Incident: Jellyseerr OIDC Login Fails Silently
Date: 2026-01-11 Severity: P3 Duration: ~2 hours (investigation/setup) Status: Resolved
Summary
Configuring Jellyseerr with Authentik OIDC failed silently when an existing Jellyfin-synced user had the same email as the OIDC user. No error logs appeared in Jellyseerr despite the token exchange succeeding on Authentik's side.
Timeline
| Time (EST) | Event |
|---|---|
| 12:00 | Started Jellyseerr OIDC integration with Authentik |
| 12:15 | Updated docker-compose to use preview-OIDC image tag |
| 12:30 | Created OAuth2 provider in Authentik |
| 12:45 | Configured Jellyseerr OIDC settings in UI |
| 13:00 | First login attempt - failed with generic error, no logs |
| 13:15 | Discovered forward auth was intercepting callback, removed annotations |
| 13:20 | Still failing - Authentik logs showed successful token + userinfo exchange |
| 13:25 | Found existing user with same email in Jellyseerr DB (synced from Jellyfin) |
| 13:30 | Manually inserted linked_accounts record to link OIDC identity |
| 13:32 | OIDC login successful |
Impact
- No service outage (forward auth was still working)
- ~2 hours investigation time
- New OIDC users would have been unable to log in if email matched existing Jellyfin user
Root Cause
Two issues combined:
- Forward auth intercepting OIDC callback: K8s ingress had `auth-url` annotations that validated ALL requests through Authentik forward auth, including the OIDC callback URL. This prevented the callback from reaching Jellyseerr's OIDC handler.
- Existing user conflict: Jellyseerr's OIDC implementation silently fails when trying to link an OIDC identity to an existing user with the same email. The `linked_accounts` table was empty, meaning no OIDC <-> user mappings existed. When Jellyseerr received userinfo with `jakecelentano@gmail.com`, it found user ID 4 (imported from Jellyfin) but couldn't automatically link them.
The lack of error logging made diagnosis difficult - Authentik logs showed success (200 on token and userinfo endpoints), but Jellyseerr produced no output.
Resolution
- Removed forward auth annotations from jellyseerr ingress:
- Manually linked OIDC identity to existing user:

  ```bash
  # Get Authentik user UUID
  kubectl exec -n authentik deploy/authentik-server -- python3 -c "
  import os, sys
  sys.path.insert(0, '/authentik')
  os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'authentik.root.settings')
  import django; django.setup()
  from authentik.core.models import User
  u = User.objects.get(username='jake')
  print('UUID:', u.uid)
  "
  # Output: 992d329fb277e4ce0bd93868d62c905d0e4080cd78d83a8c26dc191f2f24e94d

  # Insert linked_accounts record
  ssh root@10.89.97.50 'sqlite3 /opt/arr-stack/configs/jellyseerr/db/db.sqlite3 "
  INSERT INTO linked_accounts (provider, sub, username, userId)
  VALUES (\"authentik\", \"992d329fb277e4ce0bd93868d62c905d0e4080cd78d83a8c26dc191f2f24e94d\", \"jake\", 4);
  "'
  ```
Lessons Learned
- OIDC requires preview tag: Jellyseerr OIDC support is not in stable release. Must use `fallenbagel/jellyseerr:preview-OIDC` Docker image.
- Forward auth conflicts with native OIDC: Can't use both simultaneously. When switching to native OIDC, remove forward auth annotations.
- Proxy support is required: Enable "Proxy Support" in Jellyseerr settings when behind reverse proxy, otherwise redirect URIs use `http://` instead of `https://`.
- Existing users require manual linking: If users were synced from Jellyfin before enabling OIDC, they won't be automatically linked. Must manually insert into `linked_accounts` table.
- Debug logging helps: Set `LOG_LEVEL=debug` in docker-compose for Jellyseerr when troubleshooting auth issues (though in this case even debug didn't log the conflict).
Follow-up Actions
- [x] Document Jellyseerr OIDC setup in applications/jellyseerr.md
- [ ] Consider filing upstream issue about silent failure on user conflict
- [ ] Add pre-flight check script for OIDC migrations (detect existing users with matching emails)
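
One possible shape for the pre-flight check in the last item, as an added example (not part of the original incident record or Jellyseerr's code): it lists local users whose email matches an IdP account but who have no `linked_accounts` row for the provider. The `user` table name and `email` column are assumptions about the Jellyseerr schema; the `linked_accounts` columns are the ones used in the Resolution above, and the sample data is constructed.

```python
import sqlite3

def find_unlinked_conflicts(conn, idp_emails, provider="authentik",
                            user_table="user", email_col="email"):
    """Return [(user_id, email)] for local users whose email matches an IdP
    account but who have no linked_accounts row for `provider`."""
    # user_table / email_col are assumed names, so they are parameters;
    # validate them because identifiers cannot be bound as SQL parameters.
    for ident in (user_table, email_col):
        if not ident.isidentifier():
            raise ValueError(f"unsafe SQL identifier: {ident!r}")
    # Compare emails case-insensitively: the IdP and the synced user
    # record may differ only in capitalisation.
    wanted = {e.strip().lower() for e in idp_emails}
    rows = conn.execute(
        f'SELECT u.id, u."{email_col}" FROM "{user_table}" u '
        "WHERE NOT EXISTS (SELECT 1 FROM linked_accounts la "
        "                  WHERE la.userId = u.id AND la.provider = ?) "
        "ORDER BY u.id",
        (provider,),
    ).fetchall()
    return [(uid, email) for uid, email in rows
            if email and email.strip().lower() in wanted]

def build_sample_db():
    """Constructed in-memory data mirroring the incident: user 4 was
    synced from Jellyfin and has no OIDC link; user 1 is already linked."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT);
        CREATE TABLE linked_accounts
            (provider TEXT, sub TEXT, username TEXT, userId INTEGER);
        INSERT INTO user VALUES (1, 'admin@example.test'),
                                (4, 'Jake@Example.test'),
                                (5, 'guest@example.test');
        INSERT INTO linked_accounts
            VALUES ('authentik', 'constructed-sub-1', 'admin', 1);
    """)
    return conn

if __name__ == "__main__":
    idp = ["jake@example.test", "admin@example.test", "new@example.test"]
    for uid, email in find_unlinked_conflicts(build_sample_db(), idp):
        print(f"user {uid} ({email}): no authentik link, OIDC login will fail")
```

Against a live instance, open the database read-only with `sqlite3.connect("file:<path-to-db.sqlite3>?mode=ro", uri=True)` and pass the email list exported from the IdP.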