OAuth error while getaddrinfo

Hello. I successfully deployed Immich with an additional custom reverse proxy (Traefik). Now I want to log in with OAuth. So I deployed Keycloak, created a realm (understand it as an environment) and its client (the immich app). The client is configured like in the attached file, together with the realm configuration. Then I filled in all the fields in the Immich OAuth configuration (Issuer URL, Client ID, Client Secret; the others I kept unchanged). When I wanted to test it, I logged out and it immediately showed an error at the top right of the screen like "internal server error (Immich Server Error)". So I took a look into the logs and found:
[Nest] 1 - 06/11/2023, 2:19:46 PM ERROR [ExceptionsHandler] getaddrinfo ENOTFOUND keycloak.local.dashrave.eu
Error: getaddrinfo ENOTFOUND keycloak.local.dashrave.eu
at GetAddrInfoReqWrap.onlookup [as oncomplete] (node:dns:107:26)
So I think there's an issue where Immich can't interact with the Keycloak server, I guess? But when I visit that URL, I can log in and everything.
24 Replies
Davis, 2y ago
Your ISSUER URL should be something like: https://auth.DOMAIN.org (or something similar that you use to access your 2FA)
Mr.Green Cake (OP), 2y ago
I've been told that the issuer URL is the same as the Endpoint URL. So it should look different? I can't really find anything about the issuer URL with Keycloak.
Mr.Green Cake (OP), 2y ago
Here's the response of the configuration:
Mr.Green Cake (OP), 2y ago
Converted to text:
Mr.Green Cake (OP), 2y ago
It looks like https://keycloak.local.dashrave.eu/realms/immich/protocol/openid-connect/auth should be the issuer URL. However, when I pasted it into the Issuer URL, it threw the same error as always. I think it is more likely a DNS error than some other error.
Davis, 2y ago
Interesting… I’m using Authelia. If I go to my authentication website, it’ll be https://auth.DOMAIN.org. I entered that into ISSUER URL because it directs to that authentication website. Are you able to access your main authentication website?
Mr.Green Cake (OP), 2y ago
It depends what url i use. On https://keycloak.local.dashrave.eu/realms/immich I get {"realm":"immich","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoOOsAZcgoZT4r44qI5OJA60z1GPI/uwi/R+U07qQ8AX1G/q0iZ/TUFYpTMHDgl3jM9eM3N9uynWFVoDfZZRsXKQwwXR2Juf4qYhRyjLTp5qyASdN+Rsj6/0l+4v1h5vMc2CdEIs57C3BxeHLjyvzqm4xbH9r3lQBo/dB1nCQCtstl46Z5nO5w3bPqDYckoKg7qL1dzJyf7SREe/dgRiLcMiRK9x+dXb3ueEd4f2fufbcIW+IdG9HLP6ran9hZVAb97MgOxqET59HTS+RPvFj3yoBM9JorFWffa6gn6iB/+DW9Gp762XXUghvhyA1+q8tNF9RM1icUwlkM6c/nLh/eQIDAQAB","token-service":"https://keycloak.local.dashrave.eu/realms/immich/protocol/openid-connect","account-service":"https://keycloak.local.dashrave.eu/realms/immich/account","tokens-not-before":0} (that's the issuer url)
Mr.Green Cake (OP), 2y ago
The authorization endpoint gives me this:
Mr.Green Cake (OP), 2y ago
And the Keycloak logs give me:
2023-06-11 14:50:14,566 WARN [org.keycloak.protocol.oidc.endpoints.request.AuthorizationEndpointRequestParserProcessor] (executor-thread-8) Parameter 'client_id' not present or present multiple times in the HTTP request parameters
2023-06-11 14:50:14,584 WARN [org.keycloak.events] (executor-thread-8) type=LOGIN_ERROR, realmId=82bf31a2-a76d-46b9-b2ad-f12a70c0008e, clientId=null, userId=null, ipAddress=192.168.1.11, error=invalid_request
192.168.1.11 is my PC IP
Mr.Green Cake (OP), 2y ago
In the Client scopes, I didn't find the "openid" scope:
Mr.Green Cake (OP), 2y ago
As Immich is sending the openid, email and profile scopes, I found email and profile but not openid.
@Davis how do you have proxying configured? I found out that Immich can't reach the keycloak container, probably due to the double reverse proxy setup. When I gave immich-server direct access to the "proxy" docker network, where the keycloak container is connected as well, and changed the Issuer URL to keycloak:8080 (so hostname:internal_port), then Immich actually created the button for Login with OAuth. Unfortunately, after clicking it, it went to a 404 or something similar, but that's not my actual focus. I now need to fix the resolving of the keycloak container by Immich.
Davis, 2y ago
Yes. I’m using Nginx Proxy Manager that points to my Immich and to my Authentication.
Mr.Green Cake (OP), 2y ago
Alright, and do you use your proxy on top of Immich's proxy?
jrasm91, 2y ago
The issuer URL is really just trying to load the open id configuration file. It appends well known / open id configuration to the URL automatically, but you can use that whole URL directly. Can you curl that URL from inside the container? I think you probably don't even need the server to be on the same network for it to be able to communicate with Keycloak. It doesn't need a direct link, it needs to resolve it just like any other external service would.
Mr.Green Cake (OP), 2y ago
Sadly, the immich-server container doesn't know the command curl: "sh: curl: not found". But if I do the same from the traefik container, which is probably built on a different flavor of Linux and knows ping, it writes "ping: bad address 'keycloak.local.dashrave.eu'". So yeah, it can't resolve DNS entries from my local DNS server.
jrasm91, 2y ago
How does anything resolve it then?
Mr.Green Cake (OP), 2y ago
Until now, the pihole container (which is my local DNS server) wasn't attached to the proxy docker network. That made me think I just need to attach it to the proxy docker network and specify the DNS IPs on the traefik container. Wrong. It resolves fine when I specify the DNS server on my PC, and I can go to keycloak.local.dashrave.eu or any other service that I configure. But the containers can't resolve each other. If you have any idea how to define the DNS IP in those containers, feel free to share.
jrasm91, 2y ago
Usually you set up DNS at the router level. But I'm sure there is a way to configure it at a docker level or container level. Do you want the whole network to use your pi or only certain devices?
Mr.Green Cake (OP), 2y ago
ideally whole network
Mr.Green Cake (OP), 2y ago
Alright, this is interesting. I tried to set the DNS servers of the traefik container to
dns:
- 192.168.1.13
- 8.8.8.8
where 192.168.1.13 is the host IP of the physical server. That didn't work. But when I added the pihole container to the proxy docker network, set the IP of the container within the docker network (which is 192.168.96.8) and then pinged keycloak.local.dashrave.eu, it went fine. The interesting thing about that is that the response from ping is from 192.168.1.13, which is the host IP, not the container IP. But when I set it as the DNS server, it won't work.
Mr.Green Cake (OP), 2y ago
This is interesting as well. I did a traceroute on keycloak.local.dashrave.eu and the only hop it made is on prowlarr.local.dashrave.eu, which I honestly don't understand. prowlarr.local.dashrave.eu is another DNS record in my pihole, so why does it go through it?
jrasm91, 2y ago
You can usually set the DNS at the router level btw
Mr.Green Cake (OP), 2y ago
GitHub
Dual reverse proxy · immich-app immich · Discussion #2728
Hello. Lately i've been deploying Immich with Traefik on top of it and Keycloak for authentication. I solved all issues until now. The problem here is the dual proxy setup. As Immich docs tells...
