
Authentik OAuth2 404 Errors Connecting to Immich #13252

Open
ryphez opened this issue Feb 25, 2025 · 9 comments
Labels
question Further information is requested

Comments

ryphez commented Feb 25, 2025

I'm trying to set up Immich with OAuth2. I have had Authentik set up with SWAG for other apps like code-server and FreshRSS, which all work fine with a Proxy Provider. I followed the guide https://dev.to/rzumbado/immich-sso-with-authentik-2gi9, which seemed to all set up correctly, but when I hit my "photos.domain.com", I get 500 Internal Service Error.

In the authentik logs I get this, with no redirection to log in like usual:

```json
{
  "auth_via": "unauthenticated",
  "domain_url": "photos.domain.com",
  "event": "/outpost.goauthentik.io/auth/nginx",
  "host": "photos.domain.com",
  "level": "info",
  "logger": "authentik.asgi",
  "method": "GET",
  "pid": 46,
  "remote": "192.168.1.233",
  "request_id": "6aaea770e4bd444085003469d0cc48d3",
  "runtime": 8,
  "schema_name": "public",
  "scheme": "https",
  "status": 404,
  "timestamp": "2025-02-22T07:08:32.119602",
  "user": "",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0"
}
```

My swag config for Immich (photos) is:

```nginx
## Version 2025/01/30
# make sure that your immich container is named immich_server
# make sure that your dns has a cname set for immich
# immich v1.118+ only. For earlier versions, change $upstream_port to 3001

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name photos.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth (requires ldap-location.conf in the location block)
    #include /config/nginx/ldap-server.conf;

    # enable for Authelia (requires authelia-location.conf in the location block)
    #include /config/nginx/authelia-server.conf;

    # enable for Authentik (requires authentik-location.conf in the location block)
    include /config/nginx/authentik-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable for ldap auth (requires ldap-server.conf in the server block)
        #include /config/nginx/ldap-location.conf;

        # enable for Authelia (requires authelia-server.conf in the server block)
        #include /config/nginx/authelia-location.conf;

        # enable for Authentik (requires authentik-server.conf in the server block)
        include /config/nginx/authentik-location.conf;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.1.69;
        set $upstream_port 2283;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location ~ (/immich)?/api {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.1.69;
        set $upstream_port 2283;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
}
```

Lastly, my authentik config in swag is:

```nginx
## Version 2023/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authentik-server.conf.sample
# Make sure that your authentik container is in the same user defined bridge network and is named authentik-server
# Rename /config/nginx/proxy-confs/authentik.subdomain.conf.sample to /config/nginx/proxy-confs/authentik.subdomain.conf

# location for authentik subfolder requests
location ^~ /outpost.goauthentik.io {
    auth_request off; # requests to this subfolder must be accessible without authentication
    include /config/nginx/proxy.conf;
    include /config/nginx/resolver.conf;
    set $upstream_authentik authentik-server;
    proxy_pass http://$upstream_authentik:9000;
}

# location for authentik auth requests
location = /outpost.goauthentik.io/auth/nginx {
    internal;

    include /config/nginx/proxy.conf;
    include /config/nginx/resolver.conf;
    set $upstream_authentik authentik-server;
    proxy_pass http://$upstream_authentik:9000;

    ## Include the Set-Cookie header if present
    auth_request_set $set_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $set_cookie;

    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

# virtual location for authentik 401 redirects
location @goauthentik_proxy_signin {
    internal;

    ## Include the Set-Cookie header if present
    auth_request_set $set_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $set_cookie;

    ## Set the $target_url variable based on the original request
    set_escape_uri $target_url $scheme://$http_host$request_uri;

    ## Set the $signin_url variable
    set $signin_url https://$http_host/outpost.goauthentik.io/start?rd=$target_url;

    ## Redirect to login
    return 302 $signin_url;
}
```

Happy to try anything out or give more logs if needed.
ryphez added the `question` (Further information is requested) label Feb 25, 2025

dominic-r (Contributor) commented

I don't recommend following external documentation for this type of thing. The GitHub linked in the blog post uses outdated compose files and versions. You should instead set authentik up using the official documentation. Then, you can follow Immich's docs to set it up. By looking at your logs, you are using an outpost, which is not needed as Immich offers SSO: https://immich.app/docs/administration/oauth/. Here's our official guide: https://docs.goauthentik.io/integrations/services/immich/ Using an outpost will most probably break things such as the mobile app. LMK if you have any questions or need any clarifications. I'd be happy to help you out!
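
A worked triage of the symptom in the first post against this explanation, as an added Python example (not code from the issue, from SWAG or from authentik). It parses authentik's JSON log events and flags hosts whose forward-auth subrequest (the internal `location = /outpost.goauthentik.io/auth/nginx` from authentik-server.conf) was answered with an error, checks which authentik includes are active in a SWAG proxy-conf, and emits a copy with those includes commented out so the site is plain `proxy_pass` while the upstream does its own OIDC login. The log lines and config inside it are constructed to mirror the ones posted above (hostnames and the 192.0.2.10 upstream are made up), and the reading that a 404 on that path means the embedded outpost has no proxy provider for the host is my assumption, not something the thread states.

```python
import json
import re

# Path that authentik-server.conf exposes as nginx's internal auth_request
# target; the 404 event in the issue is exactly this path.
AUTH_ENDPOINT = "/outpost.goauthentik.io/auth/nginx"
# Include lines that switch a SWAG proxy-conf to authentik forward-auth.
FORWARD_AUTH_INCLUDES = ("/config/nginx/authentik-server.conf",
                         "/config/nginx/authentik-location.conf")
INCLUDE_RE = re.compile(r"include\s+(\S+?);")

# Constructed sample log: the issue's symptom (404 on the forward-auth path for
# the Immich host), a healthy forward-auth for another host, an unrelated event
# and a non-JSON line that the parser must skip.
SAMPLE_LOG = """\
startup: authentik listening (constructed non-JSON line)
{"auth_via": "unauthenticated", "event": "/outpost.goauthentik.io/auth/nginx", "host": "photos.example.test", "status": 404}
{"auth_via": "session", "event": "/outpost.goauthentik.io/auth/nginx", "host": "code.example.test", "status": 200}
{"event": "/-/health/live/", "host": "auth.example.test", "status": 204}
"""

# Constructed SWAG-style site config with forward-auth enabled, as in the issue.
SAMPLE_CONFIG = """\
server {
    server_name photos.*;
    include /config/nginx/ssl.conf;
    #include /config/nginx/authelia-server.conf;
    include /config/nginx/authentik-server.conf;
    location / {
        include /config/nginx/authentik-location.conf;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.0.2.10:2283;
    }
}
"""

def parse_authentik_log(text: str) -> list[dict]:
    """Pull JSON objects out of authentik log output, one per line or
    pretty-printed (as pasted in the issue); non-JSON text is skipped."""
    decoder, events, pos = json.JSONDecoder(), [], 0
    while (start := text.find("{", pos)) != -1:
        try:
            obj, pos = decoder.raw_decode(text, start)
        except json.JSONDecodeError:
            pos = start + 1
            continue
        if isinstance(obj, dict):
            events.append(obj)
    return events

def failed_forward_auth_hosts(events: list[dict]) -> dict[str, list[int]]:
    """Host -> status codes for forward-auth subrequests answered with >= 400.
    Assumption: a 404 here means the embedded outpost has no proxy provider for
    that host, so nginx never receives the 401 it would redirect on."""
    hosts: dict[str, list[int]] = {}
    for ev in events:
        status = ev.get("status")
        if ev.get("event") == AUTH_ENDPOINT and isinstance(status, int) and status >= 400:
            hosts.setdefault(str(ev.get("host")), []).append(status)
    return hosts

def forward_auth_includes(config: str) -> list[str]:
    """Authentik forward-auth includes that are active (not commented out)."""
    found = []
    for line in (raw.strip() for raw in config.splitlines()):
        m = INCLUDE_RE.match(line)  # a leading '#' makes this not match
        if m and m.group(1) in FORWARD_AUTH_INCLUDES:
            found.append(m.group(1))
    return found

def disable_forward_auth(config: str) -> str:
    """Comment out the forward-auth includes, leaving the rest untouched: the
    shape a proxy-conf needs when the upstream (Immich) does its own OIDC login."""
    out = []
    for raw in config.splitlines():
        stripped = raw.strip()
        m = INCLUDE_RE.match(stripped)
        if m and m.group(1) in FORWARD_AUTH_INCLUDES:
            indent = raw[: len(raw) - len(raw.lstrip())]
            out.append(f"{indent}#{stripped}  # disabled: upstream uses native OIDC")
        else:
            out.append(raw)
    return "\n".join(out) + ("\n" if config.endswith("\n") else "")

def diagnose(log_text: str, config: str) -> dict:
    """Run both checks and return the findings plus a short verdict list."""
    failed = failed_forward_auth_hosts(parse_authentik_log(log_text))
    includes = forward_auth_includes(config)
    verdict = [f"forward-auth active via {', '.join(includes)}"] if includes else []
    for host, codes in failed.items():
        verdict.append(f"{host}: forward-auth subrequest answered {sorted(set(codes))}")
    if includes and failed:
        verdict.append("upstream uses native OIDC: drop the includes, keep proxy_pass only")
    return {"failed_hosts": failed, "includes": includes, "verdict": verdict}

if __name__ == "__main__":
    for line in diagnose(SAMPLE_LOG, SAMPLE_CONFIG)["verdict"]:
        print("-", line)
    print(disable_forward_auth(SAMPLE_CONFIG))
```

Feed it your real proxy-conf and a capture of the authentik container log to get the same verdict on live data. The includes are commented out rather than deleted so the change is reversible and the SWAG sample header stays recognisable; the `location ~ (/immich)?/api` block in the posted config never had the includes, so it is left exactly as it is.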

ryphez (Author) commented Feb 26, 2025

I have Authentik set up via Unraid using the image someone made. I could swap to docker-compose if needed, but my existing Proxy Providers all work fine with no issue.

I just re-did the setup instructions you outlined and saw no Application was created for the Provider. Is that intentional?

ryphez (Author) commented Feb 26, 2025

Application:
[screenshot]

Provider:
[screenshot]
[screenshot]

That's the provider. I'm using "photos" instead of immich, but everything is configured that way. If it matters, I can swap it.

rissson (Member) commented Feb 26, 2025

Please don't share secrets in screenshots, I highly recommend you rotate that client secret.

rissson (Member) commented Feb 26, 2025

Here are my authentik and immich settings:

[screenshot]

[screenshot]

[screenshot]

ryphez (Author) commented Feb 27, 2025

I updated my secrets and will hide them moving forward, but my provider looks the exact same. I'm on Authentik 2025.2.0 if that matters.

Did you have an application associated with the provider?

ryphez (Author) commented Feb 27, 2025

rissson (Member) commented Feb 27, 2025

> Did you have an application associated with the provider?

Yes, that's necessary for the provider to do anything

ryphez (Author) commented Feb 27, 2025

Okay, so I'm stumped about how to proceed. I'm guessing it's the interaction between SWAG and Authentik regarding this particular path.
