Jellyseerr - Media Request Management¶
Jellyseerr is a media request management app for Jellyfin. Users can browse and request movies/TV shows, which are then automatically added to Sonarr/Radarr.
Overview¶
| Property | Value |
|---|---|
| URL | https://jellyseerr.bogocat.com, https://requests.bogocat.com |
| Location | VM 100 (arr-stack) at 10.89.97.50:5056 |
| Auth | Authentik OIDC (native) |
| Image | fallenbagel/jellyseerr:preview-OIDC |
| Source | GitHub - fallenbagel/jellyseerr |
Architecture¶
Authentication¶
Jellyseerr uses native OIDC with Authentik (not forward auth). This allows proper user session management and request tracking.
Docker Image Requirement¶
OIDC support requires the preview-OIDC tag:
jellyseerr:
image: fallenbagel/jellyseerr:preview-OIDC
environment:
- LOG_LEVEL=debug # Optional, for troubleshooting
Authentik Configuration¶
Provider Settings:
- Type: OAuth2/OIDC
- Name: Jellyseerr OAuth
- Client type: Confidential
- Redirect URI: https://jellyseerr.bogocat.com/login?provider=authentik&callback=true
- Scopes: openid profile email
Application Settings:
- Slug: jellyseerr-oauth
- Bound to tier groups: tier-friends, tier-family, tier-owner
Jellyseerr OIDC Settings¶
In Jellyseerr UI → Settings → Users → Enable OpenID Connect:
| Field | Value |
|---|---|
| Provider Name | Authentik |
| Issuer URL | https://auth.bogocat.com/application/o/jellyseerr-oauth/ |
| Client ID | (from Authentik provider) |
| Client Secret | (from Authentik provider) |
| Provider Slug | authentik |
| Scopes | openid profile email |
| Allow New Users | ✓ |
Important: Enable "Proxy Support" in Jellyseerr settings if behind a reverse proxy, otherwise redirect URIs will use http:// instead of https://.
Troubleshooting¶
OIDC Login Fails with Existing User¶
Symptom: OIDC login shows "An error occurred" but no logs appear in Jellyseerr.
Cause: Jellyseerr can't link OIDC identity to an existing user with the same email (e.g., user synced from Jellyfin).
Solution: Manually link the accounts in SQLite:
# Get user's Authentik UUID (sub claim)
kubectl exec -n authentik deploy/authentik-server -- python3 -c "
import os, sys
sys.path.insert(0, '/authentik')
os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'authentik.root.settings')
import django; django.setup()
from authentik.core.models import User
u = User.objects.get(username='USERNAME')
print('UUID:', u.uid)
"
# Link in Jellyseerr database
ssh root@10.89.97.50 'sqlite3 /opt/arr-stack/configs/jellyseerr/db/db.sqlite3 "
INSERT INTO linked_accounts (provider, sub, username, userId)
VALUES (\"authentik\", \"UUID_FROM_ABOVE\", \"username\", USER_ID);
"'
Redirect URI Mismatch¶
Symptom: Authentik rejects the redirect URI.
Solution:
1. Enable "Proxy Support" in Jellyseerr settings
2. Ensure redirect URI in Authentik matches exactly: https://jellyseerr.bogocat.com/login?provider=authentik&callback=true
Related¶
- arr-stack.md - Parent VM configuration
- Incident: Jellyseerr OIDC Setup