OAuth login issues on tablets
Hello. Family members of mine have tablets. I'm trying to keep OAuth as the only way to login because of easy authentication and identity recognition. I tried to login to Immich app on those tablets (they're pretty new - Android 11 and up) but after i clicked on "Login with OAuth" button, it either loaded the google login page (which is correct) or the app just crashed and went back to "enter server URL" screen.
Even if i was able to get on mentioned google login screen, after clicking on correct google account to login, the window closed (as it should) and app went back to "enter server URL" screen. After then i tried to check the logs for errors but they seem to be wiped.
Of course, within the Webapp, everything is fine but it's not customized to be working greatly on mobile devices.
Bump
What is your redirect urls? Maybe there is something wrong on them.
I have it set up with Authelia and it works as expected.
Weird. OAuth works perfectly on other non-tablet devices like smartphones and so.
I'm going to try emulate some tablet on my pc and try it that way
On emulator, it's not even trying to start the app

i could record a video of actual behavior on real tablets if you wish
Alright so, I tried it on NoxPlayer - there was the "keep stopping" error and now i tried it on LDPlayer and it works just fine. Do you guys know where could be the issue?
What is the version of the app and server?
And your auth config in Immich :-)
the auth is working on other android devices (like android phones - mine, my gf's, and both parents). There's no need to share the auth config. It is clearly issue within Immich android app
On my mom's tablet, it's been fixed by disabling the adblocker app (blokada 5) and my dad has AdGuard but even after turning off the "protection" it's still crashing
What if you turn off AdGuard, reboot the phone/tablet and try then? If AdGuard is doing some DNS-changes, maybe they are cached on the device. A reboot will verify if it works with AdGuard turned off.
i did a reboot but the app was alive (probably start on boot) so i think the only way to check it is uninstall the app completely
Alright so i was playing with it a bit:
1. uninstalled all adblocking apps
2. restarted the device
3. tried immich for login - same as always
4. deleted all data and tried again - same
5. tried dad's old tablet with Android 6 i believe? Same behavior as on these
6. Tried to turn on Blokada again on mom's tablet and log off, log in to immich - failed but this time it didn't crash the app instantly. Instead it show an error i will attach
7. Exported the logs and deleting app's data and trying again - same behavior
8. I'm no longer able to log in with mom's tablet
It seems like it didn't find currentUser in Store or something.
I thought it might be caused by screen resolution? Maybe immich is unable to draw itself on such screen resolutions and aspect ratios, causing it to crash
The fun thing is i call it crash but i'm actually not sure if it is a crash. I assume it is a crash as the logs seem empty and i'm hoping it would write an error if the login was unsuccessful
I also tried enabling permissions, wiping cache, restarting device and checking for any suspicious app that would potentially take over control over traffic routing but didn't find anything
@zody
It seems login was not successful - there's no currently logged in user according to the stack trace
Is there a reason why it would do this before login successfully happens?
It should not. But it seems this can somehow happen
Try download chrome and use it as a default browser
Native browser might have issue with redirection
Can you confirm that username and password work fine and this is limited to oauth?
i will try
alright, i'm going to try it
i just noticed it is already set as default browser
but when i log in, it seems not to open normal chrome application but something like embedded browser. But it does the same on phones so i think it maybe is default browser but its embedded version is somehow called
Yep it is embedded chrome browser
Just a side note, the "change password after first login" screen doesn't seem to work properly. After clicking the button "Change password" with different passwords, it doesn't do anything. I needed to click back button and change the password field to the new password i typed. So it actually changed the password in backend but it just didn't forward me to immich's main screen with photos
yep, i confirm that it is limited only to OAuth. Password login works fine
Another side note that after i tried OAuth login again, those logs preserved but it didn't add any new log with failed login or something. So it clearly doesn't log logging in with OAuth somehow. I'm not sure how it log the error from yesterday then...
any updates?
So what versions of android are the tablets which are having the problems?
Dad's tablet:
- Model Samsung Galaxy Tab S7 FE
- Android 13
- One UI 5.1
- Security Patch 1.5.2023
Mom's tablet:
- Model Lenovo Tab P11
- Android 11
- Security Patch 5.4.2023
Dad's old tablet:
- Model Teclast T20
- Android 7.1.1
- Security Patch 5.7.2017
On all 3 tablets the same error so it shouldn't be caused by Android versions or so
@here Might it be caused by other apps installed on those tablets? as i said, in the emulated environment, it worked fine.
