From 4154414adf2137eb8b6b1d23817da3278014ecbb Mon Sep 17 00:00:00 2001
From: ta264 <ta264@users.noreply.github.com>
Date: Sun, 19 Jun 2022 10:29:29 +0100
Subject: [PATCH] Add OIDC and Plex authentication methods

(cherry picked from commit 3ff3de6b90704fba266833115cd9d03ace99aae9)
---
 .../SelectMovie/ImportMovieSelectMovie.js     |   3 +-
 .../src/Components/Form/FormInputButton.js    |  26 +--
 .../src/Components/Form/FormInputGroup.css    |   1 -
 .../src/Components/Form/FormInputGroup.js     |   4 +
 frontend/src/Components/Form/OAuthInput.js    |  23 +--
 .../src/Components/Form/PlexMachineInput.js   |  44 +++++
 .../Form/PlexMachineInputConnector.js         | 115 +++++++++++++
 frontend/src/Components/Form/SelectInput.css  |   4 +
 frontend/src/Components/Form/SelectInput.js   |   3 +
 .../Page/Header/PageHeaderActionsMenu.js      |  34 ++--
 .../Header/PageHeaderActionsMenuConnector.js  |   2 +-
 .../AuthenticationRequiredModalContent.js     | 153 +++++++++++++++---
 ...enticationRequiredModalContentConnector.js |   6 +-
 frontend/src/Helpers/Props/inputTypes.js      |   2 +
 .../src/Settings/General/GeneralSettings.js   |   3 +
 .../General/GeneralSettingsConnector.js       |   4 +-
 .../src/Settings/General/SecuritySettings.js  | 153 +++++++++++++++---
 frontend/src/Store/Actions/Settings/plex.js   |  48 ++++++
 frontend/src/Store/Actions/settingsActions.js |   5 +
 frontend/src/login.html                       |  60 ++++---
 .../Authentication/AuthenticationType.cs      |   4 +-
 .../Configuration/ConfigService.cs            |  10 ++
 .../Configuration/IConfigService.cs           |  10 ++
 src/NzbDrone.Core/Localization/Core/en.json   |   5 +
 .../Notifications/Plex/PlexTv/PlexTvProxy.cs  |  20 ++-
 .../Plex/PlexTv/PlexTvResource.cs             |  13 ++
 .../Plex/PlexTv/PlexTvService.cs              |   8 +
 src/NzbDrone.Host/Startup.cs                  |   1 -
 .../AuthenticationController.cs               |  28 ++++
 .../Config/HostConfigController.cs            |  11 +-
 .../Config/HostConfigResource.cs              |  10 ++
 .../Authentication/ApiKeyRequirement.cs       |   2 +-
 .../AuthenticationBuilderExtensions.cs        |  41 ++++-
 .../AuthenticationController.cs               |  41 ++++-
 ...leDenyAnonymousAuthorizationRequirement.cs |   2 +-
 .../OpenIdConnect/ConfigureOidcOptions.cs     |  34 ++++
 .../Authentication/Plex/PlexConstants.cs      |   9 ++
 .../Authentication/Plex/PlexDefaults.cs       |  17 ++
 .../Authentication/Plex/PlexExtensions.cs     |  16 ++
 .../Authentication/Plex/PlexHandler.cs        | 135 ++++++++++++++++
 .../Authentication/Plex/PlexOptions.cs        |  20 +++
 .../Plex/PlexServerRequirement.cs             |  52 ++++++
 .../Authentication/UiAuthorizationHandler.cs  |   2 +-
 .../UiAuthorizationPolicyProvider.cs          |  13 +-
 .../Frontend/Mappers/LoginHtmlMapper.cs       |  33 ++++
 .../Frontend/StaticResourceController.cs      |   5 +-
 src/Radarr.Http/Radarr.Http.csproj            |   1 +
 47 files changed, 1077 insertions(+), 159 deletions(-)
 create mode 100644 frontend/src/Components/Form/PlexMachineInput.js
 create mode 100644 frontend/src/Components/Form/PlexMachineInputConnector.js
 create mode 100644 frontend/src/Store/Actions/Settings/plex.js
 create mode 100644 src/NzbDrone.Core/Notifications/Plex/PlexTv/PlexTvResource.cs
 create mode 100644 src/Radarr.Api.V4/Authentication/AuthenticationController.cs
 create mode 100644 src/Radarr.Http/Authentication/OpenIdConnect/ConfigureOidcOptions.cs
 create mode 100644 src/Radarr.Http/Authentication/Plex/PlexConstants.cs
 create mode 100644 src/Radarr.Http/Authentication/Plex/PlexDefaults.cs
 create mode 100644 src/Radarr.Http/Authentication/Plex/PlexExtensions.cs
 create mode 100644 src/Radarr.Http/Authentication/Plex/PlexHandler.cs
 create mode 100644 src/Radarr.Http/Authentication/Plex/PlexOptions.cs
 create mode 100644 src/Radarr.Http/Authentication/Plex/PlexServerRequirement.cs

diff --git a/frontend/src/AddMovie/ImportMovie/Import/SelectMovie/ImportMovieSelectMovie.js b/frontend/src/AddMovie/ImportMovie/Import/SelectMovie/ImportMovieSelectMovie.js
index 6ec718b034..3a41cb6e12 100644
--- a/frontend/src/AddMovie/ImportMovie/Import/SelectMovie/ImportMovieSelectMovie.js
+++ b/frontend/src/AddMovie/ImportMovie/Import/SelectMovie/ImportMovieSelectMovie.js
@@ -5,6 +5,7 @@ import FormInputButton from 'Components/Form/FormInputButton';
 import TextInput from 'Components/Form/TextInput';
 import Icon from 'Components/Icon';
 import Link from 'Components/Link/Link';
+import SpinnerButton from 'Components/Link/SpinnerButton';
 import LoadingIndicator from 'Components/Loading/LoadingIndicator';
 import Portal from 'Components/Portal';
 import { icons, kinds } from 'Helpers/Props';
@@ -242,7 +243,7 @@ class ImportMovieSelectMovie extends Component {
                           <FormInputButton
                             kind={kinds.DEFAULT}
                             spinnerIcon={icons.REFRESH}
-                            canSpin={true}
+                            ButtonComponent={SpinnerButton}
                             isSpinning={isFetching}
                             onPress={this.onRefreshPress}
                           >
diff --git a/frontend/src/Components/Form/FormInputButton.js b/frontend/src/Components/Form/FormInputButton.js
index a7145363af..fe16fae6a6 100644
--- a/frontend/src/Components/Form/FormInputButton.js
+++ b/frontend/src/Components/Form/FormInputButton.js
@@ -2,33 +2,19 @@ import classNames from 'classnames';
 import PropTypes from 'prop-types';
 import React from 'react';
 import Button from 'Components/Link/Button';
-import SpinnerButton from 'Components/Link/SpinnerButton';
 import { kinds } from 'Helpers/Props';
 import styles from './FormInputButton.css';
 
 function FormInputButton(props) {
   const {
     className,
-    canSpin,
+    ButtonComponent,
     isLastButton,
     ...otherProps
   } = props;
 
-  if (canSpin) {
-    return (
-      <SpinnerButton
-        className={classNames(
-          className,
-          !isLastButton && styles.middleButton
-        )}
-        kind={kinds.PRIMARY}
-        {...otherProps}
-      />
-    );
-  }
-
   return (
-    <Button
+    <ButtonComponent
       className={classNames(
         className,
         !isLastButton && styles.middleButton
@@ -41,14 +27,14 @@ function FormInputButton(props) {
 
 FormInputButton.propTypes = {
   className: PropTypes.string.isRequired,
-  isLastButton: PropTypes.bool.isRequired,
-  canSpin: PropTypes.bool.isRequired
+  ButtonComponent: PropTypes.elementType.isRequired,
+  isLastButton: PropTypes.bool.isRequired
 };
 
 FormInputButton.defaultProps = {
   className: styles.button,
-  isLastButton: true,
-  canSpin: false
+  ButtonComponent: Button,
+  isLastButton: true
 };
 
 export default FormInputButton;
diff --git a/frontend/src/Components/Form/FormInputGroup.css b/frontend/src/Components/Form/FormInputGroup.css
index 32d91e29b9..4e6d6c4e09 100644
--- a/frontend/src/Components/Form/FormInputGroup.css
+++ b/frontend/src/Components/Form/FormInputGroup.css
@@ -6,7 +6,6 @@
 .inputGroup {
   display: flex;
   flex: 1 1 auto;
-  flex-wrap: wrap;
 }
 
 .inputContainer {
diff --git a/frontend/src/Components/Form/FormInputGroup.js b/frontend/src/Components/Form/FormInputGroup.js
index 5327fe616a..e75b22ac47 100644
--- a/frontend/src/Components/Form/FormInputGroup.js
+++ b/frontend/src/Components/Form/FormInputGroup.js
@@ -20,6 +20,7 @@ import NumberInput from './NumberInput';
 import OAuthInputConnector from './OAuthInputConnector';
 import PasswordInput from './PasswordInput';
 import PathInputConnector from './PathInputConnector';
+import PlexMachineInputConnector from './PlexMachineInputConnector';
 import QualityProfileSelectInputConnector from './QualityProfileSelectInputConnector';
 import RootFolderSelectInputConnector from './RootFolderSelectInputConnector';
 import TagInputConnector from './TagInputConnector';
@@ -62,6 +63,9 @@ function getComponent(type) {
     case inputTypes.PATH:
       return PathInputConnector;
 
+    case inputTypes.PLEX_MACHINE_SELECT:
+      return PlexMachineInputConnector;
+
     case inputTypes.QUALITY_PROFILE_SELECT:
       return QualityProfileSelectInputConnector;
 
diff --git a/frontend/src/Components/Form/OAuthInput.js b/frontend/src/Components/Form/OAuthInput.js
index 4ecd625bc7..8b39176084 100644
--- a/frontend/src/Components/Form/OAuthInput.js
+++ b/frontend/src/Components/Form/OAuthInput.js
@@ -5,6 +5,7 @@ import { kinds } from 'Helpers/Props';
 
 function OAuthInput(props) {
   const {
+    className,
     label,
     authorizing,
     error,
@@ -12,21 +13,21 @@ function OAuthInput(props) {
   } = props;
 
   return (
-    <div>
-      <SpinnerErrorButton
-        kind={kinds.PRIMARY}
-        isSpinning={authorizing}
-        error={error}
-        onPress={onPress}
-      >
-        {label}
-      </SpinnerErrorButton>
-    </div>
+    <SpinnerErrorButton
+      className={className}
+      kind={kinds.PRIMARY}
+      isSpinning={authorizing}
+      error={error}
+      onPress={onPress}
+    >
+      {label}
+    </SpinnerErrorButton>
   );
 }
 
