#Wrong redirect after oAuth success

lament karma
#

Why would Immich try to load /api/oauth/callback after an oAuth? That URL does not exist at all.

{
    "message": "Failed to finish oauth",
    "error": "Internal Server Error",
    "statusCode": 500,
    "correlationId": "p0n02pvf"
}

{"message":"Cannot GET /api/oauth/callback","error":"Not Found","statusCode":404,"correlationId":"cufthogg"}

Referrer is the domain on which immich runs, oAuth correctly logs in, no problem with that, but somehow immich loads that weird url, then says "could not complete oauth" even if everything went well with oAuth (well, except that it did not log in, due to the bad url redirect)

Using authentik as per the docs, everything set up properly according to the documentation, this happens on desktop computers, mobile I did not try.

cunning sphinxBOT
#

:wave: Hey @lament karma,

Thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich.

#

Checklist

I have...

  1. :ballot_box_with_check: verified I'm on the latest release (note that mobile app releases may take some time).
  2. :ballot_box_with_check: read applicable release notes.
  3. :ballot_box_with_check: reviewed the FAQs for known issues.
  4. :ballot_box_with_check: reviewed Github for known issues.
  5. :ballot_box_with_check: tried accessing Immich via local ip (without a custom reverse proxy).
  6. :ballot_box_with_check: uploaded the relevant information (see below).
  7. :ballot_box_with_check: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable

(an item can be marked as "complete" by reacting with the appropriate number)

Information

In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:

  • Your docker-compose.yml and .env files.
  • Logs from all the containers and their status (see above).
  • All the troubleshooting steps you've tried so far.
  • Any recent changes you've made to Immich or your system.
  • Details about your system (both software/OS and hardware).
  • Details about your storage (filesystems, type of disks, output of commands like fdisk -l and df -h).
  • The version of the Immich server, mobile app, and other relevant pieces.
  • Any other information that you think might be relevant.

Please paste files and logs with proper code formatting, and especially avoid blurry screenshots.
Without the right information we can't work out what the problem is. Help us help you ;)

If this ticket can be closed you can use the /close command, and re-open it later if needed.

lament karma
#

yes, and my other authentik instances work (gitea, etc)
That example file btw is wrong: it says to put issuer url to https://example.immich.app/application/o/immich/.well-known/openid-configuration which clearly cannot be 🙂

#

The issuer url has to be the issuer of ID, not consumer
Anyway, that apart, the authentication is not at fault.
Immich redirects after authentication on authentik was successful, and after said redirects back to immich... to /api/oauth/callback which is a non-existing url.

stray briar
#

example.immich.app is just an example placeholder for the IDP url

#

/api/oauth/callback is a valid & existing endpoint on the Immich server

lament karma
#

yes... that much was clear, but it kind of insinuates you expect it on the same url as immich is.

#

not so much here. how comes this difference?

stray briar
#

Because you're trying to open it in your browser which sends a GET

lament karma
#

do I have to re-install perhaps?
I recall some updates were a bit of a ----- at some point, where I somehow managed to get it back up running...

stray briar
#

It only handles POST requests

lament karma
#

well. but after authentik it also goes with error (and that is not in the browser)

#

{
"message": "Failed to finish oauth",
"error": "Internal Server Error",
"statusCode": 500,
"correlationId": "p0n02pvf"
}

stray briar
#

"Internal server error" means the actual error will be in the logs

lament karma
#

so you are saying that redirect is expected and that it should log me in, or let me connect to an existing account after it?

stray briar
#

I'm saying you should check the logs

lament karma
#

yeah the hell....
[Nest] 17 - 04/10/2025, 8:35:04 PM ERROR [Api:ErrorInterceptor~iifrkauo] Unknown error: RPError: failed to decode JWT (TypeError: encrypted JWTs cannot be decoded)
do not enable an Encryption Key in Authentik!!!