Using Immich mobile app when the entire domain is protected by Authelia

[markormesher]

(Recently started using Immich, absolutely loving it so far ❤️ Clearly paid-for-quality software and I'm glad there are options to support it!)

I have everything I host sitting behind Authelia for authentication, and for apps that require an OIDC provider I use it for that too - including Immich. That means I'm effectively doing auth twice for these apps, but that way I don't need to trust N different apps to get auth right, just Authelia.

That works fine for Immich on the web, but means the mobile app doesn't work because it hasn't already logged in to Authelia, so all requests are getting blocked (I'm getting this on Android, but I imagine iOS would get the same problem). If I allow-list some paths like /.well-known/immich, /api/oauth and a few others I can get the login flow to work, but obviously the main app still can't talk to the server.

I appreciate this isn't an Immich problem, this is a my setup problem, but I imagine plenty of other people may encounter the same problem if they protect their domains with Authelia, Authentik, Keycloak, etc. Has anyone found a good way to deal with this, or would there be any way to add support in the apps for a "pre-login" phase?

[jrasm91]

I think one solution is to use delegated auth.

The auth service runs in front of the desired application and takes care of authenticating the user. If the user is logged in (authenticated) the request is forwarded to the app with additional headers. The idea being the app has delegated authentication to an upstream server and can trust/infer auth from the headers or other parameters. Something like X-Immich-User=admin. Instead of looking up the user from a session token or similar, it gets the user id directly from the header.

Things to consider:

• Apps (immich) need to support it
• Apps need to have whitelisted IPs that they trust this header coming from
• Still relies on intercepting requests and redirecting to a login portal, so still doesn't work for mobile

This would effectively remove the "auth" layer from Immich and "delegate" it to "Authelia", but it would require a bit of work to implement and still doesn't solve the mobile app issue.

[markormesher]

Delegated/proxy auth would indeed be great - it's what I use for apps that support it, like Gitea and Grafana, but I have a few other apps with the same double-login and it's not a huge pain. Depending on how your proxy is configured you can even avoid IP allow-listing issues, but it's good to have that option.

The only reason I'm looking harder for an answer here is that Immich is the first service I'm hosting with a mobile app I really want to use 😅 I'm going to poke around the request logs and see if it would be possible to do something like allow-listing the paths I listed above, grabbing some of the session/cookie data during the login flow, then applying them to all requests. You'd need to detect when those credentials have expired and re-auth, but I'm a bit surprised the app doesn't do that anyway when it gets a flood of 401s on all requests.

[jrasm91]

Yes, the bigger issue seems to be making anything work with the mobile app itself. There was talk in discord about seeing if the app could be configured to follow redirects during login process and if persisted cookies could be included with future http requests that could be a potential solution.

[maxime1992]

Hi @jrasm91 do you have any links to that discussion by any chance, article or something I could follow? OIDC if really not enough IMO as I have described here and I'd really like to be able to use Immich android app. Thanks!

[kilgil27]

did you ever get anywhere with this?

[markormesher]

There's some discussion on Discord about this (look for "Exposing Immich to the internet") but the short answer is that this requires some dev work. I've worked as a mobile dev before so I am hoping to implement this as a contribution, but it will probably be a little while before I have time.

[MVrauwdeunt]

I use Immich behind Authelia. I just let Authelia handle the login step. And use OAuth for the login in Immich.
This also works great with the app. And adds 2FA if enabled in Authelia.

[markormesher]

That's interesting - you're saying that the Android app works fine even though requests are going through Authelia on your server before hitting Immich? I've just tried that myself on the latest server / app versions and see the same problems described in the original post.

[sannidhyaroy]

That's interesting - you're saying that the Android app works fine even though requests are going through Authelia on your server before hitting Immich?

No, what he's trying to say is he uses Authelia for an OAuth login to Immich. So, that's a single layer of authentication, instead of what's been discussed here, and not exactly relevant to the issue.

[MVrauwdeunt]

Just double checked it to confirm it But yes I can use Authelia to login in the android app of Immich. Latest version of the app and server..

[maxime1992]

Are you talking about using Authelia OIDC mechanism or having Authelia protecting the entire domain (or both)?

For me IODC isn't enough at all, see here. But if you got the app working with Authelia protecting the entire domain, I'd be really interested. Could you share your config if that's the case? Thanks a lot

[dsm1212]

I bypassed authelia because I wanted to share albums. Is there any way for that to work without my having to give an authelia account to everyone?