 OAuthInput.propTypes = {
-  label: PropTypes.string.isRequired,
+  className: PropTypes.string,
+  label: PropTypes.oneOfType([PropTypes.string, PropTypes.object]).isRequired,
   authorizing: PropTypes.bool.isRequired,
   error: PropTypes.object,
   onPress: PropTypes.func.isRequired
diff --git a/frontend/src/Components/Form/PlexMachineInput.js b/frontend/src/Components/Form/PlexMachineInput.js
new file mode 100644
index 0000000000..cf816dcda8
--- /dev/null
+++ b/frontend/src/Components/Form/PlexMachineInput.js
@@ -0,0 +1,44 @@
+import PropTypes from 'prop-types';
+import React from 'react';
+import LoadingIndicator from 'Components/Loading/LoadingIndicator';
+import SelectInput from './SelectInput';
+
+function PlexMachineInput(props) {
+  const {
+    isFetching,
+    isDisabled,
+    value,
+    values,
+    onChange,
+    ...otherProps
+  } = props;
+
+  const helpText = 'Authenticate with plex.tv to show servers to use for authentication';
+
+  return (
+    <>
+      {
+        isFetching ?
+          <LoadingIndicator /> :
+          <SelectInput
+            value={value}
+            values={values}
+            isDisabled={isDisabled}
+            onChange={onChange}
+            helpText={helpText}
+            {...otherProps}
+          />
+      }
+    </>
+  );
+}
+
+PlexMachineInput.propTypes = {
+  isFetching: PropTypes.bool.isRequired,
+  isDisabled: PropTypes.bool.isRequired,
+  value: PropTypes.string,
+  values: PropTypes.arrayOf(PropTypes.object).isRequired,
+  onChange: PropTypes.func.isRequired
+};
+
+export default PlexMachineInput;
diff --git a/frontend/src/Components/Form/PlexMachineInputConnector.js b/frontend/src/Components/Form/PlexMachineInputConnector.js
new file mode 100644
index 0000000000..aeac611d88
--- /dev/null
+++ b/frontend/src/Components/Form/PlexMachineInputConnector.js
@@ -0,0 +1,115 @@
+import PropTypes from 'prop-types';
+import React, { Component } from 'react';
+import { connect } from 'react-redux';
+import { createSelector } from 'reselect';
+import { fetchPlexResources } from 'Store/Actions/settingsActions';
+import PlexMachineInput from './PlexMachineInput';
+
+function createMapStateToProps() {
+  return createSelector(
+    (state, { value }) => value,
+    (state) => state.oAuth,
+    (state) => state.settings.plex,
+    (value, oAuth, plex) => {
+
+      let values = [{ key: value, value }];
+      let isDisabled = true;
+
+      if (plex.isPopulated) {
+        const serverValues = plex.items.filter((item) => item.provides.includes('server')).map((item) => {
+          return ({
+            key: item.clientIdentifier,
+            value: `${item.name} / ${item.owned ? 'Owner' : 'User'} / ${item.clientIdentifier}`
+          });
+        });
+
+        if (serverValues.find((item) => item.key === value)) {
+          values = serverValues;
+        } else {
+          values = values.concat(serverValues);
+        }
+
+        isDisabled = false;
+      }
+
+      return ({
+        accessToken: oAuth.result?.accessToken,
+        values,
+        isDisabled,
+        ...plex
+      });
+    }
+  );
+}
+
+const mapDispatchToProps = {
+  dispatchFetchPlexResources: fetchPlexResources
+};
+
+class PlexMachineInputConnector extends Component {
+
+  //
+  // Lifecycle
+  componentDidMount = () => {
+    const {
+      accessToken,
+      dispatchFetchPlexResources
+    } = this.props;
+
+    if (accessToken) {
+      dispatchFetchPlexResources({ accessToken });
+    }
+
+  };
+
+  componentDidUpdate(prevProps) {
+    const {
+      accessToken,
+      dispatchFetchPlexResources
+    } = this.props;
+
+    const oldToken = prevProps.accessToken;
+    if (accessToken && accessToken !== oldToken) {
+      dispatchFetchPlexResources({ accessToken });
+    }
+  }
+
+  render() {
+    const {
+      isFetching,
+      isPopulated,
+      isDisabled,
+      value,
+      values,
+      onChange
+    } = this.props;
+
+    return (
+      <PlexMachineInput
+        isFetching={isFetching}
+        isPopulated={isPopulated}
+        isDisabled={isDisabled}
+        value={value}
+        values={values}
+        onChange={onChange}
+        {...this.props}
+      />
+    );
+  }
+}
+
+PlexMachineInputConnector.propTypes = {
+  dispatchFetchPlexResources: PropTypes.func.isRequired,
+  name: PropTypes.string.isRequired,
+  value: PropTypes.string.isRequired,
+  values: PropTypes.arrayOf(PropTypes.object).isRequired,
+  isFetching: PropTypes.bool.isRequired,
+  isPopulated: PropTypes.bool.isRequired,
+  isDisabled: PropTypes.bool.isRequired,
+  error: PropTypes.object,
+  oAuth: PropTypes.object,
+  accessToken: PropTypes.string,
+  onChange: PropTypes.func.isRequired
+};
+
+export default connect(createMapStateToProps, mapDispatchToProps)(PlexMachineInputConnector);
diff --git a/frontend/src/Components/Form/SelectInput.css b/frontend/src/Components/Form/SelectInput.css
index aa1dfc79be..ce41843ec0 100644
--- a/frontend/src/Components/Form/SelectInput.css
+++ b/frontend/src/Components/Form/SelectInput.css
@@ -12,6 +12,10 @@
   composes: hasWarning from '~Components/Form/Input.css';
 }
 
+.hasButton {
+  composes: hasButton from '~Components/Form/Input.css';
+}
+
 .isDisabled {
   opacity: 0.7;
   cursor: not-allowed;
diff --git a/frontend/src/Components/Form/SelectInput.js b/frontend/src/Components/Form/SelectInput.js
index 0a60ffe1e0..89d7a2e862 100644
--- a/frontend/src/Components/Form/SelectInput.js
+++ b/frontend/src/Components/Form/SelectInput.js
@@ -28,6 +28,7 @@ class SelectInput extends Component {
       isDisabled,
       hasError,
       hasWarning,
+      hasButton,
       autoFocus,
       onBlur
     } = this.props;
@@ -38,6 +39,7 @@ class SelectInput extends Component {
           className,
           hasError && styles.hasError,
           hasWarning && styles.hasWarning,
+          hasButton && styles.hasButton,
           isDisabled && disabledClassName
         )}
         disabled={isDisabled}
@@ -80,6 +82,7 @@ SelectInput.propTypes = {
   isDisabled: PropTypes.bool,
   hasError: PropTypes.bool,
   hasWarning: PropTypes.bool,
+  hasButton: PropTypes.bool,
   autoFocus: PropTypes.bool.isRequired,
   onChange: PropTypes.func.isRequired,
   onBlur: PropTypes.func
diff --git a/frontend/src/Components/Page/Header/PageHeaderActionsMenu.js b/frontend/src/Components/Page/Header/PageHeaderActionsMenu.js
index 1ea9450f1b..35812a2fde 100644
--- a/frontend/src/Components/Page/Header/PageHeaderActionsMenu.js
+++ b/frontend/src/Components/Page/Header/PageHeaderActionsMenu.js
@@ -12,7 +12,7 @@ import styles from './PageHeaderActionsMenu.css';
 
 function PageHeaderActionsMenu(props) {
   const {
-    formsAuth,
+    cookieAuth,
     onKeyboardShortcutsPress,
     onRestartPress,
     onShutdownPress
@@ -56,22 +56,20 @@ function PageHeaderActionsMenu(props) {
           </MenuItem>
 
           {
-            formsAuth &&
-              <div className={styles.separator} />
-          }
-
-          {
-            formsAuth &&
-              <MenuItem
-                to={`${window.Radarr.urlBase}/logout`}
-                noRouter={true}
-              >
-                <Icon
-                  className={styles.itemIcon}
-                  name={icons.LOGOUT}
-                />
-                Logout
-              </MenuItem>
+            cookieAuth &&
+              <>
+                <div className={styles.separator} />
+                <MenuItem
+                  to={`${window.Radarr.urlBase}/logout?ReturnUrl=/`}
+                  noRouter={true}
+                >
+                  <Icon
+                    className={styles.itemIcon}
+                    name={icons.LOGOUT}
+                  />
+                  Logout
+                </MenuItem>
+              </>
           }
         </MenuContent>
       </Menu>
@@ -80,7 +78,7 @@ function PageHeaderActionsMenu(props) {
 }
 
 PageHeaderActionsMenu.propTypes = {
-  formsAuth: PropTypes.bool.isRequired,
+  cookieAuth: PropTypes.bool.isRequired,
   onKeyboardShortcutsPress: PropTypes.func.isRequired,
   onRestartPress: PropTypes.func.isRequired,
   onShutdownPress: PropTypes.func.isRequired
diff --git a/frontend/src/Components/Page/Header/PageHeaderActionsMenuConnector.js b/frontend/src/Components/Page/Header/PageHeaderActionsMenuConnector.js
index 3aba95065b..86234943d3 100644
--- a/frontend/src/Components/Page/Header/PageHeaderActionsMenuConnector.js
+++ b/frontend/src/Components/Page/Header/PageHeaderActionsMenuConnector.js
@@ -10,7 +10,7 @@ function createMapStateToProps() {
     (state) => state.system.status,
     (status) => {
       return {
-        formsAuth: status.item.authentication === 'forms'
+        cookieAuth: ['forms', 'oidc', 'plex'].includes(status.item.authentication)
       };
     }
   );
diff --git a/frontend/src/FirstRun/AuthenticationRequiredModalContent.js b/frontend/src/FirstRun/AuthenticationRequiredModalContent.js
index 193bdf9507..14df030b44 100644
--- a/frontend/src/FirstRun/AuthenticationRequiredModalContent.js
+++ b/frontend/src/FirstRun/AuthenticationRequiredModalContent.js
@@ -2,18 +2,37 @@ import PropTypes from 'prop-types';
 import React, { useEffect, useRef } from 'react';
 import Alert from 'Components/Alert';
 import FormGroup from 'Components/Form/FormGroup';
+import FormInputButton from 'Components/Form/FormInputButton';
 import FormInputGroup from 'Components/Form/FormInputGroup';
 import FormLabel from 'Components/Form/FormLabel';
+import OAuthInputConnector from 'Components/Form/OAuthInputConnector';
+import Icon from 'Components/Icon';
 import SpinnerButton from 'Components/Link/SpinnerButton';
 import LoadingIndicator from 'Components/Loading/LoadingIndicator';
 import ModalBody from 'Components/Modal/ModalBody';
 import ModalContent from 'Components/Modal/ModalContent';
 import ModalFooter from 'Components/Modal/ModalFooter';
 import ModalHeader from 'Components/Modal/ModalHeader';
-import { inputTypes, kinds } from 'Helpers/Props';
+import { icons, inputTypes, kinds } from 'Helpers/Props';
 import { authenticationMethodOptions, authenticationRequiredOptions, authenticationRequiredWarning } from 'Settings/General/SecuritySettings';
 import styles from './AuthenticationRequiredModalContent.css';
 
+const oauthData = {
+  implementation: { value: 'PlexImport' },
+  configContract: { value: 'PlexListSettings' },
+  fields: [
+    {
+      type: 'textbox',
+      name: 'accessToken'
+    },
+    {
+      type: 'oAuth',
+      name: 'signIn',
+      value: 'startAuth'
+    }
+  ]
+};
+
 function onModalClose() {
   // No-op
 }
@@ -21,6 +40,7 @@ function onModalClose() {
 function AuthenticationRequiredModalContent(props) {
   const {
     isPopulated,
+    plexServersPopulated,
     error,
     isSaving,
     settings,
@@ -33,10 +53,18 @@ function AuthenticationRequiredModalContent(props) {
     authenticationMethod,
     authenticationRequired,
     username,
-    password
+    password,
+    plexAuthServer,
+    plexRequireOwner,
+    oidcClientId,
+    oidcClientSecret,
+    oidcAuthority
   } = settings;
 
   const authenticationEnabled = authenticationMethod && authenticationMethod.value !== 'none';
+  const showUserPass = authenticationMethod && ['basic', 'forms'].includes(authenticationMethod.value);
+  const plexEnabled = authenticationMethod && authenticationMethod.value === 'plex';
+  const oidcEnabled = authenticationMethod && authenticationMethod.value === 'oidc';
 
   const didMount = useRef(false);
 
@@ -75,7 +103,7 @@ function AuthenticationRequiredModalContent(props) {
                   type={inputTypes.SELECT}
                   name="authenticationMethod"
                   values={authenticationMethodOptions}
-                  helpText="Require Username and Password to access Sonarr"
+                  helpText="Require login to access Sonarr"
                   onChange={onInputChange}
                   {...authenticationMethod}
                 />
@@ -99,33 +127,107 @@ function AuthenticationRequiredModalContent(props) {
               }
 
               {
-                authenticationEnabled ?
-                  <FormGroup>
-                    <FormLabel>Username</FormLabel>
+                showUserPass &&
+                  <>
+                    <FormGroup>
+                      <FormLabel>Username</FormLabel>
 
-                    <FormInputGroup
-                      type={inputTypes.TEXT}
-                      name="username"
-                      onChange={onInputChange}
-                      {...username}
-                    />
-                  </FormGroup> :
-                  null
+                      <FormInputGroup
+                        type={inputTypes.TEXT}
+                        name="username"
+                        onChange={onInputChange}
+                        {...username}
+                      />
+                    </FormGroup>
+
+                    <FormGroup>
+                      <FormLabel>Password</FormLabel>
+
+                      <FormInputGroup
+                        type={inputTypes.PASSWORD}
+                        name="password"
+                        onChange={onInputChange}
+                        {...password}
+                      />
+                    </FormGroup>
+                  </>
               }
 
               {
-                authenticationEnabled ?
-                  <FormGroup>
-                    <FormLabel>Password</FormLabel>
+                plexEnabled &&
+                  <>
+                    <FormGroup>
+                      <FormLabel>Plex Server</FormLabel>
 
-                    <FormInputGroup
-                      type={inputTypes.PASSWORD}
-                      name="password"
-                      onChange={onInputChange}
-                      {...password}
-                    />
-                  </FormGroup> :
-                  null
+                      <FormInputGroup
+                        type={inputTypes.PLEX_MACHINE_SELECT}
+                        name="plexAuthServer"
+                        buttons={[
+                          <FormInputButton
+                            key="auth"
+                            ButtonComponent={OAuthInputConnector}
+                            label={plexServersPopulated ? <Icon name={icons.REFRESH} /> : 'Fetch'}
+                            name="plexAuth"
+                            provider="importList"
+                            providerData={oauthData}
+                            section="settings.importLists"
+                            onChange={onInputChange}
+                          />
+                        ]}
+                        onChange={onInputChange}
+                        {...plexAuthServer}
+                      />
+                    </FormGroup>
+
+                    <FormGroup>
+                      <FormLabel>Restrict Access to Server Owner</FormLabel>
+
+                      <FormInputGroup
+                        type={inputTypes.CHECK}
+                        name="plexRequireOwner"
+                        onChange={onInputChange}
+                        {...plexRequireOwner}
+                      />
+                    </FormGroup>
+                  </>
+              }
+
+              {
+                oidcEnabled &&
+                  <>
+                    <FormGroup>
+                      <FormLabel>Authority</FormLabel>
+
+                      <FormInputGroup
+                        type={inputTypes.TEXT}
+                        name="oidcAuthority"
+                        onChange={onInputChange}
+                        {...oidcAuthority}
+                      />
+                    </FormGroup>
+
+                    <FormGroup>
+                      <FormLabel>ClientId</FormLabel>
+
+                      <FormInputGroup
+                        type={inputTypes.TEXT}
+                        name="oidcClientId"
+                        onChange={onInputChange}
+                        {...oidcClientId}
+                      />
+                    </FormGroup>
+
+                    <FormGroup>
+                      <FormLabel>ClientSecret</FormLabel>
+
+                      <FormInputGroup
+                        type={inputTypes.PASSWORD}
+                        name="oidcClientSecret"
+                        onChange={onInputChange}
+                        {...oidcClientSecret}
+                      />
+                    </FormGroup>
+                  </>
               }
             </div> :
             null
@@ -152,6 +254,7 @@ function AuthenticationRequiredModalContent(props) {
 
 AuthenticationRequiredModalContent.propTypes = {
   isPopulated: PropTypes.bool.isRequired,
+  plexServersPopulated: PropTypes.bool.isRequired,
   error: PropTypes.object,
   isSaving: PropTypes.bool.isRequired,
   saveError: PropTypes.object,
diff --git a/frontend/src/FirstRun/AuthenticationRequiredModalContentConnector.js b/frontend/src/FirstRun/AuthenticationRequiredModalContentConnector.js
index 6653a9d34d..0db646a27b 100644
--- a/frontend/src/FirstRun/AuthenticationRequiredModalContentConnector.js
+++ b/frontend/src/FirstRun/AuthenticationRequiredModalContentConnector.js
@@ -13,9 +13,11 @@ const SECTION = 'general';
 function createMapStateToProps() {
   return createSelector(
     createSettingsSectionSelector(SECTION),
-    (sectionSettings) => {
+    (state) => state.settings.plex,
+    (sectionSettings, plex) => {
       return {
-        ...sectionSettings
+        ...sectionSettings,
+        plexServersPopulated: plex.isPopulated
       };
     }
   );
diff --git a/frontend/src/Helpers/Props/inputTypes.js b/frontend/src/Helpers/Props/inputTypes.js
index ac031d4f02..5e6ecf755e 100644
--- a/frontend/src/Helpers/Props/inputTypes.js
+++ b/frontend/src/Helpers/Props/inputTypes.js
@@ -9,6 +9,7 @@ export const NUMBER = 'number';
 export const OAUTH = 'oauth';
 export const PASSWORD = 'password';
 export const PATH = 'path';
+export const PLEX_MACHINE_SELECT = 'plexMachineSelect';
 export const QUALITY_PROFILE_SELECT = 'qualityProfileSelect';
 export const ROOT_FOLDER_SELECT = 'rootFolderSelect';
 export const INDEXER_FLAGS_SELECT = 'indexerFlagsSelect';
@@ -35,6 +36,7 @@ export const all = [
   OAUTH,
   PASSWORD,
   PATH,
+  PLEX_MACHINE_SELECT,
   QUALITY_PROFILE_SELECT,
   DOWNLOAD_CLIENT_SELECT,
   ROOT_FOLDER_SELECT,
diff --git a/frontend/src/Settings/General/GeneralSettings.js b/frontend/src/Settings/General/GeneralSettings.js
index 17335a53ff..5d9aba5c2e 100644
--- a/frontend/src/Settings/General/GeneralSettings.js
+++ b/frontend/src/Settings/General/GeneralSettings.js
@@ -106,6 +106,7 @@ class GeneralSettings extends Component {
       packageUpdateMechanism,
       onInputChange,
       onConfirmResetApiKey,
+      plexServersPopulated,
       ...otherProps
     } = this.props;
 
@@ -144,6 +145,7 @@ class GeneralSettings extends Component {
 
                 <SecuritySettings
                   settings={settings}
+                  plexServersPopulated={plexServersPopulated}
                   isResettingApiKey={isResettingApiKey}
                   onInputChange={onInputChange}
                   onConfirmResetApiKey={onConfirmResetApiKey}
@@ -201,6 +203,7 @@ class GeneralSettings extends Component {
 
 GeneralSettings.propTypes = {
   advancedSettings: PropTypes.bool.isRequired,
+  plexServersPopulated: PropTypes.bool.isRequired,
   isFetching: PropTypes.bool.isRequired,
   isPopulated: PropTypes.bool.isRequired,
   error: PropTypes.object,
diff --git a/frontend/src/Settings/General/GeneralSettingsConnector.js b/frontend/src/Settings/General/GeneralSettingsConnector.js
index 18b23a9507..68098f6f9d 100644
--- a/frontend/src/Settings/General/GeneralSettingsConnector.js
+++ b/frontend/src/Settings/General/GeneralSettingsConnector.js
@@ -17,12 +17,14 @@ const SECTION = 'general';
 function createMapStateToProps() {
   return createSelector(
     (state) => state.settings.advancedSettings,
+    (state) => state.settings.plex,
     createSettingsSectionSelector(SECTION),
     createCommandExecutingSelector(commandNames.RESET_API_KEY),
     createSystemStatusSelector(),
-    (advancedSettings, sectionSettings, isResettingApiKey, systemStatus) => {
+    (advancedSettings, plexSettings, sectionSettings, isResettingApiKey, systemStatus) => {
       return {
         advancedSettings,
+        plexServersPopulated: plexSettings.isPopulated,
         isResettingApiKey,
         isWindows: systemStatus.isWindows,
         isWindowsService: systemStatus.isWindows && systemStatus.mode === 'service',
diff --git a/frontend/src/Settings/General/SecuritySettings.js b/frontend/src/Settings/General/SecuritySettings.js
index 8903d3fb2e..be15bede23 100644
--- a/frontend/src/Settings/General/SecuritySettings.js
+++ b/frontend/src/Settings/General/SecuritySettings.js
@@ -5,6 +5,7 @@ import FormGroup from 'Components/Form/FormGroup';
 import FormInputButton from 'Components/Form/FormInputButton';
 import FormInputGroup from 'Components/Form/FormInputGroup';
 import FormLabel from 'Components/Form/FormLabel';
+import OAuthInputConnector from 'Components/Form/OAuthInputConnector';
 import Icon from 'Components/Icon';
 import ClipboardButton from 'Components/Link/ClipboardButton';
 import ConfirmModal from 'Components/Modal/ConfirmModal';
@@ -14,9 +15,11 @@ import translate from 'Utilities/String/translate';
 export const authenticationRequiredWarning = 'To prevent remote access without authentication, Radarr now requires authentication to be enabled. You can optionally disable authentication from local addresses.';
 
 export const authenticationMethodOptions = [
-  { key: 'none', value: translate('None'), isDisabled: true },
-  { key: 'basic', value: translate('AuthBasic') },
-  { key: 'forms', value: translate('AuthForm') }
+  { key: 'none', value: 'None', isDisabled: true },
+  { key: 'basic', value: 'Basic (Browser Popup, insecure over HTTP)' },
+  { key: 'forms', value: 'Forms (Login Page)' },
+  { key: 'plex', value: 'Plex' },
+  { key: 'oidc', value: 'OpenID Connect' }
 ];
 
 export const authenticationRequiredOptions = [
@@ -30,6 +33,22 @@ const certificateValidationOptions = [
   { key: 'disabled', value: translate('Disabled') }
 ];
 
