#OAuth login issues on tablets

Hello. Family members of mine has tablets. I'm trying to keep only OAuth as the only way to login because of easy authentification and identity recognition. I tried to login to Immich app on those tablets (they're pretty new - Android 11 and up) but after i clicked on "Login with OAuth" button, it either loaded the google logjn page (which is correct) or the app just crashed and went back to "enter server URL" screen.

Even if i was able to get on mentioned google login screen, after clicking on correct google acconut to login, the window closed (as it should) and app went back to "enter server URL" screen. After then i tried to check the logs for errors but they're seem to wipe.

Of course, within the Webapp, everything is fine but it's not customized to be working greatly on mobile devices.

Bump

What is your redirect urls? Maybe there is something wrong on them.

I have it set up with Authelia and it works as expected.

Weird. OAuth works perfectly on other non-tablet devices like smartphones and so.

I'm going to try emulate some tablet on my pc and try it that way

On emulator, it's not even trying to start the app

i could record a video of actual behavior on real tablets if you wish

Alright so, I tried it on NoxPlayer - there was the "keep stopping" error and now i tried it on LDPlayer and it works just fine. Do you guys know where could be the issue?

What is the version of the app and server?
And your auth config in Immich :⁠-⁠)

the auth is working on other android devices (like android phones - mine, my gf's, and both parents). There's no need to share the auth config. It is clearly issue within Immich android app

On my mom's tablet, it's been fixed by disabling the adblocker app (blokada 5) and my dad has AdGuard but even after turning off the "protection" it's still crashing

What if you turn off AdGuard, reboot the phone/tablet and try then? If AdGuard is doing some DNS-changes, maybe they are cached on the device. A reboot will verify if it works with AdGuard turned off.

i did a reboot but the app was alive (probably start on boot) so i think the only way to check it is uninstall the app completerly

Alright so i was playing with it a bit:

1. uninstalled all adblocking apps
2. restarted the device
3. tried immich for login - same as always
4. deleted all data and tried again - same
5. tried dad's old tablet with Android 6 i believe? Same behavior as on these
6. Tried to turn on Blokada again on mom's tablet and log off, log in to immich - failed but this time it didn't crash the app instantly. Instead it show an error i will attach
7. Exported the logs and deleting app's data and trying again - same behavior
8. I'm no longer able to log in with mom's tablet

It seems like it didn't found currentUser in Store or something.

I thought it might be caused by screen resolution? Maybe immich is unable to draw itself on such screen resolutions and aspect ratios, causing it to crash

The fun thing is i call it crash but i'm actually not sure if it is a crash. I assume it is a crash as the logs seems empty and i'm hoping it would write an error if the login was unsuccessfull

I also tried enabling permissions, wiping cache, restarting device and checking for any suspicious app that would potentially take over control over traffic routing but didn't find anything

@molten island

2023-06-22 21:23:01.194120,LogLevel.SEVERE,"ImmichErrorLogger","Key 'currentUser' not found in Store","#0      Store.get (package:immich_mobile/shared/models/store.dart:33)
#1      new Asset.local (package:immich_mobile/shared/models/asset.dart:43)
#2      HashService._mapAllHashedAssets (package:immich_mobile/shared/services/hash.service.dart:163)
#3      HashService._hashAssets (package:immich_mobile/shared/services/hash.service.dart:83)
<asynchronous suspension>
#4      SyncService._addAlbumFromDevice (package:immich_mobile/shared/services/sync.service.dart:549)
<asynchronous suspension>
#5      diffSortedLists (package:immich_mobile/utils/diff.dart:30)
<asynchronous suspension>
#6      SyncService._syncLocalAlbumAssetsToDb (package:immich_mobile/shared/services/sync.service.dart:373)
<asynchronous suspension>
#7      AlbumService.refreshDeviceAlbums (package:immich_mobile/modules/album/services/album.service.dart:113)
<asynchronous suspension>
#8      AssetNotifier.getAllAsset (package:immich_mobile/shared/providers/asset.provider.dart:54)

It seems login was not successful - there's no currently logged in user according to the stack trace

Is there a reason why it would do this before login successfully happens?

