Immich • 3y ago
mariomare22

locked out from server after enabling oauth

Hello team! I tried to enable the oauth with authelia but I might have done some mistakes and now I cannot log in even with old password auth.
log from server container:
[Nest] 1 - 01/18/2023, 1:50:07 PM ERROR [ExceptionsHandler] expected 200 OK, got: 404 Not Found
OPError: expected 200 OK, got: 404 Not Found
    at processResponse (/usr/src/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)
    at Function.discover (/usr/src/app/node_modules/openid-client/lib/issuer.js:179:18)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async OAuthService.getClient (/usr/src/app/dist/apps/immich/apps/immich/src/api-v1/oauth/oauth.service.js:112:24)
    at async OAuthService.generateConfig (/usr/src/app/dist/apps/immich/apps/immich/src/api-v1/oauth/oauth.service.js:45:22)
    at async /usr/src/app/node_modules/@nestjs/core/router/router-execution-context.js:46:28
    at async /usr/src/app/node_modules/@nestjs/core/router/router-proxy.js:9:17
tested already stack restart after running
/usr/src/app # immich enable-password-login
Password login has been enabled.
/usr/src/app #
22 Replies
jrasm91 • 3y ago
I think this is in fact a bug. If OAuth get config fails while resolving the issuer url it errors out and while password login isn't disabled, it doesn't show the form.
jrasm91 • 3y ago
GitHub
fix(web): login error handling by jrasm91 · Pull Request #1322 · im...
Enable password login if the api request to load auth config fails for whatever reason. Also, new (unhandled) error page 🎉!
bo0tzz • 3y ago
@mariomare22 you said you set up your instance just today, right? For now it's probably easiest to just delete it and start over, I believe with the current misconfiguration + error handling you're basically locked out
mariomare22 OP • 3y ago
done! testing again authelia 🔒
bo0tzz • 3y ago
Fwiw the error you posted seemed to indicate that the url you entered was wrong
Just a heads up so it doesn't happen again 😛
jrasm91 • 3y ago
If it does break you can try using tag 1322 for the web container instead of release until you get it working.
mariomare22 OP • 3y ago
- id: immich
  description: immich
  secret: 'my secret'
  public: false
  authorization_policy: two_factor
  redirect_uris:
    - https://photos.domain.com/
    - https://photos.domain.com/auth/login
    - https://photos.domain.com/user-settings

  scopes:
    - openid
    - profile
    - groups
    - email
  userinfo_signing_algorithm: none
this is the setup client I am using in authelia... now I am going to Immich I hope I did not do any booboo
jrasm91 • 3y ago
Immich doesn't ask for groups scope, not sure if that matters.
mariomare22 OP • 3y ago
now what is issuer url? 😄 never seen this before
it should be auth.mydomain.com where authelia is listening...
bo0tzz • 3y ago
Authelia
OpenID Connect - Integration
An introduction into integrating the Authelia OpenID Connect Provider with an OpenID Connect relying party
bo0tzz • 3y ago
Try it in your browser to check if you're not sure
mariomare22 OP • 3y ago
It's working just fine!!! the error was exactly this! I put auth.mydomain.com/api/oidc/authorization and was not redirecting properly obviously
testing mobile 😛
jrasm91 • 3y ago
Did you add the mobile redirect URI?
mariomare22 OP • 3y ago
yes! indeed but the redirect threw me an error!
jrasm91 • 3y ago
What error?
mariomare22 OP • 3y ago
testing from ipad in https://my.domain.com/api/oauth/mobile-redirect this is in the settings and in the endpoint
jrasm91 • 3y ago
Did you turn on the mobile compatible thing?
mariomare22 OP • 3y ago
when I put in the ipad app https://my.domain.com/api I get the oauth button and when I press I get an error... the redirect_uri parameter does not match any of the oauth 2.0..... of course...
jrasm91 • 3y ago
I don't think you need it with authelia
Can you try turning it off and then adding this redirect URI?
app.immich:/
mariomare22 OP • 3y ago
right 😄 yes this was added and the disable was needed!
jrasm91 • 3y ago
That's mostly for when the mobile redirect URI can't be set for some validation rules by the provider
mariomare22 OP • 3y ago
that means that authelia does a good job at redirecting...