Skip to content

Instantly share code, notes, and snippets.

@sbogomolov

sbogomolov/authentik-overseerr-auth

Last active October 31, 2025 15:20
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save sbogomolov/708eba479c61b0bc0ada18aad5b2c544 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save sbogomolov/708eba479c61b0bc0ada18aad5b2c544 to your computer and use it in GitHub Desktop.
Download ZIP
Property Mapping for authentik: Overseerr authentication using Plex SSO token
Raw
authentik-overseerr-auth
import json
import requests
from authentik.sources.plex.models import UserPlexSourceConnection
connection = UserPlexSourceConnection.objects.filter(user=request.user).first()
if not connection:
ak_logger.info("Overseer: No Plex connection found")
return {}
base_url = "http://overseerr:5055"
end_point = "/api/v1/auth/plex"
headers = {
"Content-Type": "application/json",
}
data = {
"authToken": connection.plex_token
}
try:
response = requests.post(base_url + end_point, headers=headers, data=json.dumps(data), timeout=5)
if response.status_code == 200:
sid_value = response.cookies.get("connect.sid")
if not sid_value:
ak_logger.error("Overseer: connect.sid cookie not present in response")
return {}
cookie_obj = f"connect.sid={sid_value}"
ak_logger.info("Overseer: Successfully authenticated with Plex token")
return {
"ak_proxy": {
"user_attributes": {
"additionalHeaders": {
"Cookie": cookie_obj
}
}
}
}
else:
ak_logger.error(f"Overseer: The request failed with: {response.text}")
return {}
except requests.Timeout:
ak_logger.error("Overseer: Request to Overseerr timed out")
return {}
except requests.RequestException as e:
ak_logger.error(f"Overseer: Request exception: {e}")
return {}
except Exception as e:
ak_logger.error(f"Overseer: Unexpected error: {e}")
return {}
@RemiEthereal
Copy link

RemiEthereal commented Sep 26, 2025

I ended up getting it to work. Here's the config for NPM if anyone in the future needs it!

# Buffers for large Authentik headers
proxy_buffers 8 16k;
proxy_buffer_size 32k;

# Don’t redirect with port 4443
port_in_redirect off;

location / {
    proxy_pass          $forward_scheme://$server:$port;
    proxy_set_header    Host $host;
    proxy_set_header    X-Real-IP $remote_addr;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto $scheme;

    ##############################
    # Authentik forward auth
    ##############################
    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;

    # Forward the connect.sid cookie as a header
    auth_request_set $auth_cookie $upstream_http_cookie;
    proxy_set_header Cookie $auth_cookie;

    # Translate Authentik headers
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# All requests to /outpost.goauthentik.io must bypass auth
location /outpost.goauthentik.io {
    proxy_pass              http://authentik:9000/outpost.goauthentik.io;
    proxy_set_header        Host $host;
    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;

    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
}

# Redirect 401s to Authentik login
location @goauthentik_proxy_signin {
    internal;
    return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}

@RemiEthereal
Copy link

RemiEthereal commented Sep 26, 2025

Hm. Where do you see the error about it being missing? Try the whoami image and verify which headers are being passed. Even though it’s called Cookie, it’s actually a header :)

You telling me it's actually a header saved the day ^^

@sbogomolov
Copy link
Author

sbogomolov commented Sep 26, 2025

Great that it works for you!

@RemiEthereal
Copy link

RemiEthereal commented Oct 30, 2025

Did anyone else have any issues after upgrading to Authentik version 2025.10.0? This doesn't seem to work at all anymore.

@lmaced0
Copy link

lmaced0 commented Oct 30, 2025

Did anyone else have any issues after upgrading to Authentik version 2025.10.0? This doesn't seem to work at all anymore.

Good to know. Holding off on the upgrade.

@sbogomolov
Copy link
Author

sbogomolov commented Oct 30, 2025

I have stopped using this some time ago (switched to Jellyseerr). If you figure out what's wrong - let me know and I'll update the snippet.

@RemiEthereal
Copy link

RemiEthereal commented Oct 31, 2025

I have stopped using this some time ago (switched to Jellyseerr). If you figure out what's wrong - let me know and I'll update the snippet.

Does jellyseerr have better support for SSO or why did you end up not using this anymore?

@sbogomolov
Copy link
Author

sbogomolov commented Oct 31, 2025
edited
Loading

Does jellyseerr have better support for SSO or why did you end up not using this anymore?

It does. There is a PR (not yet merged) that adds a proper OIDC support. Even though it is not merged - the preview image built with it works just fine.

The image in question:

docker.io/fallenbagel/jellyseerr:preview-OIDC

P.S. I’ve also moved away from Plex to Jellyfin.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment