@sbogomolov Yeah, I've gotten as far as that I've realized it is only the browser itself not getting the cookie. According to GPT it's most likely due to the fact that I have authentik on "auth.domain.xyz" and overseer on "www.domian.xyz". Hence the samsite=lax attribute gets weird.

But yeah, no clue how to solve it easily.

I also have (well had, I switched to Jellyfin / Jellyseerr) both on subdomains of the same domains. That should not be an issue. When you click that test button next to the property mapping and select your user, it prints some Json, right? Do you see your token there?

As a sanity check:

• Have you enabled Plex integration in Authentik?
• Does you user have linked Plex account?
• Have you enabled this custom property mapping for your Overseerr provider?

When I was debugging this, I used traefik/whoami image (make sure to enable this custom property mapping for it). With this you will be able to see exactly which headers are being sent to Overseerr.

Have you enabled Plex integration in Authentik? Yes
Does you user have linked Plex account? Yes
Have you enabled this custom property mapping for your Overseerr provider? Yes

When I click the test button it only send me a notification that the test succeeded is that intended?

It should print JSON. I did have this issue when it would quickly close the window with the result. I thought ot was a Safari issue because it worked fine before. In any case, I recorder my screen when doing test to capture the result. Maybe you can try that :)

The test gives me a connect.sids cookie. This just tells me it must be the NPM (Nginx Proxy Manager) not passing the cookie correctly?

Hm. Where do you see the error about it being missing? Try the whoami image and verify which headers are being passed. Even though it’s called Cookie, it’s actually a header :)

I ended up getting it to work. Here's the config for NPM if anyone in the future needs it!

# Buffers for large Authentik headers
proxy_buffers 8 16k;
proxy_buffer_size 32k;

# Don’t redirect with port 4443
port_in_redirect off;

location / {
    proxy_pass          $forward_scheme://$server:$port;
    proxy_set_header    Host $host;
    proxy_set_header    X-Real-IP $remote_addr;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto $scheme;

    ##############################
    # Authentik forward auth
    ##############################
    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;

    # Forward the connect.sid cookie as a header
    auth_request_set $auth_cookie $upstream_http_cookie;
    proxy_set_header Cookie $auth_cookie;

    # Translate Authentik headers
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# All requests to /outpost.goauthentik.io must bypass auth
location /outpost.goauthentik.io {
    proxy_pass              http://authentik:9000/outpost.goauthentik.io;
    proxy_set_header        Host $host;
    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;

    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
}

# Redirect 401s to Authentik login
location @goauthentik_proxy_signin {
    internal;
    return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}

Hm. Where do you see the error about it being missing? Try the whoami image and verify which headers are being passed. Even though it’s called Cookie, it’s actually a header :)

You telling me it's actually a header saved the day ^^

Great that it works for you!

Did anyone else have any issues after upgrading to Authentik version 2025.10.0? This doesn't seem to work at all anymore.

Did anyone else have any issues after upgrading to Authentik version 2025.10.0? This doesn't seem to work at all anymore.

Good to know. Holding off on the upgrade.

I have stopped using this some time ago (switched to Jellyseerr). If you figure out what's wrong - let me know and I'll update the snippet.

I have stopped using this some time ago (switched to Jellyseerr). If you figure out what's wrong - let me know and I'll update the snippet.

Does jellyseerr have better support for SSO or why did you end up not using this anymore?

Does jellyseerr have better support for SSO or why did you end up not using this anymore?

It does. There is a PR (not yet merged) that adds a proper OIDC support. Even though it is not merged - the preview image built with it works just fine.

The image in question:

docker.io/fallenbagel/jellyseerr:preview-OIDC

P.S. I’ve also moved away from Plex to Jellyfin.