Hi, I am using authelia and caddy.

Oauth works on web, does not work on mobile with error statuscode 500. Previously worked flawlessly for a year.

In the Authelia logs I see:
Access Request failed with error: The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The PKCE code verifier must only contain [a-Z], [0-9], '-', '.', '_', '~'." method=POST path=/api/oidc/token

My authelia config is pretty simple:

• client_id: immich
  client_name: Immich
  client_secret: redacted
  public: false
  authorization_policy: household #this doesnt matter for debuging
  consent_mode: implicit
  redirect_uris:
  • app.immich:///oauth-callback
  • https://photos.example.com/auth/login
  • https://photos.example.com/user-settings
    scopes:
  • openid
  • profile
  • groups
  • email
    userinfo_signed_response_alg: "none"
    token_endpoint_auth_method: "client_secret_post" #I had to add this line recently, I think after 1.131, but it may have needed it earlier

My immich oauth config is simple too, matching this: https://www.authelia.com/integration/openid-connect/immich/
No override for mobile redirect, never was needed in the past.

:wave: Hey @gray tree,

Thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich .

References

• Container Logs: docker compose logs docs
• Container Status: docker ps -a docs
• Reverse Proxy: https://immich.app/docs/administration/reverse-proxy
• Code Formatting https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline#h_01GY0DAKGXDEHE263BCAYEGFJA

Checklist

I have...

1. :ballot_box_with_check: verified I'm on the latest release(note that mobile app releases may take some time).
2. :blue_square: read applicable release notes.
3. :blue_square: reviewed the FAQs for known issues.
4. :blue_square: reviewed Github for known issues.
5. :blue_square: tried accessing Immich via local ip (without a custom reverse proxy).
6. :blue_square: uploaded the relevant information (see below).
7. :blue_square: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable

(an item can be marked as "complete" by reacting with the appropriate number)

Information

In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:

• Your docker-compose.yml and .env files.
• Logs from all the containers and their status (see above).
• All the troubleshooting steps you've tried so far.
• Any recent changes you've made to Immich or your system.
• Details about your system (both software/OS and hardware).
• Details about your storage (filesystems, type of disks, output of commands like fdisk -l and df -h).
• The version of the Immich server, mobile app, and other relevant pieces.
• Any other information that you think might be relevant.

Please paste files and logs with proper code formatting, and especially avoid blurry screenshots.
Without the right information we can't work out what the problem is. Help us help you ;)

If this ticket can be closed you can use the /close command, and re-open it later if needed.

@tranquil anvil FYI

Yup

@cold egret Hey!

hey

so what can i help with?

Just wanted the both of you here

So I saw a couple of things that were off

Some of you had profiles in their scope, which you probably don't want

Really your scope should just be openid, profile, email

that was me

ohh, nope i had profile

not profiles

you mean group right?

no

Oh sorry

Yes I meant groups

Don't have groups

my scope is openid email profile offline_access

I removed that

but good call

i added offline access yesterday

didnt help though

Yeah I'd try reverting it to make sure we're as basic as possible

ok

sorry to be more helpful, my scope is exactly "openid email profile" now

And you both switched back to client_secret_basic?

sec

with basic it says failed to finish oauth

time="2025-04-25T16:11:23+02:00" level=error msg="Access Request failed with error: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The request was determined to be using 'token_endpoint_auth_method' method 'client_secret_post', however the OAuth 2.0 client registration does not allow this method. The registered client with id 'ooxooMahsei5che.icho8heefuvo0ahri-en_2Ahyohjaiyu_Shi0ohm3Xo2feiw' is configured to only support 'token_endpoint_auth_method' method 'client_secret_basic'. Either the Authorization Server client registration will need to have the 'token_endpoint_auth_method' updated to 'client_secret_post'x or the Relying Party will need to be configured to use 'client_secret_basic'." (*workerPool).getCh.func1\nruntime/asm_amd64.s:1700 goexit"

this error looping in authelia log

probably i shouldve deleted the id 🙂

The client id isn't confident

i know

some context, authelia 4.39 is defintely more strict with the oauth 2.0 standards. 4.39 came out a few months ago. It probably wont show that error in 4.38. However immich 1.30 definitely worked with authelia 4.39

yeah i'm on latest authelia since it is out

havent had problem before 132

Yeah I can also give you some context. We used to not verifying the token at all which obviously is quite bad

And allowed for some broken and lax oauth configs

Could either of you try reverting to authelia 4.38?

feels like immich is sending post instead of basic

Yeah I think so too, looking into that right now

ill revert in the meantime

same

yeah it will be bit complicated

level=error msg="Error occurred running a startup check" error="error during schema migrate: current schema version is greater than the latest known schema version, you must downgrade to schema version 15 before you can use this version of Authelia"

idk if i still have backup that old

same issue

Then that's fine

Could either of you share their .well-known/openid-configuration json?