+const oauthData = {
+  implementation: { value: 'PlexImport' },
+  configContract: { value: 'PlexListSettings' },
+  fields: [
+    {
+      type: 'textbox',
+      name: 'accessToken'
+    },
+    {
+      type: 'oAuth',
+      name: 'signIn',
+      value: 'startAuth'
+    }
+  ]
+};
+
 class SecuritySettings extends Component {
 
   //
@@ -69,6 +88,7 @@ class SecuritySettings extends Component {
   render() {
     const {
       settings,
+      plexServersPopulated,
       isResettingApiKey,
       onInputChange
     } = this.props;
@@ -78,11 +98,19 @@ class SecuritySettings extends Component {
       authenticationRequired,
       username,
       password,
+      plexAuthServer,
+      plexRequireOwner,
+      oidcClientId,
+      oidcClientSecret,
+      oidcAuthority,
       apiKey,
       certificateValidation
     } = settings;
 
     const authenticationEnabled = authenticationMethod && authenticationMethod.value !== 'none';
+    const showUserPass = authenticationMethod && ['basic', 'forms'].includes(authenticationMethod.value);
+    const plexEnabled = authenticationMethod && authenticationMethod.value === 'plex';
+    const oidcEnabled = authenticationMethod && authenticationMethod.value === 'oidc';
 
     return (
       <FieldSet legend={translate('Security')}>
@@ -118,33 +146,107 @@ class SecuritySettings extends Component {
         }
 
         {
-          authenticationEnabled ?
-            <FormGroup>
-              <FormLabel>{translate('Username')}</FormLabel>
+          showUserPass &&
+            <>
+              <FormGroup>
+                <FormLabel>{translate('Username')}</FormLabel>
 
-              <FormInputGroup
-                type={inputTypes.TEXT}
-                name="username"
-                onChange={onInputChange}
-                {...username}
-              />
-            </FormGroup> :
-            null
+                <FormInputGroup
+                  type={inputTypes.TEXT}
+                  name="username"
+                  onChange={onInputChange}
+                  {...username}
+                />
+              </FormGroup>
+
+              <FormGroup>
+                <FormLabel>{translate('Password')}</FormLabel>
+
+                <FormInputGroup
+                  type={inputTypes.PASSWORD}
+                  name="password"
+                  onChange={onInputChange}
+                  {...password}
+                />
+              </FormGroup>
+            </>
         }
 
         {
-          authenticationEnabled ?
-            <FormGroup>
-              <FormLabel>{translate('Password')}</FormLabel>
+          plexEnabled &&
+            <>
+              <FormGroup>
+                <FormLabel>{translate('PlexServer')}</FormLabel>
 
-              <FormInputGroup
-                type={inputTypes.PASSWORD}
-                name="password"
-                onChange={onInputChange}
-                {...password}
-              />
-            </FormGroup> :
-            null
+                <FormInputGroup
+                  type={inputTypes.PLEX_MACHINE_SELECT}
+                  name="plexAuthServer"
+                  buttons={[
+                    <FormInputButton
+                      key="auth"
+                      ButtonComponent={OAuthInputConnector}
+                      label={plexServersPopulated ? <Icon name={icons.REFRESH} /> : 'Fetch'}
+                      name="plexAuth"
+                      provider="importList"
+                      providerData={oauthData}
+                      section="settings.importLists"
+                      onChange={onInputChange}
+                    />
+                  ]}
+                  onChange={onInputChange}
+                  {...plexAuthServer}
+                />
+              </FormGroup>
+
+              <FormGroup>
+                <FormLabel>{translate('RestrictAccessToServerOwner')}</FormLabel>
+
+                <FormInputGroup
+                  type={inputTypes.CHECK}
+                  name="plexRequireOwner"
+                  onChange={onInputChange}
+                  {...plexRequireOwner}
+                />
+              </FormGroup>
+            </>
+        }
+
+        {
+          oidcEnabled &&
+            <>
+              <FormGroup>
+                <FormLabel>{translate('Authority')}</FormLabel>
+
+                <FormInputGroup
+                  type={inputTypes.TEXT}
+                  name="oidcAuthority"
+                  onChange={onInputChange}
+                  {...oidcAuthority}
+                />
+              </FormGroup>
+
+              <FormGroup>
+                <FormLabel>{translate('ClientId')}</FormLabel>
+
+                <FormInputGroup
+                  type={inputTypes.TEXT}
+                  name="oidcClientId"
+                  onChange={onInputChange}
+                  {...oidcClientId}
+                />
+              </FormGroup>
+
+              <FormGroup>
+                <FormLabel>{translate('ClientSecret')}</FormLabel>
+
+                <FormInputGroup
+                  type={inputTypes.PASSWORD}
+                  name="oidcClientSecret"
+                  onChange={onInputChange}
+                  {...oidcClientSecret}
+                />
+              </FormGroup>
+            </>
         }
 
         <FormGroup>
@@ -208,6 +310,7 @@ class SecuritySettings extends Component {
 
 SecuritySettings.propTypes = {
   settings: PropTypes.object.isRequired,
+  plexServersPopulated: PropTypes.bool.isRequired,
   isResettingApiKey: PropTypes.bool.isRequired,
   onInputChange: PropTypes.func.isRequired,
   onConfirmResetApiKey: PropTypes.func.isRequired
diff --git a/frontend/src/Store/Actions/Settings/plex.js b/frontend/src/Store/Actions/Settings/plex.js
new file mode 100644
index 0000000000..c5dc7860c4
--- /dev/null
+++ b/frontend/src/Store/Actions/Settings/plex.js
@@ -0,0 +1,48 @@
+import createFetchHandler from 'Store/Actions/Creators/createFetchHandler';
+import { createThunk } from 'Store/thunks';
+
+//
+// Variables
+
+const section = 'settings.plex';
+
+//
+// Actions Types
+
+export const FETCH_PLEX_RESOURCES = 'settings/plex/fetchResources';
+
+//
+// Action Creators
+
+export const fetchPlexResources = createThunk(FETCH_PLEX_RESOURCES);
+
+//
+// Details
+
+export default {
+
+  //
+  // State
+
+  defaultState: {
+    isFetching: false,
+    isPopulated: false,
+    error: null,
+    pendingChanges: {},
+    isSaving: false,
+    saveError: null,
+    items: []
+  },
+
+  //
+  // Action Handlers
+
+  actionHandlers: {
+    [FETCH_PLEX_RESOURCES]: createFetchHandler(section, '/authentication/plex/resources')
+  },
+
+  //
+  // Reducers
+
+  reducers: { }
+};
diff --git a/frontend/src/Store/Actions/settingsActions.js b/frontend/src/Store/Actions/settingsActions.js
index f14548f9ac..07a4f27fb7 100644
--- a/frontend/src/Store/Actions/settingsActions.js
+++ b/frontend/src/Store/Actions/settingsActions.js
@@ -20,6 +20,7 @@ import metadataOptions from './Settings/metadataOptions';
 import naming from './Settings/naming';
 import namingExamples from './Settings/namingExamples';
 import notifications from './Settings/notifications';
+import plex from './Settings/plex';
 import qualityDefinitions from './Settings/qualityDefinitions';
 import qualityProfiles from './Settings/qualityProfiles';
 import remotePathMappings from './Settings/remotePathMappings';
@@ -45,6 +46,7 @@ export * from './Settings/metadataOptions';
 export * from './Settings/naming';
 export * from './Settings/namingExamples';
 export * from './Settings/notifications';
+export * from './Settings/plex';
 export * from './Settings/qualityDefinitions';
 export * from './Settings/qualityProfiles';
 export * from './Settings/remotePathMappings';
@@ -81,6 +83,7 @@ export const defaultState = {
   naming: naming.defaultState,
   namingExamples: namingExamples.defaultState,
   notifications: notifications.defaultState,
+  plex: plex.defaultState,
   qualityDefinitions: qualityDefinitions.defaultState,
   qualityProfiles: qualityProfiles.defaultState,
   remotePathMappings: remotePathMappings.defaultState,
@@ -125,6 +128,7 @@ export const actionHandlers = handleThunks({
   ...naming.actionHandlers,
   ...namingExamples.actionHandlers,
   ...notifications.actionHandlers,
+  ...plex.actionHandlers,
   ...qualityDefinitions.actionHandlers,
   ...qualityProfiles.actionHandlers,
   ...remotePathMappings.actionHandlers,
@@ -160,6 +164,7 @@ export const reducers = createHandleActions({
   ...naming.reducers,
   ...namingExamples.reducers,
   ...notifications.reducers,
+  ...plex.reducers,
   ...qualityDefinitions.reducers,
   ...qualityProfiles.reducers,
   ...remotePathMappings.reducers,
diff --git a/frontend/src/login.html b/frontend/src/login.html
index 284753eccd..ab401438bb 100644
--- a/frontend/src/login.html
+++ b/frontend/src/login.html
@@ -210,34 +210,37 @@
 
             <form
               role="form"
+              action="/login"
               data-parsley-validate=""
               novalidate=""
               class="mb-lg"
               method="POST"
             >
-              <div class="form-group">
-                <input
-                  type="email"
-                  name="username"
-                  class="form-input"
-                  placeholder="Username"
-                  autocomplete="off"
-                  pattern=".{1,}"
-                  required
-                  title="User name is required"
-                  autoFocus="true"
-                  autoCapitalize="false"
-                />
-              </div>
+              <div id="user-pass" class="hidden">
+                <div class="form-group">
+                  <input
+                    type="email"
+                    name="username"
+                    class="form-input"
+                    placeholder="Username"
+                    autocomplete="off"
+                    pattern=".{1,}"
+                    required
+                    title="User name is required"
+                    autoFocus="true"
+                    autoCapitalize="false"
+                  />
+                </div>
 
-              <div class="form-group">
-                <input
-                  type="password"
-                  name="password"
-                  class="form-input"
-                  placeholder="Password"
-                  required
-                />
+                <div class="form-group">
+                  <input
+                    type="password"
+                    name="password"
+                    class="form-input"
+                    placeholder="Password"
+                    required
+                  />
+                </div>
               </div>
 
