Nice - does it work with the Android App, Chromecast etc? Currently using Authelia and NGINX proxy manager for 2FA, but that's limited to browsers
Jellyfin: The Free Software Media System
Current stable release: 10.10.2
Matrix (General Information & Help)
Matrix (Off-Topic) - Come get to know the team and blow off steam!
Matrix Space - List of all the available rooms on Matrix.
Discord - Bridged to our Matrix rooms
This is a crosspost of a post in a self-hosted community that isn't mine. You'll either have to at-mention OP to get their attention here, or comment in the other post they made.
But I can cover this particular question as well. The "trick" duo uses, is that is sends the 2fa request out of band to the duo app. So the flow goes like this:
- Android app tries to connect to Jellyfin, gets a login prompt.
- Android app collects username and password from user and sends it to Jellyfin as normal.
- Jellyfin takes the username and password and forwards them to the ldap server to find out if the user is authorized.
- The ldap server checks the username and password against it's local DB and they check out... but it doesn't respond to Jellyfin yet.
- The LDAP server asks the Duo API for 2fa verification.
- The DUO service sends a push notification to the DUO app, which prompts the user to see if they really are currently trying to log into Jellyfin or not. User taps "yeah, lemme in to Jellyfin"
- Duo app tells duo service it's go time.
- Duo API tells LDAP server that 2fa check passed.
- LDAP server tells Jellyfin the username/password lookup was successful.
- Jellyfin tells the app the login was successful and things go normally from here.
So the trick with DUO, unlike say TOTP codes... is that the app is none the wiser that 2fa is happening. It thinks it just sent a regular username and password to the slowest damn Jellyfin server in the world that takes 30s to decide if the login is good. But as long as it doesn't timeout the login, the 2fa happens completely transparently to Jellyfin and the app... with the verification happening in a separate app and being a manger by the LDAP server, DUO servers, and DUO app.
So yeah, apps should work as long as they can handle very slow logins.
Thank you for the explanation. Before Authelia I used Cloudflare ZeroTrust email-autentification, but switched, because I wanted full self hosting. Relying on DUO instead would bring me back to that dependant situation. In other words, I'll probably stick with my Authelia solution for now