starred/audiobookshelf
1
0
Fork 0
mirror of https://github.com/advplyr/audiobookshelf.git synced 2026-05-30 23:40:40 +02:00
Code Issues 1.0k Packages Projects Releases 10 Wiki Activity

[Bug]: OIDC not working in mobile app #2051

New Issue
Closed
opened 2026-04-25 00:02:58 +02:00 by adam · 11 comments
adam commented 2026-04-25 00:02:58 +02:00
Owner
Copy Link
Copy Source

Originally created by @Doug411 on GitHub (Jun 12, 2024).

What happened?

I'm unable to use oath in the mobile app. When I set my redirects in Authentik as you listed (on separate lines).... I get a redirect uri error. I'm using Nginx Proxy Manager. Not sure how to fix it. If I set my redirect URI to * it works, but I don't really want to do that. It has always worked in browser, just not in mobile app unless I set the redirect to *.

Reference...(tried setting redirect in authentik as stated in thread below. Not sure how to check x-forwarded-proto, but i've never had that issue on other OIDC apps.

for Authentik:

To add to this, in Authentik or other SSO software the redirect uri has to be set to:

https://youraudiobookdomain/auth/openid/callback
audiobookshelf://oauth
Don't use wildcards like .*, they are not required.
(In Authentik its seperated by new line, in Keycloak by comma afaik).

Also make sure your reverse proxy creates a X-Forwarded-Proto header correctly, otherwise you might receive a redirect_uri mismatch, because the redirect_uri is set to http even when the request was made using https.

What did you expect to happen?

Successful login in mobile app

Steps to reproduce the issue

  1. open app. click on oath login

Audiobookshelf version

v2.10.1

How are you running audiobookshelf?

Docker

What OS is your Audiobookshelf server hosted from?

Linux

If the issue is being seen in the UI, what browsers are you seeing the problem on?

None

Logs

xx

Additional Notes

No response

Originally created by @Doug411 on GitHub (Jun 12, 2024). ### What happened? I'm unable to use oath in the mobile app. When I set my redirects in Authentik as you listed (on separate lines).... I get a redirect uri error. I'm using Nginx Proxy Manager. Not sure how to fix it. If I set my redirect URI to * it works, but I don't really want to do that. It has always worked in browser, just not in mobile app unless I set the redirect to *. Reference...(tried setting redirect in authentik as stated in thread below. Not sure how to check x-forwarded-proto, but i've never had that issue on other OIDC apps. for Authentik: To add to this, in Authentik or other SSO software the redirect uri has to be set to: https://youraudiobookdomain/auth/openid/callback audiobookshelf://oauth Don't use wildcards like .*, they are not required. (In Authentik its seperated by new line, in Keycloak by comma afaik). Also make sure your reverse proxy creates a X-Forwarded-Proto header correctly, otherwise you might receive a redirect_uri mismatch, because the redirect_uri is set to http even when the request was made using https. ### What did you expect to happen? Successful login in mobile app ### Steps to reproduce the issue 1. open app. click on oath login ### Audiobookshelf version v2.10.1 ### How are you running audiobookshelf? Docker ### What OS is your Audiobookshelf server hosted from? Linux ### If the issue is being seen in the UI, what browsers are you seeing the problem on? None ### Logs ```shell xx ``` ### Additional Notes _No response_
adam added the bug label 2026-04-25 00:02:58 +02:00
adam closed this issue 2026-04-25 00:02:58 +02:00
adam commented 2026-04-25 00:02:58 +02:00
Author
Owner
Copy Link
Copy Source

@nichwall commented on GitHub (Jun 12, 2024):

Did you add the mobile-redirect mentioned at the end of the docs?

https://www.audiobookshelf.org/guides/oidc_authentication/

@nichwall commented on GitHub (Jun 12, 2024): Did you add the `mobile-redirect` mentioned at the end of the docs? https://www.audiobookshelf.org/guides/oidc_authentication/
adam commented 2026-04-25 00:02:59 +02:00
Author
Owner
Copy Link
Copy Source

@Doug411 commented on GitHub (Jun 12, 2024):

No I missed that. I just made that change to add the mobile redirect, but kept getting a 400 error.