I find it strange that all the tablets have the same issue 🤔
Yeah, same here
maybe worth a try of removing chrome browser, install firefox and try again?
so the firefox would be the default one?
marked firefox as default browser to see if it get brought up during the redirection
yeah try that
sure, give me a sec
no change, same behavior
Hmm, ok maybe let me put in some logs for OAuth logging procedure in the next release
it worked once on mom's tablet and it signed her in. Then i logged her off and tried again and from that point it's the same behavior as always
yup, that would be ideal
maybe in debug level for both server and phone app?
there is debug level log for mobile app
but it's not logging oauth still
but you need to sign in first to toggle it 😅
ah, shut
yesh it is not logging oauth because we don't put any logs there
so we will just put normal log for oauth to debug cases like this
yep. The debug level is set by default or it's needed to toggled on after you log in?
it is by default, there is finer level that can be toggled
right. Thank you for explaining.
looking forward for next version :immich:
no problem, sorry for the inconvenience
Can you put in an issue so I remember to do it?
i will update and try it as soon as it will be out
sure. going to do it
Thanks
GitHub
[BUG] OAuth login wouldn't get redirected on tablet android devices...
The bug According to our discussion, i'm opening this issue. I have 3 Android tablet devices at home from which none is able to login with OAuth. After i enter correct URL as target server and ...
You can try and download the APK from this build to get logs for Oauth sign in before the release https://github.com/immich-app/immich/actions/runs/5372432215
epic!
will let you know in couple of hours
OAuth still isn't in logs
even if i login with phone, i can't see any oauth logs

if i open up exported logs from tablets, i don't see anything really
just created columns for created_at, level, context etc...
@Alex sorry for pinging but maybe if we could get somewhere with this?
Does the in app log view on the tablet show something? No need to export
nope
0 logs
maybe it's not caused by OAuth itself? i don't know really.
verbose logging would really help to write down every single action the user makes.
and also every action the device does
isn't it caused by having my server still on 1.63.0?
interesting thing to mention, if i want to login on phone, it kept chrome open as separate app with this redirection but on tablets it didn't keep the chrome as separate app in recent apps
No, Oauth mechanism hasn't changed for a long time
damnit chrome tablet
I think you'd need to run a development/debug build with full adb logging attached to get more clues what's (not) going on there. I'm out of ideas
Well, I'm not even sure on what side is the cause. Either tablet's side or Immich's
Adb is functional even without root right? That might be possible
From what i read it is possible to filter Immich to logging https://developer.android.com/tools/logcat
Android Developers
Logcat command-line tool | Android Studio | Android Developers
Logcat is a command-line tool that dumps a log of system messages, including stack traces, when the device throws an error and sends messages that you have written from your app with the Log class.
Yeah, no need for root. Just attach adb via USB or wifi and see what happens. You can try first to grep for "flutter" but maybe you need the unfiltered logs of that short time frame between oauth click in immich, switching to web browser and redirect back to immich
Understood. Will try as soon as i get home :immich:
the issue is there is literally spam even after filter out "flutter"
with "E" (Error) flag, there could be less logs?
more logs is ok though
but i don't believe it filter out only flutter
because i set flutter:F for fatal so it should be clear and it basically ignored the filter
and is spamming everything include D which is debug
so maybe flutter isn't the right app?
If you can start the app - perform oauth logging to get to the "error" state then get the logs and send it here
we can look at it together
with the flutter filter?
just send everything
we can filter out later
alright, give me a sec
https://paste.c-net.org/AdmirerPerson
To make things easier, i clicked on login with oauth around 15:57:40
should i do the same with the second tablet?
I guess one log with the issue is enough for now. thank you
alright, np 🙂
anything new yet?
I do see this exception

Could you take a video/screen recording of what happens on the tablet? Does the app crash? Just go back to the main screen, etc.? I think it would be useful to see what you are seeing as you try to login.
