#Web app OAuth with Entra not working on v1.132.3

1 messages · Page 1 of 1 (latest)

celest trench
#

Sadly even after updating to v1.132.3, OAuth is not working in the web app. After downgrading to v1.131.3, it works.

[Nest] 17  - 04/28/2025, 2:52:03 PM   ERROR [Api:OAuthRepository~sentehmf] Error in OAuth discovery: TypeError: fetch failed
[Nest] 17  - 04/28/2025, 2:52:03 PM   ERROR [Api:OAuthRepository~sentehmf] TypeError: fetch failed
    at node:internal/deps/undici/undici:13502:13
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async performDiscovery (file:///usr/src/app/node_modules/openid-client/build/index.js:266:16)
    at async discovery (file:///usr/src/app/node_modules/openid-client/build/index.js:243:16)
    at async OAuthRepository.getClient (/usr/src/app/dist/repositories/oauth.repository.js:86:20)
    at async OAuthRepository.authorize (/usr/src/app/dist/repositories/oauth.repository.js:24:24)
    at async AuthService.authorize (/usr/src/app/dist/services/auth.service.js:124:16)
    at async OAuthController.startOAuth (/usr/src/app/dist/controllers/oauth.controller.js:36:46)
glacial islandBOT
#

:wave: Hey @celest trench,

Thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich.

References

#

Checklist

I have...

  1. :ballot_box_with_check: verified I'm on the latest release(note that mobile app releases may take some time).
  2. :ballot_box_with_check: read applicable release notes.
  3. :ballot_box_with_check: reviewed the FAQs for known issues.
  4. :ballot_box_with_check: reviewed Github for known issues.
  5. :ballot_box_with_check: tried accessing Immich via local ip (without a custom reverse proxy).
  6. :ballot_box_with_check: uploaded the relevant information (see below).
  7. :ballot_box_with_check: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable

(an item can be marked as "complete" by reacting with the appropriate number)

Information

In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:

  • Your docker-compose.yml and .env files.
  • Logs from all the containers and their status (see above).
  • All the troubleshooting steps you've tried so far.
  • Any recent changes you've made to Immich or your system.
  • Details about your system (both software/OS and hardware).
  • Details about your storage (filesystems, type of disks, output of commands like fdisk -l and df -h).
  • The version of the Immich server, mobile app, and other relevant pieces.
  • Any other information that you think might be relevant.

Please paste files and logs with proper code formatting, and especially avoid blurry screenshots.
Without the right information we can't work out what the problem is. Help us help you ;)

If this ticket can be closed you can use the /close command, and re-open it later if needed.

glacial islandBOT
summer torrent
#

Having the same issue with Authentik.

glad bobcat
#

The container cannot reach the issuer URL

celest trench
#

Whelp it worked after downgrading the other day but now it does not. I will have to do some more digging.

glad bobcat
#

There have been OAuth issues that were fixed with today's release, but the error you got clearly says it's just a connection issue

celest trench
#

I can curl the URL from outside the container but not inside so something is obviously wrong with my setup, though I am not sure what changed

glad bobcat
#

What's the error you're getting?

#

DNS?

celest trench
#

Yeah "could not resolve host". OAuth was definitely broken with 1.132 but this is obviously some other issue I need to sort out

#

Well that's strange, if I exec into my Gitea container for example, it works

#

After down and up the curl works but there is still a problem

[Nest] 17  - 04/28/2025, 3:41:17 PM   ERROR [Api:ErrorInterceptor~o7amz1qg] Unknown error: ResponseBodyError: server responded with an error in the response body
ResponseBodyError: server responded with an error in the response body
    at checkOAuthBodyError (file:///usr/src/app/node_modules/oauth4webapi/build/index.js:865:19)
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async processGenericAccessTokenResponse (file:///usr/src/app/node_modules/oauth4webapi/build/index.js:1141:5)
    at async processAuthorizationCodeOAuth2Response (file:///usr/src/app/node_modules/oauth4webapi/build/index.js:1373:20)
    at async authorizationCodeGrant (file:///usr/src/app/node_modules/openid-client/build/index.js:850:18)
    at async OAuthRepository.getProfile (/usr/src/app/dist/repositories/oauth.repository.js:52:28)
    at async AuthService.callback (/usr/src/app/dist/services/auth.service.js:137:25)
    at async OAuthController.finishOAuth (/usr/src/app/dist/controllers/oauth.controller.js:46:22)
glad bobcat
#

