Failed to finish OAuth, outgoing request timed out after 30000ms, unable to reach authentik.

Hi, not too sure what the issue at hand is here. So authentik is set up as an OAuth provider with all the proper secrets and client IDs entered into Immich, with the respective redirect URLs, but somehow Immich is unable to reach the SSO. The OAuth works when forwarded to the local IP, but not when authentik is behind a proxy. This traefik config used to work in the past.
10 Replies
Immich, 5mo ago
Hey @ShadowRenes, thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich.

References
- Container Logs: docker compose logs (docs)
- Container Status: docker ps -a (docs)
- Reverse Proxy: https://immich.app/docs/administration/reverse-proxy
- Code Formatting: https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline#h_01GY0DAKGXDEHE263BCAYEGFJA

Checklist
I have...
1. verified I'm on the latest release (note that mobile app releases may take some time).
2. read applicable release notes.
3. reviewed the FAQs for known issues.
4. reviewed Github for known issues.
5. tried accessing Immich via local IP (without a custom reverse proxy).
6. uploaded the relevant information (see below).
7. tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable.
(an item can be marked as "complete" by reacting with the appropriate number)

Information
In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:
- Your docker-compose.yml and .env files.
- Logs from all the containers and their status (see above).
- All the troubleshooting steps you've tried so far.
- Any recent changes you've made to Immich or your system.
- Details about your system (both software/OS and hardware).
- Details about your storage (filesystems, type of disks, output of commands like fdisk -l and df -h).
- The version of the Immich server, mobile app, and other relevant pieces.
- Any other information that you think might be relevant.

Please paste files and logs with proper code formatting, and especially avoid blurry screenshots. Without the right information we can't work out what the problem is. Help us help you ;)
If this ticket can be closed you can use the /close command, and re-open it later if needed.
ShadowRenes (OP), 5mo ago
Immich logs:
RPError: outgoing request timed out after 30000ms
    at /usr/src/app/node_modules/openid-client/lib/helpers/request.js:140:13
    at async Issuer.queryKeyStore (/usr/src/app/node_modules/openid-client/lib/helpers/issuer.js:84:20)
    at async /usr/src/app/node_modules/openid-client/lib/helpers/issuer.js:35:26
    at async Client.validateJWT (/usr/src/app/node_modules/openid-client/lib/client.js:1089:14)
    at async Client.validateIdToken (/usr/src/app/node_modules/openid-client/lib/client.js:793:49)
    at async Client.callback (/usr/src/app/node_modules/openid-client/lib/client.js:532:7)
    at async OAuthRepository.getProfile (/usr/src/app/dist/repositories/oauth.repository.js:45:28)
    at async AuthService.callback (/usr/src/app/dist/services/auth.service.js:136:25)
    at async OAuthController.finishOAuth (/usr/src/app/dist/controllers/oauth.controller.js:39:22)
schuhbacca, 5mo ago
Are you able to validate the server container can reach your public authentik domain?
curl -sSf https://authentik.example.com > /dev/null && echo "success"
ShadowRenes (OP), 5mo ago
No, it times out.
schuhbacca, 5mo ago
Seems like some kind of networking issue outside immich then. If it can't hit your authentik service it won't work. I use authentik and traefik and have no issues with it.
ShadowRenes (OP), 5mo ago
Hmm, then how would I go about fixing it? Not too sure how to even diagnose the problem in the first place.
schuhbacca, 5mo ago
Look at Traefik's logs? Authentik's logs? Validate you can hit the public URL from other containers / machines? I'm not 100% sure of the best way to diagnose. Does your container have access to the internet?
ShadowRenes (OP), 5mo ago
Um, so OAuth works when Immich is redirected to authentik's local IP, but not to the domain. The domain for authentik is accessible from other machines, but cannot be curled from the host VM of authentik. The host container for Immich is able to access the internet.

Security headers for traefik:

# Security headers
securityHeaders:
  headers:
    customResponseHeaders:
      X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
      server: ""
      X-Forwarded-Proto: "https"
    sslProxyHeaders:
      X-Forwarded-Proto: https
    referrerPolicy: "strict-origin-when-cross-origin"
    hostsProxyHeaders:
      - "X-Forwarded-Host"
    customRequestHeaders:
      X-Forwarded-Proto: "https"
    contentTypeNosniff: true
    browserXssFilter: true
    forceSTSHeader: true
    stsIncludeSubdomains: true
    stsSeconds: 63072000
    stsPreload: true
bo0tzz, 5mo ago
Are Immich & Authentik running on the same machine?
ShadowRenes (OP), 5mo ago
I have tried running authentik together with traefik on the same VM, authentik as its separate VM and, right now, authentik with Immich on the same VM, but the issue persists. Firewall is also disabled for authentik_server. This auth_via": "unauthenticated", "domain_url pops out but I'm not too sure of its significance.