I tried to grep for debug logs of Immich in your adb log. there's really not much in there. I'm puzzled
sure, brb
due to non-existing simple and great software for videoediting (bluring credentials), i'm only exporting video now
i wasn't able to click share as i had the recording floating tools there
Hmm
so the login success
let me put in some more logs
Here you go
again with adb or in app?
in app
make it simple for you 😄
thank you 🫶
nope, still empty
hmm
do you have user name and password that you can try to log in the instance?
wym exactly?
create a user that can use email and password to log to the instance
after logging in try to check the log if it is still empty
yes, that's what we discussed with bo0tzz i think a while ago
or jrasm91 i don't remember
alright
other than some assets loaded, it didn't log the login

Now log out and try login using OAuth
nope, still no logs
no login related logs*
Can you just send all the logs again anyway?
adb or inapp?
in app
This is the APK that you run right?
yep, this one in quote
sec
That all looks pretty normal, showing assets being loaded into the database. It still kicks you to the login page again?
sorry for misleading but those logs were from the login session i did with username / password that Alex asked me for
there is no log for oauth login which is strange
When you do login via oauth there are no logs?
after then i logged out and logged in with OAuth (2 attempts)
I wonder if this is related to the disk read error
exactly
i can try it with my phone so we'll see if the logs will be there if the login was successful
I did put in the log to print out the server config but they aren't getting logged out
interesting
maybe this can contribute to troubleshooting?
to even check if the logs are written in any possible way
Can you try to run the app on mobile to see the logs is visible?
sure
yep, i see those OAuth logs now
do you want to see or it's irrelevant from this point?
it is irrelevant now
hmm
so there's issue somewhere between when is
google account authenticated
and when this confirmation is delivered to the server i guess? according to logs not being shown on tablet
i wonder how i was able to login once a while ago on one of those tablets hmmm
There is this error? Caused by: io.grpc.ff: UNAUTHENTICATED: Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential.
Maybe the redirect to immich isn't being handled properly.
nope, there is 0 errors
or do you mean from server side?
that is from the adb log I believe
doesn't look like it
nevermind, it is
06-27 15:44:47.060 4239 4279 E MDD : Caused by: io.grpc.ff: UNAUTHENTICATED: Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
interesting. How the auth credential could be wrong on tablets but on mobile it's okay?
but it's MDD app or package name, weird
probably an internal library is used for handling Oauth request
Ah crap
That means to redo whole OAuth handling in Immich app?
With different library*
Or discuss it with that library's devs
not sure, this is only the instance with Google Oauth on the tablet platform, we don't have enough justification to change anything besides trying to find the actual cause
Do you have experience with Authentik that you can try to setup an OAuth instance for that?
That's a good idea. We should see if it is unique to Google oauth
I set up Keycloak. But the main point why I didn't want to keep it with Keycloak is that I would need to open another app to public
Aha, y'all meant it as part of troubleshooting, not the solution?
yes
Right. I can take a look into it tomorrow / the day after. It is ready to go but I would like to change the routing as now it looks like Client -> immich -> Keycloak -> Immich
But I'd rather have Keycloak as middleware so Client -> Keycloak -> Immich
But I'm not sure if immich allows such routing
Because it would skip the "login with OAuth button" part
No, i don't think it can work like that without bypassing the current oauth implementation in immich
Yeah. We've had similar discussion within exposing immich to internet. At this point, we need to rely on Immich's auth system instead of move the load of authentication to specialized auth apps like Keycloak or authentik
But then it's matter of minutes to set it up with Keycloak. Will let you know tomorrow around 6 PM GMT+2
You can move a lot of the load to a third party, especially for login events, but after that immich does generate its own session token that is used directly.
For now, i have to go sleep, GN y'all 💤
I've got into changing the OAuth service to Keycloak and i'm able to login via web, however not through android app
https://discord.com/channels/979116623879368755/994044917355663450/1123702348452221041
can you do it from your phone?
like login in web?
oauth login from the mobile app
not from the tablet
right, i'm unable to login from app in any android device
app's logs are clear
let me check my config
wait, isn't it maybe caused by having staging certificate on immich?
i accidentally changed the production for staging and now i'm unable to repull the cert for immich


yep, it was caused by staging certs on immich
i'm able to login to app from phone now
let's test it on tablet
sad news guys, it's the same on Keycloak setup...
that means anyone who will try immich app on tablet, it shouldn't work
"cough" Android tablet
If you've been using non-production certificates I wonder if it is possible that they are cached for the domain/connection.
I couldn't even connect to server when I was using staging certs
When I changed them to production, I was able to connect to server
And dumped them so traefik would repull them
So it shouldn't be caused by cache
Any ideas from this point on?
we are asking among the dev for an Android tablet to test
Alright, thanx y'all for not leaving it as it is :immich:
According to multiple users it seems like i have issue with my configuration. I'd like to do some tests with @Allram who reports it works fine on exactly the same tablet model as mine. Do you agree Allram?
