OID start action only works when already logged in #207

Open
Joker9944 opened this issue Aug 29, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@Joker9944

Joker9944 commented Aug 29, 2024

Describe the bug
OID start action only works when already logged in.

When trying to log in with OIDC without being logged in, no request reaches my OIDC provider and this shows in the logs:

[14:25:27] [ERR] [65] Jellyfin.Api.Middleware.ExceptionMiddleware: Error processing request. URL GET /sso/OID/redirect/kanidm.
System.ArgumentNullException: Value cannot be null. (Parameter 'key')
   at System.Collections.Generic.Dictionary`2.FindValue(TKey key)
   at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
   at Jellyfin.Plugin.SSO_Auth.Api.SSOController.OidPost(String provider, String state)
   at lambda_method2227(Closure, Object)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfActionResultExecutor.Execute(ActionContext actionContext, IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextResourceFilter>g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeFilterPipelineAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Jellyfin.Api.Middleware.ServerStartupMessageMiddleware.Invoke(HttpContext httpContext, IServerApplicationHost serverApplicationHost, ILocalizationManager localizationManager)
   at Jellyfin.Api.Middleware.WebSocketHandlerMiddleware.Invoke(HttpContext httpContext, IWebSocketManager webSocketManager)
   at Jellyfin.Api.Middleware.IPBasedAccessValidationMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager)
   at Jellyfin.Api.Middleware.LanFilteringMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager, IServerConfigurationManager serverConfigurationManager)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Jellyfin.Api.Middleware.QueryStringDecodingMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.ReDoc.ReDocMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Jellyfin.Api.Middleware.RobotsRedirectionMiddleware.Invoke(HttpContext httpContext)
   at Jellyfin.Api.Middleware.LegacyEmbyRouteRewriteMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.ResponseCompression.ResponseCompressionMiddleware.InvokeCore(HttpContext context)
   at Jellyfin.Api.Middleware.ResponseTimeMiddleware.Invoke(HttpContext context, IServerConfigurationManager serverConfigurationManager)
   at Jellyfin.Api.Middleware.ExceptionMiddleware.Invoke(HttpContext context)

When doing the same while logged in, the whole flow works out and I see this in the logs:

[2024-08-29 13:39:27.017 +00:00] [INF] [79] Jellyfin.Plugin.SSO_Auth.Api.SSOController: SSO Controller initialized
[2024-08-29 13:39:27.154 +00:00] [INF] [79] Jellyfin.Plugin.SSO_Auth.Api.SSOController: Is request linking: True
[2024-08-29 13:39:27.878 +00:00] [INF] [43] Jellyfin.Plugin.SSO_Auth.Api.SSOController: SSO Controller initialized
[2024-08-29 13:39:27.878 +00:00] [INF] [43] Jellyfin.Plugin.SSO_Auth.Api.SSOController: SSO user redacted doesn't exist, creating...
[2024-08-29 13:39:28.049 +00:00] [INF] [43] Jellyfin.Plugin.SSO_Auth.Api.SSOController: SSO user link doesn't exist, creating...
[2024-08-29 13:39:28.058 +00:00] [INF] [43] Jellyfin.Plugin.SSO_Auth.Api.SSOController: Auth request created...
[2024-08-29 13:39:28.063 +00:00] [INF] [43] Jellyfin.Plugin.SSO_Auth.Api.SSOController: Set default login provider to Jellyfin.Server.Implementations.Users.DefaultAuthenticationProvider
[2024-08-29 13:39:28.063 +00:00] [INF] [43] Emby.Server.Implementations.Session.SessionManager: Current/Max sessions for user "redacted": 0/0
[2024-08-29 13:39:28.064 +00:00] [INF] [43] Emby.Server.Implementations.Session.SessionManager: Creating new access token for user 632f5773-dcbd-40ba-9c98-320e05cd641c

Also I can see this in the logs, not sure if related:

[2024-08-29 13:38:12.013 +00:00] [INF] [83] Jellyfin.Api.Auth.CustomAuthenticationHandler: "CustomAuthentication" was not authenticated. Failure message: "Invalid token."
[2024-08-29 13:38:12.013 +00:00] [INF] [83] Jellyfin.Api.Auth.CustomAuthenticationHandler: "CustomAuthentication" was not authenticated. Failure message: "Invalid token."
[2024-08-29 13:38:12.014 +00:00] [INF] [83] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: "CustomAuthentication" was challenged.
[2024-08-29 13:38:12.014 +00:00] [INF] [41] Jellyfin.Api.Auth.CustomAuthenticationHandler: "CustomAuthentication" was not authenticated. Failure message: "Invalid token."
[2024-08-29 13:38:12.014 +00:00] [INF] [41] Jellyfin.Api.Auth.CustomAuthenticationHandler: "CustomAuthentication" was not authenticated. Failure message: "Invalid token."
[2024-08-29 13:38:12.014 +00:00] [INF] [41] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: "CustomAuthentication" was challenged.
[2024-08-29 13:38:13.048 +00:00] [INF] [49] Jellyfin.Api.Auth.CustomAuthenticationHandler: "CustomAuthentication" was not authenticated. Failure message: "Invalid token."
[2024-08-29 13:38:13.048 +00:00] [INF] [49] Jellyfin.Api.Auth.CustomAuthenticationHandler: "CustomAuthentication" was not authenticated. Failure message: "Invalid token."
[2024-08-29 13:38:13.048 +00:00] [INF] [49] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: "CustomAuthentication" was challenged.
[2024-08-29 13:38:15.076 +00:00] [INF] [43] Jellyfin.Api.Auth.CustomAuthenticationHandler: "CustomAuthentication" was not authenticated. Failure message: "Invalid token."
[2024-08-29 13:38:15.077 +00:00] [INF] [43] Jellyfin.Api.Auth.CustomAuthenticationHandler: "CustomAuthentication" was not authenticated. Failure message: "Invalid token."
[2024-08-29 13:38:15.077 +00:00] [INF] [43] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: "CustomAuthentication" was challenged.

To Reproduce
Steps to reproduce the behavior:

  1. Log out
  2. Go to https://jellyfin.vonarx.online/sso/OID/start/kanidm
  3. Leads to "Error processing request."
  4. Log in with the default provider (username/password)
  5. Go to https://jellyfin.vonarx.online/sso/OID/start/kanidm
  6. SSO login works

Expected behavior
Being able to sign in with SSO without having to sign in normally first.

Screenshots
N/A

Configuration

<?xml version="1.0" encoding="utf-8"?>
<PluginConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <SamlConfigs />
  <OidConfigs>
    <item>
      <key>
        <string>kanidm</string>
      </key>
      <value>
        <PluginConfiguration>
          <OidEndpoint>https://idm.vonarx.online/oauth2/openid/jellyfin/</OidEndpoint>
          <OidClientId>jellyfin</OidClientId>
          <OidSecret>redacted</OidSecret>
          <Enabled>true</Enabled>
          <EnableAuthorization>true</EnableAuthorization>
          <EnableAllFolders>true</EnableAllFolders>
          <EnabledFolders />
          <AdminRoles>
            <string>admin</string>
          </AdminRoles>
          <Roles>
            <string>user</string>
          </Roles>
          <EnableFolderRoles>false</EnableFolderRoles>
          <EnableLiveTvRoles>false</EnableLiveTvRoles>
          <EnableLiveTv>false</EnableLiveTv>
          <EnableLiveTvManagement>false</EnableLiveTvManagement>
          <LiveTvRoles />
          <LiveTvManagementRoles />
          <FolderRoleMappings />
          <RoleClaim>role</RoleClaim>
          <OidScopes />
          <DefaultProvider>Jellyfin.Server.Implementations.Users.DefaultAuthenticationProvider</DefaultProvider>
          <NewPath>false</NewPath>
          <CanonicalLinks>
            <item>
              <key>
                <string>redacted</string>
              </key>
              <value>
                <guid>redacted</guid>
              </value>
            </item>
            <item>
              <key>
                <string>redacted</string>
              </key>
              <value>
                <guid>redacted</guid>
              </value>
            </item>
          </CanonicalLinks>
          <DefaultUsernameClaim>preferred_username</DefaultUsernameClaim>
          <DisableHttps>false</DisableHttps>
          <DoNotValidateEndpoints>false</DoNotValidateEndpoints>
          <DoNotValidateIssuerName>false</DoNotValidateIssuerName>
        </PluginConfiguration>
      </value>
    </item>
  </OidConfigs>
</PluginConfiguration>

Versions (please complete the following information):

  • OS: Linux 6.9.3-76060903-generic #202405300957172117465722.04~abb7c06 SMP PREEMPT_DYNAMIC Wed J x86_64 x86_64 x86_64 GNU/Linux (uname -srvmpio)
  • Browser: Firefox 129.0.2 (64-bit)
  • Jellyfin Version: 10.9.10@sha256:79fb3d73a3e995a3960b41d7d1e16ca6a06fb0b9938404ba38c0072a7e5f358c
  • Plugin Version: 3.5.2.4

Additional context
I'm using kanidm as the OIDC provider which is not in the "Tested Providers" list.

@Joker9944 Joker9944 added the bug Something isn't working label Aug 29, 2024
@9p4
Owner

9p4 commented Sep 3, 2024

What is your preferred_username set to in kanidm?

@Joker9944
Author

It is {{ kanidm_username }}@{{ kanidm_domain }}, in my case joker9944@idm.vonarx.online.

For testing, I changed it to the name claim, which is the kanidm_display_name, in my case Joker9944, which yielded the same result.

@Joker9944
Author

Joker9944 commented Sep 4, 2024

My personal hypothesis is that the plugin cannot authenticate itself to Jellyfin, but that's just speculation.

My speculation is based on this log message:

[2024-08-29 13:38:15.076 +00:00] [INF] [43] Jellyfin.Api.Auth.CustomAuthenticationHandler: "CustomAuthentication" was not authenticated. Failure message: "Invalid token."
[2024-08-29 13:38:15.077 +00:00] [INF] [43] Jellyfin.Api.Auth.CustomAuthenticationHandler: "CustomAuthentication" was not authenticated. Failure message: "Invalid token."
[2024-08-29 13:38:15.077 +00:00] [INF] [43] Jellyfin.Api.Auth.CustomAuthenticationHandler: AuthenticationScheme: "CustomAuthentication" was challenged.

Since these log messages don't show up when being logged in. I can try to gather some more logs.
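
The stack trace in the opening report ends in a `Dictionary` indexer lookup with a null key inside `OidPost(String provider, String state)`. As an added example (not the plugin's code, and not part of any comment above), this sketch shows an OIDC callback-side state store that rejects a missing, unknown, expired or replayed `state` instead of throwing; it assumes the null key is the `state` value, and `PendingLogin`, `StateStore`, `Begin` and `TryConsume` are hypothetical names.

```csharp
#nullable enable
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical record of a login that was started for a given provider.
public sealed record PendingLogin(string Provider, DateTimeOffset Created);

public sealed class StateStore
{
    private readonly ConcurrentDictionary<string, PendingLogin> _pending = new();
    private readonly TimeSpan _ttl;
    public StateStore(TimeSpan ttl) => _ttl = ttl;

    // Issue an unguessable state value and remember which provider it belongs to.
    public string Begin(string provider)
    {
        string state = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        _pending[state] = new PendingLogin(provider, DateTimeOffset.UtcNow);
        return state;
    }

    // Returns false instead of throwing for a missing, unknown, expired or
    // mismatched state; any known state is removed so it cannot be replayed.
    public bool TryConsume(string? state, string provider, out PendingLogin? login)
    {
        login = null;
        if (string.IsNullOrEmpty(state)) return false;                 // no state on the request
        if (!_pending.TryRemove(state, out var found)) return false;   // unknown or already used
        if (found.Provider != provider) return false;                  // issued for another provider
        if (DateTimeOffset.UtcNow - found.Created > _ttl) return false; // too old
        login = found;
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        var store = new StateStore(TimeSpan.FromMinutes(5));
        string state = store.Begin("kanidm");
        // Unguarded lookup: the indexer throws ArgumentNullException for a null key.
        try { _ = new Dictionary<string, PendingLogin>()[null!]; }
        catch (ArgumentNullException e) { Console.WriteLine($"unguarded: {e.GetType().Name}"); }
        Console.WriteLine($"missing state: {store.TryConsume(null, "kanidm", out _)}");
        Console.WriteLine($"valid state:   {store.TryConsume(state, "kanidm", out _)}");
        Console.WriteLine($"replayed:      {store.TryConsume(state, "kanidm", out _)}");
    }
}
```

A handler built this way can answer a callback that arrives without a usable `state` with a client error rather than an unhandled exception.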
