HTTPS Required for .well-known/openid-configuration

[8321876218]

I'm am experiencing the exact same issue as laid out in #76 with a solution apparently present in #77, but I am not sure what that solution was/is. Is this not a typical issue to be running into? Details in the fix would be appreciated, but I'm open to comments on how the configuration should be avoided entirely as well.

[9p4]

This is not a typical issue to be running into. This usually means that your authentication provider is running over HTTP and not HTTPS (pretty insecure). Unless if this is for development, auth providers should be using HTTPS.

[8321876218]

My auth provider in this case is Authentik, running on a different machine but still on my local network. My ISP does not allow BYOD, and the provided one does not support NAT hairpinning/loopback addresses, so https://auth.domain.tld/application/o/jellyfin/.well-known/openid-configuration doesn't resolve for me. http://lan.ip.of.auth:9000/application/o/jellyfin/.well-known/openid-configuration does load as expected.

[8321876218]

I sure do

[9p4]

What do you mean by BYOD? I think you mean "bring your own domain", but that doesn't matter. You should be able to point a domain you own to any machine you want. The ISP handles PTR records (reverse DNS (IP address to DNS), but that's really only ever used when you are running your own mail server).

I don't exactly know what setup you are running, but let me throw a bunch of options out there (and hopefully one or more apply):

1. If you are behind carrier NAT (CGNAT), you're fresh out of luck doing everything locally. You can either try to talk to your ISP and complain that your video games aren't working or something and hopefully they give you your own IP address. Either that or you'll need to set up something in The Cloud™ to proxy your connections back. I recommend using Oracle Cloud free tier, spinning up an Ampere VM, and creating a Wireguard VPN with some firewall rules to perform NAT there and route the traffic to your internal machine.
2. You can place the server with your reverse proxy in your router's DMZ. This is dangerous because if you configure it wrong, then your server will be exposed to the internet. Use strong firewall rules on the server.
3. You can use split-horizon DNS (ideally you don't) to have DNS names resolve internally properly. If you have an SSL certificate, this would work.
4. Use your router to do NAT.
5. If you have IPv6, everything will work fine without NAT.

If you have questions, any at all, about your setup, feel free to ask

[8321876218]

Apologies, by BYOD I meant bring-your-own-device. I cannot replace the router that I have currently with one that allows for loopback addresses. Services that I have running on my network are not accessible from LAN devices via https://sub.domain.tld since the target IP is my own WAN IP.

[9p4]

In that case, you need to either use IPv6 (best solution) or set up split-horizon DNS (bad solution).

[8321876218]

Looks like that will be the rabbit hole I will be diving into next then. I really appreciate the guidance, especially as it doesn't even seem to be one about the project itself

[9p4]

No problem! Glad I could help.