | Description | Example |
|---|---|---|
| Role Claim | Dot-separated path to the roles array in the ID token or UserInfo response. Use `\.` to escape a literal dot. | `realm_access.roles` (Keycloak), `groups` (Authelia) |
| Request Additional Scopes | Extra OAuth2 scopes to request (one per line). Useful for fetching group claims. | `groups` |
| Default Username Claim | Claim used as the Jellyfin username. | `preferred_username` (default) |
| Avatar URL Format | Template for the user's avatar URL. Use `@{claim_name}` to substitute a claim value. | `https://gravatar.com/avatar/@{email}` |
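The Role Claim path, the Roles / Admin Roles / Folder Role Mapping settings and the Avatar URL Format template are easiest to understand against a real decoded token. The script below is an added illustration written for this page, not the plugin's own code: it resolves a dot-separated claim path (including the `\.` escape), applies the role rules exactly as the tables above describe them, and expands an avatar template. The token payloads, role lists and folder mapping are constructed samples; how the plugin combines the mapping with Enable All Folders / Enabled Folders is not shown here and is left to the plugin.

```python
"""Added worked example (not the plugin's code): resolve the Role Claim path, apply the
Roles / Admin Roles / Folder Role Mapping settings, and expand an Avatar URL Format
template against a decoded ID token. All sample tokens and settings are constructed."""
import re
from typing import Any, Dict, List, Optional, Tuple


def split_claim_path(path: str) -> List[str]:
    """Split a dot-separated claim path. A backslash-escaped dot (\\.) is a literal dot."""
    parts: List[str] = []
    current = ""
    i = 0
    while i < len(path):
        if path[i] == "\\" and i + 1 < len(path) and path[i + 1] == ".":
            current += "."          # escaped dot: part of the key name itself
            i += 2
        elif path[i] == ".":
            parts.append(current)   # unescaped dot: descend one level
            current = ""
            i += 1
        else:
            current += path[i]
            i += 1
    parts.append(current)
    return parts


def resolve_claim(claims: Dict[str, Any], path: str) -> Optional[Any]:
    """Walk the decoded token along the path; None if any segment is missing."""
    node: Any = claims
    for key in split_claim_path(path):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def extract_roles(claims: Dict[str, Any], role_claim: str) -> List[str]:
    """Return the roles array at the Role Claim path (a lone string counts as one role)."""
    value = resolve_claim(claims, role_claim)
    if isinstance(value, list):
        return [str(v) for v in value]
    if isinstance(value, str):
        return [value]
    return []


def evaluate_login(
    roles: List[str],
    required_roles: List[str],
    admin_roles: List[str],
    folder_role_mapping: List[Tuple[str, str]],
) -> Dict[str, Any]:
    """Apply the role settings as the page describes them:
    - an empty Roles list allows everyone, otherwise at least one listed role is needed;
    - any Admin Role grants administrator;
    - Folder Role Mapping yields the libraries the user's roles unlock."""
    have = set(roles)
    allowed = not required_roles or bool(have & set(required_roles))
    is_admin = allowed and bool(have & set(admin_roles))
    folders = sorted({folder for role, folder in folder_role_mapping if role in have}) if allowed else []
    return {"allowed": allowed, "is_admin": is_admin, "folders": folders}


def render_avatar_url(template: str, claims: Dict[str, Any]) -> str:
    """Replace every @{claim_name} with that claim's value (missing claims become empty)."""
    return re.sub(r"@\{([^}]+)\}", lambda m: str(claims.get(m.group(1), "")), template)


# Constructed Keycloak-style payload (nested realm_access.roles) and a payload whose
# top-level claim name contains a dot, which is only reachable through the \. escape.
KEYCLOAK_CLAIMS = {
    "preferred_username": "alice",
    "email": "alice@example.com",
    "realm_access": {"roles": ["jellyfin-user", "jellyfin-admin"]},
}
DOTTED_CLAIMS = {"preferred_username": "bob", "custom.groups": ["media"]}

if __name__ == "__main__":
    roles = extract_roles(KEYCLOAK_CLAIMS, "realm_access.roles")
    print(evaluate_login(roles, ["jellyfin-user"], ["jellyfin-admin"], [("jellyfin-user", "Movies")]))
    print(extract_roles(DOTTED_CLAIMS, r"custom\.groups"))
    print(render_avatar_url("https://gravatar.com/avatar/@{email}", KEYCLOAK_CLAIMS))
```

Paste the decoded payload of your own ID token (or the UserInfo response) into `KEYCLOAK_CLAIMS` to check that the Role Claim path you intend to configure actually reaches an array; an empty result means every user would be refused once Roles is non-empty.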
These options weaken security. Only enable them when required by your provider.
| Field | When to use |
|---|---|
| Disable OpenID HTTPS Discovery | Provider discovery endpoint is on HTTP (not recommended in production). |
| Disable Pushed Authorization | Required for Authelia, which does not support PAR. |
| Do Not Validate OpenID Endpoints | Required for Google, whose endpoints use a different authority than the issuer. |
| Do Not Validate OpenID Issuer Name | Use when the issuer name in the token does not match the discovery URL. |
| Do Not Load Profile Information | Skip the UserInfo endpoint call. Required for some providers like Cloudflare. |
| Scheme Override | Override the URL scheme for the redirect URI (e.g., https if Jellyfin is behind a reverse proxy on HTTP). |
| Port Override | Override the port in the redirect URI (e.g., if Jellyfin is behind a reverse proxy). |
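Because every option in this table loosens a check, it is worth knowing beforehand which ones a given provider actually needs rather than enabling them until login works. The script below is an added example, not part of the plugin: it takes the configured OpenID Endpoint and the JSON the provider serves at `/.well-known/openid-configuration` and reports which options the discovery document implies. The two discovery documents are constructed stand-ins shaped like Google's and Authelia's; the "Do Not Load Profile Information" rule is a heuristic of this script, not a rule stated by the plugin.

```python
"""Added example (not the plugin's code): map an OpenID discovery document to the
compatibility options it is likely to require. Discovery documents are constructed."""
from typing import Any, Dict, Tuple
from urllib.parse import urlsplit


def authority(url: str) -> Tuple[str, str]:
    """(scheme, host[:port]) of a URL; endpoint validation compares this part."""
    parts = urlsplit(url)
    return parts.scheme, parts.netloc


def suggest_compat_options(openid_endpoint: str, discovery: Dict[str, Any]) -> Dict[str, bool]:
    """True for each option the discovery document suggests you will have to enable."""
    base = openid_endpoint.rstrip("/")
    issuer = str(discovery.get("issuer", "")).rstrip("/")
    endpoint_keys = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")
    endpoints = [discovery[k] for k in endpoint_keys if k in discovery]
    return {
        # Discovery over plain HTTP only works with this option set.
        "Disable OpenID HTTPS Discovery": authority(base)[0] != "https",
        # Issuer validation expects the advertised issuer to equal the configured endpoint.
        "Do Not Validate OpenID Issuer Name": issuer != base,
        # Endpoint validation expects every advertised endpoint on the issuer's authority.
        "Do Not Validate OpenID Endpoints": any(authority(e) != authority(base) for e in endpoints),
        # PAR (RFC 9126) is advertised under this standard metadata key; absent means unsupported.
        "Disable Pushed Authorization": "pushed_authorization_request_endpoint" not in discovery,
        # Heuristic of this script: with no UserInfo endpoint advertised, the profile call cannot succeed.
        "Do Not Load Profile Information": "userinfo_endpoint" not in discovery,
    }


GOOGLE_LIKE = {  # constructed: issuer and endpoints live on different hosts
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
}
AUTHELIA_LIKE = {  # constructed: single host, no PAR endpoint advertised
    "issuer": "https://auth.example.com",
    "authorization_endpoint": "https://auth.example.com/api/oidc/authorization",
    "token_endpoint": "https://auth.example.com/api/oidc/token",
    "userinfo_endpoint": "https://auth.example.com/api/oidc/userinfo",
    "jwks_uri": "https://auth.example.com/jwks.json",
}

if __name__ == "__main__":
    for name, endpoint, doc in (("google-like", "https://accounts.google.com", GOOGLE_LIKE),
                                ("authelia-like", "https://auth.example.com/", AUTHELIA_LIKE)):
        needed = [opt for opt, flag in suggest_compat_options(endpoint, doc).items() if flag]
        print(name, "->", needed or "no compatibility options needed")
```

Run it against the real discovery JSON of your provider (fetched over HTTPS) and enable only the options it flags; anything else in the table should stay off.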
The redirect URI that must be registered in your identity provider is `https://<your-jellyfin-domain>/sso/OID/redirect/<provider-name>`.
You can add multiple OIDC providers. Each must have a unique Provider Name. Users can then choose which provider to log in with.
After saving, a Jellyfin server restart is required for changes to take effect.