
Authentik OAuth2 404 Errors Connecting to Immich #13252

Open
@ryphez


I'm trying to set up Immich with OAuth2. I already have Authentik set up with SWAG for other apps such as code-server and FreshRSS, which all work fine with a Proxy Provider. I followed the guide https://dev.to/rzumbado/immich-sso-with-authentik-2gi9 and everything appeared to be set up correctly, but when I open my "photos.domain.com" I get a 500 Internal Server Error.

The authentik logs show the following entry, and I am not redirected to the login page as I usually am:

{
   "auth_via": "unauthenticated",
   "domain_url": "photos.domain.com",
   "event": "/outpost.goauthentik.io/auth/nginx",
   "host": "photos.domain.com",
   "level": "info",
   "logger": "authentik.asgi",
   "method": "GET",
   "pid": 46,
   "remote": "192.168.1.233",
   "request_id": "6aaea770e4bd444085003469d0cc48d3",
   "runtime": 8,
   "schema_name": "public",
   "scheme": "https",
   "status": 404,
   "timestamp": "2025-02-22T07:08:32.119602",
   "user": "",
   "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0"
 }    

My swag config for Immich (photos) is

    ## Version 2025/01/30
    # make sure that your immich container is named immich_server
    # make sure that your dns has a cname set for immich
    # immich v1.118+ only. For earlier versions, change $upstream_port to 3001 
    
    # HTTPS virtual host for photos.*; both locations below proxy to the Immich
    # server at 192.168.1.69:2283 over plain HTTP.
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
    
        server_name photos.*;
    
        include /config/nginx/ssl.conf;
    
        # 0 disables nginx's request-body size check, so upload size is not capped at the proxy.
        client_max_body_size 0;
    
        # enable for ldap auth (requires ldap-location.conf in the location block)
        #include /config/nginx/ldap-server.conf;
    
        # enable for Authelia (requires authelia-location.conf in the location block)
        #include /config/nginx/authelia-server.conf;
    
        # enable for Authentik (requires authentik-location.conf in the location block)
        # The authentik-server.conf pasted in this issue defines the /outpost.goauthentik.io
        # locations and the @goauthentik_proxy_signin redirect.
        include /config/nginx/authentik-server.conf;
    
        location / {
            # enable the next two lines for http auth
            #auth_basic "Restricted";
            #auth_basic_user_file /config/nginx/.htpasswd;
    
            # enable for ldap auth (requires ldap-server.conf in the server block)
            #include /config/nginx/ldap-location.conf;
    
            # enable for Authelia (requires authelia-server.conf in the server block)
            #include /config/nginx/authelia-location.conf;
    
            # enable for Authentik (requires authentik-server.conf in the server block)
            # NOTE(review): authentik-location.conf is not shown; presumably it issues the
            # auth_request to /outpost.goauthentik.io/auth/nginx. nginx treats any auth
            # subrequest status other than 2xx, 401 or 403 as an error and answers 500, so
            # the 404 that authentik logs for that path would explain the 500 in the browser.
            # Forward auth needs the authentik outpost to serve a Proxy Provider for this
            # hostname; an OAuth2/OpenID provider alone likely does not register the host
            # with the outpost. Confirm which provider type was created for Immich.
            # If Immich performs the OAuth2 login itself, this include and the matching one
            # in the server block are probably unnecessary. Verify before removing them.
            include /config/nginx/authentik-location.conf;
    
            include /config/nginx/proxy.conf;
            include /config/nginx/resolver.conf;
            set $upstream_app 192.168.1.69;
            set $upstream_port 2283;
            set $upstream_proto http;
            proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    
        }
    
        # Regex locations are checked before the plain "/" prefix, and this pattern is
        # unanchored, so any URI that contains "/api" is handled here.
        # This block has no authentik include, so unless auth_request is set in an include
        # not shown, these requests are not gated at the proxy and access control for them
        # rests on Immich's own authentication.
        # NOTE(review): consider anchoring the pattern (e.g. ^(/immich)?/api) so only the
        # API prefix skips the proxy-level check. Confirm against Immich's routes first.
        location ~ (/immich)?/api {
            include /config/nginx/proxy.conf;
            include /config/nginx/resolver.conf;
            set $upstream_app 192.168.1.69;
            set $upstream_port 2283;
            set $upstream_proto http;
            proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    
        }
    }
    ```

Lastly my authentik config in swag is
## Version 2023/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authentik-server.conf.sample
# Make sure that your authentik container is in the same user defined bridge network and is named authentik-server
# Rename /config/nginx/proxy-confs/authentik.subdomain.conf.sample to /config/nginx/proxy-confs/authentik.subdomain.conf

# location for authentik subfolder requests
# "^~" makes this a prefix match that skips regex locations, so everything under
# /outpost.goauthentik.io is proxied to authentik, except the exact-match auth
# endpoint that this file defines separately.
location ^~ /outpost.goauthentik.io {
    auth_request off; # requests to this subfolder must be accessible without authentication
    include /config/nginx/proxy.conf;
    include /config/nginx/resolver.conf;
    # Holding the upstream name in a variable makes nginx resolve it at request time
    # (using the resolver presumably configured in resolver.conf) rather than at startup.
    set $upstream_authentik authentik-server;
    # No URI part on proxy_pass, so the original request URI is forwarded unchanged.
    proxy_pass http://$upstream_authentik:9000;
}

# location for authentik auth requests
# Exact-match endpoint intended as the target of nginx auth_request subrequests.
location = /outpost.goauthentik.io/auth/nginx {
    # Clients cannot request this path directly; only internal requests reach it.
    internal;

    include /config/nginx/proxy.conf;
    include /config/nginx/resolver.conf;
    set $upstream_authentik authentik-server;
    # authentik's status decides the outcome of the auth subrequest: 2xx allows,
    # 401/403 denies, and any other status (such as the 404 reported in this issue)
    # is treated by nginx as an error and surfaces as a 500.
    # NOTE(review): a 404 here presumably means authentik has no proxy provider for
    # the request's Host. Confirm in the outpost's list of providers.
    proxy_pass http://$upstream_authentik:9000;

    ## Include the Set-Cookie header if present
    auth_request_set $set_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $set_cookie;

    # The auth check needs only the request headers, so the client body is not
    # forwarded and Content-Length is cleared to match.
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

# virtual location for authentik 401 redirects
# Named location: reachable only through an internal redirect such as error_page
# (presumably configured in authentik-location.conf, which is not shown).
location @goauthentik_proxy_signin {
    internal;

    ## Include the Set-Cookie header if present
    auth_request_set $set_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $set_cookie;

    ## Set the $target_url variable based on the original request
    # set_escape_uri percent-encodes the value so it can be carried in the rd= query
    # parameter. $http_host is the Host header exactly as the client sent it, so the
    # redirect stays on whichever hostname the client used.
    set_escape_uri $target_url $scheme://$http_host$request_uri;

    ## Set the $signin_url variable
    set $signin_url https://$http_host/outpost.goauthentik.io/start?rd=$target_url;

    ## Redirect to login
    return 302 $signin_url;
}

Happy to try anything out or give more logs if needed.
