Immich•9mo ago

Oauth authentication against Nextcloud OIDC provider fails with 401

Hi,
I'm trying to authenticate immich against the nextcloud oidc provider. I can authenticate my forgejo installation against it, so the nextcloud part seems to work.
Whenever I try to use oauth, I get this error in immich:

immich_server            | [Nest] 17  - 04/10/2025, 9:31:13 PM   ERROR [Api:ErrorInterceptor~x3s9wk3m] Unknown error: OPError: expected 200 OK, got: 401 Unauthorized
immich_server            | OPError: expected 200 OK, got: 401 Unauthorized
immich_server            |     at processResponse (/usr/src/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)
immich_server            |     at Client.grant (/usr/src/app/node_modules/openid-client/lib/client.js:1381:22)
immich_server            |     at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
immich_server            |     at async Client.callback (/usr/src/app/node_modules/openid-client/lib/client.js:520:24)
immich_server            |     at async OAuthRepository.getProfile (/usr/src/app/dist/repositories/oauth.repository.js:42:28)
immich_server            |     at async AuthService.link (/usr/src/app/dist/services/auth.service.js:178:34)

immich_server            | [Nest] 17  - 04/10/2025, 9:31:13 PM   ERROR [Api:ErrorInterceptor~x3s9wk3m] Unknown error: OPError: expected 200 OK, got: 401 Unauthorized
immich_server            | OPError: expected 200 OK, got: 401 Unauthorized
immich_server            |     at processResponse (/usr/src/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)
immich_server            |     at Client.grant (/usr/src/app/node_modules/openid-client/lib/client.js:1381:22)
immich_server            |     at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
immich_server            |     at async Client.callback (/usr/src/app/node_modules/openid-client/lib/client.js:520:24)
immich_server            |     at async OAuthRepository.getProfile (/usr/src/app/dist/repositories/oauth.repository.js:42:28)
immich_server            |     at async AuthService.link (/usr/src/app/dist/services/auth.service.js:178:34)

immich_server            | [Nest] 17  - 04/10/2025, 9:31:13 PM   ERROR [Api:ErrorInterceptor~x3s9wk3m] Unknown error: OPError: expected 200 OK, got: 401 Unauthorized
immich_server            | OPError: expected 200 OK, got: 401 Unauthorized
immich_server            |     at processResponse (/usr/src/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)
immich_server            |     at Client.grant (/usr/src/app/node_modules/openid-client/lib/client.js:1381:22)
immich_server            |     at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
immich_server            |     at async Client.callback (/usr/src/app/node_modules/openid-client/lib/client.js:520:24)
immich_server            |     at async OAuthRepository.getProfile (/usr/src/app/dist/repositories/oauth.repository.js:42:28)
immich_server            |     at async AuthService.link (/usr/src/app/dist/services/auth.service.js:178:34)

immich_server            | [Nest] 17  - 04/10/2025, 9:31:13 PM   ERROR [Api:ErrorInterceptor~x3s9wk3m] Unknown error: OPError: expected 200 OK, got: 401 Unauthorized
immich_server            | OPError: expected 200 OK, got: 401 Unauthorized
immich_server            |     at processResponse (/usr/src/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)
immich_server            |     at Client.grant (/usr/src/app/node_modules/openid-client/lib/client.js:1381:22)
immich_server            |     at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
immich_server            |     at async Client.callback (/usr/src/app/node_modules/openid-client/lib/client.js:520:24)
immich_server            |     at async OAuthRepository.getProfile (/usr/src/app/dist/repositories/oauth.repository.js:42:28)
immich_server            |     at async AuthService.link (/usr/src/app/dist/services/auth.service.js:178:34)

In Nextcloud, I get 3 warning messages which I will put in the next post because of maximum message length.

Any ideas what I could try? I made sure the client secret is correct. I deleted immich from nextcloud oidc-provider and added it again multiple times. A screenshot of my config in immich (slightly censored) is attached.

Immich•4/10/25, 9:40 PM

:wave: Hey @Knafrag,

Thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich :immich:.

References

Container Logs:
```
docker compose logs
```
```
docker compose logs
```
docs
Container Status:
```
docker ps -a
```
```
docker ps -a
```
docs
Reverse Proxy: https://immich.app/docs/administration/reverse-proxy
Code Formatting https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline#h_01GY0DAKGXDEHE263BCAYEGFJA

Immich•4/10/25, 9:40 PM

Checklist

I have...