Then I uninstalled the app and reinstalled it. When I reinstall it, it launches straight away into my audiobookshelf server with my account. It didnt even direct me to authentik to get my login info.

However when I delete my audiobookshelf cache and app data, and try to set it up manually by entering my external audibookshelf url and clicking SSO login, I get a 400 error. Then I uninstall the app, reinstall and it launches right back into my server.

How does it know my server URL and ID from a fresh install. Is my database connection cached somewhere and somehow not fully deleted when i clear data/cache and uninstall the app, and therefore its not really doing a fresh install... Will new users will get the 400 error? Or is it just vudu magic and I can accept that it will work for new users (hopefully it routes them to authentik and they can login successfully)

FYI it was late last night... but I do think it was doing this before I added the mobile redirect... I seem to recall that I deleted the app and when I reinstalled it launched right into my server. I assumed it was still broken because I couldn't manually delete the server and readd it manually.

@Doug411 commented on GitHub (Jun 12, 2024): No I missed that. I just made that change to add the mobile redirect, but kept getting a 400 error. Then I uninstalled the app and reinstalled it. When I reinstall it, it launches straight away into my audiobookshelf server with my account. It didnt even direct me to authentik to get my login info. However when I delete my audiobookshelf cache and app data, and try to set it up manually by entering my external audibookshelf url and clicking SSO login, I get a 400 error. Then I uninstall the app, reinstall and it launches right back into my server. How does it know my server URL and ID from a fresh install. Is my database connection cached somewhere and somehow not fully deleted when i clear data/cache and uninstall the app, and therefore its not really doing a fresh install... Will new users will get the 400 error? Or is it just vudu magic and I can accept that it will work for new users (hopefully it routes them to authentik and they can login successfully) FYI it was late last night... but I do think it was doing this before I added the mobile redirect... I seem to recall that I deleted the app and when I reinstalled it launched right into my server. I assumed it was still broken because I couldn't manually delete the server and readd it manually.
adam commented 2026-04-25 00:02:59 +02:00
Author
Owner
Copy Link
Copy Source

@advplyr commented on GitHub (Jun 12, 2024):

Make sure to restart the server after making changes to the OIDC settings. Updating that after it is initialized is a work in progress.

After a successful login the users api token is used for authentication for all future auth attempts. The api token is cached but uninstalling and clearing data will remove it.

@advplyr commented on GitHub (Jun 12, 2024): Make sure to restart the server after making changes to the OIDC settings. Updating that after it is initialized is a work in progress. After a successful login the users api token is used for authentication for all future auth attempts. The api token is cached but uninstalling and clearing data will remove it.
adam commented 2026-04-25 00:02:59 +02:00
Author
Owner
Copy Link
Copy Source

@advplyr commented on GitHub (Jun 17, 2024):

Is this still an issue?

@advplyr commented on GitHub (Jun 17, 2024): Is this still an issue?
adam commented 2026-04-25 00:02:59 +02:00
Author
Owner
Copy Link
Copy Source

@JorisM commented on GitHub (Jun 19, 2024):

@advplyr for me yes, with the latest docker version and the latest android app i get the same behaviour as described by @Doug411

@JorisM commented on GitHub (Jun 19, 2024): @advplyr for me yes, with the latest docker version and the latest android app i get the same behaviour as described by @Doug411
adam commented 2026-04-25 00:03:00 +02:00
Author
Owner
Copy Link
Copy Source

@Sapd commented on GitHub (Aug 1, 2024):

Probably access logs would be helpful (the one from the reverse proxy in front of authentik and the one in front of abs). I suspect a mismatch between http and https. Is x-forward-proto set correctly?

