v2.5.17 — App-password follow-up fixes, self-hosted ntfy, Keycloak roles & verified-email OIDC linking
In-place upgrade from any 2.5.x — no schema or data migration, no config changes required. Supports Jellyfin 10.11.x (10.11.9+). Sigstore-signed + SLSA build-provenance attested.
Fixed
- App-password sessions on native clients no longer get blocked mid-use (#107, DarkJackal87). After v2.5.16 made the app-password login succeed, some native clients (e.g. Symfonium) still failed on the very next request ("Can't retrieve Media Info / Version") with a 403 "Two-factor authentication required". This happened when the client's device id on the follow-up request differed from the one on the login request, so the session wasn't recognised as already-verified. The app-password login now marks the resulting session as 2FA-satisfied regardless of that device-id mismatch, and that one-shot is consumed by exactly the session it was issued for so it can never carry over to an unrelated later login.
- Self-hosted ntfy / Gotify / webhooks on a LAN address now deliver (#116, Arson31). A self-hosted ntfy behind a reverse proxy usually resolves to a private LAN IP (e.g. `ntfy.mydomain.com` → `192.168.x.x`), which the SSRF egress guard refused — so the test notification (and every real one) was silently dropped with "resolves to private address … refusing to dispatch". A new "Allow notifications to private/LAN addresses" toggle (Settings → Push Notifications, off by default) lets you opt into private/loopback notification targets. Link-local and cloud-metadata addresses (`169.254.x`, `fe80::`) stay blocked even when it's on. The ntfy publish URL is also now built correctly as `{server}/{topic}` (the topic is a path segment, not a header), which some instances require.
- OIDC verified-email account linking (#95a, chrisbehectik). A boolean `email_verified: true` in the id_token was being read as "unverified", so first-time OIDC sign-ins were not matched to an existing Jellyfin user by their verified email (leading to "no email account match" / a duplicate account). Verified-email matching now works regardless of how the IdP encodes the boolean.
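The egress-guard decision and the `{server}/{topic}` rule from the items above, written out as an added Python illustration; this is not the plugin's own code, and the function names, the `allow_private` flag and the sample addresses are assumptions constructed for the example.

```python
import ipaddress
from urllib.parse import quote

# Constructed illustration (not the plugin's code): the decision an egress
# guard makes for each address a notification hostname resolves to. The real
# guard resolves the hostname first and must check every returned address.

def classify_target(ip_str: str, allow_private: bool) -> tuple:
    """Return (allowed, reason) for one resolved notification target address."""
    ip = ipaddress.ip_address(ip_str)
    # Unwrap IPv4-mapped IPv6 (::ffff:192.168.1.1) so the IPv4 rules apply
    # and the mapping cannot be used to slip past the private-range check.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # Link-local (169.254.0.0/16, fe80::/10) covers cloud-metadata endpoints;
    # checked before the private test because 169.254.x is both, and refused
    # even when the operator opted into LAN targets.
    if ip.is_link_local:
        return False, "link-local/metadata address, always refused"
    if ip.is_loopback or ip.is_private:
        if allow_private:
            return True, "private/loopback address, allowed by setting"
        return False, "resolves to private address, refusing to dispatch"
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return False, "non-unicast address, refusing to dispatch"
    return True, "public address"

def ntfy_publish_url(server: str, topic: str) -> str:
    """Build {server}/{topic}: the topic is a path segment, not a header."""
    base = server.rstrip("/")
    # Percent-encode the topic so it stays a single path segment.
    return f"{base}/{quote(topic, safe='')}"
```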
Added
- Keycloak realm/client roles now drive group rules and admin elevation (#95b, BoBeR182). Keycloak nests roles under `realm_access.roles` and `resource_access.{client}.roles` rather than a flat `groups`/`roles` claim, so "Allowed groups", "Admin groups", and role→library mapping previously matched nothing on Keycloak. These nested roles are now read from both the id_token and `/userinfo`. To use it on Keycloak, request the built-in `roles` scope on the provider and enable "Add to ID token" on the realm-roles mapper (Keycloak has no `groups` scope).
Translations
- Added and translated the new "Allow notifications to private/LAN addresses" setting (label, badge, and help text) across all eight languages (en, de, es, fr, it, ja, pt, zh).
Thanks
Reports and detail from DarkJackal87, Arson31, chrisbehectik, and BoBeR182 — thank you. 🙏