OAuth error while getaddrinfo
Hello. I successfully deployed Immich with additional custom reverse proxy (Traefik). Now, i want to login with OAuth. So i deployed Keycloak, created realm (understand it as environment) and it's client (immich app). The client is configured like in the attached file, together with realm configuration.
Now, i filled all the fields in Immich OAuth configuration (Issuer URL, Client ID, Client Secret; and other i kept unchanged).
After i wanted to test it, i logged out and it immediately show an error at the top right part of screen like "internal server error (Immich Server Error)". So i took a look into the logs and found:
So i think there's issue where Immich can't interact with keycloak server i guess? But when i visit that url, i can login and everything.
24 Replies
Your ISSUER URL should be something like: https://auth.DOMAIN.org (or something similar that you get access your 2FA)
I've been told that the issue URL is the same as the Endpoint URL. So it should look different?
I can't find anything about issuer url with Keycloak really
here's the response of configuration
converted to text:
it looks like the
https://keycloak.local.dashrave.eu/realms/immich/protocol/openid-connect/auth should be the issuer URL. However when i pasted it into the Issuer URL, it throw the same error as always.
I think it is a DNS error more likely than some other errorInteresting… I’m using Authelia. If I go to my authentication website. It’ll be https://auth.DOMAIN.org. I entered that in to ISSUER URL because it directs to that authentication website.
Are you able to access your main authentication website?
It depends what url i use.
On
https://keycloak.local.dashrave.eu/realms/immich
I get {"realm":"immich","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoOOsAZcgoZT4r44qI5OJA60z1GPI/uwi/R+U07qQ8AX1G/q0iZ/TUFYpTMHDgl3jM9eM3N9uynWFVoDfZZRsXKQwwXR2Juf4qYhRyjLTp5qyASdN+Rsj6/0l+4v1h5vMc2CdEIs57C3BxeHLjyvzqm4xbH9r3lQBo/dB1nCQCtstl46Z5nO5w3bPqDYckoKg7qL1dzJyf7SREe/dgRiLcMiRK9x+dXb3ueEd4f2fufbcIW+IdG9HLP6ran9hZVAb97MgOxqET59HTS+RPvFj3yoBM9JorFWffa6gn6iB/+DW9Gp762XXUghvhyA1+q8tNF9RM1icUwlkM6c/nLh/eQIDAQAB","token-service":"https://keycloak.local.dashrave.eu/realms/immich/protocol/openid-connect","account-service":"https://keycloak.local.dashrave.eu/realms/immich/account","tokens-not-before":0}
(that's the issuer url)authorization endpoint gives me this:
and the keycloak logs gives me
192.168.1.11 is my PC IP
In the Client scopes, i didn't find "openid" scope:
as the immich is sending openid, email and profile scope, i found email and profile but not openid
@Davis how do you have configured proxying?
I found out the immich can't reach keycloak container probably due to double reverse proxy setup. When i gave immich-server direct access to the "proxy" docker network where is connected keycloak container as well and changed the Issuer URL to keycloak:8080 (so the hostname:interal_port) then immich actually created the button for Login with OAuth. Unfortunately, after clicking it it went to 404 or someting similar but that's not my actual focus. I need now to fix the resolving of keycloak container by immich
Yes. I’m using Nginx Proxy Manager that points to my Immich and to my Authentication.
alright and do you use your proxy on top of immich's proxy?
The issuer url is really just trying to load the open id configuration file
It appends well known / open id configuration to the url automatically, but you can use that whole url directly.
Can you curl that url from inside the container?
I think you probably don't even need the server to be on the same network for it to be able to communicate with keycloak. It doesn't need a direct link, it needs to resolve it just any other external service would
sadly, immich-server container doesn't know command curl
sh: curl: not found
But if i do the same from traefik container which is probably built on different flavor of linux and know ping, it writes ping: bad address 'keycloak.local.dashrave.eu'
so yeah, it can't resolve DNS enteries from my local DNS server.How does anything resolve it then?
until now, the pihole container (which is my local DNS server) wasn't attached to proxy docker network. That made me thinking i just need to attach it on proxy docker network and specify the DNS IPs on traefik container. Wrong. It resolves fine when i specify the DNS server on my PC and i can go to keycloak.local.dashrave.eu or any other service that i configure. But the containers between each other can't.
If you have any idea how to define DNS IP in those containers, feel free to share
Usually you set up DNS at the router level
But I'm sure there is a way to configure it at a docker level or container level
Do you want the whole network to use your pi or only certain devices?
ideally whole network
alright this is interesting. I tried to enter DNS servers of traefik container to
Where 192.168.1.13 is host IP of physical server. That didn't work. But, when i add pihole container to the
proxy docker network and set the IP of the container within the docker network (which is 192.168.96.8) and then pinged the keycloak.local.dashrave.eu it went fine. The interesting on that is the response from ping is from 192.168.1.13 which is host IP, not container IP. But when i set it as DNS server, it won't work
this is interesting as well. I did traceroute on
keycloak.local.dashrave.eu and the only hop it did is on prowlarr.local.dashrave.eu which i don't understand honestly. The prowlarr.local.dashrave.eu is another DNS record in my pihole so why it goes through it?
You can usually set the DNS at the router level btw
Closing this post as it has been solved https://github.com/immich-app/immich/discussions/2728#discussioncomment-6155054
GitHub
Dual reverse proxy · immich-app immich · Discussion #2728
Hello. Lately i've been deploying Immich with Traefik on top of it and Keycloak for authentication. I solved all issues until now. The problem here is the dual proxy setup. As Immich docs tells...