So it doesn't know where to find authentik

But the base domain it sees the cloudflare IP
And this isn't the url you used in the issuer url? Was that the base domain?
The issuer URL is my first query
without the path after, obviously
I'm confused
Apologies, what am I not stating correctly?
When you click the login with Authentik button you are directed to Authentik successfully?
Yes
But then I go right back to the immich login
That implies that immich loaded the discovery document successfully
Which means it resolved the domain and URL you used in the issuer url in immich
Would authentik be handling all that?
Immich sends a request to the discovery document first, then redirects the user, and finally calls back to Authentik one more time to confirm a code.
This looks like a network error during step three
But it is weird that step one worked successfully, when it should be making a request to the same domain
The URL I get after I login with authentik has the path
/auth/login?code=XXX&state=XXX
The immich URL I mean
Not literally "XXXX" to be clear
Yup and then immich needs to send the code to Authentik
After that oauth is successful and you'll be logged in
I get the
Error: getaddrinfo ENOTFOUND
again
This might be some truenas scale fuckery
I should clarify that this URL shows on immich login page after authentik.
In the immich oauth settings you are using auth.domain.com?
Correct
I might just have to ask the Truecharts people because this seems like something they'd know
I'm not sure how you are even getting redirected in the first place, but this seems like a networking issue
truecharts are the group that does a 3rd party repo for truenas scale and both immich & authentik are their apps
Yeah, some people here have used it. Not sure if with oauth specifically or not
Do you need to do anything special to let the two apps talk to each other internally?
I appreciate your time. I think you're right in the networking issue. Probably some kubernetes deal, which I'm not familiar with yet
Normally when I want this, I use the internal kubernetes address I gave you earlier

Where do you setup DNS for your domains? Do you have split DNS?
There's a scale app that handles the DNS for apps. I set the subdomain.domain.tld in the app set up and it automatically translates. It's worked fine for me thus far
Do those apps use Authentik?
Not all of them, I have mostly the *arr apps using it and nextcloud
Just because I would imagine the setup/network requirements are the same
Yea nextcloud setup worked fine, but I followed a guide. Lemme look at the saml settings of nextcloud
I'd assume your DNS would resolve the auth domain successfully for immich as that seems to be the only problem.
Yea that uses the public domain names in its config
Nextcloud isn't attached to a special network is it?
it's part of the same setup as immich
Sometimes there are internal and external networks
They're all in their little kubernetes space, whatever it's called.
I'll stop taking up your time since this really does look like something outside of immich. I thank you very much for helping me understand this much
Sounds good and good luck. I think as soon as immich can talk to that subdomain you'll be all set. Could always try restarting stuff lol.
found this thread trying to get SSO working from the mobile app, couple of clarifications:
- Authentik works fine with Immich using OAuth2 on TrueNAS with proper settings
- The "Scale" app for DNS that OP is referring to is just Traefik
for OP - the settings for Immich OAuth2 in Authentik are more or less the same as Portainer, try this guide from the docs:
https://goauthentik.io/integrations/services/portainer/
Did you get it working for mobile?
yeah, took me a bit to find the right url
What do you mean?
i just had to put https://my.immichsite.com/api as the end point, which is what is listed as default, but I didn't see it until I had tried a bunch of other ones
Ah, gotcha.
FWIW - Authentik does support the return URI
app.immich:/
but you have to input it manually in the Authentik settings
It seems that once Immich connects the first time with .../o/immich/.well-known/...
that it doesn't automatically add a 2nd return URI for mobile
so you have to make sure both are listed in Authentik, manually:
https://cdn.securelink.to/u/EIQ9tv.png
What do you mean by this?
Should Authentik support the mobile redirect URI without manually adding it?
Authentik generates 2 configuration links for OAuth2. By using the
/.well-known/
link in the Immich OAuth2 config section, upon first connection, Immich pushes basic config info back to Authentik (like the redirect URI).
However, since the mobile app has a different redirect, it's not going to get automatically populated
I'm not smart enough to know if it can be done automatically, I just figured I'd post the solution for the next person who comes searching for it
I don't think immich ever updates the configuration in Authentik, it just consumes the settings.
well, i suppose it's a matter of semantics...maybe it's better to say - "Authentik grabs the redirect URL"
Usually all of the redirect URIs have to be manually registered when the app is configured on the OAuth server.
Immich specifies which redirect URI Authentik should use depending where you login from
yeah, i used to think so too, but then suddenly they started magically appearing in Authentik
¯\_(ツ)_/¯
You didn't add the /auth/login one?
no
here's the full text under that last screenshot:
https://cdn.securelink.to/u/CSdD8a.png
Interesting
magic 🙂
It's an Authentik feature lol
yeah, appears so
That's good to know. Unfortunately you can only send one redirect URI per login request
Did you follow the docs here?
https://immich.app/docs/features/oauth#prerequisites
i did not actually look at the immich docs, I already knew which Authentik fields to post where based on the field names
Cool, sounds good.