Authelia login page redirect loop with OIDC/OAuth setup

I set up Authelia as the OIDC provider for Immich, but when I log in with my credentials on the Authelia login page, it just redirects back to the same Authelia login page. The Immich container logs don't show anything either, no errors or anything. The Authelia logs show authentication succeeding, the authorization request being processed, and then the request timing out. I think that Immich is somehow unable to route to the Authelia host, despite my being able to ping and curl the Authelia page from inside the immich_server container. I am using the local IP for convenience, but I have also tried with domain names and the outcome is the same. Has anyone who has successfully set up OIDC with Authelia got any tips?
70 Replies
dretyuiop (OP), 2y ago
[attachment: screenshot, no description]
jrasm91, 2y ago
That doesn't look like the right issuer URL. Maybe it is? Does this URL work? http://192.168.1.7:9091/.well-known/openid-configuration (if you open it in a browser)
abbhishek_chakra
I've got it working with Authelia. What are the redirect URLs you have set up for Authelia?
dretyuiop (OP), 2y ago
This is what I got from that page.
dretyuiop (OP), 2y ago
```yaml
redirect_uris:
  - app.immich:/
  - http://192.168.1.7:2283/auth/login
  - http://192.168.1.7:2283/user-settings
```
Also, can I ask what issuer URL you put in the Immich configuration?
jrasm91, 2y ago
Do you see the OAuth button on the Immich login page?
dretyuiop (OP), 2y ago
Yes, I can click on the OAuth button and go to the Authelia login page, but after using the correct credentials, it just redirects back to the same login page.
martabal, 2y ago
What is your Authelia domain? I tried with your settings and I have the same problem. Did you try with a domain name?
jrasm91, 2y ago
What do you mean by "same login"? Do you mean the Immich login page?
dretyuiop (OP), 2y ago
The Authelia login page.
jrasm91, 2y ago
Can you record a video?
dretyuiop (OP), 2y ago
Yeah, I tried with a domain name, just changing the redirect URI; otherwise the settings are the same, with the same outcome of being unable to sign in.
jrasm91, 2y ago
If it is not redirecting back to Immich, it sounds like something is misconfigured. Do you have auto login checked in Immich? If so, can you disable it?
martabal, 2y ago
Do you use Authelia? It's supposed to work with a domain name and a reverse proxy.
jrasm91, 2y ago
Is that question for me?
martabal, 2y ago
No no, for @dretyuiop
dretyuiop (OP), 2y ago
If by auto login you mean auto launch in Immich, then yes, I have it disabled.
jrasm91, 2y ago
Do you use Authelia with any other applications besides Immich?
dretyuiop (OP), 2y ago
Yes, I used a domain name, but I encountered the same redirect problem, so I tested my setup on my work machine with the local IP for convenience; still facing the same problem. No, for other applications I use lldap. You think this is a problem with my Authelia setup then?
jrasm91, 2y ago
Yes
dretyuiop (OP), 2y ago
Here is a video showing the problem.
jrasm91, 2y ago
Well, to start with, you are using the issuer URL of 192.168.1.7 and the video shows .6.
dretyuiop (OP), 2y ago
Yeah, my local IP changed because I was too lazy to set up a static IP for my work machine; I just changed the settings in Immich and Authelia to .6. Don't think it matters.
jrasm91, 2y ago
Can you copy/paste the URL from the browser on the login path here?
dretyuiop (OP), 2y ago
You mean the URL for the Immich page? That's http://192.168.1.6:2283/
jrasm91, 2y ago
No, the whole thing with the query params and all, on the Authelia login portal.
jrasm91, 2y ago
It looks like Immich is redirecting you to:
http://192.168.1.6:2283/auth/login&response_type=code&scope=openid+email+profile&state=S1I50mqi0Szp-vadzklflRFCyEVhK-77QwckdNBwr54&workflow=openid_connect
which is correct. After that, Authelia isn't working because of a presumable misconfiguration. I've never used it, so I can't be of much help. You should check the Authelia logs and/or ask for help with them directly instead.
dretyuiop (OP), 2y ago
I actually asked for help in the Authelia Discord, but they weren't that active. Honestly, I was just hoping someone who got Authelia OIDC working with Immich could show their configuration. Thanks anyway though.
jrasm91, 2y ago
No problem. I think the issue is definitely related to a setup issue. Maybe you can ask in general-discussion if anybody has a valid configuration they could share, or if they could take a look.
Kryptonian, 2y ago
Should OAuth even work with IPs and HTTP only?
dretyuiop (OP), 2y ago
Given that the Immich docs have examples for a local IP and HTTP in the OAuth section, I would assume so.
Allram, 2y ago
I have Authelia running with Immich. I have Authelia on my domain: https://identity.DOMAIN.org and Immich on: https://photos.DOMAIN.org. I don't use local IPs, I only use domain names, but I guess it should work anyway? Authelia identity_providers config:
```yaml
access_token_lifespan: 1h
authorize_code_lifespan: 1m
id_token_lifespan: 1h
refresh_token_lifespan: 90m
enable_client_debug_messages: false
clients:
  - id: immich
    description: Immich
    secret: nZr4u7x!A%D*G-KaPdSgVkYp3s5v8yKLDJLKSAJDKLSAJDKLSAJLKDJASLKNDLKASNDLKAUS%D*G-KaPdSgVkYp3s6v9y$B&E)H+MbQeThWmZq4t7w!z%C*F-JaN
    public: false
    authorization_policy: two_factor
    # Immich sends one of these as redirect_uri; Authelia requires an exact match
    redirect_uris:
      - app.immich:/
      - https://photos.DOMAIN.org/auth/login
      - https://photos.DOMAIN.org/user-settings
    scopes:
      - openid
      - profile
      - email
      - groups
    userinfo_signing_algorithm: none
```
Allram, 2y ago
Immich config
[attachment: screenshot, no description]
Allram, 2y ago
It seems like you haven't generated a random string for the encryption key for the database. Have you added any users to Authelia (in users_database.yml), and can you log in to Authelia without Immich? You are also using port 8080 on immich_proxy; have you tried changing the Authelia redirect_uris from 2283 to 8080? And are you sure that 192.168.1.7 is the IP for immich_server, or is that for immich_proxy?
dretyuiop (OP), 2y ago
I changed the immich_proxy ports to 8080:8080 and the port in the Authelia conf file to 8080; still the same situation. The 192.168.1.7 is the IP for both immich_server and immich_proxy, because it's the host IP. If by "log in to Authelia" you mean whether it will redirect me to the default URL with the credentials, then yes, it did. Copying your OIDC section didn't work. Could you share your whole config file (with secrets removed)?
Allram, 2y ago
In the video you sent, it doesn't look like you can even log in to Authelia?
dretyuiop (OP), 2y ago
I logged in; that's why it briefly flickered and redirected back to the Authelia login page. If the credentials were wrong, it would have a red popup saying the credentials were wrong.
Allram, 2y ago
Here is my Authelia config with all my secrets and stuff removed. Just note that I run Redis and PostgreSQL over Unix sockets and don't use the SQLite DB.
Allram, 2y ago
This cannot be the same IP for both Docker containers, but it should be enough to just point the login to the immich_web container if you don't use immich_proxy. If you use that, you need to point Authelia to the immich_proxy container. NVM: got it, I didn't see that you run it with the host IP; I thought it was a separate IP for each container.
dretyuiop (OP), 2y ago
It still doesn't work. Thanks anyway though.
martabal, 2y ago
Does the Authelia authentication work?
dretyuiop (OP), 2y ago
Yeah, I can go to the default redirect URL in Authelia.
martabal, 2y ago
No, I mean this page:
martabal, 2y ago
[attachment: screenshot, no description]
dretyuiop (OP), 2y ago
If you mean the OAuth, then no, it doesn't work for me. I am not sure what that page is, so I am just assuming it is the OAuth page.
Kryptonian, 2y ago
That is Authelia's page after logging in to Authelia.
martabal, 2y ago
It's the home page for Authelia. When you go to 192.168.1.7:9091 you're supposed to see this once you're authenticated.
dretyuiop (OP), 2y ago
I just get redirected to the default_redirection_url once I authenticate in Authelia. You guys don't get redirected?
martabal, 2y ago
Nope. Do you have an authelia_session cookie after the authentication?
dretyuiop (OP), 2y ago
No cookies. BTW, what Authelia version are you guys using?
martabal, 2y ago
This means your Authelia is not set up correctly; my advice would be to have the Authelia authentication working first, then work on the Immich OAuth authentication. Authelia is a bit complicated to set up and understand; I recommend reading their documentation (which is amazing) and watching some tutorials. The latest, ~4.37.5.
ddshd, 2y ago
Also maybe try a different browser
dretyuiop (OP), 2y ago
Isn't the only thing needed to set up Authelia the config file? I did use the Authelia docs to write the config file and even just copied it from someone who got OIDC working; still no luck.
Allram, 2y ago
Can you post your latest Authelia config? Then we can see if there is anything else that is missing now.
dretyuiop (OP), 2y ago
Sure, here is the config file. Maybe you guys can try it out and see if it is an Authelia configuration problem.
Kryptonian, 2y ago
default_redirection_url is not needed per se
Allram, 2y ago
And you have created a user in users_database.yml? What is the output of your Authelia log, also when you try to log in? And have you generated a random string of more than 20 characters under 'encryption_key' for storage?
```yaml
storage:
  # must be replaced with a random string of more than 20 characters
  encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
  local:
    path: /config/db.sqlite3
```
dretyuiop (OP), 2y ago
Yes. When using OAuth:
```json
{"level":"debug","method":"POST","msg":"Mark 1FA authentication attempt made by user 'authelia'","path":"/api/firstfactor","remote_ip":"10.89.1.12","time":"2023-08-16T02:11:25+08:00"}
{"level":"debug","method":"POST","msg":"Successful 1FA authentication attempt made by user 'authelia'","path":"/api/firstfactor","remote_ip":"10.89.1.12","time":"2023-08-16T02:11:25+08:00"}
{"level":"debug","method":"GET","msg":"Authorization Request with id 'c68241bb-d3c1-4c3e-9e25-d259031a89e3' on client with id 'immich' is being processed","path":"/api/oidc/authorization","remote_ip":"10.89.1.12","time":"2023-08-16T02:11:26+08:00"}
```
When going directly to Authelia:
```json
{"level":"debug","method":"POST","msg":"Mark 1FA authentication attempt made by user 'authelia'","path":"/api/firstfactor","remote_ip":"10.89.1.2","time":"2023-08-16T14:21:33+08:00"}
{"level":"debug","method":"POST","msg":"Successful 1FA authentication attempt made by user 'authelia'","path":"/api/firstfactor","remote_ip":"10.89.1.2","time":"2023-08-16T14:21:33+08:00"}
```
I just used the you_must_generate string itself as the encryption_key, since I was just testing to see if it worked and not deploying it. I can test using an actual random string though.
martabal, 2y ago
I thought you were using lldap?
dretyuiop (OP), 2y ago
I am testing this on my work machine and using a file for convenience. I used lldap when setting up on my server.
martabal, 2y ago
Is your Authelia authentication working?
dretyuiop (OP), 2y ago
No, when I go to the page and authenticate, it just auto-redirects to the default URL. I posted my config file above; maybe you can see if it is a config problem.
martabal, 2y ago
You replaced example.com with your domain, right?
dretyuiop (OP), 2y ago
No, since I didn't want to set up a reverse proxy on my work machine, but I can test using a domain name later. But I used a domain name on my server and it didn't work before, so I doubt it will now though.
martabal, 2y ago
I don't think it's possible to have Authelia working without a domain.
dretyuiop (OP), 2y ago
OK, I managed to solve the problem. It was indeed a configuration problem. For session.domain I put immich.example.com instead of just example.com because I didn't read the manual. Thank you to everyone who helped out.
martabal, 2y ago
🥳🥳 The hardest part is behind you now. Enjoy!
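As an added example (not code from this thread, from Authelia, or from Immich), the following Python script lints an Authelia configuration for the three things the thread ended up circling: a session.domain that does not cover the Authelia portal host (the cause of the OP's missing authelia_session cookie and the login loop), a storage.encryption_key left at the documentation placeholder, and a redirect_uri in the authorization request that is not an exact match for a registered redirect_uris entry. The host names, the configuration dicts and the authorization URL are constructed for illustration; to run it against a real configuration.yml, pass the result of yaml.safe_load() as the config dict. Treating an IP-literal host as never covered by a session.domain is an assumption of this lint, consistent with the thread's observation that Authelia needs a real domain.

```python
import ipaddress
from copy import deepcopy
from urllib.parse import parse_qs, urlsplit

# The placeholder value shipped in Authelia's example configuration.
PLACEHOLDER_KEY = ("you_must_generate_a_random_string_of_more_than_"
                   "twenty_chars_and_configure_this")

# Constructed sample with hypothetical hosts: the shape of the broken setup
# from the thread. session.domain names the Immich host instead of the parent
# domain shared by the portal (auth.example.com) and Immich.
BROKEN_CONFIG = {
    "session": {"domain": "immich.example.com"},
    "storage": {"encryption_key": PLACEHOLDER_KEY},
    "identity_providers": {"oidc": {"clients": [{
        "id": "immich",
        "redirect_uris": [
            "app.immich:/",
            "https://immich.example.com/auth/login",
            "https://immich.example.com/user-settings",
        ],
    }]}},
}

# The same configuration with the two fixes applied.
FIXED_CONFIG = deepcopy(BROKEN_CONFIG)
FIXED_CONFIG["session"]["domain"] = "example.com"
FIXED_CONFIG["storage"]["encryption_key"] = "0b2f6c1e9a4d8e7f3c5a1b9d2e4f6a8c0d1e2f3a4b5c6d7e"

PORTAL_URL = "https://auth.example.com"
# Constructed authorization request as Immich would send it to the portal.
AUTHORIZE_URL = (
    "https://auth.example.com/api/oidc/authorization?client_id=immich"
    "&redirect_uri=https%3A%2F%2Fimmich.example.com%2Fauth%2Flogin"
    "&response_type=code&scope=openid+email+profile&state=xyz"
)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_in_cookie_domain(host: str, cookie_domain: str) -> bool:
    """RFC 6265 style domain match: host equals cookie_domain or is a
    subdomain of it. IP-literal hosts are treated as never covered
    (assumption of this lint)."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if not host or not cookie_domain or _is_ip_literal(host):
        return False
    return host == cookie_domain or host.endswith("." + cookie_domain)


def lint_authelia(config: dict, portal_url: str, authorize_url: str) -> list:
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []

    portal_host = urlsplit(portal_url).hostname or ""
    session_domain = config.get("session", {}).get("domain", "")
    if not host_in_cookie_domain(portal_host, session_domain):
        findings.append(
            f"session.domain '{session_domain}' does not cover the portal host "
            f"'{portal_host}': the browser will not keep the authelia_session "
            "cookie, so every successful login lands back on the login page")

    key = config.get("storage", {}).get("encryption_key", "")
    if key == PLACEHOLDER_KEY or len(key) < 20:
        findings.append("storage.encryption_key is the placeholder or shorter "
                        "than 20 characters")

    query = parse_qs(urlsplit(authorize_url).query)
    client_id = query.get("client_id", [""])[0]
    redirect_uri = query.get("redirect_uri", [""])[0]
    clients = config.get("identity_providers", {}).get("oidc", {}).get("clients", [])
    client = next((c for c in clients if c.get("id") == client_id), None)
    if client is None:
        findings.append(f"no OIDC client with id '{client_id}' is registered")
    elif redirect_uri not in client.get("redirect_uris", []):
        # Registered redirect URIs are matched exactly: scheme, host, port and
        # path must all agree, so http vs https or 2283 vs 8080 is a mismatch.
        findings.append(f"redirect_uri '{redirect_uri}' is not registered for "
                        f"client '{client_id}'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, lint_authelia(cfg, PORTAL_URL, AUTHORIZE_URL) or "ok")
```

The first check is the one that explains the thread: with session.domain set to immich.example.com, a cookie scoped to that domain is never sent back to auth.example.com, so the portal sees an unauthenticated browser on every request and shows the login page again even though the log records a successful first factor.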
