Issues connecting Immich to Jumpcloud via Oauth/OIDC, Cannot Login
Hi everyone!
I've set up Immich to authenticate against Jumpcloud using the OAuth functionality built into Immich. I ran into a problem immediately as Jumpcloud only allows for https redirect URIs, so I set up Zoraxy as a reverse proxy to redirect https://immich.mydomain.com -> 192.168.3.174:2283.
After this, logging in w/ OAuth would send me to Jumpcloud then back to Immich login etc, and the F12 menu seemed to show that Immich was expecting Jumpcloud to be using the "Basic" client authentication type. I recreated the app in Jumpcloud, chose "Login with OAuth" in Immich, and now I get a "failed to finish oauth" error message. I get a similar error if I try to link my account to OAuth. I've attached the error I get in the Docker logs when doing either of these options. I can see these requests go back and forth in the F12 -> Network menu in a web browser. It goes to Jumpcloud, authenticates me correctly, then sends me back to Immich but it fails there. If there is something specific I can send from the F12 menu let me know.
I've also attached screenshots of my OAuth config in Immich and Jumpcloud, and the docker-compose.yml. This is a fresh install of Debian 12, so it shouldn't have any custom .env variables. I didn't see anything in /etc/environment or .bashrc. The default is in .profile, see the attached .txt. Also, in the Immich oauth config screenshot you'll see profile signing algo is empty. I just did that as a test to see if it would say what the default is, I thought I put it in manually.
Edit: I tried this with a different account in Jumpcloud to see if it would create a new account in Immich and let me in that way, but that didn't work either.
Let me know what else I can send over.
8 Replies
:wave: Hey @cable tv,
Thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich :immich:.
References
- Container Logs: docker compose logs (docs)
- Container Status: docker ps -a (docs)
- Reverse Proxy: https://immich.app/docs/administration/reverse-proxy
- Code Formatting: https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline#h_01GY0DAKGXDEHE263BCAYEGFJA
Checklist
I have...
1. :ballot_box_with_check: verified I'm on the latest release (note that mobile app releases may take some time).
2. :ballot_box_with_check: read applicable release notes.
3. :ballot_box_with_check: reviewed the FAQs for known issues.
4. :ballot_box_with_check: reviewed Github for known issues.
5. :ballot_box_with_check: tried accessing Immich via local ip (without a custom reverse proxy).
6. :ballot_box_with_check: uploaded the relevant information (see below).
7. :ballot_box_with_check: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable
(an item can be marked as "complete" by reacting with the appropriate number)
Information
In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:
- Your docker-compose.yml and .env files.
- Logs from all the containers and their status (see above).
- All the troubleshooting steps you've tried so far.
- Any recent changes you've made to Immich or your system.
- Details about your system (both software/OS and hardware).
- Details about your storage (filesystems, type of disks, output of commands like fdisk -l and df -h).
- The version of the Immich server, mobile app, and other relevant pieces.
- Any other information that you think might be relevant.
Please paste files and logs with proper code formatting, and especially avoid blurry screenshots.
Without the right information we can't work out what the problem is. Help us help you ;)
If this ticket can be closed you can use the /close command, and re-open it later if needed.
Immich should be fully updated, forgot to mention that. I saw something in the release notes about oauth but didn't notice any difference in behavior.

Successfully submitted, a tag has been added to inform contributors. :white_check_mark:
Is there any other information I could provide to help in resolving this? I was able to take a capture of the transaction as a .HAR file, if that helps.
I did see the other threads about the Nextcloud OIDC issue, but I don't think they're related. They present different errors.
this is a really advanced topic, I think you should probably just switch to a compliant OIDC provider, sorry
Ahh, I was really hoping to keep things tied to one provider as we use them for several other apps already. I know you can usually tie two of them together so it's still one set of credentials, but I want to avoid managing multiple IdPs and syncing between them.
Is there anything I can do to figure out what is going on? Could this be an issue with the response Immich receives in the end? Jumpcloud isn't able to use an HTTP redirect_uri, so maybe there is some issue with how the reverse proxy is handling the HTTPS -> HTTP redirect.
Sorry to push back, no ill-will meant! If this is more of a "just drop it" sort of thing, I will move on, lol. Just exhausting all my options. Thank you!!
I'm sure there's stuff you can do but it's probably at the level beyond what most of us here know, sorry
I would reach out to the OIDC provider; this is more in their ballpark
No no, that's okay! I thought you meant it was beyond me, lol. I'll circle back with Jumpcloud, thank you for the input!