It should not. But it seems this can somehow happen

Try download chrome and use it as a default browser

Native browser might have issue with redirection

Can you confirm that username and password work fine and this is limited to oauth?

i will try

alright, i'm going to try it

i just noticed it is already set as default browser

but when i log in, it seems not to open normal chrome application but something like embeded browser. But it does the same on phones so i think it maybe is default browser but it's embeded version is somehow called Yep it is embeded chrome browser

Just a side note, the "change password after first login" screen doesn't seem to work properly. After clicking the button "Change password" with different passwords, it doesn't do anything. I needed to click back button and change the password field to the new password i typed. So it actually changed the password in backend but it just didn't forward me to immich's main screen with photos

yep, i confirm that it is limited only to OAuth. Password login works fine

Another side note that after i tried OAuth login again, those logs preserved but it didn't add any new log with failed login or something. So it clearly doesn't log logging in with OAuth somehow. I'm not sure how it log the error from yesterday then...

any updates?

So what versions of android are the tablets which are having the problems?

Dad's tablet:

• Model Samsung Galaxy Tab S7 FE
• Android 13
• One UI 5.1
• Security Patch 1.5.2023

Mom's tablet:

• Model Lenovo Tab P11
• Android 11
• Security Patch 5.4.2023

Dad's old tablet:

• Model Teclast T20
• Android 7.1.1
• Security Patch 5.7.2017

On all 3 tablets the same error so it shouldn't be caused by Android versions or so

@here Might it be caused by other apps installed on those tablets? as i said, in the emulated environment, it worked fine.

I find it strange that all the tablets have the same issue 🤔

Yeah, same here

maybe worth a try of removing chrome browser, install firefox and try again?

so the firefox would be the default one?

marked firefox as default browser to see if it get brought up during the redirection

yeah try that

sure, give me a sec

no change, same behavior

Hmm, ok maybe let me put in some logs for OAuth logging procedure in the next release

it worked once on mom's tablet and it sighed her in. Then i logged her off and tried again and from that point it's the same behavior as always

yup, that would be ideal

maybe in debug level for both server and phone app?

there is debug level log for mobile app

but it's not logging oauth still

but you need to sign in first to toggle it 😅

ah, shut

yesh it is not logging oauth because we don't put any logs there

so we will just put normal log for oauth to debug cases like this

yep. The debug level is set by default or it's needed to toggled on after you log in?

it is by default, there is finer level that can be toggled

right. Thank you for explaining.

looking forward for next version

no problem, sorry for the inconvenience

Can you put in an issue so I remember to do it?

i will update and try it as soon as it will be out

sure. going to do it

Thanks

Done https://github.com/immich-app/immich/issues/2932

You can try and download the APK from this build to get logs for Oauth sign in before the release https://github.com/immich-app/immich/actions/runs/5372432215

epic!

will let you know in couple of hours

OAuth still isn't in logs

even if i login with phone, i can't see any oauth logs

if i open up exported logs from tablets, i don't see anything really

just created columns for created_at, level, context etc...

@quick crag sorry for pinging but maybe if we could get somewhere with this?

Does the in app log view on the tablet show something? No need to export

nope

0 logs

maybe it's not caused by OAuth itself? i don't know really.

verbose logging would really help to write down every single action the user makes.

and also every action the device does

isn't it caused by having my server still od 1.63.0?

interesting thing to mention, if i want to login on phone, it kept chrome open as separate app with this redirection but on tablets it didn't keep the chrome as separate app in recent apps

No, Oauth mechanism hasn't changed for a long time

damnit chrome tablet

I think you'd need to run a development/debug build with full adb logging attached to get more clues what's (not) going on there. I'm out of ideas

Well, I'm not even sure on what side is the cause. Either tablet's side or Immich's

Adb is functional even without root right? That might be possible

From what i read it is possible to filter Immich to logging https://developer.android.com/tools/logcat

Yeah, no need for root. Just attach adb via USB or wifi and see what happens. You can try first to grep for "flutter" but maybe you need the unfiltered logs of that short time frame between oauth click in immich, switching to web browser and redirect back to immich

Understood. Will try as soon as i get home

the issue is there is literally spam even after filter out "flutter"

with "E" (Error) flag, there could be less logs?

more logs is ok though

but i don't believe it filter out only flutter

because i set flutter:F for fatal so it should be clear and it basically ignored the filter

and is spamming everything include D which is debug

so maybe flutter isn't the right app?

If you can start the app - perform oauth logging to get to the "error" state then get the logs and send it here

we can look at it together

with the flutter filter?

just send everything

we can filter out later

alright, give me a sec

https://paste.c-net.org/AdmirerPerson

To make things easier, i clicked on login with oauth around 15:57:40

should i do the same with the second tablet?

I guess one log with the issue is enough for now. thank you

alright, np 🙂

anything new yet?

I do see this exception

Could you take a video/screen recording of what happens on the tablet? Does the app crash? Just go back to the main screen, etc.? I think it would be useful to see what you are seeing as you try to login.

