immich-app / immich

High performance self-hosted photo and video management solution.
https://immich.app
GNU Affero General Public License v3.0

OAuth with Android app not working #13384

Open r748 opened 3 hours ago

r748 commented 3 hours ago

The bug

After completing the OAuth login process on Android, when returning to the Immich app, the loading indicator is briefly shown instead of the buttons "Login" and "Login with OAuth". But then the buttons appear again and the app remains on the login page, instead of opening the image library.

Authelia logs are showing a successful authentication but then Access to https://immich.xxx.com/api/users/me (method GET) is not authorized to user "anonymous", responding with status code 401, which appears to be the reason for the app staying on the login page. So it appears it may be an issue with the headers?!

OAuth login through the Web App works without any issues.

The OS that Immich Server is running on

Debian GNU/Linux 12 (bookworm)

Version of Immich Server

v1.117.0

Version of Immich Mobile App

v1.117.0

Platform with the issue

Your docker-compose.yml content

version: "3.8"
networks:
  services-network:
    external: true
name: immich
services:
  immich-server:
    container_name: immich_server
    user: 1000:100
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    #command: [ "start.sh", "immich" ]
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - .env
    networks:
      default: null
      services-network:
        ipv4_address: 192.168.xx.xx
    depends_on:
      - redis
      - database
    restart: unless-stopped
    labels:
      - com.centurylinklabs.watchtower.monitor-only=true
  immich-machine-learning:
    container_name: immich_machine_learning
    # For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag.
    # Example tag: ${IMMICH_VERSION:-release}-cuda
    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
    # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/ml-hardware-acceleration
    #   file: hwaccel.ml.yml
    #   service: cpu # set to one of [armnn, cuda, openvino, openvino-wsl] for accelerated inference - use the `-wsl` version for WSL2 where applicable
    volumes:
      - model-cache:/cache
    env_file:
      - .env
    restart: unless-stopped
    labels:
      - com.centurylinklabs.watchtower.monitor-only=true
  redis:
    container_name: immich_redis
    image: registry.hub.docker.com/library/redis:6.2-alpine@sha256:51d6c56749a4243096327e3fb964a48ed92254357108449cb6e23999c37773c5
    restart: unless-stopped
    labels:
      - com.centurylinklabs.watchtower.monitor-only=true
  database:
    container_name: immich_postgres
    image: registry.hub.docker.com/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
    volumes:
      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
    restart: unless-stopped
    labels:
      - com.centurylinklabs.watchtower.monitor-only=true
  backup:
    container_name: immich_db_dumper
    image: prodrigestivill/postgres-backup-local:14
    restart: unless-stopped
    env_file:
      - .env
    environment:
      POSTGRES_HOST: database
      POSTGRES_CLUSTER: "TRUE"
      POSTGRES_DB: ${DB_DATABASE_NAME}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      SCHEDULE: "@daily"
      POSTGRES_EXTRA_OPTS: --clean --if-exists
      BACKUP_DIR: /db_dumps
    volumes:
      - ${DB_DUMP_LOCATION}:/db_dumps
    depends_on:
      - database
    labels:
      - com.centurylinklabs.watchtower.monitor-only=true
volumes:
  model-cache: null

Your .env content

UPLOAD_LOCATION=/xxx/immich/upload
IMMICH_VERSION=release
DB_PASSWORD=xxx
DB_HOSTNAME=immich_postgres
DB_USERNAME=postgres
DB_DATABASE_NAME=immich
REDIS_HOSTNAME=immich_redis
DB_DATA_LOCATION=/xxx/immich/postgres
DB_DUMP_LOCATION=/xxx/backup

Reproduction steps

  1. Click on the "Login with OAuth" button in the Android app
  2. Perform the OAuth steps

Relevant log output

// Immich Android App
2024-10-12 08:11:20.794533 | SEVERE   | AuthenticationNotifier | Unauthorized access, token likely expired. Logging out. |
2024-10-12 08:11:20.647584 | INFO     | LoginForm            | Finished OAuth login with response: xxx@xxx.com |
2024-10-12 08:11:19.881689 | INFO     | OAuthService         | Received OAuth callback: app.immich:///oauth-callback?code=authelia_ac_WvaUZSLLjZxYO_0vI6It8Iqu13FmQ9m9MmI7n-5aM5E.x10OgGEsaTusa1ocTIisAvsp2PFcSqC5eu3-B6XvVaQ&iss=https%3A%2F%2Fauth.xxx.com&scope=openid+email+profile&state=BlqAtAqZR9w4ZbmlhK5-FJ-l5Ccqc5sZ_-74u6JN8Pg |
2024-10-12 08:11:18.926297 | INFO     | OAuthService         | Received Authorization URL: https://auth.xxx.com/api/oidc/authorization?client_id=immich&scope=openid%20email%20profile&response_type=code&redirect_uri=app.immich%3A%2F%2F%2Foauth-callback&state=BlqAtAqZR9w4ZbmlhK5-FJ-l5Ccqc5sZ_-74u6JN8Pg |
2024-10-12 08:11:18.568871 | INFO     | OAuthService         | Starting OAuth flow with redirect URI: app.immich:///oauth-callback |
2024-10-12 08:11:18.370052 | INFO     | ApiService           | Pinging server with response code 200 |

// OAuth Provider (Authelia)
{"level":"debug","msg":"Check authorization of subject username= groups= ip=XXX.XXX.XXX.XXX and object https://immich.xxx.com/api/server/version (method GET).","time":"2024-10-12T08:30:59+02:00"}
{"level":"debug","msg":"Check authorization of subject username= groups= ip=XXX.XXX.XXX.XXX and object https://immich.xxx.com/api/server/features (method GET).","time":"2024-10-12T08:30:59+02:00"}
{"level":"debug","msg":"Check authorization of subject username= groups= ip=XXX.XXX.XXX.XXX and object https://immich.xxx.com/api/server/config (method GET).","time":"2024-10-12T08:30:59+02:00"}
{"level":"debug","msg":"Check authorization of subject username= groups= ip=XXX.XXX.XXX.XXX and object https://immich.xxx.com/api/server-info/ping (method GET).","time":"2024-10-12T08:31:02+02:00"}
{"level":"debug","msg":"Check authorization of subject username= groups= ip=XXX.XXX.XXX.XXX and object https://immich.xxx.com/.well-known/immich (method GET).","time":"2024-10-12T08:31:02+02:00"}
{"level":"debug","msg":"Check authorization of subject username= groups= ip=XXX.XXX.XXX.XXX and object https://immich.xxx.com/api/oauth/authorize (method POST).","time":"2024-10-12T08:31:02+02:00"}
{"level":"debug","method":"GET","msg":"Authorization Request with id 'b52681eb-89fe-477a-938f-17323c550206' on client with id 'immich' is being processed","path":"/api/oidc/authorization","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:03+02:00"}
{"level":"debug","method":"POST","msg":"Mark 1FA authentication attempt made by user 'xxx'","path":"/api/firstfactor","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:08+02:00"}
{"level":"debug","method":"POST","msg":"Successful 1FA authentication attempt made by user 'xxx'","path":"/api/firstfactor","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:08+02:00"}
{"level":"debug","method":"GET","msg":"Authorization Request with id '56f78e60-db99-4a64-b06b-e30d11c5dc93' on client with id 'immich' is being processed","path":"/api/oidc/authorization","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:09+02:00"}
{"level":"debug","method":"GET","msg":"Authorization Request with id '56f78e60-db99-4a64-b06b-e30d11c5dc93' on client with id 'immich' using consent mode 'pre-configured' proceeding to generate a new consent session","path":"/api/oidc/authorization","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10->
{"level":"debug","method":"GET","msg":"Authorization Request with id '56f78e60-db99-4a64-b06b-e30d11c5dc93' on client with id 'immich' using consent mode 'pre-configured' authentication level 'one_factor' is insufficient for client level 'two_factor'","path":"/api/oidc/authorization","remote_ip">
{"level":"debug","method":"GET","msg":"Authorization Request with id '56f78e60-db99-4a64-b06b-e30d11c5dc93' on client with id 'immich' using consent mode 'pre-configured' is being redirected to 'https://auth.xxx.com/?workflow=openid_connect\u0026workflow_id=c588e666-8865-4723-b58e-159a5075930>
{"level":"debug","method":"POST","msg":"Mark TOTP authentication attempt made by user 'xxx'","path":"/api/secondfactor/totp","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:14+02:00"}
{"level":"debug","method":"POST","msg":"Successful TOTP authentication attempt made by user 'xxx'","path":"/api/secondfactor/totp","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:14+02:00"}
{"level":"debug","method":"GET","msg":"Authorization Request with id '5f018f08-1cf9-4251-b655-1c358e47a9c8' on client with id 'immich' is being processed","path":"/api/oidc/authorization","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:14+02:00"}
{"level":"debug","method":"GET","msg":"Authorization Request with id '5f018f08-1cf9-4251-b655-1c358e47a9c8' on client with id 'immich' using consent mode 'pre-configured' attempting to discover pre-configurations with signature of client id 'immich' and subject 'cf138bbe-7367-4a61-82ce-06b4d9ade>
{"level":"debug","method":"GET","msg":"Authorization Request with id '5f018f08-1cf9-4251-b655-1c358e47a9c8' on client with id 'immich' using consent mode 'pre-configured' successfully looked up pre-configured consent with signature of client id 'immich' and subject 'cf138bbe-7367-4a61-82ce-06b4d>
{"level":"debug","method":"GET","msg":"Authorization Request with id '5f018f08-1cf9-4251-b655-1c358e47a9c8' on client with id 'immich' was successfully processed, proceeding to build Authorization Response","path":"/api/oidc/authorization","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:1>
{"level":"debug","msg":"Check authorization of subject username= groups= ip=XXX.XXX.XXX.XXX and object https://immich.xxx.com/api/oauth/callback (method POST).","time":"2024-10-12T08:31:14+02:00"}
{"level":"debug","method":"POST","msg":"Access Request with id '5f018f08-1cf9-4251-b655-1c358e47a9c8' on client with id 'immich' is being processed","path":"/api/oidc/token","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:15+02:00"}
{"level":"debug","method":"POST","msg":"Access Request with id '5f018f08-1cf9-4251-b655-1c358e47a9c8' on client with id 'immich' has successfully been processed","path":"/api/oidc/token","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:15+02:00"}
{"level":"debug","method":"GET","msg":"UserInfo Request with id '33bddbbd-0957-43de-86c1-e0accb4fbcca' is being processed","path":"/api/oidc/userinfo","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:15+02:00"}
{"level":"debug","method":"GET","msg":"UserInfo Request with id '33bddbbd-0957-43de-86c1-e0accb4fbcca' on client with id 'immich' is being returned unsigned as per the registered client configuration","path":"/api/oidc/userinfo","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:15+02:00"}
{"level":"debug","method":"GET","msg":"UserInfo Request with id '33bddbbd-0957-43de-86c1-e0accb4fbcca' on client with id 'immich' was successfully processed","path":"/api/oidc/userinfo","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:15+02:00"}
{"level":"debug","msg":"Check authorization of subject username= groups= ip=XXX.XXX.XXX.XXX and object https://immich.xxx.com/api/users/me (method GET).","time":"2024-10-12T08:31:15+02:00"}
{"level":"info","method":"GET","msg":"Access to https://immich.xxx.com/api/users/me (method GET) is not authorized to user \u003canonymous\u003e, responding with status code 401 with location redirect to https://auth.xxx.com/?rd=https%3A%2F%2Fimmich.xxx.com%2Fapi%2Fusers%2Fme\u0026rm=GE>
{"level":"debug","msg":"Check authorization of subject username= groups= ip=XXX.XXX.XXX.XXX and object https://immich.xxx.com/api/users/me/preferences (method GET).","time":"2024-10-12T08:31:15+02:00"}
{"level":"info","method":"GET","msg":"Access to https://immich.xxx.com/api/users/me/preferences (method GET) is not authorized to user \u003canonymous\u003e, responding with status code 401 with location redirect to https://auth.xxx.com/?rd=https%3A%2F%2Fimmich.xxx.com%2Fapi%2Fusers%2Fm>

Additional information

No response
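The Authelia log in this report shows the OIDC token and userinfo requests succeeding and then, within the same second, the forward-auth check for /api/users/me being denied for an anonymous subject with a 401 and a redirect to the Authelia portal. That sequence is the thing worth confirming when triaging a report like this, because it pins the 401 on the reverse proxy's access-control layer rather than on Immich. The following script is an added example, not code from the issue or from the Immich or Authelia projects: it parses Authelia's JSON log lines, pairs successful OIDC processing with subsequent anonymous denials of API paths, and reports them. The sample log lines are constructed to mirror the ones in the issue (the xxx hostnames and XXX IPs are the same placeholders the reporter used), and the `/api/` prefix and the `diagnose` wording are assumptions of this example.

```python
import json
import re
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample, modelled on the Authelia debug log quoted in the issue.
# The last line is deliberately truncated, as several lines in the issue are,
# so the parser has to cope with a record that is not valid JSON.
SAMPLE_LOG = r"""
{"level":"debug","method":"POST","msg":"Access Request with id '5f018f08-1cf9-4251-b655-1c358e47a9c8' on client with id 'immich' has successfully been processed","path":"/api/oidc/token","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:15+02:00"}
{"level":"debug","method":"GET","msg":"UserInfo Request with id '33bddbbd-0957-43de-86c1-e0accb4fbcca' on client with id 'immich' was successfully processed","path":"/api/oidc/userinfo","remote_ip":"XXX.XXX.XXX.XXX","time":"2024-10-12T08:31:15+02:00"}
{"level":"debug","msg":"Check authorization of subject username= groups= ip=XXX.XXX.XXX.XXX and object https://immich.xxx.com/api/users/me (method GET).","time":"2024-10-12T08:31:15+02:00"}
{"level":"info","method":"GET","msg":"Access to https://immich.xxx.com/api/users/me (method GET) is not authorized to user \u003canonymous\u003e, responding with status code 401 with location redirect to https://auth.xxx.com/?rd=https%3A%2F%2Fimmich.xxx.com%2Fapi%2Fusers%2Fme\u0026rm=GET","time":"2024-10-12T08:31:15+02:00"}
{"level":"debug","msg":"Check authorization of subject username= groups= ip=XXX.XXX.XXX.XXX and object https://immich.xxx.com/api/users/me/preferences (method GET).","time":"2024-10-12T08:31:15+02:00"}
{"level":"info","method":"GET","msg":"Access to https://immich.xxx.com/api/users/me/preferences (method GET) is not authorized to user \u003canonymous\u003e, responding with status code 401 with location redirect to https://auth.xxx.com/?rd=https%3A%2F%2Fimmich.xxx.com%2Fapi%2Fusers%2Fme%2Fpreferences\u0026rm=GET","time":"2024-10-12T08:31:15+02:00"}
{"level":"info","method":"GET","msg":"Access to https://immich.xxx.com/api/users/me/preferences (method GET) is not authorized to user \u003canonymous\u003e, responding with status code 401 with location redirect to https://auth.xxx.com/?rd=https%3A%2F%2Fimmich.xxx.com%2Fapi%2Fusers%2Fm>
"""

# Forward-auth denial emitted by Authelia's access-control layer.
DENIED_RE = re.compile(
    r"Access to (?P<url>\S+) \(method (?P<method>[A-Z]+)\) is not authorized to user "
    r"<(?P<user>[^>]*)>, responding with status code (?P<status>\d+)"
)
# Successful completion of the OIDC token exchange or userinfo request.
OIDC_OK_RE = re.compile(
    r"^(Access|UserInfo) Request with id '(?P<rid>[0-9a-f-]+)'.*"
    r"(has successfully been processed|was successfully processed)$"
)


def parse_lines(text):
    """Decode one JSON record per line; lines that are truncated (not valid JSON) are skipped."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def find_proxy_denials(records, api_prefix="/api/"):
    """Return forward-auth denials of API paths, flagged if they follow a successful OIDC step.

    Timestamps are compared as datetimes so entries with different UTC offsets still order correctly.
    """
    oidc_ok_times = [
        datetime.fromisoformat(r["time"]) for r in records if OIDC_OK_RE.match(r.get("msg", ""))
    ]
    denials = []
    for r in records:
        m = DENIED_RE.search(r.get("msg", ""))
        if not m:
            continue
        path = urlparse(m["url"]).path
        if not path.startswith(api_prefix):
            continue
        when = datetime.fromisoformat(r["time"])
        denials.append({
            "time": r["time"],
            "method": m["method"],
            "path": path,
            "user": m["user"],
            "status": int(m["status"]),
            "after_oidc_success": any(t <= when for t in oidc_ok_times),
        })
    return denials


def diagnose(denials):
    """One-line triage summary; the wording here is this example's, not Authelia's or Immich's."""
    if not denials:
        return "no forward-auth denials of API paths found"
    anon = [d for d in denials if d["user"] == "anonymous"]
    if anon and all(d["after_oidc_success"] for d in anon):
        return (
            f"OIDC login succeeded, but forward-auth denied {len(anon)} API request(s) for an "
            "anonymous subject: the 401 is issued by the proxy's access-control layer, so the "
            "client's own API credentials never reached Immich"
        )
    return f"{len(denials)} API request(s) denied by forward-auth"


if __name__ == "__main__":
    found = find_proxy_denials(parse_lines(SAMPLE_LOG))
    for d in found:
        print(f"{d['time']} {d['method']} {d['path']} -> {d['status']} user=<{d['user']}> "
              f"after_oidc_success={d['after_oidc_success']}")
    print(diagnose(found))
```

Run it against a real Authelia log (for example `docker logs authelia | python3 this_script.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and the denials list tells you which paths the proxy is intercepting; a client that authenticates to the backend with its own API credentials, as the mobile app does here, will always appear to Authelia as anonymous on those paths.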

alextran1502 commented 1 hour ago

We have users that use Authelia and haven't seen this issue reported. Perhaps you can find more answers by asking the community on Discord about your config.