Open
Description
I'm trying to set up Immich with OAuth2. I have had Authentik setup with SWAG for other apps like code-server and fresh rss which all work fine with a Proxy Provider. I followed the guide https://dev.to/rzumbado/immich-sso-with-authentik-2gi9 which seemed to all setup correctly, but when I hit my "photos.domain.com", I get 500 Internal Service Error
In the authentik logs I get this with no redirection to log in like usual
{
"auth_via": "unauthenticated",
"domain_url": "photos.domain.com",
"event": "/outpost.goauthentik.io/auth/nginx",
"host": "photos.domain.com",
"level": "info",
"logger": "authentik.asgi",
"method": "GET",
"pid": 46,
"remote": "192.168.1.233",
"request_id": "6aaea770e4bd444085003469d0cc48d3",
"runtime": 8,
"schema_name": "public",
"scheme": "https",
"status": 404,
"timestamp": "2025-02-22T07:08:32.119602",
"user": "",
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0"
}
My swag config for Immich (photos) is
## Version 2025/01/30
# make sure that your immich container is named immich_server
# make sure that your dns has a cname set for immich
# immich v1.118+ only. For earlier versions, change $upstream_port to 3001
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name photos.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
# enable for ldap auth (requires ldap-location.conf in the location block)
#include /config/nginx/ldap-server.conf;
# enable for Authelia (requires authelia-location.conf in the location block)
#include /config/nginx/authelia-server.conf;
# enable for Authentik (requires authentik-location.conf in the location block)
include /config/nginx/authentik-server.conf;
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
include /config/nginx/authentik-location.conf;
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app 192.168.1.69;
set $upstream_port 2283;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
location ~ (/immich)?/api {
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app 192.168.1.69;
set $upstream_port 2283;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}
```
Lastly my authentik config in swag is
## Version 2023/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authentik-server.conf.sample
# Make sure that your authentik container is in the same user defined bridge network and is named authentik-server
# Rename /config/nginx/proxy-confs/authentik.subdomain.conf.sample to /config/nginx/proxy-confs/authentik.subdomain.conf
# location for authentik subfolder requests
location ^~ /outpost.goauthentik.io {
auth_request off; # requests to this subfolder must be accessible without authentication
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_authentik authentik-server;
proxy_pass http://$upstream_authentik:9000;
}
# location for authentik auth requests
location = /outpost.goauthentik.io/auth/nginx {
internal;
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_authentik authentik-server;
proxy_pass http://$upstream_authentik:9000;
## Include the Set-Cookie header if present
auth_request_set $set_cookie $upstream_http_set_cookie;
add_header Set-Cookie $set_cookie;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}
# virtual location for authentik 401 redirects
location @goauthentik_proxy_signin {
internal;
## Include the Set-Cookie header if present
auth_request_set $set_cookie $upstream_http_set_cookie;
add_header Set-Cookie $set_cookie;
## Set the $target_url variable based on the original request
set_escape_uri $target_url $scheme://$http_host$request_uri;
## Set the $signin_url variable
set $signin_url https://$http_host/outpost.goauthentik.io/start?rd=$target_url;
## Redirect to login
return 302 $signin_url;
}
Happy to try anything out or give more logs if needed.