Check the logs of your IDP?

celest trench
#

It's Microsoft Entra so I don't think there is much I can see other than "successful login." However now if I downgrade back to v1.131.3, it works.

glad bobcat
#

Microsoft monkaW

summer torrent
#

Lol

celest trench
#

It's free and I like Microsoft Authenticator :)

glad bobcat
summer torrent
#

Wait a week they will call it something else.

glad bobcat
#

You can self-host any IDP, it's also free

celest trench
#

Web, app doesn't work but I haven't looked at the logs

glad bobcat
#

How do your entra settings look like?

celest trench
#

Authenticator lets you do passwordless auth with push notifications

glad bobcat
#

May I introduce you to: webauthn/passkeys? :P

celest trench
#

Any settings in particular? There aren't very many, just the redirect URIs and secret

celest trench
glad bobcat
#

So you should be able to change it to _post

#

I have no clue how you can configure that in the worst IDP in existence though

celest trench
#

I am not following, isn't client_secret_post the desired setting?

#

If I am interpreting the metadata correctly that is currently a supported method

glad bobcat
glad bobcat
#

You'll probably need to configure it to use it though

celest trench
#

I am not sure if controlling that is possible

celest trench
#

I guess I am going back to password login, unless there is some magic setting I don't know about

#

Not sure what else to say, I have 23 other apps doing SSO with Microsoft that work

lilac badger
#

Can you share a screenshot of the app configuration screen on entra?

#

It also looks like entra supports pkce so if you change the app type to that I believe it might just start working as well

wooden maple
#

I also have issues with Entra ID after upgrading to 1.132.3. My app config on Entra looks like this. And I get the following error in the immich-server container when trying to authenticate:

[Nest] 17 - 04/29/2025, 7:03:41 AM ERROR [Api:ErrorInterceptor~3umswvnq] Unknown error: ResponseBodyError: server responded with an error in the response body
ResponseBodyError: server responded with an error in the response body
    at checkOAuthBodyError (file:///usr/src/app/node_modules/oauth4webapi/build/index.js:865:19)
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async processGenericAccessTokenResponse (file:///usr/src/app/node_modules/oauth4webapi/build/index.js:1141:5)
    at async processAuthorizationCodeOAuth2Response (file:///usr/src/app/node_modules/oauth4webapi/build/index.js:1373:20)
    at async authorizationCodeGrant (file:///usr/src/app/node_modules/openid-client/build/index.js:850:18)
    at async OAuthRepository.getProfile (/usr/src/app/dist/repositories/oauth.repository.js:52:28)

The only log I can find on the Entra side says that the login went fine...

wooden maple
#

Or rather like this works on earlier version but neither way works on 1.132.3

#

This was the one I tested but when troubleshooting but that didn't work with either 1.132.3 or 1.131.3 but gave different issues.

glad bobcat
glad bobcat
wooden maple
#

Is what I get as options.

glad bobcat
#

Ah hm that doesn't really help :/

wooden maple
#

No not really sadly :/

lilac badger
#

I'd like to figure out what the problem is. Is there any way you can create a test account that I can use to login with?

fringe oracle
#

I am having this issue as well, did you figure anything out?

celest trench
#

I have not, I tried the recent merge that is supposed to have fixed it but either I didn't have the right combination of settings or it is still broken. As a bonus I couldn't downgrade afterwards and had to do a database restore.

