OAuth doesn't work on mobile with 132.1
Hi, I am using authelia and caddy.
OAuth works on web, does not work on mobile with error status code 500. Previously worked flawlessly for a year.
In the Authelia logs I see:
Access Request failed with error: The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The PKCE code verifier must only contain [a-Z], [0-9], '-', '.', '_', '~'." method=POST path=/api/oidc/token
My authelia config is pretty simple:
```yaml
- client_id: immich
  client_name: Immich
  client_secret: redacted
  public: false
  authorization_policy: household # this doesn't matter for debugging
  consent_mode: implicit
  redirect_uris:
    - app.immich:///oauth-callback
    - https://photos.example.com/auth/login
    - https://photos.example.com/user-settings
  scopes:
    - openid
    - profile
    - groups
    - email
  userinfo_signed_response_alg: "none"
  token_endpoint_auth_method: "client_secret_post" # I had to add this line recently, I think after 1.131, but it may have needed it earlier
```
My immich oauth config is simple too, matching this: https://www.authelia.com/integration/openid-connect/immich/
No override for mobile redirect, never was needed in the past.
131 Replies
:wave: Hey @Shivam,
Thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich :immich:.
References
- Container Logs: `docker compose logs` (docs)
- Container Status: `docker ps -a` (docs)
- Reverse Proxy: https://immich.app/docs/administration/reverse-proxy
- Code Formatting: https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline#h_01GY0DAKGXDEHE263BCAYEGFJA
Checklist
I have...
1. :ballot_box_with_check: verified I'm on the latest release (note that mobile app releases may take some time).
2. :blue_square: read applicable release notes.
3. :blue_square: reviewed the FAQs for known issues.
4. :blue_square: reviewed Github for known issues.
5. :blue_square: tried accessing Immich via local ip (without a custom reverse proxy).
6. :blue_square: uploaded the relevant information (see below).
7. :blue_square: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable
(an item can be marked as "complete" by reacting with the appropriate number)
Information
In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:
- Your docker-compose.yml and .env files.
- Logs from all the containers and their status (see above).
- All the troubleshooting steps you've tried so far.
- Any recent changes you've made to Immich or your system.
- Details about your system (both software/OS and hardware).
- Details about your storage (filesystems, type of disks, output of commands like `fdisk -l` and `df -h`).
- The version of the Immich server, mobile app, and other relevant pieces.
- Any other information that you think might be relevant.
Please paste files and logs with proper code formatting, and especially avoid blurry screenshots.
Without the right information we can't work out what the problem is. Help us help you ;)
If this ticket can be closed you can use the /close command, and re-open it later if needed.
@Daniel FYI
Yup
@Rhyn Hey!
hey
so what can i help with?
Just wanted the both of you here
So I saw a couple of things that were off
Some of you had `profiles` in their scope, which you probably don't want
Really your scope should just be openid, profile, email
that was me
ohh, nope i had profile
not profiles
you mean group right?
no
Oh sorry
Yes I meant groups
Don't have groups
my scope is openid email profile offline_access
I removed that
but good call
i added offline access yesterday
didn't help though
Yeah I'd try reverting it to make sure we're as basic as possible
ok
sorry to be more helpful, my scope is exactly "openid email profile" now
And you both switched back to `client_secret_basic`?
sec
with basic it says failed to finish oauth
time="2025-04-25T16:11:23+02:00" level=error msg="Access Request failed with error: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The request was determined to be using 'token_endpoint_auth_method' method 'client_secret_post', however the OAuth 2.0 client registration does not allow this method. The registered client with id 'ooxooMahsei5che.icho8heefuvo0ahri-en_2Ahyohjaiyu_Shi0ohm3Xo2feiw' is configured to only support 'token_endpoint_auth_method' method 'client_secret_basic'. Either the Authorization Server client registration will need to have the 'token_endpoint_auth_method' updated to 'client_secret_post'x or the Relying Party will need to be configured to use 'client_secret_basic'." (*workerPool).getCh.func1\nruntime/asm_amd64.s:1700 goexit"
this error looping in authelia log
probably I should've deleted the id 🙂
The client id isn't confidential
i know
some context, authelia 4.39 is definitely more strict with the oauth 2.0 standards. 4.39 came out a few months ago. It probably won't show that error in 4.38. However immich 1.30 definitely worked with authelia 4.39
yeah i'm on latest authelia since it is out
haven't had problems before 132
Yeah I can also give you some context. We used to not verify the token at all, which obviously is quite bad
And allowed for some broken and lax oauth configs
Could either of you try reverting to authelia 4.38?
feels like immich is sending post instead of basic
Yeah I think so too, looking into that right now
I'll revert in the meantime
same
yeah it will be a bit complicated
level=error msg="Error occurred running a startup check" error="error during schema migrate: current schema version is greater than the latest known schema version, you must downgrade to schema version 15 before you can use this version of Authelia"
idk if i still have backup that old
same issue
Then that's fine
Could either of you share their `.well-known/openid-configuration` json? Of authelia
Specifically this part
```json
"token_endpoint_auth_methods_supported": [
  "client_secret_basic",
  "client_secret_post",
  "client_secret_jwt",
  "private_key_jwt",
  "none"
],
```
same
but authelia probably also validates with what the oauth client is allowed to use
#17881 should fix that. Could either of you run the Immich version from that PR once it's built?
we also updated our 3rd party oauth library. it's probably fine to update your client configuration to use `client_secret_post`
I gtg in 30 min or so, so probably I can only try in the evening
Should be up in 5min but whatever you prefer
I don't think so actually
I'll try then
why not
I tried it and it didn't work ootb
I can test, but am a bit green on how to do that. Just change my docker image in the compose?