[Irda13]

I'm a bit late here, but you can have authelia to bypass only the share path with something like that:

access_control:
  default_policy: 'deny'
  rules:
    # This allows to bypass authelia for immich.example.com/share
    - domain: 'immich.example.com'
      policy: 'bypass'
      resources:
        - '^/share'
    # But have it activated on everything else
    - domain: '*.example.com'
      policy: 'two_factor'

[tanmaychimurkar]

Hey @Irda13, thanks for your reply.

I tried the above with the latest authelia version, but it seems that I cannot get this to work. When I create a shared album link and access it via incongnito or on a different device, immich returns Error - Something went wrong.

Immich logs are all normal, nothing seems weird, not even Websocket Connect or anything. In authelia however, I see the following logs:

`time="2024-04-11T11:57:54+02:00" level=info msg="Access to https://immich.mydomain.url.org/custom.css (method GET) is not authorized to user , responding with status code 401 with location redirect to https://authelia.mydomain.url.org/?rd=https%3A%2F%2Fimmich.mydomain.url.org%2Fcustom.css&rm=GET" method=GET path=/api/authz/auth-request remote_ip=194.xxx.xxx.x

time="2024-04-11T11:57:55+02:00" level=info msg="Access to https://immich.mydomain.url.org/_app/immutable/assets/slideshow.Ms20_H8Y.css (method GET) is not authorized to user , responding with status code 401 with location redirect to https://authelia.mydomain.url.org/?rd=https%3A%2F%2Fimmich.mydomain.url.org%2F_app%2Fimmutable%2Fassets%2Fslideshow.Ms20_H8Y.css&rm=GET" method=GET path=/api/authz/auth-request remote_ip=194.xxx.xxx.x

time="2024-04-11T11:57:55+02:00" level=info msg="Access to https://immich.mydomain.url.org/_app/immutable/assets/asset-viewer.CeAujpVS.css (method GET) is not authorized to user , responding with status code 401 with location redirect to https://authelia.mydomain.url.org/?rd=https%3A%2F%2Fimmich.mydomain.url.org%2F_app%2Fimmutable%2Fassets%2Fasset-viewer.CeAujpVS.css&rm=GET" method=GET path=/api/authz/auth-request remote_ip=194.xxx.xxx.x

time="2024-04-11T11:57:55+02:00" level=info msg="Access to https://immich.mydomain.url.org/_app/version.json (method GET) is not authorized to user , responding with status code 401 with location redirect to https://authelia.mydomain.url.org/?rd=https%3A%2F%2Fimmich.mydomain.url.org%2F_app%2Fversion.json&rm=GET" method=GET path=/api/authz/auth-request remote_ip=194.xxx.xxx.x

time="2024-04-11T11:57:55+02:00" level=info msg="Access to https://immich.mydomain.url.org/_app/version.json (method GET) is not authorized to user , responding with status code 401 with location redirect to https://authelia.mydomain.url.org/?rd=https%3A%2F%2Fimmich.mydomain.url.org%2F_app%2Fversion.json&rm=GET" method=GET path=/api/authz/auth-request remote_ip=194.xxx.xxx.x

time="2024-04-11T11:57:55+02:00" level=info msg="Access to https://immich.mydomain.url.org/manifest.json (method GET) is not authorized to user , responding with status code 401 with location redirect to https://authelia.mydomain.url.org/?rd=https%3A%2F%2Fimmich.mydomain.url.org%2Fmanifest.json&rm=GET" method=GET path=/api/authz/auth-request remote_ip=194.xxx.xxx.x`

I used the same access control rule as above, and this is what happens in authelia when I try to access shared folder. Any pointers on this?

Thanks

[chain710]

I'm using authelia too. My suggestion is don't protect the whole domain with authelia, instead use oauth and disable Immich password login

[maxime1992]

This really isn't enough IMO. It does reduce the login surface attack, but it's not the most important one and it's not enough.

If you self host services, hopefully you have something like fail2ban to avoid brute force attack. So if one was to try to login into Immich x times without success, they should be banned. In that case, oauth doesn't matter that much it's just a convenience to avoid login in twice.

For me the point of Authelia is that it'll block access to the entire app (if not logged into Authelia ofc), making it a lot more secure to open to the web. Imagine for a second that Immich forgot to implement an auth check on an endpoint to list and download pictures for example. Anyone could scan the web searching for Immich app and list + download all pictures of users exposing Immich. OAuth login would not help you in any way at all here. Authelia blocking any external access for non Authelia users would.

I think it's essential to have a dedicated security layer ahead of all the apps like Immich.

