After completing the OAuth login process on Android, when returning to the Immich app, the loading indicator is briefly shown instead of the buttons "Login" and "Login with OAuth". But then the buttons appear again and the app remains on the login page, instead of opening the image library.
Authelia logs are showing a successful authentication but then Access to https://immich.xxx.com/api/users/me (method GET) is not authorized to user "anonymous", responding with status code 401, which appears to be the reason for the app staying on the login page. So it appears it may be an issue with the headers?!
OAuth login through the Web App works without any issues.
The OS that Immich Server is running on
Debian GNU/Linux 12 (bookworm)
Version of Immich Server
v1.117.0
Version of Immich Mobile App
v1.117.0
Platform with the issue
[ ] Server
[ ] Web
[X] Mobile
Your docker-compose.yml content
version: "3.8"
networks:
  services-network:
    external: true
    name: immich
services:
  immich-server:
    container_name: immich_server
    user: 1000:100
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    #command: [ "start.sh", "immich" ]
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - .env
    networks:
      default: null
      services-network:
        ipv4_address: 192.168.xx.xx
    depends_on:
      - redis
      - database
    restart: unless-stopped
    labels:
      - com.centurylinklabs.watchtower.monitor-only=true
  immich-machine-learning:
    container_name: immich_machine_learning
    # For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag.
    # Example tag: ${IMMICH_VERSION:-release}-cuda
    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
    # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/ml-hardware-acceleration
    #   file: hwaccel.ml.yml
    #   service: cpu # set to one of [armnn, cuda, openvino, openvino-wsl] for accelerated inference - use the `-wsl` version for WSL2 where applicable
    volumes:
      - model-cache:/cache
    env_file:
      - .env
    restart: unless-stopped
    labels:
      - com.centurylinklabs.watchtower.monitor-only=true
  redis:
    container_name: immich_redis
    image: registry.hub.docker.com/library/redis:6.2-alpine@sha256:51d6c56749a4243096327e3fb964a48ed92254357108449cb6e23999c37773c5
    restart: unless-stopped
    labels:
      - com.centurylinklabs.watchtower.monitor-only=true
  database:
    container_name: immich_postgres
    image: registry.hub.docker.com/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
    volumes:
      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
    restart: unless-stopped
    labels:
      - com.centurylinklabs.watchtower.monitor-only=true
  backup:
    container_name: immich_db_dumper
    image: prodrigestivill/postgres-backup-local:14
    restart: unless-stopped
    env_file:
      - .env
    environment:
      POSTGRES_HOST: database
      POSTGRES_CLUSTER: "TRUE"
      POSTGRES_DB: ${DB_DATABASE_NAME}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      SCHEDULE: "@daily"
      POSTGRES_EXTRA_OPTS: --clean --if-exists
      BACKUP_DIR: /db_dumps
    volumes:
      - ${DB_DUMP_LOCATION}:/db_dumps
    depends_on:
      - database
    labels:
      - com.centurylinklabs.watchtower.monitor-only=true
volumes:
  model-cache: null
Click on the "Login with OAuth" button in the Android app
Perform the OAuth steps
Relevant log output
// Immich Android App
2024-10-12 08:11:20.794533 | SEVERE | AuthenticationNotifier | Unauthorized access, token likely expired. Logging out. |
2024-10-12 08:11:20.647584 | INFO | LoginForm | Finished OAuth login with response: xxx@xxx.com |
2024-10-12 08:11:19.881689 | INFO | OAuthService | Received OAuth callback: app.immich:///oauth-callback?code=authelia_ac_WvaUZSLLjZxYO_0vI6It8Iqu13FmQ9m9MmI7n-5aM5E.x10OgGEsaTusa1ocTIisAvsp2PFcSqC5eu3-B6XvVaQ&iss=https%3A%2F%2Fauth.xxx.com&scope=openid+email+profile&state=BlqAtAqZR9w4ZbmlhK5-FJ-l5Ccqc5sZ_-74u6JN8Pg |
2024-10-12 08:11:18.926297 | INFO | OAuthService | Received Authorization URL: https://auth.xxx.com/api/oidc/authorization?client_id=immich&scope=openid%20email%20profile&response_type=code&redirect_uri=app.immich%3A%2F%2F%2Foauth-callback&state=BlqAtAqZR9w4ZbmlhK5-FJ-l5Ccqc5sZ_-74u6JN8Pg |
2024-10-12 08:11:18.568871 | INFO | OAuthService | Starting OAuth flow with redirect URI: app.immich:///oauth-callback |
2024-10-12 08:11:18.370052 | INFO | ApiService | Pinging server with response code 200 |
// OAuth Provider (Authelia)
{"level":"debug","msg":"Check authorization of subject username= groups= ip=XXX.XXX.XXX.XXX and object https://immich.xxx.com/api/server/version (method GET).","time":"2024-10-12T08:30:59+02:00"}
{"level":"debug","msg":"Check authorization of subject username= groups= ip=XXX.XXX.XXX.XXX and object https://immich.xxx.com/api/server/features (method GET).","time":"2024-10-12T08:30:59+02:00"}
{"level":"debug","msg":"Check authorization of subject username= groups= ip=XXX.XXX.XXX.XXX and object https://immich.xxx.com/api/server/config (method GET).","time":"2024-10-12T08:30:59+02:00"}
{"level":"debug","msg":"Check authorization of subject username= groups= ip=XXX.XXX.XXX.XXX and object https://immich.xxx.com/api/server-info/ping (method GET).","time":"2024-10-12T08:31:02+02:00"}
{"level":"debug","msg":"Check authorization of subject username= groups= ip=XXX.XXX.XXX.XXX and object https://immich.xxx.com/.well-known/immich (method GET).","time":"2024-10-12T08:31:02+02:00"}
{"level":"debug","msg":"Check authorization of subject username= groups= ip=XXX.XXX.XXX.XXX and object https://immich.xxx.com/api/oauth/authorize (method POST).","time":"2024-10-12T08:31:02+02:00"}
{"level":"debug","method":"GET","msg":"Authorization Request with id 'b52681eb-89fe-477a-938f-17323c550206' on client with id 'immich' is being processed","path":"/api/oidc/authorization","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:03+02:00"}
{"level":"debug","method":"POST","msg":"Mark 1FA authentication attempt made by user 'xxx'","path":"/api/firstfactor","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:08+02:00"}
{"level":"debug","method":"POST","msg":"Successful 1FA authentication attempt made by user 'xxx'","path":"/api/firstfactor","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:08+02:00"}
{"level":"debug","method":"GET","msg":"Authorization Request with id '56f78e60-db99-4a64-b06b-e30d11c5dc93' on client with id 'immich' is being processed","path":"/api/oidc/authorization","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:09+02:00"}
{"level":"debug","method":"GET","msg":"Authorization Request with id '56f78e60-db99-4a64-b06b-e30d11c5dc93' on client with id 'immich' using consent mode 'pre-configured' proceeding to generate a new consent session","path":"/api/oidc/authorization","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10->
{"level":"debug","method":"GET","msg":"Authorization Request with id '56f78e60-db99-4a64-b06b-e30d11c5dc93' on client with id 'immich' using consent mode 'pre-configured' authentication level 'one_factor' is insufficient for client level 'two_factor'","path":"/api/oidc/authorization","remote_ip">
{"level":"debug","method":"GET","msg":"Authorization Request with id '56f78e60-db99-4a64-b06b-e30d11c5dc93' on client with id 'immich' using consent mode 'pre-configured' is being redirected to 'https://auth.xxx.com/?workflow=openid_connect\u0026workflow_id=c588e666-8865-4723-b58e-159a5075930>
{"level":"debug","method":"POST","msg":"Mark TOTP authentication attempt made by user 'xxx'","path":"/api/secondfactor/totp","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:14+02:00"}
{"level":"debug","method":"POST","msg":"Successful TOTP authentication attempt made by user 'xxx'","path":"/api/secondfactor/totp","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:14+02:00"}
{"level":"debug","method":"GET","msg":"Authorization Request with id '5f018f08-1cf9-4251-b655-1c358e47a9c8' on client with id 'immich' is being processed","path":"/api/oidc/authorization","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:14+02:00"}
{"level":"debug","method":"GET","msg":"Authorization Request with id '5f018f08-1cf9-4251-b655-1c358e47a9c8' on client with id 'immich' using consent mode 'pre-configured' attempting to discover pre-configurations with signature of client id 'immich' and subject 'cf138bbe-7367-4a61-82ce-06b4d9ade>
{"level":"debug","method":"GET","msg":"Authorization Request with id '5f018f08-1cf9-4251-b655-1c358e47a9c8' on client with id 'immich' using consent mode 'pre-configured' successfully looked up pre-configured consent with signature of client id 'immich' and subject 'cf138bbe-7367-4a61-82ce-06b4d>
{"level":"debug","method":"GET","msg":"Authorization Request with id '5f018f08-1cf9-4251-b655-1c358e47a9c8' on client with id 'immich' was successfully processed, proceeding to build Authorization Response","path":"/api/oidc/authorization","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:1>
{"level":"debug","msg":"Check authorization of subject username= groups= ip=XXX.XXX.XXX.XXX and object https://immich.xxx.com/api/oauth/callback (method POST).","time":"2024-10-12T08:31:14+02:00"}
{"level":"debug","method":"POST","msg":"Access Request with id '5f018f08-1cf9-4251-b655-1c358e47a9c8' on client with id 'immich' is being processed","path":"/api/oidc/token","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:15+02:00"}
{"level":"debug","method":"POST","msg":"Access Request with id '5f018f08-1cf9-4251-b655-1c358e47a9c8' on client with id 'immich' has successfully been processed","path":"/api/oidc/token","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:15+02:00"}
{"level":"debug","method":"GET","msg":"UserInfo Request with id '33bddbbd-0957-43de-86c1-e0accb4fbcca' is being processed","path":"/api/oidc/userinfo","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:15+02:00"}
{"level":"debug","method":"GET","msg":"UserInfo Request with id '33bddbbd-0957-43de-86c1-e0accb4fbcca' on client with id 'immich' is being returned unsigned as per the registered client configuration","path":"/api/oidc/userinfo","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:15+02:00"}
{"level":"debug","method":"GET","msg":"UserInfo Request with id '33bddbbd-0957-43de-86c1-e0accb4fbcca' on client with id 'immich' was successfully processed","path":"/api/oidc/userinfo","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:15+02:00"}
{"level":"debug","msg":"Check authorization of subject username= groups= ip=XXX.XXX.XXX.XXX and object https://immich.xxx.com/api/users/me (method GET).","time":"2024-10-12T08:31:15+02:00"}
{"level":"info","method":"GET","msg":"Access to https://immich.xxx.com/api/users/me (method GET) is not authorized to user \u003canonymous\u003e, responding with status code 401 with location redirect to https://auth.xxx.com/?rd=https%3A%2F%2Fimmich.xxx.com%2Fapi%2Fusers%2Fme\u0026rm=GE>
{"level":"debug","msg":"Check authorization of subject username= groups= ip=XXX.XXX.XXX.XXX and object https://immich.xxx.com/api/users/me/preferences (method GET).","time":"2024-10-12T08:31:15+02:00"}
{"level":"info","method":"GET","msg":"Access to https://immich.xxx.com/api/users/me/preferences (method GET) is not authorized to user \u003canonymous\u003e, responding with status code 401 with location redirect to https://auth.xxx.com/?rd=https%3A%2F%2Fimmich.xxx.com%2Fapi%2Fusers%2Fm>
We have users that use Authelia and haven't seen this issue reported. Perhaps you can find more answers from asking the community on Discord about your config.
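
A triage aid for the Authelia log in the report above, added here as an example and not part of the issue or of Immich's or Authelia's code: it lists which Immich API requests reached Authelia's authorization check without a username and which of them were answered with a 401. The sample lines, the example.com hosts and the function names are constructed for illustration; the two message patterns are taken from the log lines shown above.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample in the format of the Authelia log above; hosts and IPs are
# placeholders. The last line is cut off mid-JSON, like the 401 lines in the report.
SAMPLE_LOG = r'''
{"level":"debug","msg":"Check authorization of subject username= groups= ip=192.0.2.10 and object https://immich.example.com/api/oauth/callback (method POST).","time":"2024-10-12T08:31:14+02:00"}
{"level":"debug","method":"POST","msg":"Access Request on client with id immich has successfully been processed","path":"/api/oidc/token","time":"2024-10-12T08:31:15+02:00"}
{"level":"debug","msg":"Check authorization of subject username= groups= ip=192.0.2.10 and object https://immich.example.com/api/users/me (method GET).","time":"2024-10-12T08:31:15+02:00"}
{"level":"info","method":"GET","msg":"Access to https://immich.example.com/api/users/me (method GET) is not authorized to user \u003canonymous\u003e, responding with status code 401 with location redirect to https://auth.example.com/?rd=https%3A%2F%2Fimmich.exa>
'''

CHECK = re.compile(r"Check authorization of subject username=(\S*) groups=\S* ip=\S+ "
                   r"and object (\S+) \(method (\w+)\)")
DENY = re.compile(r"Access to (\S+) \(method (\w+)\) is not authorized to user (\S+), "
                  r"responding with status code (\d+)")

def message(line):
    """Return the log message, tolerating lines truncated by the terminal."""
    try:
        return json.loads(line)["msg"]
    except (ValueError, KeyError, TypeError):
        # Not valid JSON: match on the raw text, undoing \u00XX escapes first.
        return re.sub(r"\\u00([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), line)

def summarize(log_text):
    """Map (method, path) -> anonymous check count and (user, status) denials."""
    report = {}
    for line in filter(None, map(str.strip, log_text.splitlines())):
        msg = message(line)
        if m := CHECK.search(msg):
            user, url, method = m.groups()
            entry = report.setdefault((method, urlsplit(url).path), {"anonymous": 0, "denied": []})
            if not user:  # empty username= means no Authelia identity on the request
                entry["anonymous"] += 1
        elif m := DENY.search(msg):
            url, method, user, status = m.groups()
            entry = report.setdefault((method, urlsplit(url).path), {"anonymous": 0, "denied": []})
            entry["denied"].append((user, int(status)))
    return report

def denied_paths(report):
    """Requests the authorization check rejected, as 'METHOD /path' strings."""
    return sorted(f"{m} {p}" for (m, p), e in report.items() if e["denied"])

if __name__ == "__main__":
    for (method, path), entry in summarize(SAMPLE_LOG).items():
        print(method, path, entry)
```

Paths that show an anonymous check but no denial were allowed through without an Authelia identity; paths that appear in `denied_paths` are the ones to compare against the access control rules for the Immich domain.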