OIDC with Authelia / Error: Unexpected token e in JSON at position 0

Hello, I've migrated Immich to a new server. The database and photos have been imported successfully. The previous server used Authentik and used to work just fine. On this server I'd like to migrate to Authelia and Traefik. Redirect and certificates are working as expected. I can log in to Immich using my password. In Administration I've reset the OAuth settings to the ones configured in Authelia. When I click the "Login with OAuth" button on the login page, I'm redirected to Authelia, I can log in successfully, but after that I'm redirected to Immich's login page where there's a message saying "Internal Server Error". The Docker logs list the following:
[Nest] 193 - 09/21/2023, 9:41:46 PM ERROR [ExceptionsHandler] Unexpected token e in JSON at position 0
SyntaxError: Unexpected token e in JSON at position 0
at JSON.parse (<anonymous>)
at Client.userinfo (/app/immich/server/node_modules/openid-client/lib/client.js:1264:23)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async AuthService.callback (/app/immich/server/dist/domain/auth/auth.service.js:167:25)
at async OAuthController.callback (/app/immich/server/dist/immich/controllers/oauth.controller.js:39:38)
at async /app/immich/server/node_modules/@nestjs/core/router/router-execution-context.js:46:28
at async /app/immich/server/node_modules/@nestjs/core/router/router-proxy.js:9:17
I'll post the Authelia configuration in another message.
6 Replies
zkvvoob (OP), 2y ago
Here's the OIDC configuration for Authelia:
identity_providers:
  oidc:
    hmac_secret: {128-character-secret}
    issuer_private_key: {KEY}
    access_token_lifespan: 1h
    authorize_code_lifespan: 1m
    id_token_lifespan: 1h
    refresh_token_lifespan: 90m
    enable_client_debug_messages: true
    cors:
      endpoints:
        - authorization
        - token
        - revocation
        - introspection
        - userinfo
      allowed_origins:
        - https://auth.mydomain.com
      allowed_origins_from_client_redirect_uris: false
    clients:
      - id: immich
        description: Photo backup
        secret: {128-character-secret}
        public: false
        authorization_policy: one_factor
        consent_mode: auto
        pre_configured_consent_duration: 6M
        scopes:
          - openid
          - email
          - profile
        grant_types:
          - authorization_code
        redirect_uris:
          - https://photos.mydomain.com/auth/login
          - https://photos.mydomain.com/user-settings
          - app.immich:/
        userinfo_signing_algorithm: RS256
bo0tzz, 2y ago
It's expecting a JSON response but not getting one, and with the e I would guess the response starts with "error". Do the Authelia logs say anything?
zkvvoob (OP), 2y ago
Here's what's in Authelia's log:
msg="Authorization Request with id 'b4679b50-5e78-4bbd-9a78-51ccb1c4844f' on client with id 'immich' is being processed" method=GET path=/api/oidc/authorization remote_ip=X.X.X.X
msg="Mark 1FA authentication attempt made by user 'zkvvoob'" method=POST path=/api/firstfactor remote_ip=X.X.X.X
msg="Successful 1FA authentication attempt made by user 'zkvvoob'" method=POST path=/api/firstfactor remote_ip=X.X.X.X
msg="Authorization Request with id '09e9d469-810d-4007-86ce-b18e2cf0de3b' on client with id 'immich' is being processed" method=GET path=/api/oidc/authorization remote_ip=X.X.X.X
msg="Authorization Request with id '09e9d469-810d-4007-86ce-b18e2cf0de3b' on client with id 'immich' using consent mode 'pre-configured' attempting to discover pre-configurations with signature of client id 'immich' and subject '61256c27-35be-44b2-8910-ebd88b6f0b31' and scopes 'openid email profile'" method=GET path=/api/oidc/authorization remote_ip=X.X.X.X
msg="Authorization Request with id '09e9d469-810d-4007-86ce-b18e2cf0de3b' on client with id 'immich' using consent mode 'pre-configured' successfully looked up pre-configured consent with signature of client id 'immich' and subject '61256c27-35be-44b2-8910-ebd88b6f0b31' and scopes 'openid email profile' with id '1'" method=GET path=/api/oidc/authorization remote_ip=X.X.X.X
msg="Authorization Request with id '09e9d469-810d-4007-86ce-b18e2cf0de3b' on client with id 'immich' was successfully processed, proceeding to build Authorization Response" method=GET path=/api/oidc/authorization remote_ip=X.X.X.X
msg="Access Request with id '09e9d469-810d-4007-86ce-b18e2cf0de3b' on client with id 'immich' is being processed" method=POST path=/api/oidc/token remote_ip=X.X.X.X
msg="Access Request with id '09e9d469-810d-4007-86ce-b18e2cf0de3b' on client with id 'immich' has successfully been processed" method=POST path=/api/oidc/token remote_ip=X.X.X.X
I'm using Traefik as a reverse proxy, if that matters.
jrasm91, 2y ago
What is the pre configured content thing?
zkvvoob (OP), 2y ago
I beg your pardon? What thing?
Hi, @bo0tzz! Have you had a chance to see the Authelia log I pasted yesterday? Does it help?
I think I've found the culprit: userinfo_signing_algorithm: RS256 in Authelia should be userinfo_signing_algorithm: none.
тσηι, 2y ago
Hi, I have a similar error, although it is not the "unexpected token e ..." one; it's the "SyntaxError: Unexpected token < in JSON at position 0..." that gets thrown from the Immich server when trying to log in via OIDC with Authelia. Did you maybe also see this error already? And could you show your OAuth Authentication Immich settings?
Just to document it: after searching in other threads too, I saw that the issuer URL should be something like https://auth.domain.com; after adapting that, it works like a charm.
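
Both errors in this thread are JSON.parse failing on the first character of a UserInfo response that is not plain JSON. The sketch below is an added example, not code from Immich, openid-client or Authelia: it classifies such a body, since a signed UserInfo JWT starts with "eyJ" (consistent with the userinfo_signing_algorithm fix reported above) and an HTML page starts with "<". The function names and sample bodies are constructed for illustration.

```javascript
// Added example: classify a UserInfo response body before JSON.parse sees it.
// All sample values below are constructed; the signature is a dummy.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Constructed signed-UserInfo sample in compact form: header.payload.signature
const sampleJwt = [
  b64url({ alg: 'RS256', typ: 'JWT' }),
  b64url({ sub: 'constructed-subject', email: 'user@example.com' }),
  'ZHVtbXktc2lnbmF0dXJl',
].join('.');

function classifyUserinfoBody(body, contentType = '') {
  const text = body.trim();
  const type = contentType.split(';')[0].trim().toLowerCase();
  // Compact JWS: three base64url segments; a JSON object header encodes to "eyJ...".
  if (type === 'application/jwt' || /^eyJ[\w-]*\.[\w-]+\.[\w-]*$/.test(text)) {
    let alg = 'unknown';
    try {
      const header = Buffer.from(text.split('.')[0], 'base64url').toString('utf8');
      alg = JSON.parse(header).alg;
    } catch { /* header not decodable; keep 'unknown' */ }
    return { kind: 'jwt', alg,
      hint: 'Provider signs UserInfo but the client expects plain JSON.' };
  }
  if (text.startsWith('<')) {
    return { kind: 'html',
      hint: 'Got an HTML page instead of UserInfo; check the issuer URL.' };
  }
  try {
    return { kind: 'json', claims: JSON.parse(text) };
  } catch {
    return { kind: 'unknown',
      hint: `Unparseable body starting with ${JSON.stringify(text.slice(0, 20))}` };
  }
}

// The failure from the thread: JSON.parse on a non-JSON body throws a SyntaxError.
function parseFails(body) {
  try { JSON.parse(body); return false; } catch (e) { return e instanceof SyntaxError; }
}
```

Logging the `kind` and `hint` for the raw body (never the token or claims themselves) is enough to tell a signing-algorithm mismatch from a wrong issuer URL.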