               <div class="remember-me-container">
@@ -257,10 +260,10 @@
                   >Forgot your password?</a
                 >
               </div>
-              <button type="submit" class="button">Login</button>
+              <button type="submit" class="button">LOGIN_PLACEHOLDER</button>
 
               <div id="login-failed" class="login-failed hidden">
-                Incorrect Username or Password
+                FAILED_PLACEHOLDER
               </div>
             </form>
           </div>
@@ -283,9 +286,14 @@
     var copyDiv = document.getElementById("copy");
     copyDiv.classList.remove("hidden");
 
-    if (window.location.search.indexOf("loginFailed=true") > -1) {
-      var loginFailedDiv = document.getElementById("login-failed");
+    var loginFailedDiv = document.getElementById("login-failed");
 
+    if (window.location.pathname.indexOf("/sso") === -1) {
+      var userPassDiv = document.getElementById("user-pass");
+      userPassDiv.classList.remove("hidden");
+    }
+
+    if (window.location.pathname.indexOf("/failed") > -1) {
       loginFailedDiv.classList.remove("hidden");
     }
   </script>
diff --git a/src/NzbDrone.Core/Authentication/AuthenticationType.cs b/src/NzbDrone.Core/Authentication/AuthenticationType.cs
index ca408774b0..0e8f5c49bc 100644
--- a/src/NzbDrone.Core/Authentication/AuthenticationType.cs
+++ b/src/NzbDrone.Core/Authentication/AuthenticationType.cs
@@ -5,6 +5,8 @@ public enum AuthenticationType
         None = 0,
         Basic = 1,
         Forms = 2,
-        External = 3
+        External = 3,
+        Oidc = 4,
+        Plex = 5,
     }
 }
diff --git a/src/NzbDrone.Core/Configuration/ConfigService.cs b/src/NzbDrone.Core/Configuration/ConfigService.cs
index b0832d9bf2..7670e24d5e 100644
--- a/src/NzbDrone.Core/Configuration/ConfigService.cs
+++ b/src/NzbDrone.Core/Configuration/ConfigService.cs
@@ -403,6 +403,16 @@ public bool CleanupMetadataImages
 
         public string HmacSalt => GetValue("HmacSalt", Guid.NewGuid().ToString(), true);
 
+        public string PlexAuthServer => GetValue("PlexAuthServer", string.Empty);
+
+        public bool PlexRequireOwner => GetValueBoolean("PlexRequireOwner", true);
+
+        public string OidcClientId => GetValue("OidcClientId", string.Empty);
+
+        public string OidcClientSecret => GetValue("OidcClientSecret", string.Empty);
+
+        public string OidcAuthority => GetValue("OidcAuthority", string.Empty);
+
         public bool ProxyEnabled => GetValueBoolean("ProxyEnabled", false);
 
         public ProxyType ProxyType => GetValueEnum<ProxyType>("ProxyType", ProxyType.Http);
diff --git a/src/NzbDrone.Core/Configuration/IConfigService.cs b/src/NzbDrone.Core/Configuration/IConfigService.cs
index 2c5b3576e8..22c4de9eb4 100644
--- a/src/NzbDrone.Core/Configuration/IConfigService.cs
+++ b/src/NzbDrone.Core/Configuration/IConfigService.cs
@@ -88,6 +88,16 @@ public interface IConfigService
         string RijndaelSalt { get; }
         string HmacSalt { get; }
 
+        // Plex Auth
+        string PlexAuthServer { get; }
+
+        bool PlexRequireOwner { get; }
+
+        // OIDC Auth
+        string OidcClientId { get; }
+        string OidcClientSecret { get; }
+        string OidcAuthority { get; }
+
         // Proxy
         bool ProxyEnabled { get; }
         ProxyType ProxyType { get; }
diff --git a/src/NzbDrone.Core/Localization/Core/en.json b/src/NzbDrone.Core/Localization/Core/en.json
index ed28961e40..ea4114dbbb 100644
--- a/src/NzbDrone.Core/Localization/Core/en.json
+++ b/src/NzbDrone.Core/Localization/Core/en.json
@@ -74,6 +74,7 @@
   "Authentication": "Authentication",
   "AuthenticationMethodHelpText": "Require Username and Password to access Radarr",
   "AuthForm": "Forms (Login Page)",
+  "Authority": "Authority",
   "Auto": "Auto",
   "Automatic": "Automatic",
   "AutomaticSearch": "Automatic Search",
@@ -133,7 +134,9 @@
   "ClickToChangeMovie": "Click to change movie",
   "ClickToChangeQuality": "Click to change quality",
   "ClickToChangeReleaseGroup": "Click to change release group",
+  "ClientId": "ClientId",
   "ClientPriority": "Client Priority",
+  "ClientSecret": "ClientSecret",
   "CloneCustomFormat": "Clone Custom Format",
   "CloneFormatTag": "Clone Format Tag",
   "CloneIndexer": "Clone Indexer",
@@ -696,6 +699,7 @@
   "Permissions": "Permissions",
   "PhysicalRelease": "Physical Release",
   "PhysicalReleaseDate": "Physical Release Date",
+  "PlexServer": "Plex Server",
   "Port": "Port",
   "PortNumber": "Port Number",
   "PosterOptions": "Poster Options",
@@ -860,6 +864,7 @@
   "RestartRequiredHelpTextWarning": "Requires restart to take effect",
   "Restore": "Restore",
   "RestoreBackup": "Restore Backup",
+  "RestrictAccessToServerOwner": "Restrict Access to Server Owner",
   "Restrictions": "Restrictions",
   "Result": "Result",
   "Retention": "Retention",
diff --git a/src/NzbDrone.Core/Notifications/Plex/PlexTv/PlexTvProxy.cs b/src/NzbDrone.Core/Notifications/Plex/PlexTv/PlexTvProxy.cs
index 0a299a4ba5..68a41bb918 100644
--- a/src/NzbDrone.Core/Notifications/Plex/PlexTv/PlexTvProxy.cs
+++ b/src/NzbDrone.Core/Notifications/Plex/PlexTv/PlexTvProxy.cs
@@ -1,4 +1,5 @@
 using System;
+using System.Collections.Generic;
 using System.Net;
 using NLog;
 using NzbDrone.Common.EnvironmentInfo;
@@ -12,6 +13,7 @@ public interface IPlexTvProxy
     {
         string GetAuthToken(string clientIdentifier, int pinId);
         bool Ping(string clientIdentifier, string authToken);
+        List<PlexTvResource> GetResources(string clientIdentifier, string token);
     }
 
     public class PlexTvProxy : IPlexTvProxy
@@ -30,9 +32,7 @@ public string GetAuthToken(string clientIdentifier, int pinId)
             var request = BuildRequest(clientIdentifier);
             request.ResourceUrl = $"/api/v2/pins/{pinId}";
 
-            PlexTvPinResponse response;
-
-            if (!Json.TryDeserialize<PlexTvPinResponse>(ProcessRequest(request), out response))
+            if (!Json.TryDeserialize<PlexTvPinResponse>(ProcessRequest(request), out var response))
             {
                 response = new PlexTvPinResponse();
             }
@@ -63,6 +63,20 @@ public bool Ping(string clientIdentifier, string authToken)
             return false;
         }
 
+        public List<PlexTvResource> GetResources(string clientIdentifier, string token)
+        {
+            var request = BuildRequest(clientIdentifier);
+            request.AddQueryParam("X-Plex-Token", token);
+            request.ResourceUrl = "api/v2/resources";
+
+            if (!Json.TryDeserialize<List<PlexTvResource>>(ProcessRequest(request), out var response))
+            {
+                response = new List<PlexTvResource>();
+            }
+
+            return response;
+        }
+
         private HttpRequestBuilder BuildRequest(string clientIdentifier)
         {
             var requestBuilder = new HttpRequestBuilder("https://plex.tv")
diff --git a/src/NzbDrone.Core/Notifications/Plex/PlexTv/PlexTvResource.cs b/src/NzbDrone.Core/Notifications/Plex/PlexTv/PlexTvResource.cs
new file mode 100644
index 0000000000..3bd20c4f05
--- /dev/null
+++ b/src/NzbDrone.Core/Notifications/Plex/PlexTv/PlexTvResource.cs
@@ -0,0 +1,13 @@
+namespace NzbDrone.Core.Notifications.Plex.PlexTv
+{
+    public class PlexTvResource
+    {
+        public string Name { get; set; }
+        public string Product { get; set; }
+        public string Platform { get; set; }
+        public string ClientIdentifier { get; set; }
+        public string Provides { get; set; }
+        public bool Owned { get; set; }
+        public bool Home { get; set; }
+    }
+}
diff --git a/src/NzbDrone.Core/Notifications/Plex/PlexTv/PlexTvService.cs b/src/NzbDrone.Core/Notifications/Plex/PlexTv/PlexTvService.cs
index 8aa324b7e5..08c3f8763d 100644
--- a/src/NzbDrone.Core/Notifications/Plex/PlexTv/PlexTvService.cs
+++ b/src/NzbDrone.Core/Notifications/Plex/PlexTv/PlexTvService.cs
@@ -1,4 +1,5 @@
 using System;
+using System.Collections.Generic;
 using System.Linq;
 using System.Net.Http;
 using System.Text;
@@ -15,6 +16,8 @@ public interface IPlexTvService
         PlexTvSignInUrlResponse GetSignInUrl(string callbackUrl, int pinId, string pinCode);
         string GetAuthToken(int pinId);
         void Ping(string authToken);
+        List<PlexTvResource> GetResources(string token);
+
         HttpRequest GetWatchlist(string authToken);
     }
 
@@ -94,6 +97,11 @@ public void Ping(string authToken)
             _cache.Get(authToken, () => _proxy.Ping(_configService.PlexClientIdentifier, authToken), TimeSpan.FromHours(24));
         }
 
