OAuth not valid JSON
[Nest] 179 - 03/15/2025, 8:17:12 AM LOG [Api:EventRepository] Websocket Connect: fy5znUek8UCi44CcAAAN
[Nest] 179 - 03/15/2025, 8:21:56 AM LOG [Api:SystemConfigService~6w2zu5ci] LogLevel=log (set via system config)
[Nest] 200 - 03/15/2025, 8:21:56 AM LOG [Microservices:SystemConfigService] LogLevel=log (set via system config)
[Nest] 179 - 03/15/2025, 8:22:08 AM LOG [Api:EventRepository] Websocket Disconnect: fy5znUek8UCi44CcAAAN
[Nest] 179 - 03/15/2025, 8:22:10 AM ERROR [Api:OAuthRepository~ewn5qzug] Error in OAuth discovery: SyntaxError: Unexpected token '<', "<!doctype "... is not valid JSON
[Nest] 179 - 03/15/2025, 8:22:10 AM ERROR [Api:OAuthRepository~ewn5qzug] SyntaxError: Unexpected token '<', "<!doctype "... is not valid JSON
    at JSON.parse (<anonymous>)
I am using Authentik, I have checked the config on both apps, seems to be ok. Ideas ? Thx
16 Replies
:wave: Hey @[2RCP] Bonobo_Fi,
Thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich :immich:.
References
- Container Logs: docker compose logs
- Container Status: docker ps -a
- Reverse Proxy: https://immich.app/docs/administration/reverse-proxy
- Code Formatting https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline#h_01GY0DAKGXDEHE263BCAYEGFJA
Checklist
I have...
1. :blue_square: verified I'm on the latest release (note that mobile app releases may take some time).
2. :blue_square: read applicable release notes.
3. :blue_square: reviewed the FAQs for known issues.
4. :blue_square: reviewed Github for known issues.
5. :blue_square: tried accessing Immich via local ip (without a custom reverse proxy).
6. :blue_square: uploaded the relevant information (see below).
7. :blue_square: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable
(an item can be marked as "complete" by reacting with the appropriate number)
Information
In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:
- Your docker-compose.yml and .env files.
- Logs from all the containers and their status (see above).
- All the troubleshooting steps you've tried so far.
- Any recent changes you've made to Immich or your system.
- Details about your system (both software/OS and hardware).
- Details about your storage (filesystems, type of disks, output of commands like fdisk -l and df -h).
- The version of the Immich server, mobile app, and other relevant pieces.
- Any other information that you think might be relevant.
Please paste files and logs with proper code formatting, and especially avoid blurry screenshots.
Without the right information we can't work out what the problem is. Help us help you ;)
If this ticket can be closed you can use the /close command, and re-open it later if needed.
the json config file for OAuth:
"oauth": {
  "autoLaunch": true,
  "autoRegister": true,
  "buttonText": "Login with OAuth",
  "clientId": "UnS3xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxnJ9",
  "clientSecret": "Qq8xxxxxxxpu1xxxxxxxxxxxxxxxxxxxxxxxxxxxxx0RLICDnMfZ",
  "defaultStorageQuota": 0,
  "enabled": true,
  "issuerUrl": "https://immich.domain.org/",
  "mobileOverrideEnabled": false,
  "mobileRedirectUri": "https://immich.domain.org/api/oauth/mobile-redirect",
  "profileSigningAlgorithm": "RS256",
  "scope": "openid email profile",
  "signingAlgorithm": "RS256",
  "storageLabelClaim": "preferred_username",
  "storageQuotaClaim": "immich_quota"
}
You are missing all of the correct redirect URLs
See https://immich.app/docs/administration/oauth
OpenID Configuration URL: https://authentik.domain.tld/application/o/immich/.well-known/openid-configuration
OpenID Configuration Issuer: https://authentik.domain.tld/application/o/immich/
Authorize URL: https://authentik.domain.tld/application/o/authorize/
Token URL: https://authentik.domain.tld/application/o/token/
Userinfo URL: https://authentik.domain.tld/application/o/userinfo/
Logout URL: https://authentik.domain.tld/application/o/immich/end-session/
JWKS URL: https://authentik.domain.tld/application/o/immich/jwks/
Redirect URIs:
- regex: https://immich.domain.tld/auth/login
- regex: https://immich.domain.tld/user-setting
Which one is wrong ? All ?
Bottom two are what you didn't post, now you're missing app.immich:///oauth-callback for the app to work
mobile-redirect is not a URL immich uses
It's btw quite literally that URL, don't fill out the TLD or anything
See also the authentik example at the bottom of the URL I gave you
ok I am going to modify it
Now I have a "failed to finish oauth" and it restarts like a loop ...
hmm you also have /user-setting instead of /user-settings
corrected but same
OpenID Configuration URL: https://authentik.domain.tld/application/o/immich/.well-known/openid-configuration
OpenID Configuration Issuer: https://authentik.domain.tld/application/o/immich/
Authorize URL: https://authentik.domain.tld/application/o/authorize/
Token URL: https://authentik.domain.tld/application/o/token/
Userinfo URL: https://authentik.domain.tld/application/o/userinfo/
Logout URL: https://authentik.domain.tld/application/o/immich/end-session/
JWKS URL: https://authentik.domain.tld/application/o/immich/jwks/
Redirect URIs:
- regex: https://domain.tld/auth/login
- regex: https://domain.tld/user-settings
- regex: app.immich:///oauth-callback
I am using traefik as reverse proxy too
Not my expertise I'm afraid 👀 but that definitely sounds like something could be wrong too
np
In Immich, the issuer URL is: https://authentik.domain.tld/application/o/slug/.well-known/openid-configuration
and what algorithms to use ES384, RS256 ?? Or others ??
I have used RS256 ....
I now have these error logs
[Nest] 178 - 03/15/2025, 11:31:54 AM ERROR [Api:ErrorInterceptor~pb1pxfcr] Unknown error: RPError: expected application/jwt response from the userinfo_endpoint
RPError: expected application/jwt response from the userinfo_endpoint
    at Client.userinfo (/app/immich/server/node_modules/openid-client/lib/client.js:1295:15)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async OAuthRepository.getProfile (/app/immich/server/dist/repositories/oauth.repository.js:43:29)
    at async AuthService.callback (/app/immich/server/dist/services/auth.service.js:136:25)
    at async OAuthController.finishOAuth (/app/immich/server/dist/controllers/oauth.controller.js:39:22)
and a Failed to finish oauth
is it a problem with the RS256 ?
It seems to be a problem with my reverse proxy and how the cert is configured ...
If that is the case, are you passing the full chain cert or just the end cert? It can make a big difference
no idea, come back to you
I'm having the same issue and I'm at the same point you are. Did you figure this out yet? I'm using Zoraxy as my proxy but docker logs show same thing you're seeing.
nope ... I didn't find anybody to help me .... it seems to be more or less linked to my Traefik ...
for immich, what port number are you using ? The default one ?
Immich itself is using 2283, yeah.
{"ClientAddr":"172.71.148.144:58984","ClientHost":"172.71.148.144","ClientPort":"58984","ClientUsername":"-","DownstreamContentSize":1207,"DownstreamStatus":404,"Duration":289295542,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":289295542,"RequestAddr":"immich.domain.tld","RequestContentSize":0,"RequestCount":504802,"RequestHost":"immich.domain.tld","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"immich@docker","SpanId":"0000000000000000","StartLocal":"2025-03-30T08:12:39.819586322+03:00"
my last log .... OriginStatus=0 Traefik doesn't know how to route
I asked support on reddit ... I will let you know if ...
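Added example, not part of the thread and not Immich or openid-client code: both errors logged above are content-type mismatches (HTML where a JSON discovery document was expected, JSON where a signed JWT profile was expected), and this offline check classifies each case. The function names, result labels and sample responses are constructed for illustration, and treating 'none' as "unsigned profile expected" is an assumption.

```javascript
// Added example. All responses below are constructed samples, not captured traffic.

// Classify what came back from <issuer>/.well-known/openid-configuration.
function checkDiscovery(issuerUrl, res) {
  if (res.status !== 200) return `http-${res.status}`;
  const body = res.body.trimStart();
  // An HTML page here is what makes JSON.parse fail with: Unexpected token '<'
  if (body.startsWith('<') || !/json/i.test(res.contentType)) return 'html-not-json';
  let doc;
  try { doc = JSON.parse(body); } catch { return 'invalid-json'; }
  if (typeof doc.issuer !== 'string') return 'no-issuer';
  // The document must describe the identity provider that was configured.
  if (new URL(doc.issuer).host !== new URL(issuerUrl).host) return 'issuer-host-mismatch';
  return 'ok';
}

// Compare the configured profile signing algorithm with the userinfo response type.
// Assumption: 'none' (or empty) means an unsigned JSON userinfo response is expected.
function checkUserinfo(profileSigningAlgorithm, res) {
  const expectsJwt = Boolean(profileSigningAlgorithm) && profileSigningAlgorithm !== 'none';
  const isJwt = /^application\/jwt\b/i.test(res.contentType);
  if (expectsJwt && !isJwt) return 'expected-jwt-got-json';
  if (!expectsJwt && isJwt) return 'expected-json-got-jwt';
  return 'ok';
}

// Constructed samples: a web page, a discovery document, a plain JSON profile.
const htmlPage = { status: 200, contentType: 'text/html', body: '<!doctype html><html></html>' };
const idpDoc = {
  status: 200,
  contentType: 'application/json',
  body: JSON.stringify({
    issuer: 'https://authentik.domain.tld/application/o/immich/',
    userinfo_endpoint: 'https://authentik.domain.tld/application/o/userinfo/',
  }),
};
const jsonUserinfo = { status: 200, contentType: 'application/json', body: '{"sub":"constructed"}' };

function runSamples() {
  return {
    issuerAtImmich: checkDiscovery('https://immich.domain.org/', htmlPage),
    issuerAtAuthentik: checkDiscovery('https://authentik.domain.tld/application/o/immich/', idpDoc),
    rs256Profile: checkUserinfo('RS256', jsonUserinfo),
    unsignedProfile: checkUserinfo('none', jsonUserinfo),
  };
}

console.log(runSamples());
```

To use it against a live setup, fetch the discovery and userinfo URLs from inside the Immich container and pass in the status, Content-Type header and body, so that the reverse proxy path is exercised as well.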