Error with OAuth and mobile application

Previously, the mobile app was working fine, but I logged out as suggested to resolve the timeline thing. Now, I cannot log back in. The app logs:
Error getting OAuth server Url: ApiException 401: <a href="https://authelia.mydomain.me/?rd=https%3A%2F%2Fimmich.mydowmain.me%2Foauth%2Fauthorize&amp;rm=POST">401 Unauthorized</a>
Error getting OAuth server Url: ApiException 401: <a href="https://authelia.mydomain.me/?rd=https%3A%2F%2Fimmich.mydowmain.me%2Foauth%2Fauthorize&amp;rm=POST">401 Unauthorized</a>
Authelia logs:
time="2025-09-22T12:46:04-07:00" level=info msg="Access to https://immich.mydomain.me/.well-known/immich (method GET) is not authorized to user <anonymous>, responding with status code 401 with location redirect to https://authelia.mydomain.me/?rd=https%3A%2F%2Fimmich.mydomain.me%2F.well-known%2Fimmich&rm=GET" method=GET path=/api/authz/forward-auth remote_ip=192.168.1.126
time="2025-09-22T12:46:04-07:00" level=info msg="Access to https://immich.mydomain.me/oauth/authorize (method POST) is not authorized to user <anonymous>, responding with status code 401 with location redirect to https://authelia.mydomain.me/?rd=https%3A%2F%2Fimmich.mydomain.me%2Foauth%2Fauthorize&rm=POST" method=GET path=/api/authz/forward-auth remote_ip=192.168.1.126
time="2025-09-22T12:46:04-07:00" level=info msg="Access to https://immich.mydomain.me/.well-known/immich (method GET) is not authorized to user <anonymous>, responding with status code 401 with location redirect to https://authelia.mydomain.me/?rd=https%3A%2F%2Fimmich.mydomain.me%2F.well-known%2Fimmich&rm=GET" method=GET path=/api/authz/forward-auth remote_ip=192.168.1.126
time="2025-09-22T12:46:04-07:00" level=info msg="Access to https://immich.mydomain.me/oauth/authorize (method POST) is not authorized to user <anonymous>, responding with status code 401 with location redirect to https://authelia.mydomain.me/?rd=https%3A%2F%2Fimmich.mydomain.me%2Foauth%2Fauthorize&rm=POST" method=GET path=/api/authz/forward-auth remote_ip=192.168.1.126
So it appears the application is trying to access https://immich.mydomain.me/.well-known/immich, which it isn't allowed to. I don't see that listed on the OAuth page. As mentioned, this used to work fine and still works fine from the Web interface. The mobile application redirect is set up and unchanged. Any ideas?
Immich (2w ago)
:wave: Hey @stumpylog, Thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich :immich:.

References
- Container Logs: docker compose logs docs
- Container Status: docker ps -a docs
- Reverse Proxy: https://immich.app/docs/administration/reverse-proxy
- Code Formatting: https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline#h_01GY0DAKGXDEHE263BCAYEGFJA

Checklist
I have...
1. :ballot_box_with_check: verified I'm on the latest release (note that mobile app releases may take some time).
2. :ballot_box_with_check: read applicable release notes.
3. :ballot_box_with_check: reviewed the FAQs for known issues.
4. :ballot_box_with_check: reviewed Github for known issues.
5. :ballot_box_with_check: tried accessing Immich via local ip (without a custom reverse proxy).
6. :ballot_box_with_check: uploaded the relevant information (see below).
7. :ballot_box_with_check: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable
(an item can be marked as "complete" by reacting with the appropriate number)

Information
In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:
- Your docker-compose.yml and .env files.
- Logs from all the containers and their status (see above).
- All the troubleshooting steps you've tried so far.
- Any recent changes you've made to Immich or your system.
- Details about your system (both software/OS and hardware).
- Details about your storage (filesystems, type of disks, output of commands like fdisk -l and df -h).
- The version of the Immich server, mobile app, and other relevant pieces.
- Any other information that you think might be relevant.
Please paste files and logs with proper code formatting, and especially avoid blurry screenshots. Without the right information we can't work out what the problem is. Help us help you ;) If this ticket can be closed you can use the /close command, and re-open it later if needed.

Successfully submitted, a tag has been added to inform contributors. :white_check_mark:
Daniel (2w ago)
To be clear, do you have oauth set up in Immich or are you doing proxy auth?
stumpylog (OP, 2w ago)
OAuth is set up in Immich. It works fine in the Web UI and did at least once in the app.
Daniel (2w ago)
Oh btw you still have your domain in the first code block for the authelia URL. If you care you should edit that message :)
path=/api/authz/forward-auth
This very much sounds like proxy auth to me, i.e., some auth layer fronting Immich
stumpylog (OP, 2w ago)
I believe that is simply the proxy redirecting to Authelia for login, because the user isn't known. In general, nothing is accessible to unknown users and they are redirected to Authelia for login. So it seems the app is trying to access https://immich.mydomain.me/.well-known/immich, but isn't known yet.
bo0tzz (2w ago)
is not authorized to user <anonymous>, responding with status code 401
This sounds like you're not getting authed properly?
Daniel (2w ago)
Yeah, that's proxy auth. We don't support that.
Zeus (2w ago)
The confusing thing is you say it “isn’t allowed to” access that path - if you use our built in OIDC you can indeed hit that path
stumpylog (OP, 2w ago)
Immich is using OIDC to login via the web. And the app was working
Zeus (2w ago)
If you open immich in an incognito web browser, what is the first thing you see?
stumpylog (OP, 2w ago)
It will redirect me to authelia for login
Daniel (2w ago)
Even if you go to immich.mydomain.me/.well-known/immich?
stumpylog (OP, 2w ago)
That's not exempted from my access control list, so yes, that needs login
Daniel (2w ago)
So that is not Immich's native OAuth implementation then. You're fronting Immich with extra auth.
stumpylog (OP, 2w ago)
So immich needs to be a policy: "bypass"?
Daniel (2w ago)
I don't know Authelia details, but the mobile app does not support proxy auth. All (API) endpoints need to be accessible directly.
stumpylog (OP, 2w ago)
Hm, I'm not sure why it would have worked once. But the workaround is pretty simple: add a bypass for the resource "^/.well-known/" and everything seems good again.
Daniel (2w ago)
To my knowledge only bypassing that is not sufficient. It's possible some functionality is still limited with that, but I am not 100%.
Me neither tbh 😅
stumpylog (OP, 2w ago)
It seems I had previously exempted /api as well, so it seems I encountered something related before
Daniel (2w ago)
Yeah, that makes sense to me then. Exempting those two should cover all grounds.
bo0tzz (2w ago)
Do note that if you exempt /api you might as well drop the forward auth entirely
jrasm91 (2w ago)
The well-known thing is just for API discovery. The web is bundled into the API, so there's no need for discovery there. I think alternatively you could manually add the trailing /api to the server URL in the mobile app.
Daniel (2w ago)
Right, but that is also just like static, public content, so why bother?
jrasm91 (2w ago)
Just highlighting/explaining the difference between mobile and web