Has anyone used Immich OAuth authentication with Tailscale IDP?

Tailscale serve is great for private access but can also provide user authentication info through its tsidp command documented here https://github.com/tailscale/tailscale/tree/main/cmd/tsidp

Has anyone got it working with Immich? I'm new to Immich and deployed using docker compose on an Ubuntu 24.04 Incus container with docker ce installed.

I set up a local user for admin purposes but want my photo usage to use accounts provided via tsidp. Immich seems to work fine although I have not really used it yet.

TS IDP does not care much at all about OAuth flow/configuration because you control access at the network level using ACLs tied to your external OAuth authentication (Google, Github, Azure...). That is, there is no setup on the tsidp side for any new app; no client_id, no secret, no redirect url. I think it blindly trusts any client app that wants to use it and provides it with the appropriate responses.

I've set up Karakeep to use tsidp and since Karakeep wants a client ID & secret but TS IDP doesn't care I put in bogus values.

For Immich I did the same and otherwise do not change the defaults but I get an error "Failed to finish oauth" in the user interface.

I suspect Immich wants something more? I'm not familiar enough with both openid to know how to debug it and also not familiar with docker to find logs of the error that I cannot otherwise find in the user interface.
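One way to narrow down a "Failed to finish oauth" error is to check the issuer's OIDC discovery document, which is what an OIDC client such as Immich fetches to locate the authorization, token and JWKS endpoints. This is an added example, not code from the post, Immich or tsidp; the tailnet hostname and endpoint paths in the sample document are assumptions.

```python
"""Sanity-check an OIDC discovery document before pointing Immich at an issuer.

Assumes the issuer (e.g. the URL tsidp is served on) publishes the standard
/.well-known/openid-configuration document. SAMPLE_DOC is constructed for an
offline run; fetch_and_check() does the same against a live issuer.
"""
import json
import urllib.request
from urllib.parse import urlparse

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(issuer: str, doc: dict) -> list[str]:
    """Return a list of problems; an empty list means the document looks usable."""
    problems = []
    for key in REQUIRED:
        if not doc.get(key):
            problems.append(f"missing {key}")
    # OIDC Discovery requires the 'issuer' value to equal the URL the client was configured with
    if doc.get("issuer") and doc["issuer"].rstrip("/") != issuer.rstrip("/"):
        problems.append(f"issuer mismatch: configured {issuer!r}, document says {doc['issuer']!r}")
    # Endpoints must be absolute https URLs or the browser/server redirects will fail
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint"):
        url = doc.get(key)
        if url and urlparse(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    # Web-app OIDC clients like Immich use the authorization-code flow with the openid scope
    if "code" not in doc.get("response_types_supported", ["code"]):
        problems.append("response_types_supported does not include 'code'")
    if "openid" not in doc.get("scopes_supported", ["openid"]):
        problems.append("scopes_supported does not include 'openid'")
    return problems


def fetch_and_check(issuer: str) -> list[str]:
    """Download the discovery document from a live issuer and check it."""
    with urllib.request.urlopen(issuer.rstrip("/") + "/.well-known/openid-configuration") as r:
        return check_discovery(issuer, json.load(r))


# Constructed sample of a healthy document for a hypothetical tailnet host.
SAMPLE_ISSUER = "https://idp.example-tailnet.ts.net"
SAMPLE_DOC = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "jwks_uri": SAMPLE_ISSUER + "/.well-known/jwks.json",
    "response_types_supported": ["code"],
    "scopes_supported": ["openid", "email", "profile"],
}

if __name__ == "__main__":
    print(check_discovery(SAMPLE_ISSUER, SAMPLE_DOC) or "discovery document OK")
```

Run it as `python check_oidc.py` for the offline sample, or call `fetch_and_check("https://<your-idp-host>")` from a machine on the tailnet; any problem it reports is something the Immich server will also trip over when it completes the login.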