+        public List<PlexTvResource> GetResources(string token)
+        {
+            return _proxy.GetResources(_configService.PlexClientIdentifier, token);
+        }
+
         public HttpRequest GetWatchlist(string authToken)
         {
             Ping(authToken);
diff --git a/src/NzbDrone.Host/Startup.cs b/src/NzbDrone.Host/Startup.cs
index 5b8aed0587..9be9b778d6 100644
--- a/src/NzbDrone.Host/Startup.cs
+++ b/src/NzbDrone.Host/Startup.cs
@@ -22,7 +22,6 @@
 using NzbDrone.Core.Lifecycle;
 using NzbDrone.Core.Messaging.Events;
 using NzbDrone.Host.AccessControl;
-using NzbDrone.Http.Authentication;
 using NzbDrone.SignalR;
 using Radarr.Api.V4.System;
 using Radarr.Http;
diff --git a/src/Radarr.Api.V4/Authentication/AuthenticationController.cs b/src/Radarr.Api.V4/Authentication/AuthenticationController.cs
new file mode 100644
index 0000000000..fce1f1ef6b
--- /dev/null
+++ b/src/Radarr.Api.V4/Authentication/AuthenticationController.cs
@@ -0,0 +1,28 @@
+using System.Collections.Generic;
+using System.Net;
+using System.Security.Claims;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Mvc;
+using NzbDrone.Core.Notifications.Plex.PlexTv;
+using Radarr.Http;
+
+namespace Radarr.Api.V4.Authentication
+{
+    [V4ApiController]
+    public class AuthenticationController : Controller
+    {
+        private readonly IPlexTvService _plex;
+
+        public AuthenticationController(IPlexTvService plex)
+        {
+            _plex = plex;
+        }
+
+        [HttpGet("plex/resources")]
+        public List<PlexTvResource> GetResources(string accessToken)
+        {
+            return _plex.GetResources(accessToken);
+        }
+    }
+}
diff --git a/src/Radarr.Api.V4/Config/HostConfigController.cs b/src/Radarr.Api.V4/Config/HostConfigController.cs
index 3e502d5c6a..556701df21 100644
--- a/src/Radarr.Api.V4/Config/HostConfigController.cs
+++ b/src/Radarr.Api.V4/Config/HostConfigController.cs
@@ -1,3 +1,4 @@
+using System.Collections.Generic;
 using System.IO;
 using System.Linq;
 using System.Reflection;
@@ -23,6 +24,8 @@ public class HostConfigController : RestController<HostConfigResource>
         private readonly IConfigService _configService;
         private readonly IUserService _userService;
 
+        private static readonly List<AuthenticationType> UserPassAuths = new List<AuthenticationType> { AuthenticationType.Basic, AuthenticationType.Forms };
+
         public HostConfigController(IConfigFileProvider configFileProvider,
                                     IConfigService configService,
                                     IUserService userService,
@@ -42,8 +45,12 @@ public HostConfigController(IConfigFileProvider configFileProvider,
             SharedValidator.RuleFor(c => c.UrlBase).ValidUrlBase();
             SharedValidator.RuleFor(c => c.InstanceName).ContainsRadarr().When(c => c.InstanceName.IsNotNullOrWhiteSpace());
 
-            SharedValidator.RuleFor(c => c.Username).NotEmpty().When(c => c.AuthenticationMethod != AuthenticationType.None);
-            SharedValidator.RuleFor(c => c.Password).NotEmpty().When(c => c.AuthenticationMethod != AuthenticationType.None);
+            SharedValidator.RuleFor(c => c.Username).NotEmpty().When(c => UserPassAuths.Contains(c.AuthenticationMethod));
+            SharedValidator.RuleFor(c => c.Password).NotEmpty().When(c => UserPassAuths.Contains(c.AuthenticationMethod));
+            SharedValidator.RuleFor(c => c.PlexAuthServer).NotEmpty().When(c => c.AuthenticationMethod == AuthenticationType.Plex);
+            SharedValidator.RuleFor(c => c.OidcAuthority).IsValidUrl().Must(x => x.StartsWith("https://")).WithMessage("Authority must use HTTPS").When(c => c.AuthenticationMethod == AuthenticationType.Oidc);
+            SharedValidator.RuleFor(c => c.OidcClientId).NotEmpty().When(c => c.AuthenticationMethod == AuthenticationType.Oidc);
+            SharedValidator.RuleFor(c => c.OidcClientSecret).NotEmpty().When(c => c.AuthenticationMethod == AuthenticationType.Oidc);
 
             SharedValidator.RuleFor(c => c.SslPort).ValidPort().When(c => c.EnableSsl);
             SharedValidator.RuleFor(c => c.SslPort).NotEqual(c => c.Port).When(c => c.EnableSsl);
diff --git a/src/Radarr.Api.V4/Config/HostConfigResource.cs b/src/Radarr.Api.V4/Config/HostConfigResource.cs
index 8dd3fdfea2..1d1ca3d354 100644
--- a/src/Radarr.Api.V4/Config/HostConfigResource.cs
+++ b/src/Radarr.Api.V4/Config/HostConfigResource.cs
@@ -31,6 +31,11 @@ public class HostConfigResource : RestResource
         public bool UpdateAutomatically { get; set; }
         public UpdateMechanism UpdateMechanism { get; set; }
         public string UpdateScriptPath { get; set; }
+        public string PlexAuthServer { get; set; }
+        public bool PlexRequireOwner { get; set; }
+        public string OidcClientId { get; set; }
+        public string OidcClientSecret { get; set; }
+        public string OidcAuthority { get; set; }
         public bool ProxyEnabled { get; set; }
         public ProxyType ProxyType { get; set; }
         public string ProxyHostname { get; set; }
@@ -74,6 +79,11 @@ public static HostConfigResource ToResource(this IConfigFileProvider model, ICon
                 UpdateAutomatically = model.UpdateAutomatically,
                 UpdateMechanism = model.UpdateMechanism,
                 UpdateScriptPath = model.UpdateScriptPath,
+                PlexAuthServer = configService.PlexAuthServer,
+                PlexRequireOwner = configService.PlexRequireOwner,
+                OidcClientId = configService.OidcClientId,
+                OidcClientSecret = configService.OidcClientSecret,
+                OidcAuthority = configService.OidcAuthority,
                 ProxyEnabled = configService.ProxyEnabled,
                 ProxyType = configService.ProxyType,
                 ProxyHostname = configService.ProxyHostname,
diff --git a/src/Radarr.Http/Authentication/ApiKeyRequirement.cs b/src/Radarr.Http/Authentication/ApiKeyRequirement.cs
index abe096ce93..e916740b07 100644
--- a/src/Radarr.Http/Authentication/ApiKeyRequirement.cs
+++ b/src/Radarr.Http/Authentication/ApiKeyRequirement.cs
@@ -1,7 +1,7 @@
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authorization;
 
-namespace NzbDrone.Http.Authentication
+namespace Radarr.Http.Authentication
 {
     public class ApiKeyRequirement : AuthorizationHandler<ApiKeyRequirement>, IAuthorizationRequirement
     {
diff --git a/src/Radarr.Http/Authentication/AuthenticationBuilderExtensions.cs b/src/Radarr.Http/Authentication/AuthenticationBuilderExtensions.cs
index 6bc763be4e..0b7e12048f 100644
--- a/src/Radarr.Http/Authentication/AuthenticationBuilderExtensions.cs
+++ b/src/Radarr.Http/Authentication/AuthenticationBuilderExtensions.cs
@@ -1,7 +1,9 @@
 using System;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.Extensions.DependencyInjection;
+using NzbDrone.Common.EnvironmentInfo;
 using NzbDrone.Core.Authentication;
+using Radarr.Http.Authentication.Plex;
 
 namespace Radarr.Http.Authentication
 {
@@ -22,25 +24,50 @@ public static AuthenticationBuilder AddNone(this AuthenticationBuilder authentic
             return authenticationBuilder.AddScheme<AuthenticationSchemeOptions, NoAuthenticationHandler>(name, options => { });
         }
 
-        public static AuthenticationBuilder AddExternal(this AuthenticationBuilder authenticationBuilder, string name)
+        public static string GetChallengeScheme(this AuthenticationType scheme)
         {
-            return authenticationBuilder.AddScheme<AuthenticationSchemeOptions, NoAuthenticationHandler>(name, options => { });
+            return scheme.ToString() + "Remote";
         }
 
         public static AuthenticationBuilder AddAppAuthentication(this IServiceCollection services)
         {
-            return services.AddAuthentication()
+            var builder = services.AddAuthentication()
                 .AddNone(AuthenticationType.None.ToString())
-                .AddExternal(AuthenticationType.External.ToString())
+                .AddNone(AuthenticationType.External.ToString())
                 .AddBasic(AuthenticationType.Basic.ToString())
                 .AddCookie(AuthenticationType.Forms.ToString(), options =>
                 {
-                    options.Cookie.Name = "RadarrAuth";
-                    options.AccessDeniedPath = "/login?loginFailed=true";
+                    options.Cookie.Name = BuildInfo.AppName + "Auth";
                     options.LoginPath = "/login";
+                    options.AccessDeniedPath = "/login/failed";
+                    options.LogoutPath = "/logout";
                     options.ExpireTimeSpan = TimeSpan.FromDays(7);
                     options.SlidingExpiration = true;
                 })
+                .AddCookie(AuthenticationType.Plex.ToString(), options =>
+                {
+                    options.Cookie.Name = BuildInfo.AppName + "PlexAuth";
+                    options.LoginPath = "/login/sso";
+                    options.AccessDeniedPath = "/login/sso/failed";
+                    options.LogoutPath = "/logout";
+                    options.ExpireTimeSpan = TimeSpan.FromDays(7);
+                    options.SlidingExpiration = true;
+                })
+                .AddPlex(AuthenticationType.Plex.GetChallengeScheme(), options =>
+                {
+                    options.SignInScheme = AuthenticationType.Plex.ToString();
+                    options.CorrelationCookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
+                })
+                .AddCookie(AuthenticationType.Oidc.ToString(), options =>
+                {
+                    options.Cookie.Name = BuildInfo.AppName + "OidcAuth";
+                    options.LoginPath = "/login/sso";
+                    options.AccessDeniedPath = "/login/sso/failed";
+                    options.LogoutPath = "/logout";
+                    options.ExpireTimeSpan = TimeSpan.FromDays(7);
+                    options.SlidingExpiration = true;
+                })
+                .AddOpenIdConnect(AuthenticationType.Oidc.GetChallengeScheme(), _ => { } /* See ConfigureOidcOptions.cs */)
                 .AddApiKey("API", options =>
                 {
                     options.HeaderName = "X-Api-Key";
@@ -51,6 +78,8 @@ public static AuthenticationBuilder AddAppAuthentication(this IServiceCollection
                     options.HeaderName = "X-Api-Key";
                     options.QueryName = "access_token";
                 });
+
+            return builder;
         }
     }
 }
diff --git a/src/Radarr.Http/Authentication/AuthenticationController.cs b/src/Radarr.Http/Authentication/AuthenticationController.cs
index e796f92f4e..6de214c760 100644
--- a/src/Radarr.Http/Authentication/AuthenticationController.cs
+++ b/src/Radarr.Http/Authentication/AuthenticationController.cs
@@ -23,13 +23,24 @@ public AuthenticationController(IAuthenticationService authService, IConfigFileP
         }
 
