Skip to content

v2.5.19

Latest

Choose a tag to compare

@github-actions github-actions released this 13 Jul 17:19

v2.5.19 — Authentik-friendly OIDC + clearer discovery errors

In-place upgrade from any 2.5.x — no schema or data migration, no config changes required. Supports Jellyfin 10.11.x (10.11.9+). Sigstore-signed + SLSA build-provenance attested.

Added

  • "Don't force re-authentication (omit prompt=login)" toggle, per OIDC provider (bug #119, vasmarfas) — the plugin normally sends prompt=login on the step-up and account-link flows so the IdP always re-authenticates the user (a security measure: it stops a hijacked IdP session being silently confirmed). A few IdPs mishandle the parameter — notably Authentik, whose upstream bug goauthentik/authentik#18507 returns a bare 404 on the sign-in redirect. The new toggle (Sign-in Methods → your provider) omits prompt=login for that provider only. Off by default — turn it on only if sign-in fails with such an IdP; it trades the forced fresh-login for compatibility. Fully localized in all eight languages.

Fixed

  • Clear error when the OIDC Discovery URL is wrong (feature #120, MysaaJava) — pasting an issuer / realm root (e.g. Keycloak's .../realms/master) instead of the discovery document used to surface a bare KeyNotFoundException in the logs. The plugin now (a) reports exactly which field is missing and reminds you the URL usually ends in /.well-known/openid-configuration, and (b) auto-retries with that suffix appended — so pasting the realm root now just works.

Notes

  • prompt=login is unchanged for every provider that doesn't opt in — existing setups keep the forced-fresh-auth security behaviour.
  • 266/266 tests pass. Verified against Keycloak and a live Authentik instance.