The bug

After updating my immich instance to v1.124.0 I'm not able to login with authelia anymore. Logging in with password works fine.

The OS that Immich Server is running on

Fedora 41

Version of Immich Server

v1.124.2

Version of Immich Mobile App

v1.124.0

Platform with the issue

Your docker-compose.yml content

```yaml
networks:
  traefik_default:
    external: true
services:
  immich-machine-learning:
    cap_drop:
      - ALL
    image: ghcr.io/immich-app/immich-machine-learning:v1.124.0@sha256:ca74b8c58e745dda0fa4a3321bfa517dd85fb5b055760bd13dcbbe9dc526c788
    read_only: true
    restart: always
    security_opt:
      - no-new-privileges:true
    tmpfs:
      - /.cache:uid=8723,gid=8723
      - /tmp:uid=8723,gid=8723
    user: 8723:8723
    volumes:
      - machine-learning-cache:/cache
  immich-server:
    cap_drop:
      - ALL
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_healthy
    env_file: .env
    environment:
      - DB_HOSTNAME=postgres
      - REDIS_HOSTNAME=redis
      - DB_DATABASE_NAME=${POSTGRES_DB}
      - DB_PASSWORD=${POSTGRES_PASSWORD}
      - DB_USERNAME=${POSTGRES_USER}
    image: ghcr.io/immich-app/immich-server:v1.124.0@sha256:80e0f8a9520db3536c91fadedc369a30080d6fd9df046e0f2f03210755ddf55d
    labels:
      traefik.enable: true
      # The app connects via http, it's less resource intensive and encryption
      # is provided by tailscale anyway.
      traefik.http.routers.immich.entrypoints: https,http
      traefik.http.routers.immich.rule: Host(`photos.example.com`)
      traefik.http.services.immich.loadbalancer.server.port: 2283
    networks:
      - default
      - traefik_default
    restart: always
    security_opt:
      - no-new-privileges:true
    user: 5551:5551
    volumes:
      - data:/usr/src/app/upload
  postgres:
    cap_drop:
      - ALL
    env_file: .env
    environment:
      PGUSER: ${POSTGRES_USER}
    healthcheck:
      interval: 10s
      retries: 5
      test:
        - CMD
        - pg_isready
      timeout: 5s
    image: docker.io/tensorchord/pgvecto-rs:pg16-v0.3.0-rootless@sha256:d125f3aec02bfa66764432eae76e1098a3b0c6f8bf13db38f5af1156499c90b5
    read_only: true
    restart: always
    security_opt:
      - no-new-privileges:true
    tmpfs:
      - /tmp:uid=70,gid=70
      - /var/run/postgresql:uid=70,gid=70
    # User has to be 70, otherwise the container tries to chown the postgres
    # volume but fails due to insufficient permissions.
    user: 70:70
    volumes:
      - postgres:/var/lib/postgresql/data
  redis:
    cap_drop:
      - ALL
    healthcheck:
      interval: 10s
      retries: 5
      test:
        - CMD
        - redis-cli
        - ping
      timeout: 5s
    image: docker.io/library/redis:7.4.2-alpine@sha256:86c23b252bbdaa1a867e0e360480de1aaea96e6ab3b1e69743c626c07a2a0c17
    read_only: true
    restart: always
    security_opt:
      - no-new-privileges:true
    user: 9243:9243
    volumes:
      - redis:/data
volumes:
  data: {}
  machine-learning-cache: {}
  postgres: {}
  redis: {}
```

Your .env content

```
POSTGRES_USER=secret
POSTGRES_DB=secret
POSTGRES_PASSWORD=secret
```

Reproduction steps

Relevant log output

```
immich-server-1 | [Nest] 17 - 01/09/2025, 10:34:31 AM ERROR [Api:ErrorInterceptor~gbbaupts] Unknown error: OPError: expected 200 OK, got: 301 Moved Permanently
immich-server-1 | OPError: expected 200 OK, got: 301 Moved Permanently
immich-server-1 | at processResponse (/usr/src/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)
immich-server-1 | at Client.grant (/usr/src/app/node_modules/openid-client/lib/client.js:1381:22)
immich-server-1 | at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
immich-server-1 | at async Client.callback (/usr/src/app/node_modules/openid-client/lib/client.js:520:24)
immich-server-1 | at async OAuthRepository.getProfile (/usr/src/app/dist/repositories/oauth.repository.js:45:28)
immich-server-1 | at async AuthService.callback (/usr/src/app/dist/services/auth.service.js:136:25)
immich-server-1 | at async OAuthController.finishOAuth (/usr/src/app/dist/controllers/oauth.controller.js:39:22)
```

Additional information

Here is the part of the configuration where authentication is configured:

```json
{
  "oauth": {
    "autoLaunch": false,
    "autoRegister": true,
    "buttonText": "Login with Authelia",
    "clientId": "secret",
    "clientSecret": "secret",
    "defaultStorageQuota": 0,
    "enabled": true,
    "issuerUrl": "https://auth.example.com/.well-known/openid-configuration",
    "mobileOverrideEnabled": false,
    "mobileRedirectUri": "",
    "profileSigningAlgorithm": "none",
    "scope": "openid email profile",
    "signingAlgorithm": "RS256",
    "storageLabelClaim": "preferred_username",
    "storageQuotaClaim": "immich_quota"
  },
  "passwordLogin": {
    "enabled": false
  }
}
```
Answered by bo0tzz, Jan 9, 2025
Authelia (or your reverse proxy) is returning a redirect on one of the requests. That probably suggests a misconfigured URL.
Answer selected by dvdzara
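One way to locate the redirecting request the answer refers to, as an added example that is not part of the original discussion and is not Immich or Authelia code: it fetches the discovery document and then each endpoint the server calls directly, without following redirects, and reports every 3xx answer. The names `probe`, `find_redirects`, `BACKCHANNEL` and the sample responses in `FAKE` are constructed for illustration.

```python
import http.client
import json
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"
# Endpoints the relying party's server calls itself (the browser, not the
# server, visits authorization_endpoint, so it is not probed here).
BACKCHANNEL = (("jwks_uri", "GET"), ("token_endpoint", "POST"), ("userinfo_endpoint", "GET"))

def probe(url, method):
    """One request, redirects NOT followed: returns (status, Location, body)."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=10)
    try:
        conn.request(method, (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read()
    finally:
        conn.close()

def find_redirects(issuer_url, probe_fn=probe):
    """Return [(name, url, status, location)] for each request answered 3xx."""
    # Accept the issuer with or without the discovery suffix (Python 3.9+).
    url = issuer_url.rstrip("/").removesuffix(SUFFIX) + SUFFIX
    status, location, body = probe_fn(url, "GET")
    if 300 <= status < 400:  # discovery itself is redirected: stop here
        return [("discovery", url, status, location)]
    metadata, findings = json.loads(body), []
    for name, method in BACKCHANNEL:
        endpoint = metadata.get(name)
        if endpoint:
            status, location, _ = probe_fn(endpoint, method)
            if 300 <= status < 400:
                findings.append((name, endpoint, status, location))
    return findings

# Constructed responses (not captured from a real deployment): the discovery
# document advertises an http:// token endpoint that the proxy upgrades with 301.
BASE = "https://auth.example.com"
FAKE = {
    BASE + SUFFIX: (200, None, json.dumps(
        {"jwks_uri": BASE + "/jwks", "token_endpoint": "http://auth.example.com/token"}).encode()),
    BASE + "/jwks": (200, None, b"{}"),
    "http://auth.example.com/token": (301, BASE + "/token", b""),
}

if __name__ == "__main__":
    for finding in find_redirects(BASE, lambda url, method: FAKE[url]):
        print("%s %s -> %s %s" % finding)
```

Against a real deployment, call `find_redirects` with the configured `issuerUrl` from inside the `immich-server` container's network so the requests take the same path through the proxy. An unauthenticated probe normally gets a 4xx from the token and userinfo endpoints, which is not reported; only 3xx answers are.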