Setting up authelia openid connect
Hello,
I'm trying to set up authelia with immich. Everything is working fine except for the issuerURL. I'm following the documentation: https://immich.app/docs/administration/oauth, however whenever I navigate to
http://192.168.1.121:8585/application/o/immich
It displays this message
I've set that as my issuer url and set the rest up like this:
https://i.imgur.com/Za4mWL5.png
I'm making use of Authelia, where I've set it up in the following way:
What am I doing wrong here?
192.168.1.121:8585
is your endpoint for Immich, right? Shouldn't the issuer URL be Authelia?
would that be the one within the docker network or the public authentication website?
yeah you got a point, completely misunderstood it
It needs to be publicly accessible from the client (browser, phone) and accessible from the immich server container.
okay that would mean auth.mydomain.com
Yes
alright going to try it out
cool it works
oh that is neat, since my authelia email and immich are the same I log in as the admin
Quick question before I go on, would 'auto register' be good to have turned on? As long as I've configured it correctly, it should mean that everyone with an authelia account can log in right?
ah wait, that would mean that everyone will be given the prompt, however only the people I allow will be able to "register"
I don't know how to do that tho lol
hm I think authelia doesn't allow this
So a few things
In the auth provider, meaning authelia there's probably the concepts of users, groups, and applications. You can configure there in the auth service what users can access what applications.
Unrelated to any of that are the settings in immich.
Auto register means when an authelia user accesses immich for the first time and an account doesn't already exist with the email address from authelia, it'll create a new non-admin user automatically. This is unrelated to authelia sign up and registration, which has to happen independently, before logging into immich.
I use Google oauth and so i have auto register turned off. I don't want anybody with a Gmail address to be able to create an account on my instance.
For a private hosted oauth service I would probably turn it on, as you're probably already controlling/restricting who can create an account in Authelia. With it on it would mean if someone has an account in Authelia they can login into immich without needing to pre register there.
In both situations I'd probably turn off password login.
Yeah so it's a bit odd because I'm getting the following message when users try to login with their authelia account (works for me somehow)
"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The 'redirect_uri' parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls."
redirect_uri mismatching
In Authelia you added a few urls that ended with /auth/login, etc. The domain part must also match the different places, urls you use to login. Those are all added?
When you initiate the process what is the url you start at, and is that added in Authelia as a redirect uri?
Well I'm redirected to auth.mydomain.com/consent
Right, but what url are you coming from
image.mydomain.nl
https://image.mydomain.nl/auth/login?autoLaunch=0
Is this url in Authelia as a redirect uri?
https://image.mydomain.nl/auth/login
weird thing is that it works for my own account
You can currently login with another account?
Are you logging in as another user, or somebody else is and telling you they got that error?
I can login with the admin account, and the redirect works without issue it seems. and I get this: https://i.imgur.com/nobjxio.png
and I get all https://
But when my friend visits it is as follows according to the browser history:
http://image.mydomain.nl/auth/login
http://image.mydomain.nl/auth/login?autolaunch=0
https://auth.mydomain.nl/oidc
so it's a bit odd as to why he even gets http websites in the first place
Just have him login with the https variation of the link
And you can probably configure your web server to automatically redirect http traffic to https
but it shouldn't even be http in the first place
never set it up that way
Does that url work for you?
http implies port 80, https implies port 443. You can check if port 80 is open and/or if it redirects to immich
when I go http it instantly corrects it as https
What about not on your local network?
it instantly redirects me to auth.mydomain.nl consent page
as https
I've opened up my immich container using a reverse proxy which I've configured to be https
got my certs from cf
Weird
Anyway http vs https are considered different urls. Can your friend access the https url variation?
works without issue
But I wonder why he is able to get to http
that shouldn't be possible right?
It is an interesting question. Can you verify port 80 is blocked by your router?
I'm just worried about possible misconfiguration
Well I only have port 443 portforwarded so yes
for the reverse proxy
Yeah, might be good to just double check. Does your dns point to your public ip or does it go through cloudflare?
Just did it's not there
luckily haha
this is within cloudflare zero
I run everything through cloudflare tunnels with proxy enabled for now
I might need to turn it off because of tos
This says any requests to that domain get sent to https://swag:443
Yes, that is because the cloudflare tunnels is set up to work through swag
otherwise it would ignore authentication
and go straight to the app
this way I get to have authelia authentication
perhaps it's something within my swag config
for immich
That's fine. You may be able to connect to cloudflare over port 80 still
It'll still hit the rule and send the connection to swag:443.
I shouldn't be able to really, since I've set up a catch-all rule for http_status:404
That's if the domain doesn't match though
owh
The rule is domain => target
If the web server listens on port 1000 you can connect on 1000 and it'll still send it to 443 internally.
If the request sends the
origin: hostname
header, it'll still match the rule.
could this perhaps be the problem? https://i.imgur.com/mtaS8cW.png
It shouldn't be, since connection within the docker network is http
You have a connection routing through a few different web servers and between each one they can use http or https.
Remote client => Cloudflare web server => docker swag server => immich proxy server => immich web/immich server
Your friend connecting over http means that the first connection has port 80 open. So
Remote client => Cloudflare web server
Anyway, if you can't reproduce it on a mobile network (not on your wifi/lan) then I'd probably not worry too much.
yeah it doesn't sit well. I've asked him to navigate to http://image.mydomain.nl and he just gets on
well not logged in
But still, he gets on to my site

That seems to have done it
Was that a Cloudflare thing?