         [HttpPost("login")]
-        public async Task<IActionResult> Login([FromForm] LoginResource resource, [FromQuery] string returnUrl = null)
+        public Task LoginLogin([FromForm] LoginResource resource, [FromQuery] string returnUrl = "/")
+        {
+            if (_configFileProvider.AuthenticationMethod == AuthenticationType.Forms)
+            {
+                return LoginForms(resource, returnUrl);
+            }
+
+            return LoginSso(resource, returnUrl);
+        }
+
+        private async Task LoginForms(LoginResource resource, string returnUrl)
         {
             var user = _authService.Login(HttpContext.Request, resource.Username, resource.Password);
 
             if (user == null)
             {
-                return Redirect($"~/login?returnUrl={returnUrl}&loginFailed=true");
+                await HttpContext.ForbidAsync(AuthenticationType.Forms.ToString());
+                return;
             }
 
             var claims = new List<Claim>
@@ -41,20 +52,36 @@ public async Task<IActionResult> Login([FromForm] LoginResource resource, [FromQ
 
             var authProperties = new AuthenticationProperties
             {
-                IsPersistent = resource.RememberMe == "on"
+                IsPersistent = resource.RememberMe == "on",
+                RedirectUri = returnUrl
             };
 
             await HttpContext.SignInAsync(AuthenticationType.Forms.ToString(), new ClaimsPrincipal(new ClaimsIdentity(claims, "Cookies", "user", "identifier")), authProperties);
+        }
 
-            return Redirect(_configFileProvider.UrlBase + "/");
+        private async Task LoginSso(LoginResource resource, string returnUrl = "/")
+        {
+            var authProperties = new AuthenticationProperties
+            {
+                IsPersistent = resource.RememberMe == "on",
+                RedirectUri = returnUrl
+            };
+
+            await HttpContext.ChallengeAsync(_configFileProvider.AuthenticationMethod.GetChallengeScheme(), authProperties);
         }
 
         [HttpGet("logout")]
-        public async Task<IActionResult> Logout()
+        public async Task Logout()
         {
             _authService.Logout(HttpContext);
-            await HttpContext.SignOutAsync(AuthenticationType.Forms.ToString());
-            return Redirect(_configFileProvider.UrlBase + "/");
+
+            var authType = _configFileProvider.AuthenticationMethod;
+            await HttpContext.SignOutAsync(authType.ToString());
+
+            if (authType == AuthenticationType.Oidc)
+            {
+                await HttpContext.SignOutAsync(authType.GetChallengeScheme());
+            }
         }
     }
 }
diff --git a/src/Radarr.Http/Authentication/BypassableDenyAnonymousAuthorizationRequirement.cs b/src/Radarr.Http/Authentication/BypassableDenyAnonymousAuthorizationRequirement.cs
index 3ad4edcba4..5dc31d8fc5 100644
--- a/src/Radarr.Http/Authentication/BypassableDenyAnonymousAuthorizationRequirement.cs
+++ b/src/Radarr.Http/Authentication/BypassableDenyAnonymousAuthorizationRequirement.cs
@@ -1,6 +1,6 @@
 using Microsoft.AspNetCore.Authorization.Infrastructure;
 
-namespace NzbDrone.Http.Authentication
+namespace Radarr.Http.Authentication
 {
     public class BypassableDenyAnonymousAuthorizationRequirement : DenyAnonymousAuthorizationRequirement
     {
diff --git a/src/Radarr.Http/Authentication/OpenIdConnect/ConfigureOidcOptions.cs b/src/Radarr.Http/Authentication/OpenIdConnect/ConfigureOidcOptions.cs
new file mode 100644
index 0000000000..099b652bbf
--- /dev/null
+++ b/src/Radarr.Http/Authentication/OpenIdConnect/ConfigureOidcOptions.cs
@@ -0,0 +1,34 @@
+using System;
+using System.Diagnostics;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.Extensions.Options;
+using NzbDrone.Common.Extensions;
+using NzbDrone.Core.Authentication;
+using NzbDrone.Core.Configuration;
+
+namespace Radarr.Http.Authentication.OpenIdConnect
+{
+    public class ConfigureOidcOptions : IConfigureNamedOptions<OpenIdConnectOptions>
+    {
+        private readonly IConfigService _configService;
+
+        public ConfigureOidcOptions(IConfigService configService)
+        {
+            _configService = configService;
+        }
+
+        public void Configure(string name, OpenIdConnectOptions options)
+        {
+            options.ClientId = _configService.OidcClientId.IsNullOrWhiteSpace() ? "dummy" : _configService.OidcClientId;
+            options.ClientSecret = _configService.OidcClientSecret.IsNullOrWhiteSpace() ? "dummy" : _configService.OidcClientSecret;
+            options.Authority = _configService.OidcAuthority.IsNullOrWhiteSpace() ? "https://dummy.com" : _configService.OidcAuthority;
+            options.SignedOutRedirectUri = "/login/sso";
+            options.SignInScheme = AuthenticationType.Oidc.ToString();
+            options.NonceCookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
+            options.CorrelationCookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
+        }
+
+        public void Configure(OpenIdConnectOptions options)
+        => Debug.Fail("This infrastructure method shouldn't be called.");
+    }
+}
diff --git a/src/Radarr.Http/Authentication/Plex/PlexConstants.cs b/src/Radarr.Http/Authentication/Plex/PlexConstants.cs
new file mode 100644
index 0000000000..7e34de12b9
--- /dev/null
+++ b/src/Radarr.Http/Authentication/Plex/PlexConstants.cs
@@ -0,0 +1,9 @@
+namespace Radarr.Http.Authentication.Plex
+{
+    public static class PlexConstants
+    {
+        public static readonly string PinId = "pin_id";
+        public static readonly string ServerOwnedClaim = "plex:server:owned";
+        public static readonly string ServerAccessClaim = "plex:server:access";
+    }
+}
diff --git a/src/Radarr.Http/Authentication/Plex/PlexDefaults.cs b/src/Radarr.Http/Authentication/Plex/PlexDefaults.cs
new file mode 100644
index 0000000000..47f9fe8d52
--- /dev/null
+++ b/src/Radarr.Http/Authentication/Plex/PlexDefaults.cs
@@ -0,0 +1,17 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Radarr.Http.Authentication.Plex
+{
+    public static class PlexDefaults
+    {
+        public const string AuthenticationScheme = "Plex";
+        public static readonly string DisplayName = "Plex";
+        public static readonly string AuthorizationEndpoint = "https://plex.tv/api/v2/pins";
+        public static readonly string TokenEndpoint = "https://app.plex.tv/auth/#!";
+        public static readonly string UserInformationEndpoint = "https://www.googleapis.com/oauth2/v2/userinfo";
+    }
+}
diff --git a/src/Radarr.Http/Authentication/Plex/PlexExtensions.cs b/src/Radarr.Http/Authentication/Plex/PlexExtensions.cs
new file mode 100644
index 0000000000..8829e07503
--- /dev/null
+++ b/src/Radarr.Http/Authentication/Plex/PlexExtensions.cs
@@ -0,0 +1,16 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Radarr.Http.Authentication.Plex
+{
+    public static class PlexExtensions
+    {
+        public static AuthenticationBuilder AddPlex(this AuthenticationBuilder builder, string authenticationScheme, Action<PlexOptions> configureOptions)
+            => builder.AddOAuth<PlexOptions, PlexHandler>(authenticationScheme, PlexDefaults.DisplayName, configureOptions);
+    }
+}
diff --git a/src/Radarr.Http/Authentication/Plex/PlexHandler.cs b/src/Radarr.Http/Authentication/Plex/PlexHandler.cs
new file mode 100644
index 0000000000..4d811f2723
--- /dev/null
+++ b/src/Radarr.Http/Authentication/Plex/PlexHandler.cs
@@ -0,0 +1,135 @@
+using System;
+using System.Collections.Generic;
+using System.Net.Http;
+using System.Net.Http.Headers;
+using System.Security.Claims;
+using System.Text.Encodings.Web;
+using System.Text.Json;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.OAuth;
+using Microsoft.AspNetCore.WebUtilities;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using Microsoft.Extensions.Primitives;
+using NzbDrone.Core.Notifications.Plex.PlexTv;
+
+namespace Radarr.Http.Authentication.Plex
+{
+    public class PlexHandler : OAuthHandler<PlexOptions>
+    {
+        private readonly IPlexTvService _plexTvService;
+
+        public PlexHandler(IOptionsMonitor<PlexOptions> options, ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock, IPlexTvService plexTvService)
+        : base(options, logger, encoder, clock)
+        {
+            _plexTvService = plexTvService;
+        }
+
+        protected override string BuildChallengeUrl(AuthenticationProperties properties, string redirectUri)
+        {
+            var pinUrl = _plexTvService.GetPinUrl();
+
+            var requestMessage = new HttpRequestMessage(HttpMethod.Post, pinUrl.Url);
+            requestMessage.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
+
+            var response = Backchannel.Send(requestMessage, Context.RequestAborted);
+            var pin = JsonSerializer.Deserialize<PlexPinResponse>(response.Content.ReadAsStream());
+
+            properties.Items.Add(PlexConstants.PinId, pin.id.ToString());
+
+            var state = Options.StateDataFormat.Protect(properties);
+
+            var plexRedirectUrl = QueryHelpers.AddQueryString(redirectUri, new Dictionary<string, string> { { "state", state } });
+
+            return _plexTvService.GetSignInUrl(plexRedirectUrl, pin.id, pin.code).OauthUrl;
+        }
+
+        protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync()
+        {
+            var query = Request.Query;
+
+            var state = query["state"];
+            var properties = Options.StateDataFormat.Unprotect(state);
+
+            if (properties == null)
+            {
+                return HandleRequestResult.Fail("The oauth state was missing or invalid.");
+            }
+
+            if (!properties.Items.TryGetValue(PlexConstants.PinId, out var code))
+            {
+                return HandleRequestResult.Fail("The pin was missing or invalid.");
+            }
+
+            if (!int.TryParse(code, out var _))
+            {
+                return HandleRequestResult.Fail("The pin was in the wrong format.");
+            }
+
+            var codeExchangeContext = new OAuthCodeExchangeContext(properties, code, BuildRedirectUri(Options.CallbackPath));
+            using var tokens = await ExchangeCodeAsync(codeExchangeContext);
+
+            if (tokens.Error != null)
+            {
+                return HandleRequestResult.Fail(tokens.Error);
+            }
+
+            if (string.IsNullOrEmpty(tokens.AccessToken))
+            {
+                return HandleRequestResult.Fail("Failed to retrieve access token.");
+            }
+
+            var resources = _plexTvService.GetResources(tokens.AccessToken);
+
+            var identity = new ClaimsIdentity(ClaimsIssuer);
+
+            foreach (var resource in resources)
+            {
+                if (resource.Owned)
+                {
+                    identity.AddClaim(new Claim(PlexConstants.ServerOwnedClaim, resource.ClientIdentifier));
+                }
+                else
+                {
+                    identity.AddClaim(new Claim(PlexConstants.ServerAccessClaim, resource.ClientIdentifier));
+                }
+            }
+
+            var ticket = await CreateTicketAsync(identity, properties, tokens);
+            if (ticket != null)
+            {
+                return HandleRequestResult.Success(ticket);
+            }
+            else
+            {
+                return HandleRequestResult.Fail("Failed to retrieve user information from remote server.");
+            }
+        }
+
+        protected override Task<OAuthTokenResponse> ExchangeCodeAsync(OAuthCodeExchangeContext context)
+        {
+            var token = _plexTvService.GetAuthToken(int.Parse(context.Code));
+
+            var result = !StringValues.IsNullOrEmpty(token) switch
+            {
+                true => OAuthTokenResponse.Success(JsonDocument.Parse(string.Format("{{\"access_token\": \"{0}\"}}", token))),
+                false => OAuthTokenResponse.Failed(new Exception("No token returned"))
+            };
+
+            return Task.FromResult(result);
+        }
+
+        private static OAuthTokenResponse PrepareFailedOAuthTokenReponse(HttpResponseMessage response, string body)
+        {
+            var errorMessage = $"OAuth token endpoint failure: Status: {response.StatusCode};Headers: {response.Headers};Body: {body};";
+            return OAuthTokenResponse.Failed(new Exception(errorMessage));
+        }
+
+        private class PlexPinResponse
+        {
+            public int id { get; set; }
+            public string code { get; set; }
+        }
+    }
+}
diff --git a/src/Radarr.Http/Authentication/Plex/PlexOptions.cs b/src/Radarr.Http/Authentication/Plex/PlexOptions.cs
new file mode 100644
index 0000000000..5fe17d5e06
--- /dev/null
+++ b/src/Radarr.Http/Authentication/Plex/PlexOptions.cs
@@ -0,0 +1,20 @@
+using Microsoft.AspNetCore.Authentication.OAuth;
+using Microsoft.AspNetCore.Http;
+
+namespace Radarr.Http.Authentication.Plex
+{
+    public class PlexOptions : OAuthOptions
+    {
+        public PlexOptions()
+        {
+            CallbackPath = new PathString("/signin-plex");
+            AuthorizationEndpoint = PlexDefaults.AuthorizationEndpoint;
+            TokenEndpoint = PlexDefaults.TokenEndpoint;
+            UserInformationEndpoint = PlexDefaults.UserInformationEndpoint;
+        }
+
+        public override void Validate()
+        {
+        }
+    }
+}
diff --git a/src/Radarr.Http/Authentication/Plex/PlexServerRequirement.cs b/src/Radarr.Http/Authentication/Plex/PlexServerRequirement.cs
new file mode 100644
index 0000000000..0855d83580
--- /dev/null
+++ b/src/Radarr.Http/Authentication/Plex/PlexServerRequirement.cs
@@ -0,0 +1,52 @@
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authorization;
+using NzbDrone.Core.Configuration;
+using NzbDrone.Core.Configuration.Events;
+using NzbDrone.Core.Messaging.Events;
+
+namespace Radarr.Http.Authentication.Plex
+{
+    public class PlexServerRequirement : IAuthorizationRequirement
+    {
+    }
+
+    public class PlexServerHandler : AuthorizationHandler<PlexServerRequirement>, IHandle<ConfigSavedEvent>
+    {
+        private readonly IConfigService _configService;
+        private string _requiredServer;
+        private bool _requireOwner;
+
+        public PlexServerHandler(IConfigService configService)
+        {
+            _configService = configService;
+            _requiredServer = configService.PlexAuthServer;
+            _requireOwner = configService.PlexRequireOwner;
+        }
+
+        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PlexServerRequirement requirement)
+        {
+            var serverClaim = context.User.FindFirst(c => c.Type == PlexConstants.ServerOwnedClaim && c.Value == _requiredServer);
+            if (serverClaim != null)
+            {
+                context.Succeed(requirement);
+            }
+
+            if (!_requireOwner)
+            {
+                serverClaim = context.User.FindFirst(c => c.Type == PlexConstants.ServerAccessClaim && c.Value == _requiredServer);
+                if (serverClaim != null)
+                {
+                    context.Succeed(requirement);
+                }
+            }
+
+            return Task.CompletedTask;
+        }
+
+        public void Handle(ConfigSavedEvent message)
+        {
+            _requiredServer = _configService.PlexAuthServer;
+            _requireOwner = _configService.PlexRequireOwner;
+        }
+    }
+}
diff --git a/src/Radarr.Http/Authentication/UiAuthorizationHandler.cs b/src/Radarr.Http/Authentication/UiAuthorizationHandler.cs
index fa77127ab2..51dfd2b4af 100644
--- a/src/Radarr.Http/Authentication/UiAuthorizationHandler.cs
+++ b/src/Radarr.Http/Authentication/UiAuthorizationHandler.cs
@@ -9,7 +9,7 @@
 using NzbDrone.Core.Messaging.Events;
 using Radarr.Http.Extensions;
 