Of authelia

Specifically this part

"token_endpoint_auth_methods_supported": [
"client_secret_basic",
"client_secret_post",
"client_secret_jwt",
"private_key_jwt",
"none"
],

same

but authelia probably also validates with what the oauth client is allowed to use

#17881 should fix that. Could either of you run the Immich version from that PR once it's built?

[Pull Request] fix: oauth client auth method (immich-app/immich#17881)

we also updated our 3rd party oauth library. it's probably fine to update your client configuration to use client_secret_post

i gtg in 30 min or so so probably i can only try in the evening

Should be up in 5min but whatever you prefer

I don't think so actually

ill try then

why not

I tried it and it didn't work ootb

i can test, but am a bit green on how to do that. just change my docker image in the compose?

I'll give you what you need

will this fix the mobile client too? as far as i understand it is just to fix client secret basic

Idk what's wrong with mobile yet. I'd hope it fixes both tbh

i see

Ok, the image tag is pr-17860

So instead of relase or a specific version tag, use that

only for server or machine learning too?

Only for server

ok

like this right? services:
immich-server:
container_name: immich_server
image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-pr-17860}

Assuming IMMICH_VERSION isn't set, yes

Really you should just update that env var though

image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}

image: ghcr.io/immich-app/immich-server:pr-17860

ohh.. # is formating

so instead the first line just use the second

Yup

good call it was

same error

same issues using client secret basic

trying post now

same with post. basic doesnt work with web and mobile, post works with web, not mobile

yep

What's the error you get when using mobile?

from server?

or client or authelia?

All of them ideally lol

Oh you know what

This seems like a caching issue on mobile

@prisma shard does mobile cache oauth config? If so, how can you clear that?

that was my idea first

so i deleted all my sessions

it doesn't 🤔

That wouldn't help for that

in authelia..

same error but with a fresh session

Yeah that wouldn't be bound to sessions

If anything mobile would store somewhere that it was using basic auth

And keep trying that

the thing is i freshly installed the app yesterday

so no cache whatsoever

And you haven't tried it today with basic auth at some point?

actually on my other phone where just upgraded from playstore it is still working with an old session

i just tried.. havent deleted data yet tho

ill try

Ty :)

same

it flashes a login page for a second and goes back to internal error

And authelia still says it tried basic auth?

FWIW I am still confused why it's not accepting basic auth now tbh

On web, could you click on the version on the bottom left?

thats only for web

Immich
v1.132.2
ExifTool

13.00
Node.js

v22.14.0
Libvips

8.16.1
ImageMagick

7.1.1-47
FFmpeg

7.0.2-7
Repository
immich-app/immich
Source
17860/merge@e1ee84f14
Build
14666744411
Version History

Installed 1.132.2 on Apr 25, 2025
Installed 1.132.1 on Apr 24, 2025
Installed 1.131.3 on Apr 2, 2025
Installed 1.131.2 on Apr 1, 2025
Installed 1.130.3 on Mar 27, 2025

on mobile it says

Could you click on the source link?

Oh hm

i cant my setup automatically redirects to oauth

https://github.com/immich-app/immich/commit/e1ee84f14a46e7a766312d55c616a6da38b4c0a7

and i cannot login with basic

You're all good shivam already got it for me

Yeah so that definitely isn't my PR

ok, my bad

Now it would be interesting to see what Rhyn got 😅

Can you log in with post on web right now?

let me switch back to post so i can login

is the docker image pr-17860 or pr-17881?

as directed i used immich:pr-17860, but i can change to immich:pr-17881

same

😄

i believe here

@tranquil anvil need to bring out of draft to get it built I believe

nvm

I see it was built

Oh wait did I mess up and gave you the wrong tag?

seems like it

Yeah please change to 17881

Mb

Apologies for the confusion :/

lol

need coffee man

pulling

No coffee after 4pm!

its Friyayy

Hehe fair :P

yay, now web works with basic. mobile is still broken

with the correct tag web is working with basic

Wait what mobile is still broken?