I tried to grep for debug logs of Immich in your adb log. there's really not much in there. I'm puzzled

sure, brb

due to non-existing simple and great software for videoediting (bluring credentials), i'm only exporting video now

i wasn't able to click share as i had the recording floating tools there

Hmm

so the login success

let me put in some more logs

Here you go

again with adb or in app?

in app

make it simple for you 😄

thank you 🫶

nope, still empty

hmm

do you have user name and password that you can try to log in the instance?

wym exactly?

create a user that can user email and password to log to the instance

after logging in try to check the log if it is still empty

yes, that's what we discussed with bo0tzz i think a while ago

or jrasm91 i don't remember

alright

other than some assets loaded, it didn't log the login

Now log out and try login using OAuth

nope, still no logs

no login related logs*

Can you just send all the logs again anyway?

adb or inapp?

in app

This is the APK that you run right?

yep, this one in quote

sec

That all looks pretty normal, showing assets being loaded into the database. It still kicks you to the login page agian?

sorry for misleading but those logs was from the login session i did with username / password that Alex asked me for

there is no log for oauth loggin which is strange

When you do login via oauth there are no logs?

after then i logged out and logged in with OAuth (2 attempts)

I wonder if this is related to the disk read error

exactly

i can try it with my phone so we'll see if the logs will be there if the login was successfull

I did put in the log to print out the sever config but they aren't get logged out

interesting

maybe this can contribute to troubleshooting?

to even check if the logs are written in any possible way

Can you try to run the app on mobile to see the logs is visible?

sure

yep, i see those OAuth logs now

do you want to see or it's irrelevalnt from this point?

it is irrelevant now

hmm

so there's issue somewhere between when is google account authenticated and when this confirmation is delivered to the server i guess? according to logs not being shown on tablet

i wonder how i was able to login once a while ago on one of those tablets hmmm

There is this error? Caused by: io.grpc.ff: UNAUTHENTICATED: Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential.

Maybe the redirect to immich isn't being handled properly.

nope, there is 0 errors

or do you mean from server side?

that is from the adb log I believe

doesn't look like it

nevermind, it is

06-27 15:44:47.060 4239 4279 E MDD : Caused by: io.grpc.ff: UNAUTHENTICATED: Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.

interesting. How the auth credential could be wrong on tablets but on mobile it's okay?

but it's MDD app or package name, weird

probably an internal library is used for handleing Oauth request

Ah crap

That means to redo whole OAuth handling in Immich app?

With different library*

Or discuss it with that library's devs

not sure, this is only the instance with Google Oauth on the tablet platform, we don't have enough justification to change anything besides trying to find the actual cause

Do you have experience with Authentic that you can try to setup an OAuth instance for that?

That's a good idea. We should see if it is unique to Google oauth

I set up Keycloak. But the main point why I didn't want to keep it with Keycloak is that I would need to open another app to public

Aha, y'all meant it as part of troubleshooting, not the solution?

yes

Right. I can take a look into it tomorrow / the day after. It is ready to go but I would like to change the routing as now it looks like Client -> immich -> Keycloak -> Immich

But I'd rather have Keycloak as middleware so Client -> Keycloak -> Immich

But I'm not sure if immich allows such routing

Because it would skip the "login with OAuth button" part

No, i don't think it can work like that without bypassing the current oauth implementation in immich

Yeah. We've had similar discussion within exposing immich to internet. At this point, we need to rely on Immich's auth system instead of move the load of authentication to specialized auth apps like Keycloak or authentik

But then it's matter of minutes to set it up with Keycloak. Will let you know tomorrow around 6 PM GTM+2

You can move a lot of the load to a third party, especially for login events, but after that immich does generate it's own session token that is used directly.

For now, i have to go sleep, GN y'all 💤

I've got into changing the OAuth service to Keycloak and i'm able to login via web, however not through android app

#immich message

can you do it from your phone?

like login in web?

oauth login from the mobile app

not from the tablet

right, i'm unable to login from app in any android device

app's logs are clear

let me check my config

wait, isn't it maybe caused by having staging certificate on immich?

i accidentally changed the production for staging and now i'm unable to repull the cert for immich

yep, it was caused by staging certs on immich

i'm able to login to app from phone now

let's test it on tablet

sad news guys, it's the same on Keycloak setup...

that means anyone who will try immich app on tablet, it shouldn't work

"cough" Android tablet

If you've been using non-production certificates I wonder if it is possible that they are cached for the domain/connection.