-namespace NzbDrone.Http.Authentication
+namespace Radarr.Http.Authentication
 {
     public class UiAuthorizationHandler : AuthorizationHandler<BypassableDenyAnonymousAuthorizationRequirement>, IAuthorizationRequirement, IHandle<ConfigSavedEvent>
     {
diff --git a/src/Radarr.Http/Authentication/UiAuthorizationPolicyProvider.cs b/src/Radarr.Http/Authentication/UiAuthorizationPolicyProvider.cs
index 50f1c3adab..ab9df5c3fe 100644
--- a/src/Radarr.Http/Authentication/UiAuthorizationPolicyProvider.cs
+++ b/src/Radarr.Http/Authentication/UiAuthorizationPolicyProvider.cs
@@ -2,9 +2,11 @@
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.Extensions.Options;
+using NzbDrone.Core.Authentication;
 using NzbDrone.Core.Configuration;
+using Radarr.Http.Authentication.Plex;
 
-namespace NzbDrone.Http.Authentication
+namespace Radarr.Http.Authentication
 {
     public class UiAuthorizationPolicyProvider : IAuthorizationPolicyProvider
     {
@@ -28,10 +30,15 @@ public Task<AuthorizationPolicy> GetPolicyAsync(string policyName)
         {
             if (policyName.Equals(POLICY_NAME, StringComparison.OrdinalIgnoreCase))
             {
-                var policy = new AuthorizationPolicyBuilder(_config.AuthenticationMethod.ToString())
+                var builder = new AuthorizationPolicyBuilder(_config.AuthenticationMethod.ToString())
                     .AddRequirements(new BypassableDenyAnonymousAuthorizationRequirement());
 
-                return Task.FromResult(policy.Build());
+                if (_config.AuthenticationMethod == AuthenticationType.Plex)
+                {
+                    builder.AddRequirements(new PlexServerRequirement());
+                }
+
+                return Task.FromResult(builder.Build());
             }
 
             return FallbackPolicyProvider.GetPolicyAsync(policyName);
diff --git a/src/Radarr.Http/Frontend/Mappers/LoginHtmlMapper.cs b/src/Radarr.Http/Frontend/Mappers/LoginHtmlMapper.cs
index 184c826cf2..3493717f74 100644
--- a/src/Radarr.Http/Frontend/Mappers/LoginHtmlMapper.cs
+++ b/src/Radarr.Http/Frontend/Mappers/LoginHtmlMapper.cs
@@ -3,12 +3,15 @@
 using NLog;
 using NzbDrone.Common.Disk;
 using NzbDrone.Common.EnvironmentInfo;
+using NzbDrone.Core.Authentication;
 using NzbDrone.Core.Configuration;
 
 namespace Radarr.Http.Frontend.Mappers
 {
     public class LoginHtmlMapper : HtmlMapperBase
     {
+        private readonly IConfigFileProvider _configFileProvider;
+
         public LoginHtmlMapper(IAppFolderInfo appFolderInfo,
                                IDiskProvider diskProvider,
                                Lazy<ICacheBreakerProvider> cacheBreakProviderFactory,
@@ -16,6 +19,8 @@ public LoginHtmlMapper(IAppFolderInfo appFolderInfo,
                                Logger logger)
             : base(diskProvider, cacheBreakProviderFactory, logger)
         {
+            _configFileProvider = configFileProvider;
+
             HtmlPath = Path.Combine(appFolderInfo.StartUpFolder, configFileProvider.UiFolder, "login.html");
             UrlBase = configFileProvider.UrlBase;
         }
@@ -25,6 +30,34 @@ public override string Map(string resourceUrl)
             return HtmlPath;
         }
 
+        protected override Stream GetContentStream(string filePath)
+        {
+            var text = GetHtmlText();
+
+            var loginText = _configFileProvider.AuthenticationMethod switch
+            {
+                AuthenticationType.Plex => "Authenticate with Plex",
+                AuthenticationType.Oidc => "Authenticate with OpenID Connect",
+                _ => "Login"
+            };
+
+            var failedText = _configFileProvider.AuthenticationMethod switch
+            {
+                AuthenticationType.Forms => "Incorrect Username or Password",
+                _ => "Access Denied"
+            };
+
+            text = text.Replace("LOGIN_PLACEHOLDER", loginText);
+            text = text.Replace("FAILED_PLACEHOLDER", failedText);
+
+            var stream = new MemoryStream();
+            var writer = new StreamWriter(stream);
+            writer.Write(text);
+            writer.Flush();
+            stream.Position = 0;
+            return stream;
+        }
+
         public override bool CanHandle(string resourceUrl)
         {
             return resourceUrl.StartsWith("/login");
diff --git a/src/Radarr.Http/Frontend/StaticResourceController.cs b/src/Radarr.Http/Frontend/StaticResourceController.cs
index e0eeeefc5e..9707415a40 100644
--- a/src/Radarr.Http/Frontend/StaticResourceController.cs
+++ b/src/Radarr.Http/Frontend/StaticResourceController.cs
@@ -4,8 +4,6 @@
 using Microsoft.AspNetCore.Cors;
 using Microsoft.AspNetCore.Mvc;
 using NLog;
-using NzbDrone.Common.EnvironmentInfo;
-using NzbDrone.Core.Configuration;
 using Radarr.Http.Extensions;
 using Radarr.Http.Frontend.Mappers;
 
@@ -27,6 +25,9 @@ public StaticResourceController(IEnumerable<IMapHttpRequestsToDisk> requestMappe
 
         [AllowAnonymous]
         [HttpGet("login")]
+        [HttpGet("login/failed")]
+        [HttpGet("login/sso")]
+        [HttpGet("login/sso/failed")]
         public IActionResult LoginPage()
         {
             return MapResource("login");
diff --git a/src/Radarr.Http/Radarr.Http.csproj b/src/Radarr.Http/Radarr.Http.csproj
index 098bf3a28b..4f5d01c524 100644
--- a/src/Radarr.Http/Radarr.Http.csproj
+++ b/src/Radarr.Http/Radarr.Http.csproj
@@ -3,6 +3,7 @@
     <TargetFrameworks>net6.0</TargetFrameworks>
   </PropertyGroup>
   <ItemGroup>
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="6.0.5" />
     <PackageReference Include="FluentValidation" Version="8.6.2" />
 	<PackageReference Include="ImpromptuInterface" Version="7.0.1" />
     <PackageReference Include="NLog" Version="5.0.1" />