I had feedback from a user today after a recent post about exposing various app APIs without SSO, pointing out that that SSO was applied a little inconsistently across our apps. For example, Jellyseerr was exposed publically (it has strong auth and is used to share media requests), but Overseerr (of which Jellyseer is a fork) was not!
This is now fixed
To clarify, here's how SSO is applied, based on the intended audience / purpose of an app:
- Apps that only you (the user) would use, are behind SSO without any native auth, where possible. This includes download clients, apps without auth (openbooks), Arrs, etc (although these can be optionally exposed to a limited degree)
- Apps which you might want to share (Plex, Navidrome, Kavita, Overseer, etc) and which provide their own trusted auth, are exposed without SSO, since their entire purpose is to share media / content with a wider audience than just yourself!