I couldn't even connect to server when I was using staging certs

When I changed them to production, I was able to connect to server

And dumped them so traefik would repull them

So it shouldn't be caused by cache

Any ideas from this point on?

we are asking among the dev for an Android tablet to test

Alright, thanx y'all for not leaving it as it is

According to multiple users it seems like i have issue with my configuration. I'd like to do some tests with @stoic nimbus who reports it works fine on exactly the same tablet model as mine. Do you agree Allram?

Side note: I tried it on another old android tablet - same behavior (total of 4 tablets reports same behavior)

Also, according to @radiant stump , it works on his tablet too. Could you provide at what level of domain you have your immich instance? mine is on foo.bar.example.com . Cloudflare claims this level of domain isn't covered by their "Universal Certificate"

i'm all in to do some tests

@stoic nimbus would it be possible for you to create an account for @stoic yacht in your oauth provider to test on your instance?

mine is https://photos.domain.org

sure

feel free to DM him so you don't have to post your instance address here

that would be amazing!

Immich.mydomain.tld

@stoic yacht are you doing this on the same network?

Some routers do weird things. Could this be a network/router problem?

i'm just going to find out

just a note to everyone here, we tried it with Allram and it did the same thing as with my setup

so it will be probably caused by router / ISP or such

i'm going to try it with mobile operator data provided from phone

When using your android phone have you used the exact same network?

yep

nope, it's the same through hotspot

i'm clueless

I really don't think this is an immich bug. It definitely sounds like a setup issue on your side tho. Since you can reproduce it with a proven working instance.

Have you set up the tablets in the same way? Using the same anti-virus? Same VPN? Same adblocker?

i wouldn't say the same way. There are some adblockers and such. In fact, it did work once after turning off the adblocker (Blokada)

Same problem occured on my instance. So my guess is on network problems/network config's

however when i tried to logoff and login again with adblock still turned off, i wasn't able to login anymore

but it didn't work on hotspot either so

i'm really clueless right now

there is no way it's not caused by tablets itself

not immich particularly but tablets

i think next step would be to do factory reset on one of those

IMHO it makes no sense it would be tablets that are the problem. But instead a setup/config issue on your side

I tried it with hotspot which means i bypassed my local network and instead did go through mobile data. I didn't even connect to my instance so i did not target any my stuff at all.

there's literally no way it's caused by setup. It might be PART of the cause but not the only cause

Given that we now have several android tablets that works just fine, I have a hard time believing it's a "tablet" related problem

I think we might need to experiment some more to pin down the cause because it is unknown at the moment

absolutely, i'm going to tomorrow

IMO it is a device specific issue. Doesn't work with an otherwise valid instance means that the environment is not the issue, or at least not the only issue. I'd guess something about the tablet, the apps installed, the network settings, etc. is causing an issue for whatever reason.

yup, it would be best to perform a factory reset on one of those and see the result. Unfortunately, backuping everything is really annoying job

UPDATE:

I'm back. After midlessly trying everything (i mean EVERYTHING) i was able to login with oauth on one of tablets. The key was to reset password, firstly login to app with normal credentials and after then, when i logged out, i was able to login with oauth

I'm guessing this behaviour is caused by some data specific to these tablets, weren't passed to app. So it throw error somewhere where it isn't meant to be logged and throw me back to first screen.

As soon as i logged in / out with normal credentials (email / password) i am perfectly able to back login but with oauth this time.

i think this (reply) because when i did steps above from tablet A and then tried oauth from tablet B, i wasn't able to login with tablet B and it has the same behavior as we were discussing here.

right now i'm about to try this same thing with different account (my father's) to see if these steps are constant or not

here's the whole log

i'm curious about this line

2023-08-19 13:53:34.087305,LogLevel.SEVERE,"ImmichErrorLogger","","#0 Store.get (package:immich_mobile/shared/models/store.dart:33) and the others under

is that only the storage permisson or something else?

It is not consistant...

Here's the log of resetting the password and logging in with credentials. It is different tablet so different environment

That's an error looking up a value from the database

so there's issue with the database?

Not 100% sure. Do you have the full stack trace?

this is the full log

I'm on my phone so I'm not going to look at it lol

alright

hold on. I was trying to login to @stoic nimbus 's server (he created me account) and i wasn't able to login on the same tablet model. So it couldn't be the database issue

note that i was trying to login through both: my local network and hotspot on my phone (to reduce possible causes)

so far it still seems theres someting f***** up with the tablets

Maybe a bug with some library on tablets or something

Recreated your account now 😅

The weird this is that I have 2 of the same tablets, and they work without problems from my side

yep, that is definitely weird

Even weirder is it doesn't work with my account on your server with the same tablet

so, any further steps?

You still haven't tried factory reset? I think that would be the next step 😬