:ballot_box_with_check: verified I'm on the latest release(note that mobile app releases may take some time).
:ballot_box_with_check: read applicable release notes.
:ballot_box_with_check: reviewed the FAQs for known issues.
:ballot_box_with_check: reviewed Github for known issues.
:ballot_box_with_check: tried accessing Immich via local ip (without a custom reverse proxy).
:ballot_box_with_check: uploaded the relevant information (see below).
:ballot_box_with_check: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable

(an item can be marked as "complete" by reacting with the appropriate number)

Information

In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:

Your docker-compose.yml and .env files.
Logs from all the containers and their status (see above).
All the troubleshooting steps you've tried so far.
Any recent changes you've made to Immich or your system.
Details about your system (both software/OS and hardware).
Details about your storage (filesystems, type of disks, output of commands like
```
fdisk -l
```
```
fdisk -l
```
and
```
df -h
```
```
df -h
```
).
The version of the Immich server, mobile app, and other relevant pieces.
Any other information that you think might be relevant.

Please paste files and logs with proper code formatting, and especially avoid blurry screenshots.
Without the right information we can't work out what the problem is. Help us help you ;)

If this ticket can be closed you can use the

/close

/close

command, and re-open it later if needed.

KnafragOP•4/10/25, 9:42 PM

nextcloud warnings:

[oidc] Warning: OIDCIdentityProvider BasicAuthBackend: RequestUri was: /<myNCpath>/index.php/tokenAllowed is only the token endpoint: /<myNCpath>/apps/oidc/token
    POST /<myNCpath>/index.php/token
    from 10.2.2.1 by ? at Apr 10, 2025, 11:31:13 PM

[oidc] Warning: OIDCIdentityProvider BasicAuthBackend: RequestUri was: /wolke9000/index.php/tokenAllowed is only the token endpoint: /wolke9000/apps/oidc/token
    POST /wolke9000/index.php/token
    from 10.2.2.1 by ? at Apr 10, 2025, 11:31:13 PM

[core] Warning: Login failed: '<myClientID>' (Remote IP: '10.2.2.1')
    POST /<myNCpath>/index.php/token
    from 10.2.2.1 by ? at Apr 10, 2025, 11:31:13 PM

[oidc] Warning: OIDCIdentityProvider BasicAuthBackend: RequestUri was: /<myNCpath>/index.php/tokenAllowed is only the token endpoint: /<myNCpath>/apps/oidc/token
    POST /<myNCpath>/index.php/token
    from 10.2.2.1 by ? at Apr 10, 2025, 11:31:13 PM

[oidc] Warning: OIDCIdentityProvider BasicAuthBackend: RequestUri was: /wolke9000/index.php/tokenAllowed is only the token endpoint: /wolke9000/apps/oidc/token
    POST /wolke9000/index.php/token
    from 10.2.2.1 by ? at Apr 10, 2025, 11:31:13 PM

[core] Warning: Login failed: '<myClientID>' (Remote IP: '10.2.2.1')
    POST /<myNCpath>/index.php/token
    from 10.2.2.1 by ? at Apr 10, 2025, 11:31:13 PM

Daniel•4/10/25, 9:43 PM

Could you also share the nextcloud config?

Daniel•4/10/25, 9:44 PM

And the paths of the links of the issuer URL would be helpful

Daniel•4/10/25, 9:44 PM

So open that page and send a (censored if you want) screenshot

KnafragOP•4/10/25, 9:50 PM

Here's the nc config

KnafragOP•4/10/25, 9:51 PM

I tried changing the expire times to many (123456) seconds which didn't help

DDaniel And the paths of the links of the issuer URL would be helpful

KnafragOP•4/10/25, 9:52 PM

By that, do you mean what /.well-known/openid-configuration points to?

Daniel•4/10/25, 9:52 PM

Yep!

Daniel•4/10/25, 9:52 PM

It should give you some json

KnafragOP•4/10/25, 9:53 PM

I'll try to make in somewhat pretty

Daniel•4/10/25, 9:54 PM

Browsers should just auto-format it

Daniel•4/10/25, 9:54 PM

Or have a button for it

KnafragOP•4/10/25, 9:55 PM

KnafragOP•4/10/25, 10:01 PM

When I use curl to send a get request to the token_endpoint (apps/oidc/token) I get a HTTP/1.1 405 Method Not AllowedHTTP/1.1 405 Method Not Allowed error. To me that suggests that nextcloud is at least listening there and handling my request

Daniel•4/10/25, 10:03 PM

It expects a POST I'd assume

KnafragOP•4/10/25, 10:06 PM

Apparently:

curl -d "param1=value1&param2=value2" -X POST https://foo/bar/apps/oidc/token
{"error":"invalid_grant","error_description":"Invalid grant_type provided. Must be authorization_code or refresh_token."}

curl -d "param1=value1&param2=value2" -X POST https://foo/bar/apps/oidc/token
{"error":"invalid_grant","error_description":"Invalid grant_type provided. Must be authorization_code or refresh_token."}

Daniel•4/10/25, 10:06 PM

Hmmm so the oidc config endpoint tells it to use /<myNCpath>/apps/oidc/token/<myNCpath>/apps/oidc/token but Immich posts to /token/token?

