Immich, 2d ago
ryacom

Web app OAuth with Entra not working on v1.132.3

Sadly even after updating to v1.132.3, OAuth is not working in the web app. After downgrading to v1.131.3, it works.
[Nest] 17 - 04/28/2025, 2:52:03 PM ERROR [Api:OAuthRepository~sentehmf] Error in OAuth discovery: TypeError: fetch failed
[Nest] 17 - 04/28/2025, 2:52:03 PM ERROR [Api:OAuthRepository~sentehmf] TypeError: fetch failed
at node:internal/deps/undici/undici:13502:13
at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
at async performDiscovery (file:///usr/src/app/node_modules/openid-client/build/index.js:266:16)
at async discovery (file:///usr/src/app/node_modules/openid-client/build/index.js:243:16)
at async OAuthRepository.getClient (/usr/src/app/dist/repositories/oauth.repository.js:86:20)
at async OAuthRepository.authorize (/usr/src/app/dist/repositories/oauth.repository.js:24:24)
at async AuthService.authorize (/usr/src/app/dist/services/auth.service.js:124:16)
at async OAuthController.startOAuth (/usr/src/app/dist/controllers/oauth.controller.js:36:46)
39 Replies
Immich, 2d ago
:wave: Hey @ryacom,
Thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich :immich:.

References
- Container Logs: docker compose logs docs
- Container Status: docker ps -a docs
- Reverse Proxy: https://immich.app/docs/administration/reverse-proxy
- Code Formatting https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline#h_01GY0DAKGXDEHE263BCAYEGFJA

Checklist
I have...
1. :ballot_box_with_check: verified I'm on the latest release (note that mobile app releases may take some time).
2. :ballot_box_with_check: read applicable release notes.
3. :ballot_box_with_check: reviewed the FAQs for known issues.
4. :ballot_box_with_check: reviewed Github for known issues.
5. :ballot_box_with_check: tried accessing Immich via local ip (without a custom reverse proxy).
6. :ballot_box_with_check: uploaded the relevant information (see below).
7. :ballot_box_with_check: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable
(an item can be marked as "complete" by reacting with the appropriate number)

Information
In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:
- Your docker-compose.yml and .env files.
- Logs from all the containers and their status (see above).
- All the troubleshooting steps you've tried so far.
- Any recent changes you've made to Immich or your system.
- Details about your system (both software/OS and hardware).
- Details about your storage (filesystems, type of disks, output of commands like fdisk -l and df -h).
- The version of the Immich server, mobile app, and other relevant pieces.
- Any other information that you think might be relevant.

