immich-app / immich

High performance self-hosted photo and video management solution.
https://immich.app
GNU Affero General Public License v3.0

Not working OAuth with Keycloak in mobile app #12246

Closed Bitnik212 closed 2 months ago

Bitnik212 commented 2 months ago

The bug

Got error on sign in by Keycloak sso.

Why this is a mobile bug:

The OS that Immich Server is running on

Ubuntu 20.04

Version of Immich Server

1.113.0

Version of Immich Mobile App

1.113

Platform with the issue

Your docker-compose.yml content

version: "3.8"

services:

  server:
    image: ghcr.io/immich-app/immich-server:release
    command: [ "start.sh", "immich" ]
    ports:
      - "30010:3001"
      - "30011:2283"
    environment: 
      DB_HOSTNAME: $DB_HOSTNAME
      DB_USERNAME: $DB_USERNAME
      DB_PASSWORD: $DB_PASSWORD
      DB_DATABASE_NAME: $DB_DATABASE_NAME
      UPLOAD_LOCATION: $UPLOAD_LOCATION
      REDIS_HOSTNAME: $REDIS_HOSTNAME
      LOG_LEVEL: $LOG_LEVEL
      TYPESENSE_ENABLED: $TYPESENSE_ENABLED
      TYPESENSE_API_KEY: $TYPESENSE_API_KEY
      TYPESENSE_HOST: $TYPESENSE_HOST
      TYPESENSE_PORT: $TYPESENSE_PORT
      TYPESENSE_PROTOCOL: $TYPESENSE_PROTOCOL
      DISABLE_REVERSE_GEOCODING: $DISABLE_REVERSE_GEOCODING
      REVERSE_GEOCODING_PRECISION: $REVERSE_GEOCODING_PRECISION
      PUBLIC_LOGIN_PAGE_MESSAGE: $PUBLIC_LOGIN_PAGE_MESSAGE
      IMMICH_SERVER_URL: $IMMICH_SERVER_URL
      IMMICH_MACHINE_LEARNING_URL: $IMMICH_MACHINE_LEARNING_URL
      PUBLIC_IMMICH_SERVER_URL: $PUBLIC_IMMICH_SERVER_URL
      IMMICH_API_URL_EXTERNAL: $IMMICH_API_URL_EXTERNAL
      TZ: $TZ
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
    depends_on:
      - redis
      - database
    restart: always

  microservices:
    image: ghcr.io/immich-app/immich-server:release
    command: [ "start.sh", "microservices" ]
    environment: 
      DB_HOSTNAME: $DB_HOSTNAME
      DB_USERNAME: $DB_USERNAME
      DB_PASSWORD: $DB_PASSWORD
      DB_DATABASE_NAME: $DB_DATABASE_NAME
      UPLOAD_LOCATION: $UPLOAD_LOCATION
      REDIS_HOSTNAME: $REDIS_HOSTNAME
      LOG_LEVEL: $LOG_LEVEL
      TYPESENSE_ENABLED: $TYPESENSE_ENABLED
      TYPESENSE_API_KEY: $TYPESENSE_API_KEY
      TYPESENSE_HOST: $TYPESENSE_HOST
      TYPESENSE_PORT: $TYPESENSE_PORT
      TYPESENSE_PROTOCOL: $TYPESENSE_PROTOCOL
      DISABLE_REVERSE_GEOCODING: $DISABLE_REVERSE_GEOCODING
      REVERSE_GEOCODING_PRECISION: $REVERSE_GEOCODING_PRECISION
      PUBLIC_LOGIN_PAGE_MESSAGE: $PUBLIC_LOGIN_PAGE_MESSAGE
      IMMICH_SERVER_URL: $IMMICH_SERVER_URL
      IMMICH_MACHINE_LEARNING_URL: $IMMICH_MACHINE_LEARNING_URL
      PUBLIC_IMMICH_SERVER_URL: $PUBLIC_IMMICH_SERVER_URL
      IMMICH_API_URL_EXTERNAL: $IMMICH_API_URL_EXTERNAL
      TZ: $TZ
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
    depends_on:
      - redis
      - database
    restart: always

  machine-learning:
    image: ghcr.io/immich-app/immich-machine-learning:release
    ports:
      - "30013:3003"
    environment: 
      DB_HOSTNAME: $DB_HOSTNAME
      DB_USERNAME: $DB_USERNAME
      DB_PASSWORD: $DB_PASSWORD
      DB_DATABASE_NAME: $DB_DATABASE_NAME
      UPLOAD_LOCATION: $UPLOAD_LOCATION
      REDIS_HOSTNAME: $REDIS_HOSTNAME
      LOG_LEVEL: $LOG_LEVEL
      TYPESENSE_ENABLED: $TYPESENSE_ENABLED
      TYPESENSE_API_KEY: $TYPESENSE_API_KEY
      TYPESENSE_HOST: $TYPESENSE_HOST
      TYPESENSE_PORT: $TYPESENSE_PORT
      TYPESENSE_PROTOCOL: $TYPESENSE_PROTOCOL
      DISABLE_REVERSE_GEOCODING: $DISABLE_REVERSE_GEOCODING
      REVERSE_GEOCODING_PRECISION: $REVERSE_GEOCODING_PRECISION
      PUBLIC_LOGIN_PAGE_MESSAGE: $PUBLIC_LOGIN_PAGE_MESSAGE
      IMMICH_SERVER_URL: $IMMICH_SERVER_URL
      IMMICH_MACHINE_LEARNING_URL: $IMMICH_MACHINE_LEARNING_URL
      PUBLIC_IMMICH_SERVER_URL: $PUBLIC_IMMICH_SERVER_URL
      IMMICH_API_URL_EXTERNAL: $IMMICH_API_URL_EXTERNAL
      TZ: $TZ
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - model-cache:/cache
    restart: always

  redis:
    image: redis:6.2
    restart: always

  database:
    image: tensorchord/pgvecto-rs:pg14-v0.2.0
    environment:
      POSTGRES_PASSWORD: $DB_PASSWORD
      POSTGRES_USER: $DB_USERNAME
      POSTGRES_DB: $DB_DATABASE_NAME
      PG_DATA: /var/lib/postgresql/data
    volumes:
      - pgdata:/var/lib/postgresql/data
    restart: always

volumes:
  pgdata:
  model-cache:
  tsdata:

Your .env content

No

Reproduction steps

Open app

  1. Enter server url
  2. Press login with sso
  3. See this error page (screenshot: IMG_20240903_002345_363)

Relevant log output

Keycloak error log

2024-09-02 21:15:47,385 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-2) Uncaught server error: java.lang.RuntimeException: empty host name
    at org.keycloak.common.util.KeycloakUriBuilder.buildString(KeycloakUriBuilder.java:464)
    at org.keycloak.common.util.KeycloakUriBuilder.buildFromValuesAsString(KeycloakUriBuilder.java:635)
    at org.keycloak.common.util.KeycloakUriBuilder.buildAsString(KeycloakUriBuilder.java:611)
    at org.keycloak.protocol.oidc.utils.RedirectUtils.decodeRedirectUri(RedirectUtils.java:216)
    at org.keycloak.protocol.oidc.utils.RedirectUtils.verifyRedirectUri(RedirectUtils.java:115)
    at org.keycloak.protocol.oidc.utils.RedirectUtils.verifyRedirectUri(RedirectUtils.java:63)
    at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpointChecker.checkRedirectUri(AuthorizationEndpointChecker.java:129)
    at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:151)
    at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:113)
    at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint$quarkusrestinvoker$buildGet_4b690b27439f19dd29733dc5fd4004f24de0adb6.invoke(Unknown Source)
    at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
    at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
    at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:145)
    at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:576)
    at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
    at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
    at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.base/java.lang.Thread.run(Thread.java:840)

Additional information

No response

Bitnik212 commented 2 months ago

Keycloak version: quay.io/keycloak/keycloak:23.0

tjhorner commented 2 months ago

See the breaking change note:

For OAuth users, please replace app.immich:/ with app.immich:///oauth-callback for the Redirect URI in your OAuth provider settings

jrasm91 commented 2 months ago

This looks like it is actually a bug with Keycloak

ppfeister commented 2 months ago

Experiencing this with error message:

Unexpected error when handling authentication request to identity provider

Upon clicking the "back to application" link below the error message, it successfully logs into Immich in the pop-up-browser that's used for login, but it doesn't auth in the app itself.

(note that this is already with app.immich:///oauth-callback)

bo0tzz commented 2 months ago

I agree this is a Keycloak bug, I recommend reporting it upstream.

hoppalazi commented 2 months ago

Issue in the Keycloak repository: keycloak/keycloak#32623

psla commented 2 months ago

I see the same issue. It looks like app.immich:///oauth-callback has "empty hostname" but app.immich:/ was fine.

While it's true that it's an issue in Keycloak, is there a way/hack/setting to allow the old callback URL until Keycloak releases a new version with a fix? Or any other workaround for logging in to the app in the meantime?

jrasm91 commented 2 months ago

This would probably work

https://immich.app/docs/administration/oauth#mobile-redirect-uri

psla commented 2 months ago

Nice! It worked. I did not need to set up another endpoint. I just put app.immich:/ in the mobile redirect URL for now. It sounds like the old URL still works (for now?)

Atomique commented 1 month ago

This would probably work

https://immich.app/docs/administration/oauth#mobile-redirect-uri

Could someone please explain how this is done? I am in the situation that I need this with my Keycloak instance, but I don't know how to accomplish this. How do I create an http(s) endpoint and redirect it to app.immich:///oauth-callback?

Hopefully I am not too confused, not seeing the simple solution.

Thanks a lot

bo0tzz commented 1 month ago

Did you read that link?

Immich has a route (/api/oauth/mobile-redirect) that is already configured to forward requests to app.immich:///oauth-callback, and can be used for step 1.
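As an added example that is not part of this thread and not Immich's or Keycloak's own code: the block below parses the two redirect URIs psla compared above (app.immich:///oauth-callback carries an empty authority, app.immich:/ none at all), checks a candidate against the registered URIs by exact string match as RFC 8252 prescribes for native-app callbacks, so no host name ever has to be rebuilt, and models a forwarder for the /api/oauth/mobile-redirect route described above that passes code and state through to the custom scheme. The forwarder and the host name sub.domain.tld are assumptions taken from the thread, not Immich's implementation.

```javascript
// Added example (not Immich's or Keycloak's code). Shows why the custom-scheme
// callback has an empty host, an exact-match allowlist check that does not
// rebuild the URI, and a hypothetical forwarder for /api/oauth/mobile-redirect.

// Parse a redirect URI with the WHATWG URL parser and return its parts.
// "app.immich:///oauth-callback" has an empty authority (host ""), while
// "app.immich:/" has no authority at all; both report host "" here.
function describeRedirectUri(uri) {
  const u = new URL(uri);
  return { scheme: u.protocol.replace(/:$/, ""), host: u.host, path: u.pathname };
}

// Exact string comparison against the registered URIs, as RFC 8252 requires
// for native-app callbacks. The candidate is parsed only to normalise it and
// to reject added query/fragment parts; nothing is rebuilt from a host name.
function isAllowedRedirectUri(candidate, registered) {
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch {
    return false; // not a valid URI at all
  }
  if (parsed.search || parsed.hash) return false;
  return registered.some((r) => new URL(r).href === parsed.href);
}

// The workaround discussed in the thread: the provider redirects to an https
// endpoint on the Immich host, which forwards the authorization response
// (code and state) unchanged to the app's custom scheme. Hypothetical
// implementation of such a route, not Immich's own.
function buildMobileRedirect(requestUrl, appCallback = "app.immich:///oauth-callback") {
  const incoming = new URL(requestUrl);
  if (incoming.pathname !== "/api/oauth/mobile-redirect") return null;
  const target = new URL(appCallback);
  target.search = incoming.search; // carry ?code=...&state=... through verbatim
  return target.href;
}
```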

Atomique commented 1 month ago

Did you read that link?

Immich has a route (/api/oauth/mobile-redirect) that is already configured to forward requests to app.immich:///oauth-callback, and can be used for step 1.

Hi!

Yes I did, and I tried to add the endpoint as mentioned with https://sub.domain.tld/api/oauth/mobile-redirect to Keycloak as a valid redirect URL. I also enabled the override in Immich and added the same URL. Afterwards the Keycloak logs still show app.immich:///oauth-callback and I don't know why.

jrasm91 commented 1 month ago

What version are you on?

Atomique commented 1 month ago

I am sorry for being this late. Lots of private stuff going on.

What version are you on?

Immich v1.118.0 and Keycloak Version: 25.0.1

Edit: I could open up my own issue, if this is preferred

bo0tzz commented 1 month ago

Please open a discussion Q&A thread and post all the relevant info there

Atomique commented 1 week ago

Hi, me again. This time with a fix. I was able to fix this with the commit mentioned above. It is already in the new v26.x releases. I just updated Keycloak to v26.0.5, disabled the setting in Immich to override the mobile redirect URI and added app.immich:///oauth-callback to Keycloak in the valid redirect URIs. It is now working!

Thank you and have a nice weekend