Unable to complete OAuth login - Immich & Authentik
Hi!
So I'm setting up OAuth login. I'm using Authentik. I created an OAuth2/OpenID Provider and Application using the docs.
The button to login with OAuth shows up and I get redirected correctly to Authentik. I'm prompted for my username, password, then a consent screen for using my email.. I'm then redirected back to Immich and the URL changes <immich>/auth/login?code=xxxxxx&state=xxxxxxxxx But then the login fails, I'm back at the Immich login and the text "Unable to complete OAuth login" appears.
I found the following error in the Immich server log:
I can't figure out why there is a time out and at what part of the login flow. Is it a connection / firewall issue?
13 Replies
The code/state from the url are sent to immich, who then sends them in a request to authentik for verification.
The library we're using to implement this request waits for a response from authentik for 3.5 seconds and then throw this error. Everything might be working fine, it's just if the response is delayed this error happens.
The first half of this process working implies that there isn't a network reachability issues, since the discovery process worked. So this is specific to the callback request just taking too long.
@stijnos Are you using docker? Can you try switching out the release tag on the immich-server for tag
1155? It should have a timeout of 30 seconds and we can see if that does anything different.I can confirm it’s working perfectly now!!! So it really was a timeout. Thank you @jrasm91
Sweet - it would still be interesting to know why it's taking so long lol.
Agreed. Do you think an increased timeout will make it to a release?
I was thinking about the best way to solve it the "right way", but I think a blanket 30 second timeout might be good enough. The other options are making it configurable, but I'm not sure if that's worth the effort or not.
Maybe the right fix is on me. I can clean installing my Authentik. However, not really a fan of doing that at this point in time. I'm daily driving it with some important stuff to me. That would be a holiday project.
If the 30 second window fixes it for now it would definitely solve my problem!
I don't see much downside to increasing the timeout. It's a timeout just for these oauth calls, which are restricted to logging in, so it's not a high volume call or anything.
From a security perspective I don't see other issues.
I changed the PR to ready to review. It'll probably be in the next release.
Merged!
I'm using TrueCharts - where would this setting be? Appreciate the help!!
This is my error:
3500ms implies you are still using an old version. The current timeout is 30s, so just pull the latest version and try again. The server should be on atleast v1.40.0.
Sounds good, I'm using helm charts by TrueCharts for TrueNAS Scale so I need to wait until they update it. Thanks for the help!