Immich•2y ago
Mattaton

Matching existing users up with OIDC users?

I am very new to the OIDC setup and currently just use the Immich built-in auth. If I switch to OIDC with Authelia (still figuring that out), will the existing users be able to be "mapped" to the new users which Authelia derives from LDAP? How does that work?
13 Replies
MarcMK•2y ago
Not a dev, but Immich uses so-called 'Storage Labels' to figure out where to put the images. Under 'Administration > Users' you can click on the pen icon next to a user and change this label. So if you would use a new user, by say using a different IdP, you could just change that Storage Label to match the original one on your old account. You might need to run the 'Storage Migration Job' after changing the label to reflect changes in the DB and filesystem.
jrasm91•2y ago
Storage label is kind of independent of OAuth resolving/mapping to the right user to begin with. In Immich, users have an email address. If the user is logging in with Authelia, it will try to match an existing user with the same email address.
MattatonOP•2y ago
Okay, so if my LDAP server has the same email address as the one used in Immich, it should "just work?"
jrasm91•2y ago
yup
MattatonOP•2y ago
Awesome. Thanks!
bo0tzz•2y ago
And if it doesn't 'just work', the user can log in to their Immich account and then link it to OAuth via their account settings page.
jrasm91•2y ago
What do they log in with right now? Email/password?
MattatonOP•2y ago
Yeah, the basic Immich user settings. No external auth is currently used.
jrasm91•2y ago
Ok yeah, it'll automatically match on email, which seems to be the most common
MattatonOP•2y ago
Great. I am currently trying to figure out how to set up Authelia OIDC, etc. I'm a little out of my depth, so it'll probably end up its own thread here. 😄
jrasm91•2y ago
There are some existing posts here with similar questions and some of them have examples which may help.
MattatonOP•2y ago
Yep. I've already been looking over those. I don't have the basic understanding yet, so the differences in configs I see posted are throwing me. Like one will have the issuer_private_key and hmac_secret and another won't. Yet both users say their config works. I've tried to add different versions of the setup and Authelia won't even start after I add it. So, I'm missing something. I already have Authelia running for services that just need a basic auth barrier. But services like Nextcloud and Immich, which have mobile apps, etc., don't work with the basic Authelia wall in front of them. So, I'm at the point of going the OIDC route.
jrasm91•2y ago
Ah, I see. Yeah, makes sense.