[gonsalvesc]

@chain710 @MVrauwdeunt I was able to get Authelia to work on the web but can't get the app to work. What server endpoint URL are you using on the app? And which credentials are you using? Authelia or Immich? Would you mind sharing the oidc section of your authelia configuration.yml file?

[chain710]

use nginx as reverse proxy

But if I use the FQDN, then it throws an error say "Error logging using OAuth, check server URL"

Make sure that the domain you used exists in allowed_origins and restart authelia

[gonsalvesc]

Yup, did that. Now it takes me to the Immich authentication page and asks for my Immich email and password, even though I have Password Authentication turned off

[chain710]

immich side oauth config, hope it helps:

ISSUER URL: https://auth.example.com/.well-known/openid-configuration

CLIENT ID: immich

CLIENT SECRET: yoursecret

SCOPE: openid email profile

STORAGE LABEL CLAIM: preferred_username

AUTO REGISTER: yes

AUTO LAUNCH: yes

[Irda13]

I have the same issue, traefik + authelia + immich, web works fine, but in order to make the app to work I had to bypass authelia for - '^/.well-known/immich' and full - '^/api'
I don't really like having authelia bypassed for full /api path, but that was the only way I made the app work. With OAuth activated you can then login to the app using authelia login, but you have to rely on Immich handling security instead of Authelia.
I don't know if there's other ways, it would be nice if Immich could handle this better.

[epd5]

I have the same issue, traefik + authelia + immich, web works fine, but in order to make the app to work I had to bypass authelia for - '^/.well-known/immich' and full - '^/api' I don't really like having authelia bypassed for full /api path, but that was the only way I made the app work. With OAuth activated you can then login to the app using authelia login, but you have to rely on Immich handling security instead of Authelia. I don't know if there's other ways, it would be nice if Immich could handle this better.

Thanks very much for this info. Managed to get the mobile app working with Traefik + Authentik
Here's the entries in docker compose for Immich if it's any use to anyone -

           - traefik.enable=true

           - traefik.http.routers.immichmobile.rule=Host(`immich.domain.com`) && (PathPrefix(`/.well-known/immich`) || PathPrefix(`/api`))
           - traefik.http.routers.immichmobile.service=immich-server
           - traefik.http.routers.immichmobile.entrypoints=websecure
           - traefik.http.routers.immichmobile.middlewares=mymiddleware

           - traefik.http.routers.immich.rule=Host(`immich.domain.com`)
           - traefik.http.routers.immich.service=immich-server
           - traefik.http.routers.immich.entrypoints=websecure
           - traefik.http.services.immich-server.loadbalancer.server.port=3001
           - traefik.http.routers.immich.middlewares=authentik,mymiddleware

[dsm1212]

Have you guys tried this? https://blog.lrvt.de/configuring-authelia-oidc-for-immich/

It appears the app does support it if you set up correctly.

I'm wondering if that blog plus the share bypass would get shares working at least on the web.

[l4rm4nd]

I've updated the blog post to reflect some latest configuration changes by Authelia.

Works again for Immich v1.111.0 and Authelia v4.38.9

[gonsalvesc]

Hello everyone:
I was able to get it to work. I'm using Caddy + Authelia + Crowdsec
Got it working for both mobile app and desktop. Happy to assist if anyone has any specific questions.

[mrkaryo]

Hello @gonsalvesc !

Are you protecting the whole domain with Authelia for your setup above?
I managed to get everything working if the immich domain is bypassed in Authelia, then I have disabled the password login in immich and I use only OIDC via Authelia.

If i try to protect the whole domain under Authelia, the OIDC button never appears in the app. Logging-in via password in the app in that instance also doesnt work.

[gonsalvesc]

Hi @mrkaryo

So sorry for the late reply. No, I am not protecting the whole domain - just Immich. Immich is the only app I have that is exposed to the internet.

[princejosuah]

Hello everyone (...) I'm using Caddy + Authelia + Crowdsec (...)

Hi @gonsalvesc

Apologies for resurrecting and hijacking this thread, the part I've quoted is what made me stop.
I'm trying to make Caddy + Authelia + Crowdsec work together.
I've been scouring the Internet and going through trials and errors for more than 1 month now, to no avail.

I'd be immensely thankful if you could share with me your (redacted, of course) compose file and Caddyfile.
Thanks in advance

[gonsalvesc]

Sure thing!
I've uploaded the compose files into this repo.

Good luck and let me know how it goes!

[maxime1992]

No, I am not protecting the whole domain - just Immich. Immich is the only app I have that is exposed to the internet

I don't think you're protecting much by doing that. I've explained more here #3118 (reply in thread)