v2.5.19 — Authentik-friendly OIDC + clearer discovery errors
In-place upgrade from any 2.5.x — no schema or data migration, no config changes required. Supports Jellyfin 10.11.x (10.11.9+). Sigstore-signed + SLSA build-provenance attested.
Added
- "Don't force re-authentication (omit
prompt=login)" toggle, per OIDC provider (bug #119, vasmarfas) — the plugin normally sendsprompt=loginon the step-up and account-link flows so the IdP always re-authenticates the user (a security measure: it stops a hijacked IdP session being silently confirmed). A few IdPs mishandle the parameter — notably Authentik, whose upstream bug goauthentik/authentik#18507 returns a bare 404 on the sign-in redirect. The new toggle (Sign-in Methods → your provider) omitsprompt=loginfor that provider only. Off by default — turn it on only if sign-in fails with such an IdP; it trades the forced fresh-login for compatibility. Fully localized in all eight languages.
Fixed
- Clear error when the OIDC Discovery URL is wrong (feature #120, MysaaJava) — pasting an issuer / realm root (e.g. Keycloak's
.../realms/master) instead of the discovery document used to surface a bareKeyNotFoundExceptionin the logs. The plugin now (a) reports exactly which field is missing and reminds you the URL usually ends in/.well-known/openid-configuration, and (b) auto-retries with that suffix appended — so pasting the realm root now just works.
Notes
prompt=loginis unchanged for every provider that doesn't opt in — existing setups keep the forced-fresh-auth security behaviour.- 266/266 tests pass. Verified against Keycloak and a live Authentik instance.