#Authentik <-> Immich OAuth2 Failure


opal river
#

I saw a few people within the Discord (and Authentik Discord) of this issue, but still haven't had any luck. I've been banging my head at this issue for days now and cannot seem to find a resolution.

I've tried multiple addresses for ISSUER_URL's (both internal and external addresses) - no luck
I've tried adding immich and authentik on the same network and different.
Different browsers, incognito, recreating the apps, changing the redirect uri's. I feel like I'm at a loss. Hopefully someone can help, I'd greatly appreciate it.

```
[Nest] 18 - 07/24/2025, 5:26:00 PM ERROR [Api:OAuthRepository~5cp55hic] Error in OAuth discovery: TypeError: fetch failed
[Nest] 18 - 07/24/2025, 5:26:00 PM ERROR [Api:OAuthRepository~5cp55hic] TypeError: fetch failed
    at node:internal/deps/undici/undici:13510:13
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async performDiscovery (file:///usr/src/app/server/node_modules/openid-client/build/index.js:266:16)
    at async discovery (file:///usr/src/app/server/node_modules/openid-client/build/index.js:243:16)
    at async OAuthRepository.getClient (/usr/src/app/server/dist/repositories/oauth.repository.js:85:20)
    at async OAuthRepository.authorize (/usr/src/app/server/dist/repositories/oauth.repository.js:25:24)
    at async AuthService.authorize (/usr/src/app/server/dist/services/auth.service.js:163:16)
    at async OAuthController.startOAuth (/usr/src/app/server/dist/controllers/oauth.controller.js:36:46)
```

dusty wyvern BOT
#

:wave: Hey @opal river,

Thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich.

Checklist

I have...

  1. :ballot_box_with_check: verified I'm on the latest release (note that mobile app releases may take some time).
  2. :ballot_box_with_check: read applicable release notes.
  3. :ballot_box_with_check: reviewed the FAQs for known issues.
  4. :ballot_box_with_check: reviewed Github for known issues.
  5. :ballot_box_with_check: tried accessing Immich via local ip (without a custom reverse proxy).
  6. :ballot_box_with_check: uploaded the relevant information (see below).
  7. :ballot_box_with_check: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable

(an item can be marked as "complete" by reacting with the appropriate number)

Information

In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:

  • Your docker-compose.yml and .env files.
  • Logs from all the containers and their status (see above).
  • All the troubleshooting steps you've tried so far.
  • Any recent changes you've made to Immich or your system.
  • Details about your system (both software/OS and hardware).
  • Details about your storage (filesystems, type of disks, output of commands like fdisk -l and df -h).
  • The version of the Immich server, mobile app, and other relevant pieces.
  • Any other information that you think might be relevant.

Please paste files and logs with proper code formatting, and especially avoid blurry screenshots.
Without the right information we can't work out what the problem is. Help us help you ;)

If this ticket can be closed you can use the /close command, and re-open it later if needed.

west jetty
#

That's a self-signed cert isn't it? I'm not sure we support that (I'm like 80% we don't)

opal river
west jetty
#

What are you referring to?

opal river
#

it's a different url, verified by Let's Encrypt

#

it's TLS1.3

west jetty
#

.external is not a valid TLD afaik

opal river
#

i meant to withhold the url, but it's .miami

west jetty
#

Oh that wasn't clear at all 😅

opal river
#

that's on me lol, i should have clarified

west jetty
#

So then it's probably some routing-related issues

#

I'd try pinging authentik inside the Immich container

#

Or the other way around

dusty wyvern BOT
opal river
#

```
ping -c 4 authentik-server-1

PING authentik-server-1 (10.0.0.4) 56(84) bytes of data.
64 bytes from authentik-server-1.auth-net (10.0.0.4): icmp_seq=1 ttl=64 time=0.065 ms
64 bytes from authentik-server-1.auth-net (10.0.0.4): icmp_seq=2 ttl=64 time=0.065 ms
64 bytes from authentik-server-1.auth-net (10.0.0.4): icmp_seq=3 ttl=64 time=0.061 ms
64 bytes from authentik-server-1.auth-net (10.0.0.4): icmp_seq=4 ttl=64 time=0.070 ms

--- authentik-server-1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.061/0.065/0.070/0.003 ms

ping -c 4 immich_server

PING immich_server (10.0.0.9) 56(84) bytes of data.
64 bytes from immich_server.auth-net (10.0.0.9): icmp_seq=1 ttl=64 time=0.119 ms
64 bytes from immich_server.auth-net (10.0.0.9): icmp_seq=2 ttl=64 time=0.069 ms
64 bytes from immich_server.auth-net (10.0.0.9): icmp_seq=3 ttl=64 time=0.078 ms
64 bytes from immich_server.auth-net (10.0.0.9): icmp_seq=4 ttl=64 time=0.071 ms
```

west jetty
#

You're using a different domain there (again)

#

It needs to be a domain that's accessible by both your browser/app and the container

opal river
#

the immich_server is the name of the container and auth-net is just the network i made in portainer so the apps can talk to one another

#

are you saying ping the external address?

#

i can get into both of them externally

west jetty
#

In Immich you need to specify an issuer URL that's accessible both from within the container as well as any client

opal river
#

the thing is that the url won't ping since it is reaching out to an external address that is bound on the same network

#

if i use an internal ip for the issuer, it redirects and then fails as it doesn't pick up the outpost like it's supposed to

west jetty
#

One solution might be to have NPM advertise the URL of Immich as another hostname so that DNS resolves to the internal address within the docker network.

#

There are more solutions though, all of which unrelated to Immich :)

opal river
#

i think you're on to something. i've been using Synology's Reverse Proxy function, but i think i might need to just get NPM. seems inevitable at this point

west jetty
#

Oh woops I just assumed it's NPM because it looked like it

#

You can also use any other reverse proxy :D

#

But yeah the synology one might be limiting

opal river
#

i just want to say. i appreciate you for being so responsive, means a lot

west jetty
#

I try to at least :)

opal river
#

keep being perfect.

#

i'm gonna set up NPM anyways and see if it makes a difference once i transition to it

west jetty
#

I am definitely not perfect lol

#

Appreciate it though!

opal river
#

i'll keep you posted, i'm determined to get this fixed today

opal river
#

just an update. I never found a solution to this. I think the port forwarding needed to be modified on my router, but it's off-site. I ended up just building a new nas system from scratch and locally host immich-authentik