static vault
glacial islandBOT
static vault
#

(Wait for new release)

steel tartan
#

I have same problem with authelia! It works before upgrade

celest trench
#

Still no luck after today's update, it very may well be a configuration issue at this point but I am at a loss when it comes to what the correct combination of settings is

#
error_description: 'AADSTS50148: The code_verifier does not match the code_challenge supplied in the authorization request for PKCE. Trace ID: 963ae881-839d-41bd-bb47-2a36e35ab300 Correlation ID: 7022d882-beb8-457b-8737-3b67d8f7a7cb Timestamp: 2025-05-21 22:17:29Z'
celest trench
#

Web

lilac badger
#

We can probably help you address it but we'd need more details.

celest trench
#

Sure, one sec

lilac badger
#

Does entra support PKCE?

#

I don't understand why it has an error saying the code challenge is invalid

#

We have rolled out PKCE and it works seemingly with every other provider, so it seems odd that entra says we're implementing it incorrectly.

#

Do you want to try setting up a new client and see if there is an alternative set of options for a PKCE flow instead of an authorization code flow?

celest trench
#

My understanding is that it does support PKCE when the "single-page application" type is used vs. "web," however I get the same result with that. If I try https://oidcdebugger.com/ with a simple app in Entra with the single-page application type, it works and says PKCE works.

#

In fact, while using the same Immich app in Entra with oidcdebugger, just adding the redirect URI for it, it works and says PKCE works

safe thorn
#

As a "me too" here, I joined Discord because I'm also trying to get Immich configured with EntraID and running into the same issues as described in this thread..

fringe oracle
#

worked before the release before this that broke it

#

been chatting with Claude and he had this to say if it helps at all:

#

## What This Reveals

**With "Allow public client flows" = No (original setting):**
- PKCE error (code_verifier mismatch)

**With "Allow public client flows" = Yes:**
- Client secret error

This suggests Immich might be incorrectly treating this as a **public client flow** in the recent update, when it should be using the **confidential client flow**.

## Key Insight

The fact that enabling public client flows changes the error from PKCE to client secret suggests:

1. **Immich may have changed its OAuth flow logic** - it might now be trying to use PKCE when it should be using client credentials
2. **Public clients don't use client secrets** - so when you enable public flows, Entra ID rejects the client secret that Immich is still sending

## For the Bug Report

This is valuable info for the devs! The issue appears to be that Immich is now:
- Sending PKCE parameters (code_challenge/code_verifier) 
- **AND** sending client secret
- But possibly implementing the PKCE flow incorrectly

**Revert back to "Allow public client flows" = No** (your original working setting) and report to the devs that:

1. The integration tries to use PKCE but implements it incorrectly (PKCE mismatch error)
2. When forced into public client mode, it still tries to send client secret (which public clients shouldn't do)
3. This suggests Immich is mixing confidential and public client OAuth patterns

This should help them identify exactly what changed in their OAuth implementation!
lilac badger
#

That sounds plausible. Can you delete the client secret from the immich config and try again?

fringe oracle
#

removing the client secret from immich throws this:

'AADSTS50148: The code_verifier does not match the code_challenge supplied in the authorization request for PKCE. Trace ID: 597120a5-8a0b-4343-91c6-8247cdac4c00 Correlation ID: 234b2ce9-639a-410d-bd89-55ba10f34184 Timestamp: 2025-05-22 06:31:35Z'

azure pelican
#

Joined to say I am having the same issue with Entra as well. Code_verifier does not match the code_challenge.

fringe oracle
#

I'm down to screen share if anyone wants to gather some more information, lmk

lilac badger
#

I'm on vacation now otherwise I'd suggest setting up a second client that I could play around with

rain hill
#

I run into this same issue but i am using ADFS as my authentication backend.