What's the error message there now?

authelia | time="2025-04-25T10:54:21-04:00" level=error msg="Access Request failed with error: The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The PKCE code verifier must only contain [a-Z], [0-9], '-', '.', '_', '~'." method=POST path=/api/oidc/token remote_ip=192.168.2.2

same error as client post now

yeah same as before

Could you post your current authelia configs again?

it is the same as in github issue but with basic

https://private-user-images.githubusercontent.com/1535845/437440359-78ddc5a1-db6a-4a65-9105-dd2dc785a3db.jpg?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDU1OTMyOTcsIm5iZiI6MTc0NTU5Mjk5NywicGF0aCI6Ii8xNTM1ODQ1LzQzNzQ0MDM1OS03OGRkYzVhMS1kYjZhLTRhNjUtOTEwNS1kZDJkYzc4NWEzZGIuanBnP1gtQW16LUFsZ29yaXRobT1BV1M0LUhNQUMtU0hBMjU2JlgtQW16LUNyZWRlbnRpYWw9QUtJQVZDT0RZTFNBNTNQUUs0WkElMkYyMDI1MDQyNSUyRnVzLWVhc3QtMSUyRnMzJTJGYXdzNF9yZXF1ZXN0JlgtQW16LURhdGU9MjAyNTA0MjVUMTQ1NjM3WiZYLUFtei1FeHBpcmVzPTMwMCZYLUFtei1TaWduYXR1cmU9MmEwOGY0YzEyM2IzNTFjOGFmZTg5NjI4MDBkMjIxMGVjMDEyNWNkYTlkYzFkODBlZGQ3ZTA1MjFiMDhkMGQ1MSZYLUFtei1TaWduZWRIZWFkZXJzPWhvc3QifQ._dUGCQI7lAXkRAEWkCZ54H6OzO1CVypsMH5Q6GP7muM

• client_id: immich
  client_name: Immich
  client_secret: redacted
  public: false
  authorization_policy: household #this doesnt matter for debuging
  consent_mode: implicit
  redirect_uris:
  - app.immich:///oauth-callback
  - https://photos.example.com/auth/login
  - https://photos.example.com/user-settings
  scopes:
  - openid
  - profile
  - email
  userinfo_signed_response_alg: "none"
  token_endpoint_auth_method: "client_secret_basic"

same

ohh, i also deleted offline access from scopes

I don't think you should be changing response modes

The response should be code with basic auth

But idk what that translates to in authelia, I'd just comment out that block for now I think

Also, userinfo_signed_response_alg should be RS256 I think

ill try that

ill check

ill keep it rs256, but same error. still works in web, mobile has statuscode 500

authelia | time="2025-04-25T11:03:59-04:00" level=error msg="Access Request failed with error: The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The PKCE code verifier must only contain [a-Z], [0-9], '-', '.', '_', '~'." method=POST path=/api/oidc/token remote_ip=192.168.2.2

i have to go.. good luck with the debugging

in immich settings, do i need a profile signing algorithm?

currently is "none"

Yes! That should also be RS256

RS256 means the userinfo/profile is signed. I don't think that's normally the case.

It is for me at least 😅

Hey can you setup an account for me on your instance? and DM me the info, let me try logging in with mobile and trace the debug message

yup, will do in 10 min, finishing up lunch

no problem

just DM me

it seems to be hitting this case:
https://github.com/ory/fosite/blob/master/handler/pkce/handler.go#L179-L181

seems like I got unlucky settin OIDC 😄

If you're using authelia it's a bit of a bad timing, yes 😅

ahahah

yes

I just set it

pr-17860 fixes it?

level=error msg="Access Request failed with error: The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The PKCE code verifier must only contain [a-Z], [0-9], '-', '.', '_', '~'." method=POST path=/api/oidc/token

Nope

#17886 fixes it, but you'll need to wait for the mobile release there

[Pull Request] fix: Authelia OAuth code verifier value contains invalid characters (immich-app/immich#17886)