KnafragOP•4/10/25, 10:07 PM

does it?

Daniel•4/10/25, 10:07 PM

The thing is I'm fairly certain it must be an issue with how you've configured the nextcloud oidc stuff, since it works for everyone, but at the time it doesn't make any sense

KKnafrag Click to see attachment

bo0tzz•4/10/25, 10:07 PM

Is this from the exact same address as entered in immich?

KKnafrag nextcloud warnings: ``` [oidc] Warning: OIDCIdentityProvider BasicAuthBackend: R...

Daniel•4/10/25, 10:07 PM

It says so here

Bbo0tzz Is this from the exact same address as entered in immich?

KnafragOP•4/10/25, 10:08 PM

yes, I copy & pasted from the immich configuration page

DDaniel It says so here

KnafragOP•4/10/25, 10:08 PM

do you mean the index.php/tokenAllowed ?

KKnafrag yes, I copy & pasted from the immich configuration page

bo0tzz•4/10/25, 10:09 PM

KKnafrag do you mean the index.php/tokenAllowed ?

bo0tzz•4/10/25, 10:09 PM

I think the Allowed there is actually part of the next sentence in the error message

bo0tzz•4/10/25, 10:09 PM

Ie it's bad formatting and there should be a space

KnafragOP•4/10/25, 10:09 PM

I see, and it posts to index.php/token

bo0tzz•4/10/25, 10:09 PM

Apparently yeah

Bbo0tzz I think the Allowed there is actually part of the next sentence in the error mes...

Daniel•4/10/25, 10:09 PM

Yeah exactly, that's what I thought too

KKnafrag I see, and it posts to index.php/token

bo0tzz•4/10/25, 10:10 PM

But I don't see how that could possibly happen if that's not in the well-known response

KnafragOP•4/10/25, 10:10 PM

That makes a lot of sense. I've been wondering about tokenAllowed for a few days, trying to find where it came from

DDaniel The thing is I'm fairly certain it must be an issue with how you've configured t...

Daniel•4/10/25, 10:11 PM

Same @bo0tzz lol

Daniel•4/10/25, 10:13 PM

Just to make sure; have you tried restarting Immich? lmao

KnafragOP•4/10/25, 10:15 PM

many times

KnafragOP•4/10/25, 10:15 PM

and nextcloud

KnafragOP•4/10/25, 10:16 PM

the strange thing is that I can authenticate forgejo against the nextcloud oidc provider

KnafragOP•4/10/25, 10:16 PM

so it seems to work in general

Daniel•4/10/25, 10:16 PM

I assume forgejo doesn't use the well known endpoint?

Daniel•4/10/25, 10:17 PM

You probably configured the token endpoint manually there?

KnafragOP•4/10/25, 10:19 PM

no, I just entered 3 things: the auto discovery url, the client ID and the secret

KnafragOP•4/10/25, 10:20 PM

and I configured the redirection URI in nextcloud for forgejo

KnafragOP•4/10/25, 10:21 PM

I was already wondering if the immich_quota claim that immich might check for can be the issue. But nothing in any message I get hints to that.

KKnafrag no, I just entered 3 things: the auto discovery url, the client ID and the secre...

Daniel•4/10/25, 10:22 PM

Oh that makes it even weirder

KnafragOP•4/10/25, 10:23 PM

I even tried swapping the oidc clients. So using forgejo's ID and secret for immich, after adapting the redirect URIs in NC. Didn't change a thing

KnafragOP•4/10/25, 10:40 PM

Thank you very much for your help so far. I gotta run for now, but I'll check back tomorrow. Maybe someone has more ideas what I can try.

KnafragOP•4/14/25, 8:47 PM

I do have an update:
I now tried to authenticate paperless-ngx against my nextcloud. I get the exact same error. So this narrows the error down to be with my nextcloud-setup and not with immich.

KnafragOP•4/14/25, 8:47 PM

Thank you for the support!

KnafragOP•4/14/25, 8:48 PM

for anyone interested, we're having this discussion with the developer of the nextcloud openid-provider plugin:
https://github.com/H2CK/oidc/issues/545

Oauth authentication against Nextcloud OIDC provider fails with 401

References

Checklist

Information

Similar Threads

Similar Threads

Similar Threads

References

Checklist

Information