Ombi: How does user authentication work?
Ombi build Version:
V 3.0.3587
Update Branch:
Master
Media Sever:
Plex
Media Server Version:
n/a
Operating System:
Raspbian Stretch Lite
Ombi Applicable Logs (from /logs/ directory or the Admin page):
N/a
Problem Description:
This is not an issue as such, I just need some information to pass on to one of my Plex users.
I have only just recently installed Ombi and have invited my small band of Plex users. One of them was concerned that they were able to logon user their Plex credentials and that they might be out there allowing someone else to access his Plex server and services. I couldn't find anywhere in the Wiki that explains user authentication. I found the Authentication settings in Ombi where there are just two checkboxes. Both I have left unchecked at the moment. But even though the Enable Plex OAuth box is unchecked all my users can sign on using their Plex credentials. How does this work and more importantly where is the password stored?
Reproduction Steps:
N/a
TonyTheTechie
All 3 comments
Hi,
So this is what happens (the code is all available to see, I can point you at the part of the code if you wish).
When the user types into their username and password, we have all the users that are allowed to authenticate in our database (You can see on the user management screen) and we know what type of user they are.
If we dectect they are a Plex user then we forward the username and password onto Plex.tv (https://plex.tv/users/sign_in.json POST Request) and then Plex.tv responds with if the authentication was successful or not.
If it was successful then we log the user in, otherwise we give them an error.
With local users, we know they are a local user so we use the .Net Core Identity framework to validate the users password is correct (Ombi doesn't do this) and then the Identity Framework tells Ombi if the credentails are correct and then we log them in.
So to conclude, when authenticating with Plex we do not store the password anywhere (we store the username since we need to know if they are a plex user or ombi user).
Does that answer your question?
tidusjar
on 28 Aug 2018
Yes thanks, that’s exactly what I needed to know.
Many thanks
Tony Self
p.s. Do I need to close the issue off or have you done that already?
On 28 Aug 2018, at 17:05, Jamie notifications@github.com wrote:
Hi,
So this is what happens (the code is all available to see, I can point you at the part of the code if you wish).
When the user types into their username and password, we have all the users that are allowed to authenticate in our database (You can see on the user management screen) and we know what type of user they are.
If we dectect they are a Plex user then we forward the username and password onto Plex.tv (https://plex.tv/users/sign_in.json https://plex.tv/users/sign_in.json POST Request) and then Plex.tv responds with if the authentication was successful or not.
If it was successful then we log the user in, otherwise we give them an error.
With local users, we know they are a local user so we use the .Net Core Identity framework to validate the users password is correct (Ombi doesn't do this) and then the Identity Framework tells Ombi if the credentails are correct and then we log them in.
So to conclude, when authenticating with Plex we do not store the password anywhere (we store the username since we need to know if they are a plex user or ombi user).
Does that answer your question?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub https://github.com/tidusjar/Ombi/issues/2472#issuecomment-416526783, or mute the thread https://github.com/notifications/unsubscribe-auth/AUXW5n5Za-fDJPB9r3b69by-ZdnGR8U3ks5uVRXTgaJpZM4WPKnm.
TonyTheTechie
on 28 Aug 2018
Closed!
tidusjar
on 28 Aug 2018
Related issues
tidusjar
·
5Comments
CBers
·
5Comments
theg1nger
·
3Comments
PotatoQuality
·
3Comments
Thurman86
·
5Comments