@JorisM

@Sapd commented on GitHub (Aug 1, 2024): Probably access logs would be helpful (the one from the reverse proxy in front of authentik and the one in front of abs). I suspect a mismatch between http and http**s**. Is x-forward-proto set correctly? @JorisM
adam commented 2026-04-25 00:03:00 +02:00
Author
Owner
Copy Link
Copy Source

@JorisM commented on GitHub (Aug 5, 2024):

@Sapd

I have authentik + adb behind the same traefik instance. If clicked on the login button, the access log for traefik spit out:

x.x.x.x - - [05/Aug/2024:07:18:26 +0000] "GET /auth/openid?code_challenge=1bTiYLr3VIWx5sy-IV6Yf9gPtv4vm2-trQYkYi5bWU4&code_challenge_method=S256&redirect_uri=audiobookshelf%3A%2F%2Foauth&client_id=Audiobookshelf-App&response_type=code HTTP/1.1" 400 20 "-" "-" 3534 "audiobookshelf@docker" "http://192.168.1.216:80" 6ms

where 192.168.1.216 is the audiobookshelf instance ip.

authentik doesn't show any logs related to adb.

on the adb logs view, i see the following:

[Auth] Invalid redirect_uri=audiobookshelf://oauth

which is not what i have set though:

image
image

maybe the android client sends a hardcoded value?

let me know if this helps or i can provide something else

@JorisM commented on GitHub (Aug 5, 2024): @Sapd I have authentik + adb behind the same traefik instance. If clicked on the login button, the access log for traefik spit out: x.x.x.x - - [05/Aug/2024:07:18:26 +0000] "GET /auth/openid?code_challenge=1bTiYLr3VIWx5sy-IV6Yf9gPtv4vm2-trQYkYi5bWU4&code_challenge_method=S256&redirect_uri=audiobookshelf%3A%2F%2Foauth&client_id=Audiobookshelf-App&response_type=code HTTP/1.1" 400 20 "-" "-" 3534 "audiobookshelf@docker" "http://192.168.1.216:80" 6ms where 192.168.1.216 is the audiobookshelf instance ip. authentik doesn't show any logs related to adb. on the adb logs view, i see the following: [Auth] Invalid redirect_uri=audiobookshelf://oauth which is not what i have set though: ![image](https://github.com/user-attachments/assets/4d7753cc-bbb7-4812-8068-cd31d6f86db4) ![image](https://github.com/user-attachments/assets/5260bebf-3512-49ee-92a2-8715fb46b2ac) maybe the android client sends a hardcoded value? let me know if this helps or i can provide something else
adam commented 2026-04-25 00:03:00 +02:00
Author
Owner
Copy Link
Copy Source

@Sapd commented on GitHub (Aug 5, 2024):

@JorisM The redirect URls you specified is incorrect.

The ones you specified have to go into the Authentik configuration.

If you want to use the official app, you just have to specify in Audiobookshelf: audiobookshelf://oauth if you also for example want to allow the 3rd party app plappa you have to also specify plappa://oauth

The reason why you have to do this, is because Audiobookshelf itself (when you use the app) acts as a kind of oauth2 server, acting as middleman for your identity provider. It will replace the callback URL of the app audiobookshelf://oauth with the mobile-redirect URL against the iDP, because some identity providers do not like App-URL schemes. We also cannot allow every URL on default, as this would pose an open-redirect security vulnerability.

@Sapd commented on GitHub (Aug 5, 2024): @JorisM The redirect URls you specified is incorrect. The ones you specified have to go into the Authentik configuration. If you want to use the official app, you just have to specify **in Audiobookshelf**: `audiobookshelf://oauth` if you also for example want to allow the 3rd party app plappa you have to also specify `plappa://oauth` The reason why you have to do this, is because Audiobookshelf itself (when you use the app) acts as a kind of oauth2 server, acting as middleman for your identity provider. It will replace the callback URL of the app `audiobookshelf://oauth` with the mobile-redirect URL against the iDP, because some identity providers do not like App-URL schemes. We also cannot allow every URL on default, as this would pose an open-redirect security vulnerability.
adam commented 2026-04-25 00:03:00 +02:00
Author
Owner
Copy Link
Copy Source

@JorisM commented on GitHub (Aug 5, 2024):

ah you are right. sorry about that and thanks for the explanation! makes sense now. seems fixed for us. thanks again!

