Scope Mapping

[mscreations]

This is an awesome repo and has greatly helped me with understanding setting up Traefik with Authentik. I was curious whether you could post the scope mapping scripts that you are using for the various services like Overseerr and Tautulli. I had Authentik working with Overseerr before switching to Traefik from Nginx Proxy Manager, but have never had much luck with Tautulli.

[ToaHartor]

I looked at how it was made in Organizr (in this file), since it was able to login to those services. To be honest, sometimes it doesn't work much (Tautulli can be a bit bothering and Plex requires to accept the domain at least once, if you're using a subdomain).

The main thing those functions do is to generate the login cookie based on the Plex token of the user, if they have linked their account to Plex in Authentik, by doing the request on behalf of the user to the service. The request URIs are internal and use the Docker host:port since the containers are in the same network.

I had to use two different middlewares in Traefik to be able to transmit the generated cookies. The services using Plex Auth use their separated middleware, while the other services have their own. The only addition in the authentik-plex-mw is in the authResponseHeaders field where I added the Cookie header for the Plex/Tautulli/Overseer authentication, and the Authorization header for Organizr iirc. Though I believe it may be possible to use the same middleware for all services, but it may be better not to touch the Cookie or the Authorization headers if not needed.

I think the following scope mappings may be further improved, like with cookie validity checks (depending on the cookie duration for instance), and I didn't check if some additional stuff were added to the SSO functions in Organizr to further improve that, but it works in most cases.

Overseerr

from authentik.sources.plex.models import PlexSourceConnection
from datetime import datetime, timedelta
import json

connection = PlexSourceConnection.objects.filter(user=request.user).first()

if not connection:
     return {}

overseerr_url = "http://overseerr:5055/api/v1/auth/plex"

headers = {
    "Content-Type": "application/json",
    "X-Forwarded-For": request.http_request.META['REMOTE_ADDR']
}

data = {
    "email": "",
    "password": "",
    "authToken": connection.plex_token
}

response = requests.post(overseerr_url, headers=headers, data=json.dumps(data), verify=False, timeout=60, allow_redirects=True)

if (response.status_code != 200):
    return {}
token = response.cookies['connect.sid']

return {
    "ak_proxy": {
        "user_attributes": {
            "additionalHeaders": {
                "Cookie": f"connect.sid={token}; expires={(datetime.now() + timedelta(days=1)).strftime('%a, %d %b %Y %H:%M:%S')} GMT; Path=/"
            }
        }
    }
}

Tautulli

from authentik.sources.plex.models import PlexSourceConnection
import json
from datetime import datetime, timedelta

connection = PlexSourceConnection.objects.filter(user=request.user).first()
if not connection:
    return {}

tautulli_url = "http://tautulli:8181/auth/signin"

headers = {
    "Accept": "application/json",
    "Content-Type": "application/x-www-form-urlencoded",
    "User-Agent": request.http_request.META['HTTP_USER_AGENT'],
    "X-Forwarded-For": request.http_request.META['REMOTE_ADDR']
}

data = {
    "username": "",
    "password": "",
    "token": connection.plex_token
}

response = requests.post(tautulli_url, headers=headers, data=data, verify=False, timeout=60, allow_redirects=True)

if (response.status_code != 200):
    return {}

uuid = response.json().get('uuid')
token = response.json().get('token')

return {
    "ak_proxy": {
        "user_attributes": {
            "additionalHeaders": {
                "Cookie": f"tautulli_token_{uuid}={token}; expires={(datetime.now() + timedelta(days=1)).strftime('%a, %d %b %Y %H:%M:%S')} GMT; Path=/"
            }
        }
    }
}

Plex

from authentik.sources.plex.models import PlexSourceConnection
from datetime import datetime, timedelta

connection = PlexSourceConnection.objects.filter(user=request.user).first()
if not connection:
    return {}

return {
    "ak_proxy": {
        "user_attributes": {
            "additionalHeaders": {
                "Cookie": f"mpt={connection.plex_token}; expires={(datetime.now() + timedelta(days=1)).strftime('%a, %d %b %Y %H:%M:%S')} GMT; path=/; SameSite=None; Secure"
            }
        }
    }
}

[morganorix]

Hello,

thx for the good job.
I use authentik + nginx proxy manager + plex sso
I've an error with the scope mapping for tautulli when i login me:

Traceback (most recent call last):
File "Tautulli", line 42, in
File "Tautulli", line 16, in handler
builtins.KeyError: 'REMOTE_ADDR'

Are you a specific conf nginx ?
An idea ?

[morganorix]

I've found a solution :

def get_client_ip(request):
    x_forwarded_for = request.http_request.META['HTTP_X_FORWARDED_FOR']
    if x_forwarded_for:
        ip = x_forwarded_for.split(',')[0]
    else:
        ip = http_request.META['REMOTE_ADDR']
    return ip

Maintenant j'ai une erreur sur Now I have an error on the post request. It return 200 but the content is error

[morganorix]

It's OK, I tried with the local url, so it was coming from nginx.
However, a new problem: it won't connect to tautulli even though it returns what it should.
Maybe a conf in authentik. I look this ;-)

[morganorix]

I've adapt the code for petio :

from authentik.sources.plex.models import PlexSourceConnection
import json
from datetime import datetime, timedelta

connection = PlexSourceConnection.objects.filter(user=request.user).first()
if not connection:
    return {}

petio_url = "http://petio:7777/api/login/plex_login"

def get_client_ip(request):
    x_forwarded_for = request.http_request.META['HTTP_X_FORWARDED_FOR']
    if x_forwarded_for:
        ip = x_forwarded_for.split(',')[0]
    else:
        ip = http_request.META['REMOTE_ADDR']
    return ip

headers = {
    "Accept": "application/json",
    "X-Forwarded-For": get_client_ip(request)
}

data = {
    "user": {
	"username": "",
	"password": "",
	"type": 1,
    },
    "authToken": False,
    "token": connection.plex_token
}

response = requests.post(petio_url, headers=headers, data=data, verify=False, timeout=60, allow_redirects=True)

if (response.status_code != 200):
    return {}

token = response.json().get('token')

return {
    "ak_proxy": {
        "user_attributes": {
            "additionalHeaders": {
                "Cookie": f"petio_jwt={token}; expires={(datetime.now() + timedelta(days=1)).strftime('%a, %d %b %Y %H:%M:%S')} GMT; Path=/"
            }
        }
    }
}