Side note: I tried it on another old android tablet - same behavior (total of 4 tablets reports same behavior)
Also, according to @wutanc , it works on his tablet too. Could you provide at what level of domain you have your immich instance? mine is on foo.bar.example.com. Cloudflare claims this level of domain isn't covered by their "Universal Certificate"
i'm all in to do some tests
@Allram would it be possible for you to create an account for @Mr.Green Cake in your oauth provider to test on your instance?
feel free to DM him so you don't have to post your instance address here
that would be amazing!
Immich.mydomain.tld
@Mr.Green Cake are you doing this on the same network?
Some routers do weird things. Could this be a network/router problem?
i'm just going to find out
just a note to everyone here, we tried it with Allram and it did the same thing as with my setup
so it will be probably caused by router / ISP or such
i'm going to try it with mobile operator data provided from phone
When using your android phone have you used the exact same network?
yep
nope, it's the same through hotspot
i'm clueless
I really don't think this is an immich bug. It definitely sounds like a setup issue on your side tho. Since you can reproduce it with a proven working instance.
Have you set up the tablets in the same way? Using the same anti-virus? Same VPN? Same adblocker?
i wouldn't say the same way. There are some adblockers and such. In fact, it did work once after turning off the adblocker (Blokada)
Same problem occurred on my instance. So my guess is on network problems/network configs
however when i tried to logoff and login again with adblock still turned off, i wasn't able to login anymore
but it didn't work on hotspot either so
i'm really clueless right now
there is no way it's not caused by tablets itself
not immich particularly but tablets
i think next step would be to do factory reset on one of those
IMHO it makes no sense it would be tablets that are the problem. But instead a setup/config issue on your side
I tried it with hotspot which means i bypassed my local network and instead did go through mobile data. I didn't even connect to my instance so i did not target any my stuff at all.
there's literally no way it's caused by setup. It might be PART of the cause but not the only cause
Given that we now have several android tablets that works just fine, I have a hard time believing it's a "tablet" related problem
I think we might need to experiment some more to pin down the cause because it is unknown at the moment
absolutely, i'm going to tomorrow
IMO it is a device specific issue. Doesn't work with an otherwise valid instance means that the environment is not the issue, or at least not the only issue. I'd guess something about the tablet, the apps installed, the network settings, etc. is causing an issue for whatever reason.
yup, it would be best to perform a factory reset on one of those and see the result. Unfortunately, backing up everything is really annoying job
UPDATE:
I'm back. After mindlessly trying everything (i mean EVERYTHING) i was able to login with oauth on one of tablets. The key was to reset password, firstly login to app with normal credentials and after then, when i logged out, i was able to login with oauth
I'm guessing this behaviour is caused by some data specific to these tablets, weren't passed to app. So it throw error somewhere where it isn't meant to be logged and throw me back to first screen.
As soon as i logged in / out with normal credentials (email / password) i am perfectly able to back login but with oauth this time.
i think this (reply) because when i did steps above from tablet A and then tried oauth from tablet B, i wasn't able to login with tablet B and it has the same behavior as we were discussing here.
right now i'm about to try this same thing with different account (my father's) to see if these steps are constant or not
here's the whole log
i'm curious about this line
2023-08-19 13:53:34.087305,LogLevel.SEVERE,"ImmichErrorLogger","","#0 Store.get (package:immich_mobile/shared/models/store.dart:33)
and the others under
is that only the storage permission or something else?
It is not consistent...
Here's the log of resetting the password and logging in with credentials. It is different tablet so different environment
That's an error looking up a value from the database
so there's issue with the database?
Not 100% sure. Do you have the full stack trace?
this is the full log
I'm on my phone so I'm not going to look at it lol
alright
hold on. I was trying to login to @Allram 's server (he created me account) and i wasn't able to login on the same tablet model. So it couldn't be the database issue
note that i was trying to login through both: my local network and hotspot on my phone (to reduce possible causes)
so far it still seems there's something f* up with the tablets
Maybe a bug with some library on tablets or something
Recreated your account now 😅
The weird thing is that I have 2 of the same tablets, and they work without problems from my side
yep, that is definitely weird
Even weirder is it doesn't work with my account on your server with the same tablet
so, any further steps?
You still haven't tried factory reset? I think that would be the next step 😬
yeah i didn't. It's a bit hard to cluster all the things i have to do.