@JorisM commented on GitHub (Aug 5, 2024): ah you are right. sorry about that and thanks for the explanation! makes sense now. seems fixed for us. thanks again!
adam commented 2026-04-25 00:03:00 +02:00
Author
Owner
Copy Link
Copy Source

@jvines commented on GitHub (Mar 24, 2025):

Hi! I'm still having this problem 😓 I have both redirect URIs and it works from my desktop, but not from iOS using Chrome or Safari, as I get a 403 error.

It does work with '.*' but I obviously don't want to do that.

Could you help me out?

Image
@jvines commented on GitHub (Mar 24, 2025): Hi! I'm still having this problem 😓 I have both redirect URIs and it works from my desktop, but not from iOS using Chrome or Safari, as I get a 403 error. It does work with '.*' but I obviously don't want to do that. Could you help me out? <img width="1050" alt="Image" src="https://github.com/user-attachments/assets/86b8be15-0cbc-4139-9e8f-7bdceb4d3b24" />
adam commented 2026-04-25 00:03:00 +02:00
Author
Owner
Copy Link
Copy Source

@jmadden91 commented on GitHub (Apr 1, 2025):

Hi! I'm still having this problem 😓 I have both redirect URIs and it works from my desktop, but not from iOS using Chrome or Safari, as I get a 403 error.

It does work with '.*' but I obviously don't want to do that.

Could you help me out?

Image

@jvines You probably need: to add /audiobookshelf

Like this:

https://absurl.com/audiobookshelf/auth/openid/callback
https://absurl.com/audiobookshelf/auth/openid/mobile-redirect

Due to this setting:

Image
@jmadden91 commented on GitHub (Apr 1, 2025): > Hi! I'm still having this problem 😓 I have both redirect URIs and it works from my desktop, but not from iOS using Chrome or Safari, as I get a 403 error. > > It does work with '.*' but I obviously don't want to do that. > > Could you help me out? > > <img alt="Image" width="1050" src="https://private-user-images.githubusercontent.com/20781020/425886447-86b8be15-0cbc-4139-9e8f-7bdceb4d3b24.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDM1MDgyMDcsIm5iZiI6MTc0MzUwNzkwNywicGF0aCI6Ii8yMDc4MTAyMC80MjU4ODY0NDctODZiOGJlMTUtMGNiYy00MTM5LTllOGYtN2JkY2ViNGQzYjI0LnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNTA0MDElMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjUwNDAxVDExNDUwN1omWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTMxMjNjNjI5MWI0MjJhN2Q0Nzc5M2I4Y2EyMGEzN2Q4MjA1YmI2MjdmMWExNGY4OGExNDAyMDQ5MGQ0MzM3NTkmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0In0.Ss7rOyQQxLlrPH87JbsvFkRrgHSktgV1lDkLMLGN0cI"> @jvines You probably need: to add `/audiobookshelf` Like this: ``` https://absurl.com/audiobookshelf/auth/openid/callback https://absurl.com/audiobookshelf/auth/openid/mobile-redirect ``` Due to this setting: <img width="798" alt="Image" src="https://github.com/user-attachments/assets/c2d3bd74-a8cd-4776-ad76-d2e5c4f36c42" />
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
authentication
backlog
bug
chapter editor
config-issue
ebooks
encoding/embedding
enhancement
help wanted
listening sessions & progress
planned
possible plugin
progress sync
pull-request
Mirrored from GitHub Pull Request
 sorting/filtering/searching
unable to reproduce
upload
users & permissions
waiting
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam (Adam Melkus)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/audiobookshelf#2051
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?