For people asking for a way to run 2fa on jellyfin i have a solution. I will elaborate more if people are interested as not writing a guide for no reason. This method allows users to simply use their login credentials into the default jellyfin login page, and 1 second later your DUO app on your phone will buzz for a confirmation to sign-in. (meaning no redirects and this method 100% compatible with all clients)

install the LDAP plugin on jellyfin. install Authentik in your server with docker. create a DUO security account. in short, jellyfin query's your Authentik LDAP server for ther user login, then LDAP will query DUO.

Unfortunately, DUO only allows 10 users with the free account, then you have to pay extra. of course with this method you are not bound to only use DUO, you could you a web-auth with your phones bio-metrics to sign-in instead of DUO. there are many ways you could query the users phone through Authentik, but DUO is the most continent.

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 2 points 1 year ago (1 children)

Nice - does it work with the Android App, Chromecast etc? Currently using Authelia and NGINX proxy manager for 2FA, but that's limited to browsers

[–] [email protected] 4 points 1 year ago (1 children)

This is a crosspost of a post in a self-hosted community that isn't mine. You'll either have to at-mention OP to get their attention here, or comment in the other post they made.

But I can cover this particular question as well. The "trick" duo uses, is that is sends the 2fa request out of band to the duo app. So the flow goes like this:

Android app tries to connect to Jellyfin, gets a login prompt.
Android app collects username and password from user and sends it to Jellyfin as normal.
Jellyfin takes the username and password and forwards them to the ldap server to find out if the user is authorized.
The ldap server checks the username and password against it's local DB and they check out... but it doesn't respond to Jellyfin yet.
The LDAP server asks the Duo API for 2fa verification.
The DUO service sends a push notification to the DUO app, which prompts the user to see if they really are currently trying to log into Jellyfin or not. User taps "yeah, lemme in to Jellyfin"
Duo app tells duo service it's go time.
Duo API tells LDAP server that 2fa check passed.
LDAP server tells Jellyfin the username/password lookup was successful.
Jellyfin tells the app the login was successful and things go normally from here.

So the trick with DUO, unlike say TOTP codes... is that the app is none the wiser that 2fa is happening. It thinks it just sent a regular username and password to the slowest damn Jellyfin server in the world that takes 30s to decide if the login is good. But as long as it doesn't timeout the login, the 2fa happens completely transparently to Jellyfin and the app... with the verification happening in a separate app and being a manger by the LDAP server, DUO servers, and DUO app.

So yeah, apps should work as long as they can handle very slow logins.

[–] [email protected] 2 points 1 year ago

Thank you for the explanation. Before Authelia I used Cloudflare ZeroTrust email-autentification, but switched, because I wanted full self hosting. Relying on DUO instead would bring me back to that dependant situation. In other words, I'll probably stick with my Authelia solution for now