Immich•3y ago
mariomare22

Authelia log in disabled

I am using Caddy + Authelia for Immich reverse proxy and authentication, but I get "Login has been disabled". Authelia config client:
```yaml
- id: immich
  description: immich
  secret: 'mysecret'
  public: false
  authorization_policy: two_factor
  redirect_uris:
    - https://mydomain.com/
    - https://mydomain.com/auth/login
    - https://mydomain.com/user-settings
    - app.immich:/
  scopes:
    - openid
    - profile
    - email
  userinfo_signing_algorithm: none
```
Caddy configuration:
```
mydomain.com {
    import cloudflare
    reverse_proxy http://immich_proxy:8080 {
    }
}
```
Normal authentication is working.
28 Replies
jrasm91•3y ago
And what changes did you make on the immich side?
mariomare22 (OP)•3y ago
If I clean cookies and open immich, I first get that above screenshot, then the login window plus "login with OAuth". If I click there, I get redirected to the authelia domain, I can log in, and then I am redirected back to "login has been disabled". Instead, if I clean cookies and open immich, after the "login disabled" screen I can log in with immich auth.
jrasm91•3y ago
OAuth involves two parts: (1) redirect to authelia, get code, redirect back to immich, then (2) validate code and log you in. Sounds like you are saying part one is working and part two is erroring out. Can you check the immich server log?
mariomare22 (OP)•3y ago
click on the login with oauth and get here
jrasm91•3y ago
Yeah this is all looking good
mariomare22 (OP)•3y ago
if I accept I get back to login is disabled and now it worked 😄
jrasm91•3y ago
Yeah sounds like an error with part 2 of oauth. Lol what
mariomare22 (OP)•3y ago
WTF, in the log I am seeing lots of 'hackers' trying to authenticate on my server. Is there any way to prevent that?
jrasm91•3y ago
You may want to disable password auth entirely. You could also look at using fail2ban to block bad IPs.
mariomare22 (OP)•3y ago
I have also disabled the autoregister. Done, disabled password auth. I will check fail2ban with Caddy or crowdsec. Thank you.
jrasm91•3y ago
Lol i didn't do anything, but anytime 😛
mariomare22 (OP)•3y ago
I think the problem was that it took some time for authelia to pass the handshake back to immich
jrasm91•3y ago
Possibly... I think we upped the timeout though. I assume you are running a fairly recent version of immich
mariomare22 (OP)•3y ago
1.50.0 build 88 iOS, server is 1.50.1
jrasm91•3y ago
GitHub: immich/oauth.core.ts at main · immich-app/immich
mariomare22 (OP)•3y ago
🆗
jrasm91•3y ago
Can you look at the immich web logs?
mariomare22 (OP)•3y ago
```
Listening on 0.0.0.0:3000
Listening on 0.0.0.0:3000
Photo page load error HttpError { status: 400, body: { message: 'Not logged in' } }
Photo page load error HttpError { status: 400, body: { message: 'Not logged in' } }
Listening on 0.0.0.0:3000
Photo page load error HttpError { status: 400, body: { message: 'Not logged in' } }
Photo page load error HttpError { status: 400, body: { message: 'Not logged in' } }
Listening on 0.0.0.0:3000
Photo page load error HttpError { status: 400, body: { message: 'Not logged in' } }
Photo page load error HttpError { status: 400, body: { message: 'Not logged in' } }
```
Can you explain to me a bit the session duration? Never mind, I found an issue with the authelia config.
jrasm91•3y ago
Ah ok.
mariomare22 (OP)•3y ago
```yaml
session:
  inactivity: 5m
```
jrasm91•3y ago
That should be fine actually
mariomare22 (OP)•3y ago
how does this not affect the mobile session?
jrasm91•3y ago
We only use the token that this is probably referring to once and then issue our own session token.
mariomare22 (OP)•3y ago
ok clear
jrasm91•3y ago
So as long as the login process doesn't take longer than 5 minutes to complete it should be fine lol. Immich sessions are non-expiring now. Although I think we missed one change for the web where a cookie was still expiring after 7 days. Should be updated in the next release.
mariomare22 (OP)•3y ago
Ok roger that. Now I have to focus on fixing hairpin NAT.
jrasm91•3y ago
Does your router support that?
mariomare22 (OP)•3y ago
Mikrotik RouterOS, I hope so
