#Authentik and Immich


quasi hearth
#

Hey Everyone,
I'm trying to get authentik to work as my OAuth provider, and I have followed the steps in this documentation: https://docs.goauthentik.io/integrations/services/immich/
However, whenever I try to authenticate, these errors appear in the immich server logs:

[Nest] 7 - 04/13/2024, 7:14:19 AM ERROR [AuthService] Error in OAuth discovery: RPError: outgoing request timed out after 30000ms
[Nest] 7 - 04/13/2024, 7:14:19 AM ERROR [AuthService] RPError: outgoing request timed out after 30000ms
at /usr/src/app/node_modules/openid-client/lib/helpers/request.js:140:13
at async Issuer.discover (/usr/src/app/node_modules/openid-client/lib/issuer.js:143:22)
at async AuthService.getOAuthClient (/usr/src/app/dist/services/auth.service.js:259:28)
at async AuthService.authorize (/usr/src/app/dist/services/auth.service.js:158:24)

I have everything set up behind an instance of nginx proxy manager, with a valid wildcard Let's Encrypt cert. The instances of authentik and immich are on two separate hosts, but are able to ping each other. If there is any more information that is required please let me know.

uncut lavaBOT
#

:wave: Hey @quasi hearth,

Thanks for reaching out to us. Please follow the recommended actions below; this will help us be more effective in our support effort and leave more time for building Immich.

Checklist

  1. :ballot_box_with_check: I have verified I'm on the latest release (note that mobile app releases may take some time).
  2. :ballot_box_with_check: I have read applicable release notes.
  3. :ballot_box_with_check: I have reviewed the FAQs for known issues.
  4. :ballot_box_with_check: I have reviewed GitHub for known issues.
  5. :ballot_box_with_check: I have tried accessing Immich via local IP (without a custom reverse proxy).
  6. :ballot_box_with_check: I have uploaded the relevant logs, docker compose, and .env files using the buttons below or the /upload command.
  7. :ballot_box_with_check: I have tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable.

(an item can be marked as "complete" by reacting with the appropriate number)

If this ticket can be closed you can use the /close command, and re-open it later if needed.

quasi hearth
#

As a side note, I had this exact setup working about 2 weeks ago, but due to a power outage I had to recreate the setup (I have since bought a UPS).

maiden island
#

Immich isn't able to reach authentik

#

(or authentik isn't running)

quasi hearth
#

If I go to the "OpenID Configuration URL" in my browser, it does return the proper JSON.

#

I'll triple-check my firewall settings.

#

100% a firewall issue. I created a test Windows VM and was not able to reach authentic.mypublic.domain, then edited the hosts file to point authentic.mypublic.domain to my reverse proxy IP, and that worked.

quasi hearth
#

After sleeping on it and a bit more googling, I figured out my issue. If anyone else is having the same issue where they (1) have port-forwarded their public IP to their reverse proxy, (2) have their reverse proxy and immich on the same subnet, and (3) are using OPNsense as their firewall, make sure you enable "Reflection for port forwards" and "Automatic outbound NAT for Reflection" in your advanced NAT settings in OPNsense.
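The failure mode in this thread is a hairpin-NAT problem: from the LAN, the public hostname resolves to the router's own WAN address, a plain port-forward only matches traffic arriving on the WAN interface, so the connection is silently dropped and openid-client gives up after its default 30 s (the `Issuer.discover` timeout in the log). The script below is an added example, not Immich, authentik or OPNsense code, that reproduces the reasoning in the last post as a check you can run from the Immich host: it resolves the IdP hostname the way the relying party would, classifies where those packets will go, and (optionally) fetches the discovery document with the same bounded timeout and verifies the `issuer` claim matches the configured URL, which openid-client also enforces. The hostname `auth.example.test`, the WAN address `203.0.113.10` and the subnet `192.168.1.0/24` are constructed placeholders.

```python
"""Diagnose why an OIDC relying party on the LAN cannot reach an IdP that is
published through a port-forward on the same router (hairpin / NAT reflection).

Added example, not Immich or authentik code. All hostnames, addresses and
subnets used here are constructed placeholders.
"""
import ipaddress
import json
import socket
import urllib.request


def classify_path(resolved_ip, lan_cidr, wan_ip):
    """Classify where a LAN client's packets to resolved_ip will go.

    direct-lan       : target is on the client's own subnet, no NAT involved
    hairpin-required : target is the router's own WAN address; a plain
                       port-forward only matches traffic arriving on WAN, so
                       the router needs NAT reflection (or the client needs a
                       split-DNS override pointing the name at the LAN IP)
    external         : a genuinely remote address, ordinary outbound path
    """
    ip = ipaddress.ip_address(resolved_ip)
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    if ip in lan:
        return "direct-lan"
    if ip == ipaddress.ip_address(wan_ip):
        return "hairpin-required"
    return "external"


def resolve_from_table(table):
    """Build an offline stand-in for socket.gethostbyname from a dict."""
    def resolve(hostname):
        try:
            return table[hostname]
        except KeyError:
            raise socket.gaierror(-2, "Name or service not known")
    return resolve


def diagnose(hostname, lan_cidr, wan_ip, resolve=socket.gethostbyname):
    """Resolve hostname as the relying party would and explain the path."""
    try:
        resolved = resolve(hostname)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return {"resolved_ip": None, "path": "dns-failure", "detail": str(exc)}
    path = classify_path(resolved, lan_cidr, wan_ip)
    advice = {
        "direct-lan": "reachable without NAT; check the proxy/IdP itself",
        "hairpin-required": "enable NAT reflection on the router, or add a "
                            "split-DNS override mapping the name to the LAN IP",
        "external": "ordinary outbound path; check egress firewall rules",
    }[path]
    return {"resolved_ip": resolved, "path": path, "detail": advice}


def fetch_discovery(issuer, timeout=30):
    """Fetch the OIDC discovery document with a bounded timeout.

    openid-client waits 30 s by default; the immich log in this thread shows
    exactly that timeout firing inside Issuer.discover(). Needs network.
    """
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def issuer_matches(document, configured_issuer):
    """openid-client rejects a discovery document whose `issuer` differs from
    the configured issuer URL (trailing slash included), so compare exactly."""
    return document.get("issuer") == configured_issuer


if __name__ == "__main__":
    # Constructed scenario: the IdP is published on the router's WAN address
    # and the relying party sits on 192.168.1.0/24 behind that same router.
    fake_dns = resolve_from_table({"auth.example.test": "203.0.113.10"})
    print(diagnose("auth.example.test", "192.168.1.0/24", "203.0.113.10", fake_dns))
```

Run it with the real resolver (drop the `fake_dns` argument) on the Immich host: a result of `hairpin-required` means the fix is NAT reflection on the firewall or a split-DNS override, not anything in Immich or authentik; `dns-failure` points at the resolver the container is using instead.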