Plex OAuth (Authenticate with Plex) Broken after Plex Web Update v4.152.0

It would seem that Plex OAuth functionality is broken for 3rd Party apps/services. Users, like myself, are unable to login to our apps/services via Plex OAuth.

When attempting to login, we authenticate successfully with Plex, receive the, “…you can close this window…” message and when returning to the app/service we are attempting to login to, are presented with the same login with Plex prompt.

In my Plex account, I can see these login attempts in the “Authorized Devices” section.

About 5 hours ago, a Plex Web update (v4.152.0) was posted in the Plex Web Announcements Topic: Plex Web - #465 by bengeorge
Maybe there is some correlation…

Same here - any plex oauth says successful but never passes the auth to the app.

Same here. Both Tautulli and Overseerr are broken.

Same on my end both Tautulli and Overseerr

Same issue here, unlucky timing for me as went to setup Overseerr today for the first time and was unable to move past the plex login at setup. Same issue when trying to setup Jellyseerr.

The Plex login is successful, I can see the authorized device, but the 3rd party app does not receive the authentication and there is no user added to the Overseerr database.

Same issue here. Happening with all the arrs

Ahh, so it isn’t just me. Someone please post when it is fixed

Just chiming in that I’m having the same issue as well!

Also having the same issue. I’ve been pulling my hair out all night trying to figure out whats going on.

+1, having same issue

+1 @dane22 @bengeorge thank you team Plex for looking into this!

I just need a Plex employee to confirm that the login page now sets Cross-Origin-Opener-Policy: same-origin. I assume this was intentional to prevent cross-site attacks on the login page.

Thanks all for reporting! We should have this fixed shortly.

Yes this is related to a Cross-Origin-Opener-Policy change.

Breaking auth on 3rd party apps was not intentional. Unfortunately testing 3rd party apps isn’t easy in our test environments so this issue has slipped through.

For those concerned, our auth screen makes it very clear when you are authenticating a 3rd party app (with or without that COOP). There is a prominent informative warning.

@bengeorge thank you for the quick reply and for the fix! We greatly appreciate it

Plex OAuth isn’t broken, it’s working perfectly fine. What is causing the problem is my code to manipulate the popup window (detecting if it is open/closed and automatically closing it). Because of the cross-origin policy, my code thinks the popup window is closed and cancels the authentication even though the popup is still open. I just need to change the way the authentication is handled in the background without relying on the popup. I already have a local commit to change the behaviour, but I won’t push it unless a Plex Employee says I need to.

Since I was the one that originally wrote the Plex OAuth popup code which was then used by many other apps, they all ended up with the same issue…

Hi @SwiftPanda16,
Thanks for surfacing the nuances of this issue and for clarifying what’s actually going on!
We’d need all developers to make similar changes to their projects as well, correct? Assuming the issues is centered around the cross-origin policy.

haha thats funny isn’t it. I was also able to fix this in Agregarr by just polling for the auth token rather than relying on popup.closed

Thank you for getting back to us so quickly @bengeorge

I am having this issue, but only with Organizr, Tautulli, and Ombi. All my other applications use Authentik, which seems to be unaffected.

They all just need to copy my code again.