Seerr + Moonfin integration with SSO-Auth enabled Jellyfin servers

[primeral]

I don't know how to wrap my head around this, I can't seem to figure it out.

• basic setup:
• Jellyfin 10.11.8 Server
• Seerr Dev branch with OIDC option
• SSO-Auth Plugin 4.0.0.4
• KeyCloak
• Moonfin 1.8.0.0 Plugin

I got Jellyfin and Seerr to log in using Google SSO through KeyCloak + SSO-Auth. Here's the flow:

1. NewUser goes to Jellyfin instance jellyfin.server.com on a web browser, clicks a button "SSO Login" which loads up KeyCloak and a Google Account sign-in
2. Keycloak authenticates NewUser@google.com, it creates a user within KeyCloak, and a new local user is created within Jellyfin
3. NewUser@google.com can access a Public Access Library with Public Domain media.
4. admin knows NewUser@google.com, goes into KeyCloak and adds jellyfin_fullaccess role to NewUser's KeyCloak account
5. Jellyfin understands this and NewUser@google.com now has access to all Libraries
6. NewUser now has access rights to go to seerr.server.com, which a special Dev Branch has an OpenID Connect (OIDC) login option, and KeyCloak allows authentication and Seerr creates a local Seerr account

All of this works well for now and nobody has to remember passwords. Very cool, I just got this working last week and I like this.

I want even easier and prettier for my folks, so I decided Moonfin would be ideal. The main draw was Seerr integration into the UI. I read in the github "Moonfin now uses a proxy-first Seerr integration: iframe and API traffic are routed through Jellyfin for seamless SSO" and I misunderstood the SSO part, thinking I'd be able to employ SSO with Moonfin also.

I'm not a dev so help me understand, Jellyfin local accounts are for Library permissions, the SSO-Auth + KeyCloak accounts are for authentication, and Jellyfin local accounts that are tied to an SSO login don't have passwords, correct?

In my schema, how can true SSO logins utilize Seerr integration through Moonfin? If it's not possible yet, how could it be implemented?

[RadicalMuffinMan]

so would that mean that the new local user created in jellyfin has no password? I would do 1 of 2 things:

• Install the plugin and create a test user through your keycloak sso.
• go to seerr and import jellyfin users
• attempt to log in via the plugin to seerr using jf username and blank password OR just assign one through jellyfin for that user and test

See how, if at all, it affects your keycloak SSO scenario. The current setup is more geared towards the regular users, your setup is a bit more customized.

[primeral]

Test user created thru keycloak sso, then went to seerr and imported it. Seerr gives a /!\ warning message:

Seerr > Users > testuserxxx@gmail.com > Password

This user account currently does not have a password set. Configure a password below to enable this account to sign in as a "local user."

Testing this login in Seerr 'Login with Jellyfin' gives

The Username of Password is Incorrect
in Seer 'Login with Seerr' gives
You must provide a password

In Moonfin > Settings
Jellyfin Account - Authentication failed: Unauthorized
Local Account - Please enter your password

I then reset the account's password in Seerr. Moonfin's Seerr login works with Local Account and a non-blank password