v2.5.11 — OIDC email auto-fill, disable-password login, email password recovery
An OIDC/SSO and account-recovery release. In-place upgrade from any 2.5.x — no schema or data migration.
New
- Disable password sign-in (#69). A master toggle (Settings → Security) refuses username+password sign-in so users go through your identity provider or Quick Connect — ideal for OIDC-only deployments. The login page hides the password fields, leaving a discreet "Sign in with a password instead" link. OIDC sign-in and Quick Connect are never blocked. Three independently-toggleable escape hatches keep a failed IdP from locking everyone out: administrators may always use a password, LAN clients may always use a password (i.e. "disable for remote users only"), and an explicit exempt-CIDR list. The plugin's own `/TwoFactorAuth/Loginpage` also keeps working regardless.
- Customisable provider login button (#69). Per-provider button text and icon/logo URL (https or data:image) — e.g. show your IdP's name and logo instead of the generic "Sign in with …".
- Password recovery by email (#71). Optional "Forgot password?" link on the login page. The user enters their username or email and is sent a one-time, 30-minute, single-use reset link to set a new password. SMTP-gated, rate-limited per IP and per identifier, and responses are always generic so it can't be used to discover which accounts exist. Off by default.
- Configurable OIDC email claim (#70). Per-provider override for the email claim name (default `email`) — for IdPs that expose the address under a custom claim such as `internal_email`.
Fixed
- IdP email now populates the user's email field (#70). On OIDC sign-in the email claim is written to the Jellyfin user's plugin email (used for email OTP and shown in the admin Users tab) when it isn't already set — previously it was only kept on the SSO link, so the Users-tab field stayed blank. An email entered manually is never overwritten. Per-provider toggle, on by default.
- A deleted account no longer blocks OIDC sign-in for the surviving user. A stale per-user email record left behind by a deleted Jellyfin account was counted as a duplicate, tripping the ambiguous-email guard and refusing sign-in for the real user who shared that address. The match now ignores records whose user no longer exists.
- Failed OIDC sign-ins now explain why instead of silently bouncing. A refused sign-in (no matching account, ambiguous email, not in an allowed group, MFA required at the IdP, expired session) now shows a clear, actionable message on the login page — surfaced on whatever screen the web client lands on, including the user-select grid. Sensitive token/validation details still stay server-side.
Notes
- Supports Jellyfin 10.11.x (10.11.9 and newer).
- 266/266 tests pass on .NET 9 / Jellyfin 10.11.x. Sigstore-signed + SLSA build-provenance attested.