I'll give you what you need
will this fix the mobile client too? As far as I understand it is just to fix client secret basic
Idk what's wrong with mobile yet. I'd hope it fixes both tbh
i see
Ok, the image tag is `pr-17860`. So instead of `release` or a specific version tag, use that
only for server or machine learning too?
Only for server
ok
like this right?
```yaml
services:
  immich-server:
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-pr-17860}
```
Assuming `IMMICH_VERSION` isn't set, yes
Really you should just update that env var though
```yaml
image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
image: ghcr.io/immich-app/immich-server:pr-17860
```
ohh.. # is formatting
so instead the first line just use the second
Yup
good call it was
same error
:monkaHmm:
same issues using client secret basic
trying post now
same with post. basic doesn't work with web and mobile, post works with web, not mobile
yep
What's the error you get when using mobile?
from server?
or client or authelia?
All of them ideally lol
Oh you know what
This seems like a caching issue on mobile
@Alex does mobile cache oauth config? If so, how can you clear that?
that was my idea first
so I deleted all my sessions
it doesn't 🤔
That wouldn't help for that
in authelia..
same error but with a fresh session
Yeah that wouldn't be bound to sessions
If anything mobile would store somewhere that it was using basic auth
And keep trying that
the thing is I freshly installed the app yesterday
so no cache whatsoever
And you haven't tried it today with basic auth at some point?
actually on my other phone, where I just upgraded from the Play Store, it is still working with an old session
I just tried.. haven't deleted data yet tho
I'll try
Ty :)
same
it flashes a login page for a second and goes back to internal error
And authelia still says it tried basic auth?
FWIW I am still confused why it's not accepting basic auth now tbh
On web, could you click on the version on the bottom left?
that's only for web
Immich v1.132.2
ExifTool 13.00
Node.js v22.14.0
Libvips 8.16.1
ImageMagick 7.1.1-47
FFmpeg 7.0.2-7
Repository: immich-app/immich
Source: 17860/merge@e1ee84f14
Build: 14666744411
Version History:
- Installed 1.132.2 on Apr 25, 2025
- Installed 1.132.1 on Apr 24, 2025
- Installed 1.131.3 on Apr 2, 2025
- Installed 1.131.2 on Apr 1, 2025
- Installed 1.130.3 on Mar 27, 2025
on mobile it says
Could you click on the source link?
Oh hm
I can't, my setup automatically redirects to oauth
and I cannot login with basic
You're all good shivam already got it for me
Yeah so that definitely isn't my PR
ok, my bad
Now it would be interesting to see what Rhyn got 😅
Can you log in with post on web right now?
let me switch back to post so i can login
is the docker image pr-17860 or pr-17881?
as directed I used immich:pr-17860, but I can change to immich:pr-17881
same
😄
i believe here
@Daniel need to bring out of draft to get it built I believe
nvm
I see it was built
Oh wait, did I mess up and give you the wrong tag? :monakS:
seems like it
Yeah please change to 17881
Mb
Apologies for the confusion :/
lol
need coffee man
pulling
No coffee after 4pm!
its Friyayy
Hehe fair :P
yay, now web works with basic. mobile is still broken
with the correct tag web is working with basic
Wait what mobile is still broken? :monkaW:
What's the error message there now?
authelia | time="2025-04-25T10:54:21-04:00" level=error msg="Access Request failed with error: The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The PKCE code verifier must only contain [a-Z], [0-9], '-', '.', '_', '~'." method=POST path=/api/oidc/token remote_ip=192.168.2.2
same error as client post now
yeah same as before
Could you post your current authelia configs again?
it is the same as in the github issue but with basic
```yaml
- client_id: immich
  client_name: Immich
  client_secret: redacted
  public: false
  authorization_policy: household # this doesn't matter for debugging
  consent_mode: implicit
  redirect_uris:
    - app.immich:///oauth-callback
    - https://photos.example.com/auth/login
    - https://photos.example.com/user-settings
  scopes:
    - openid
    - profile
    - email
  userinfo_signed_response_alg: "none"
  token_endpoint_auth_method: "client_secret_basic"
```
same
ohh, I also deleted offline access from scopes
I don't think you should be changing response modes
The response should be `code` with basic auth
But idk what that translates to in authelia, I'd just comment out that block for now I think
Also, `userinfo_signed_response_alg` should be RS256 I think
I'll try that
I'll check
I'll keep it RS256, but same error. Still works in web, mobile has status code 500
authelia | time="2025-04-25T11:03:59-04:00" level=error msg="Access Request failed with error: The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The PKCE code verifier must only contain [a-Z], [0-9], '-', '.', '_', '~'." method=POST path=/api/oidc/token remote_ip=192.168.2.2
i have to go.. good luck with the debugging
in immich settings, do I need a profile signing algorithm?
currently is "none"
Yes! That should also be RS256
RS256 means the userinfo/profile is signed. I don't think that's normally the case.
It is for me at least 😅
Hey can you setup an account for me on your instance? and DM me the info, let me try logging in with mobile and trace the debug message
yup, will do in 10 min, finishing up lunch
no problem
just DM me
it seems to be hitting this case:
https://github.com/ory/fosite/blob/master/handler/pkce/handler.go#L179-L181
seems like I got unlucky setting up OIDC 😄
If you're using authelia it's a bit of a bad timing, yes 😅
ahahah
yes
I just set it
pr-17860 fixes it?
Nope
#17886 fixes it, but you'll need to wait for the mobile release there
[Pull Request] fix: Authelia OAuth code verifier value contains invalid characters (immich-app/immich#17886)
ahhh