#

immich_server | cause: {
immich_server | error: 'invalid_grant',
immich_server | error_description: 'MSIS9720: Unable to validate code_verifier.'
immich_server | },
immich_server | code: 'OAUTH_RESPONSE_BODY_ERROR',
immich_server | error: 'invalid_grant',
immich_server | status: 400,
immich_server | error_description: 'MSIS9720: Unable to validate code_verifier.'
immich_server | }
immich_server | [Nest] 17 - 05/25/2025, 12:39:30 AM ERROR [Api:ErrorInterceptor~ci14jdpy] Unknown error: Error: OAuth login failed
immich_server | Error: OAuth login failed

steel tartan
#

ok, it was not listed as a breaking change but in the version v1.132.3 is a warning:

Please update your Authelia config with the following property
token_endpoint_auth_method: "client_secret_post"

lilac badger
glacial islandBOT
fringe oracle
#

but I honestly don't care if they're too incompetent to serve a correct openid-configuration
based

fading summit
#

Can someone confirm, that OAuth with Entra ID is working again with 1.134.0?
For me it does not. Same configuration as with 1.131.3.

That is my Immich OAuth config (removed sensitive information):

"oauth": {
"autoLaunch": false,
"autoRegister": true,
"buttonText": "Login with Entra ID",
"clientId": "<client-id>",
"clientSecret": "<client-secret>",
"defaultStorageQuota": 10,
"enabled": true,
"issuerUrl": "https://login.microsoftonline.com/<tenant-id>/v2.0",
"mobileOverrideEnabled": true,
"mobileRedirectUri": "https://<immich-url>/api/oauth/mobile-redirect",
"profileSigningAlgorithm": "none",
"scope": "openid email profile",
"signingAlgorithm": "RS256",
"storageLabelClaim": "preferred_username",
"storageQuotaClaim": "immich_quota",
"tokenEndpointAuthMethod": "client_secret_post"
},

Thank you

glad bobcat
glacial islandBOT
fading summit
#

Thank you Daniel. As it is merged I assumed it would be part of 1.134.0.

Any schedule for the release of #17825?

glacial islandBOT
glad bobcat
#

We don't have a plan for a next release yet, no

fading summit
#

Too bad. Thanks

rain hill
#

Do we think this is likely to fix adfs also?

glad bobcat
#

Idek what ADFS is, but it's possible

safe thorn
glad bobcat
#

Hey again! We just released 1.135.0 which finally has the Entra OAuth fix 🎉

celest trench
#

Confirmed, thank you

#

It didn't work at first and I was about to scream but I had just forgotten to change it back to a web application instead of single page in Entra

fading summit
#

Confirmed, thanks

wooden maple
#

Works for me too 🙂

rain hill
#

With ADFS I get a response back that the profile doesn't include email. I used to get this before also, but was able to resolve it with the claims, but now using the same claims as before it's back to doing this. There is a claim transform that converts the email to name id, which is what got it going previously. Has this changed?

#

What is Immich expecting to get the email address named as in the claim?

glad bobcat
#

We're expecting a claim called email, which is in line with the specs

rain hill
#

ok

#

So, my rule is configured so that the incoming claim type "E-Mail Address" is sent as a claim type "Name ID", with the format being "Email" so this seems like Name ID should be Email.

glad bobcat
#

This sounds very complicated for a simple thing lol. May I ask why you're using active directory shit in the first place? lol

rain hill
#

Because I work in a legacy corporate world my friend 🙂

glad bobcat
#

Oh you're using Immich in an enterprise? 👀

rain hill
#

This is as much me not knowing exactly what I'm doing as anything else. I also don't want to trust my authentication to 3rd party services. I can do it in house. No, this is my homelab and I chose ADFS since I have to deal with it at work

glad bobcat
#

Tbh if you're free what to choose there are much better alternatives

#

Anyways, your decision 😅

rain hill
#

Yes, well that would be like a car mechanic choosing to take his car to the shop.

glad bobcat
#

You can be good at something and still choose an easier path privately because you have the choice

rain hill
#

true.

#

but where is the education in that