Using Immich mobile app when the entire domain is protected by Authelia #3118
Replies: 10 comments 26 replies
-
I think one solution is to use delegated auth. The auth service runs in front of the desired application and takes care of authenticating the user. If the user is logged in (authenticated), the request is forwarded to the app with additional headers. The idea is that the app has delegated authentication to an upstream server and can trust/infer auth from the headers or other parameters. Something like:
Things to consider:
This would effectively remove the "auth" layer from Immich and "delegate" it to Authelia, but it would require a bit of work to implement and still doesn't solve the mobile app issue.
-
Delegated/proxy auth would indeed be great; it's what I use for apps that support it, like Gitea and Grafana, but I have a few other apps with the same double login and it's not a huge pain. Depending on how your proxy is configured you can even avoid IP allow-listing issues, but it's good to have that option. The only reason I'm looking harder for an answer here is that Immich is the first service I'm hosting with a mobile app I really want to use 😅 I'm going to poke around the request logs and see if it would be possible to do something like allow-listing the paths I listed above, grabbing some of the session/cookie data during the login flow, then applying them to all requests. You'd need to detect when those credentials have expired and re-auth, but I'm a bit surprised the app doesn't do that anyway when it gets a flood of 401s on all requests.
-
Did you ever get anywhere with this?
-
I use Immich behind Authelia. I just let Authelia handle the login step, and use OAuth for the login in Immich.
-
Just double-checked it to confirm. But yes, I can use Authelia to log in in the Android app of Immich. Latest version of the app and server.
-
I bypassed Authelia because I wanted to share albums. Is there any way for that to work without my having to give an Authelia account to everyone?
-
I'm using Authelia too. My suggestion is: don't protect the whole domain with Authelia; instead use OAuth and disable Immich password login.
-
@chain710 @MVrauwdeunt I was able to get Authelia to work on the web but can't get the app to work. What server endpoint URL are you using in the app? And which credentials are you using, Authelia or Immich? Would you mind sharing the oidc section of your Authelia configuration.yml file?
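As an added example (not code from this thread, nor from the Immich or Authelia projects), here is an Authelia configuration.yml fragment for the approach suggested above: take the Immich host out from behind Authelia's forward-auth wall and let Immich authenticate its own users through an Authelia OIDC client, so the mobile app can reach the API directly. The hostnames, client_id and secret are placeholders, and the key names follow Authelia 4.38 (older releases spell some of them differently, e.g. `id`/`secret` instead of `client_id`/`client_secret`).

```yaml
# Added example, not from the thread or either project. Hostnames and the
# client id/secret are placeholders (assumed values).

access_control:
  default_policy: deny
  rules:
    # Immich does its own auth via the OIDC client below, so the proxy must
    # pass requests straight through. This is what lets the mobile app talk to
    # the API and what makes public share links reachable without an Authelia
    # account. The only gate left on this host is Immich's own login.
    - domain: immich.example.com
      policy: bypass

    # Everything else on the domain stays behind Authelia.
    - domain: "*.example.com"
      policy: two_factor

identity_providers:
  oidc:
    # hmac_secret and the issuer signing key must also be configured for the
    # OIDC provider to start; they are omitted here for brevity.
    clients:
      - client_id: immich
        client_name: Immich
        # Hashed client secret; generate one with
        #   authelia crypto hash generate pbkdf2 --variant sha512 --random
        # and give the plaintext to Immich. Placeholder below.
        client_secret: '$pbkdf2-sha512$...'
        public: false
        authorization_policy: two_factor
        redirect_uris:
          # Web login and the "link account" flow in user settings
          - https://immich.example.com/auth/login
          - https://immich.example.com/user-settings
          # Callback for the mobile app (custom URL scheme the app registers)
          - app.immich:///oauth-callback
        scopes:
          - openid
          - profile
          - email
        # Immich expects an unsigned userinfo response; this key was named
        # userinfo_signing_algorithm before Authelia 4.38.
        userinfo_signed_response_alg: none
```

On the Immich side, enable OAuth in the admin settings with Authelia's issuer URL and the client id/secret, and, as the comment above suggests, disable password login once OAuth works, because with a `bypass` rule Immich's login page is the only thing guarding the host. If you would rather keep Authelia in front and only allow-list paths, the bypass rule becomes one with a `resources:` list of path regexes, but the API calls the app makes after login would still be blocked.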
-
Have you guys tried this? https://blog.lrvt.de/configuring-authelia-oidc-for-immich/ It appears the app does support it if you set it up correctly. I'm wondering if that blog plus the share bypass would get shares working, at least on the web.
-
Hello everyone:
-
(Recently started using Immich, absolutely loving it so far ❤️ Clearly paid-for-quality software and I'm glad there are options to support it!)
I have everything I host sitting behind Authelia for authentication, and for apps that require an OIDC provider I use it for that too - including Immich. That means I'm effectively doing auth twice for these apps, but that way I don't need to trust N different apps to get auth right, just Authelia.
That works fine for Immich on the web, but means the mobile app doesn't work because it hasn't already logged in to Authelia, so all requests are getting blocked (I'm getting this on Android, but I imagine iOS would get the same problem). If I allow-list some paths like /.well-known/immich, /api/oauth and a few others I can get the login flow to work, but obviously the main app still can't talk to the server.
I appreciate this isn't an Immich problem, this is a my-setup problem, but I imagine plenty of other people may encounter the same problem if they protect their domains with Authelia, Authentik, Keycloak, etc. Has anyone found a good way to deal with this, or would there be any way to add support in the apps for a "pre-login" phase?