Please paste files and logs with proper code formatting, and especially avoid blurry screenshots. Without the right information we can't work out what the problem is. Help us help you ;)
If this ticket can be closed you can use the /close command, and re-open it later if needed.
Successfully submitted, a tag has been added to inform contributors. :white_check_mark:
FPSRhinoPK, 2d ago
Having the same issue with Authentik.
Daniel, 2d ago
The container cannot reach the issuer URL
ryacom (OP), 2d ago
Whelp it worked after downgrading the other day but now it does not. I will have to do some more digging.
Daniel, 2d ago
There have been OAuth issues that were fixed with today's release, but the error you got clearly says it's just a connection issue
ryacom (OP), 2d ago
I can curl the URL from outside the container but not inside so something is obviously wrong with my setup, though I am not sure what changed
Daniel, 2d ago
What's the error you're getting? DNS?
ryacom (OP), 2d ago
Yeah "could not resolve host". OAuth was definitely broken with 1.132 but this is obviously some other issue I need to sort out
Well that's strange, if I exec into my Gitea container for example, it works
After down and up the curl works but there is still a problem
[Nest] 17 - 04/28/2025, 3:41:17 PM ERROR [Api:ErrorInterceptor~o7amz1qg] Unknown error: ResponseBodyError: server responded with an error in the response body
ResponseBodyError: server responded with an error in the response body
at checkOAuthBodyError (file:///usr/src/app/node_modules/oauth4webapi/build/index.js:865:19)
at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
at async processGenericAccessTokenResponse (file:///usr/src/app/node_modules/oauth4webapi/build/index.js:1141:5)
at async processAuthorizationCodeOAuth2Response (file:///usr/src/app/node_modules/oauth4webapi/build/index.js:1373:20)
at async authorizationCodeGrant (file:///usr/src/app/node_modules/openid-client/build/index.js:850:18)
at async OAuthRepository.getProfile (/usr/src/app/dist/repositories/oauth.repository.js:52:28)
at async AuthService.callback (/usr/src/app/dist/services/auth.service.js:137:25)
at async OAuthController.finishOAuth (/usr/src/app/dist/controllers/oauth.controller.js:46:22)
Daniel, 2d ago
Check the logs of your IDP?
ryacom (OP), 2d ago
It's Microsoft Entra so I don't think there is much I can see other than "successful login." However now if I downgrade back to v1.131.3, it works.
Daniel, 2d ago
Microsoft :monkaW:
FPSRhinoPK, 2d ago
Lol
ryacom (OP), 2d ago
It's free and I like Microsoft Authenticator :)
Daniel, 2d ago
Is this error only thrown when logging in with mobile?
FPSRhinoPK, 2d ago
Wait a week they will call it something else.
Daniel, 2d ago
What does Microsoft authenticator have to do with using entra?
You can self-host any IDP, it's also free
ryacom (OP), 2d ago
Web, app doesn't work but I haven't looked at the logs
Daniel, 2d ago
What do your entra settings look like?
ryacom (OP), 2d ago
Authenticator lets you do passwordless auth with push notifications
Daniel, 2d ago
May I introduce you to: webauthn/passkeys? :P
ryacom (OP), 2d ago
Any settings in particular? There aren't very many, just the redirect URIs and secret
Daniel, 2d ago
Yes, the authentication method
ryacom (OP), 2d ago
I saw the discussion around that for Authelia but I don't see a similar option anywhere in Entra
Does this help? https://login.microsoftonline.com/048699d0-4e5d-4e9b-9187-bab11918ee4d/v2.0/.well-known/openid-configuration
Daniel, 2d ago
So you should be able to change it to _post
Daniel, 2d ago
I have no clue how you can configure that in the worst IDP in existence though
ryacom (OP), 2d ago
I am not following, isn't client_secret_post the desired setting? If I am interpreting the metadata correctly that is currently a supported method
Daniel, 2d ago
Correct, that's what it should be
Entra supports it, which is what I said, yes
You'll probably need to configure it to use it though
ryacom (OP), 2d ago
I am not sure if controlling that is possible
I guess I am going back to password login, unless there is some magic setting I don't know about
Not sure what else to say, I have 23 other apps doing SSO with Microsoft that work
jrasm91, 2d ago
Can you share a screenshot of the app configuration screen on entra?
It also looks like entra supports pkce so if you change the app type to that I believe it might just start working as well
SJ-tech, 22h ago
I also have issues with entra id after upgrading to 1.132.3. My app config on entra looks like this. And I get the error
[Nest] 17 - 04/29/2025, 7:03:41 AM ERROR [Api:ErrorInterceptor~3umswvnq] Unknown error: ResponseBodyError: server responded with an error in the response body
ResponseBodyError: server responded with an error in the response body
at checkOAuthBodyError (file:///usr/src/app/node_modules/oauth4webapi/build/index.js:865:19)
at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
at async processGenericAccessTokenResponse (file:///usr/src/app/node_modules/oauth4webapi/build/index.js:1141:5)
at async processAuthorizationCodeOAuth2Response (file:///usr/src/app/node_modules/oauth4webapi/build/index.js:1373:20)
at async authorizationCodeGrant (file:///usr/src/app/node_modules/openid-client/build/index.js:850:18)
at async OAuthRepository.getProfile (/usr/src/app/dist/repositories/oauth.repository.js:52:28)
in the immich-server container when trying to authenticate. The only log I can find on the entra side says that the login went fine...
SJ-tech, 21h ago
Or rather like this works on earlier version but neither way works on 1.132.3
SJ-tech, 21h ago
This was the one I tested when troubleshooting, but that didn't work with either 1.132.3 or 1.131.3 but gave different issues.
Daniel, 20h ago
Where do you get that from? The well known endpoint doesn't imply that
What options do you get when clicking on "add platform"?
SJ-tech, 19h ago
Is what I get as options.
Daniel, 18h ago
Ah hm that doesn't really help :/
SJ-tech, 18h ago
No not really sadly :/
jrasm91, 17h ago
I'd like to figure out what the problem is. Is there any way you can create a test account that I can use to login with?
