diff --git a/modules/services/jellyfin.nix b/modules/services/jellyfin.nix
index 804afac..bd8a347 100644
--- a/modules/services/jellyfin.nix
+++ b/modules/services/jellyfin.nix
@@ -311,7 +311,7 @@ in
false
false
uid=admin,ou=people,${cfg.ldap.dcdomain}
- %LDAP_PASSWORD%
+ %SECRET_LDAP_PASSWORD%
ou=people,${cfg.ldap.dcdomain}
(memberof=cn=${cfg.ldap.userGroup},ou=groups,${cfg.ldap.dcdomain})
ou=people,${cfg.ldap.dcdomain}
@@ -344,7 +344,7 @@ in
${cfg.sso.endpoint}
${cfg.sso.clientID}
- %SSO_SECRET%
+ %SECRET_SSO_SECRET%
true
true
true
@@ -420,7 +420,7 @@ in
resultPath = "/var/lib/jellyfin/plugins/configurations/LDAP-Auth.xml";
replacements = [
{
- name = [ "%LDAP_PASSWORD%" ];
+ name = [ "LDAP_PASSWORD" ];
source = cfg.ldap.adminPassword.result.path;
}
];
@@ -430,7 +430,7 @@ in
resultPath = "/var/lib/jellyfin/plugins/configurations/SSO-Auth.xml";
replacements = [
{
- name = [ "%SSO_SECRET%" ];
+ name = [ "SSO_SECRET" ];
source = cfg.sso.sharedSecret.result.path;
}
];
@@ -449,7 +449,14 @@ in
client_secret.source = cfg.sso.sharedSecretForAuthelia.result.path;
public = false;
authorization_policy = cfg.sso.authorization_policy;
- redirect_uris = [ "https://${cfg.subdomain}.${cfg.domain}/sso/OID/r/${cfg.sso.provider}" ];
+ redirect_uris = [
+ "https://${cfg.subdomain}.${cfg.domain}/sso/OID/r/${cfg.sso.provider}"
+ "https://${cfg.subdomain}.${cfg.domain}/sso/OID/redirect/${cfg.sso.provider}"
+ ];
+ require_pkce = true;
+ pkce_challenge_method = "S256";
+ userinfo_signed_response_alg = "none";
+ token_endpoint_auth_method = "client_secret_post";
}
];
};