Rogue device connecting to my Plex even after MULTIPLE password changes and kicks

You authorized the Roku TV with the right credentials.
It was you who did that, not someone else who doesn’t have your Plex credentials.
i.e. someone else wouldn’t be able to re-authenticate the Roku after you have kicked it out of your account.


You authorized the Roku TV with the right credentials.
It was you who did that, not someone else who doesn’t have your Plex credentials.
i.e. someone else wouldn’t be able to re-authenticate the Roku after you have kicked it out of your account.

You are missing my point here. The point is that Plex should NOT allow Roku to authenticate every device on the account. Especially when there is MFA on the Plex account. Every device should have to be authenticated. This is what I am stating is a security hole/issue. Plex is allowing Roku to blanket authorize all devices and not forcing each individual device to authenticate.

To give an example, this would be like if by logging in to my Microsoft M365 email from a Mac it gave all Apple devices on my Apple account the ability to open my M365 account/email. Microsoft definitely does not allow that. Apple doesn’t either in the reverse. For every single device I open Microsoft M365 on I am prompted for credentials and MFA (and that’s not even getting into Conditional Access or other policies).

This seems to be “how Roku does things” in a way that Plex has no control over and has to go with to have a presence on the Roku app ecosystem. I asked about this a few months back and also found it kinda concerning. Looking back at my post then I noticed that I was unable to actually remove the Roku auth at all. I removed the Roku from my Authorized devices screen at the time, yet didn’t have to sign in on the new Roku. Even if the “Roku Auth” is for the whole Roku Account it should have been deauthorized then.

At least with the recent security breach and password reset I can confirm that did remove the auth then, as I had to reauthorize the device this time.


That only removes the authentication temporarily. If you open the Plex channel on the Roku, it will automatically re-authenticate through the Roku account. You have to remove it from your Roku account to make sure it doesn’t come back.

And yes, this is a Roku design. You should see the same for other Roku channels, not just Plex.

That doesn’t make any sense given how my understanding of Plex’s authentication system works. If I, as a server owner, revoke a token on my server, it should be gone. No “until we meet again”.

The device is listed individually on my Authorized devices screen.

If the authentication is for the entire Roku account, why isn’t there a tile for (Roku User Account) that I can revoke permanently?

We only have one Roku here, and when the other services get signed out it seems to be an action by the other service’s owner so we have to sign in to reauth them… like should be needed when I remove the authentication.

I could be wrong or things may have changed, but this is what I knew from the last time I looked. Roku has 2 types of authentication, account level and device level. When you install a channel, this is remembered across your account, allowing you to easily install the same channel on other Roku devices. When you sign into the channel, it remembers this so any other Roku device that also has the channel installed will automatically sign in. If you sign out on a specific device, that info is saved at the device level so that particular device will stay signed out, but the account-level info stays for other devices. These types of authentication can only be done from within the Roku ecosystem (i.e. on device). When removing a Roku device from your Plex account, it invalidates the Plex token but doesn’t affect the Roku authentications that were already created, since this is being done outside of Roku. Why Plex even allows this, I have no idea. In practice it really doesn’t do anything.

It has changed in some way in the last four months, as when I had to reauthorize the Roku after this recent security breach, I was presented with a Link Code (!), instead of having to manually type the login info. But at this point I’m not clear what it is I actually authenticated. The Roku device or a Roku account.

That is to link the Plex channel to your Roku account. I don’t think that’s new.

It was removed two years ago and people were complaining as they blamed Plex. I don’t know when it got re-added.