Using Immich with Godoxy and Authentik #60

Closed
opened 2025-12-29 14:23:35 +01:00 by adam · 5 comments

Originally created by @reddwarf666 on GitHub (Apr 21, 2025).

I installed Immich today and have a question on how to set up Immich to work with Godoxy and Authentik.
Godoxy is configured with OIDC towards Authentik.

The goal is:

  1. Use Immich with a browser, handled by Godoxy. I.e. be able to navigate to https://immich.example.com
  2. Not have to login to Immich by means of OIDC/OAuth
  3. Be able to use the Immich app on iOS

The browser part is working, I can navigate to https://immich.example.com, Authentik asks for my credentials and I am then on the start page of Immich where it asks for my credentials. So this is point 1 covered I think.

Point 2 is where I would like the login page to not show, or have OAuth at least.
I read the OIDC/OAuth part of the Immich documentation and this got me an error: "Failed to finish oauth"
For the Immich part I read [OAuth Authentication](https://immich.app/docs/administration/oauth/) of it to set the config.
I was wondering though if the OIDC settings as done in Godoxy could be an issue?
I also saw this in the logs of Immich

```
[Nest] 26  - 04/21/2025, 12:01:55 PM   ERROR [Api:ErrorInterceptor~znhk2v7k] Unknown error: RPError: failed to decode JWT (TypeError: encrypted JWTs cannot be decoded)
RPError: failed to decode JWT (TypeError: encrypted JWTs cannot be decoded)
    at Client.validateJWT (/usr/src/app/node_modules/openid-client/lib/client.js:931:13)
    at Client.validateIdToken (/usr/src/app/node_modules/openid-client/lib/client.js:793:60)
    at Client.callback (/usr/src/app/node_modules/openid-client/lib/client.js:532:18)
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async OAuthRepository.getProfile (/usr/src/app/dist/repositories/oauth.repository.js:42:28)
    at async AuthService.callback (/usr/src/app/dist/services/auth.service.js:133:25)
    at async OAuthController.finishOAuth (/usr/src/app/dist/controllers/oauth.controller.js:39:22)
```

So not sure if this is related to Godoxy or Authentik or Immich.

For point 3 I wonder if I need to bypass Godoxy as the levels of authentication might hinder contacting Immich from the mobile app?

The docker-compose file for Immich has these labels:

```yaml
labels:
  proxy.aliases: immich
  proxy.immich.port: 2283
  proxy.immich.scheme: http
  proxy.immich.middlewares.oidc: |
    allowed_users: [steven]
    allowed_groups: [everyone]
```

NB: should I still have the labels for middlewares in this? Could this be conflicting with the setup of Immich and Authentik?

Godoxy OIDC config looks like this:

```
GODOXY_OIDC_ISSUER_URL=https://auth.example.com/application/o/godoxy/
GODOXY_OIDC_CLIENT_ID=<id>
GODOXY_OIDC_CLIENT_SECRET=<secret>
GODOXY_OIDC_REDIRECT_URL=https://godoxy.example.com/api/auth/callback
GODOXY_OIDC_SCOPES=openid, profile, email
```

I realize this might not at all be related to Godoxy but I wanted to check if my thoughts and settings are in line for making this work when I have Godoxy, Authentik and Immich. Or perhaps there is someone who made this work in a comparable setup?

Cheers

adam closed this issue 2025-12-29 14:23:36 +01:00

@yusing commented on GitHub (Apr 21, 2025):

![Image](https://github.com/user-attachments/assets/574d3f83-1659-4587-b397-6059695738a3)

For apps that support OIDC natively, do not use the OIDC middleware but set up inside the app instead.


@reddwarf666 commented on GitHub (Apr 21, 2025):

I thought it had to be something like that!
Changed the labels and took away middlewares.oidc ones.
Restarted the container (down & up) and tried and still got the "Failed to finish oauth" in combination with that jwks error in the Immich log.

I will check on the Immich site and ask for help over there.
Just to be sure, does Godoxy send the headers as Immich/Authentik expects do you think? I read that the reverse proxy needs to forward all headers:
[Immich Reverse Proxy](https://immich.app/docs/administration/reverse-proxy/)
Just wanted to double check as this will probably come up when I ask for help with this on the Immich side of things.

Cheers!


@yusing commented on GitHub (Apr 21, 2025):

If you still got the error it means you haven't configured Immich OAuth correctly. How GoDoxy handles headers is similar to the others.


@reddwarf666 commented on GitHub (Apr 21, 2025):

Ok, thanks!


@reddwarf666 commented on GitHub (Apr 21, 2025):

Update! This might help someone at some point in some timeline 😀

For some odd reason I had the setting "Encryption Key" set in my Authentik provider for Immich with "authentik Self-signed Certificate".

This caused the JWT error `TypeError: encrypted JWTs cannot be decoded`
Makes sense as the origin never encoded the JWT with that self-signed Authentik certificate and it was also not expected to _be_ encoded.

Your "Signing Key" in Authentik should be set, but **_not_** the option "Encryption Key"

I will close this thread as it is a) resolved and b) had nothing to do with Godoxy

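The root cause above is that the Authentik provider, with an "Encryption Key" set, hands Immich an encrypted JWT (a compact JWE: five dot-separated segments, header carrying `enc`) where the relying party expects a signed one (a compact JWS: three segments). The script below is an added diagnostic, not code from Immich, openid-client, Authentik or GoDoxy: paste an `id_token` into `classify_token` and it tells you which of the two you are looking at, and `verify_hs256_claims` refuses a JWE with the same kind of error openid-client raised. The sample tokens are constructed in the script; the signed sample uses HS256 with a throwaway key purely so it runs offline (Authentik's own Signing Key is a certificate, so real tokens are asymmetrically signed), and the JWE sample's `alg` value and ciphertext are random placeholders, not real encryption.

```python
"""Tell a signed ID token (JWS) apart from an encrypted one (JWE) before an
OIDC client chokes on it. Added example; assumes nothing about any project."""
import base64
import hashlib
import hmac
import json
import os


def _b64url_decode(segment: str) -> bytes:
    # JOSE uses unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def classify_token(token: str) -> dict:
    """Return the JOSE header plus 'kind' in {'JWS', 'JWE', 'invalid'}.

    Compact JWS = 3 segments, header without 'enc' (RFC 7515).
    Compact JWE = 5 segments, header with 'enc' (RFC 7516 section 4.1.2).
    """
    parts = token.split(".")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return {"kind": "invalid", "header": None, "segments": len(parts)}
    if not isinstance(header, dict):
        return {"kind": "invalid", "header": None, "segments": len(parts)}
    if len(parts) == 5 and "enc" in header:
        kind = "JWE"
    elif len(parts) == 3 and "enc" not in header:
        kind = "JWS"
    else:
        kind = "invalid"
    return {"kind": kind, "header": header, "segments": len(parts)}


def verify_hs256_claims(token: str, key: bytes) -> dict:
    """Return the claims of a signed-only token after checking its HMAC.

    A JWE is rejected outright: a relying party cannot read claims out of
    ciphertext it holds no key for, which is what the openid-client error
    "encrypted JWTs cannot be decoded" means in practice.
    """
    info = classify_token(token)
    if info["kind"] == "JWE":
        raise ValueError("encrypted JWTs cannot be decoded: the provider is issuing "
                         "a JWE; clear the Encryption Key on the provider")
    if info["kind"] != "JWS" or info["header"].get("alg") != "HS256":
        raise ValueError("unsupported token: %s" % info)
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def make_hs256_id_token(claims: dict, key: bytes) -> str:
    """Constructed sample: a signed-only token, the shape a provider issues
    when only a Signing Key is set. HS256 is used here only so the demo
    runs offline; a real Authentik token is signed with its certificate."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def make_fake_jwe() -> str:
    """Constructed sample shaped like the token issued when an Encryption
    Key is also set: five segments and an 'enc' header. The alg value is an
    assumption for the demo and the four trailing segments are random bytes
    (encrypted key, IV, ciphertext, tag), not a real encryption."""
    header = _b64url_encode(
        json.dumps({"alg": "RSA-OAEP-256", "enc": "A256GCM", "typ": "JWT"}).encode())
    return ".".join([header] + [_b64url_encode(os.urandom(n)) for n in (256, 12, 64, 16)])


if __name__ == "__main__":
    key = b"demo-only-key"  # constructed; never hard-code a real key
    good = make_hs256_id_token({"iss": "https://auth.example.com/application/o/immich/",
                                "sub": "steven"}, key)
    bad = make_fake_jwe()
    for label, tok in (("signing key only", good), ("encryption key set", bad)):
        info = classify_token(tok)
        print(f"{label}: {info['kind']} ({info['segments']} segments) header={info['header']}")
    print("claims:", verify_hs256_claims(good, key))
    try:
        verify_hs256_claims(bad, key)
    except ValueError as exc:
        print("rejected:", exc)
```

Run it against a real `id_token` by copying the value out of the provider's token response (or a browser devtools capture) into `classify_token`; a five-segment result with `enc` in the header means the provider-side encryption setting is on and no relying-party configuration will fix the callback.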
Reference: starred/godoxy-yusing#60