[Guide] Cloudflare Tunnels with SSO/OAuth working for immich #8299
Replies: 44 comments 69 replies
-
Can confirm that this works great. Thanks so much!
-
Thanks, it works for me, though I have to set the override redirect URL https://immich.xxx.com/api/oauth/mobile-redirect to make it work.
-
@shanelord01 would you be willing to write this up for the Guides section of the docs?
-
So far I've been using Cloudflare tunnel to enable me to set up a custom domain name for my self-hosted apps. This has worked pretty well with Immich. But the way it works is that I still have to enter a password and username. If I understand this tutorial, this would use Cloudflare to bypass the Immich login screen, which sounds great. But I'm presented with options I don't understand. On the very first page of "Add an application" (after selecting SaaS under Access), it asks me whether I want SAML or OIDC. I don't know what to choose, so I pick SAML. Then I see this (and more). I'm not sure how to proceed. PS: I'm not sure how to "Follow the OAuth setup for immich here".
-
It works great. Thank you!!
-
Thanks for your guide! Until now I wasn't able to set up Cloudflare Zero Trust with Immich. Does your proposed solution also work with the mobile app? Thanks in advance!
-
Just wanted to say thanks! Confirmed it works on web and mobile.
-
Unfortunately, it doesn't work for me. The following error message is displayed:
https://immich.xxx.de
-
This works great! Thank you very much!
-
This is the best writeup I've seen for getting OAuth to work. Thank you @bryan065! Upon selecting the "Login with OAuth" button, I select my Google account and enter my password. I am returned to the login page with the message: "Error in OAuth discovery: AggregateError." Have others come across this? I have double-checked my work against these instructions, and I can't see what I may have fat-fingered. From my Windows desktop, I start the Edge browser and enter my App Launcher URL as specified in the Cloudflare tunnel configuration. The Cloudflare tunnel is linked to my NAS running openmediavault. The log with Bitdefender enabled: The log with Bitdefender disabled:
-
Great article. So I got this working, and with multiple email addresses. I am using Google in Cloudflare as the auth provider, but I have 2 questions:
-
I'm hoping someone can help spot my silly mistake somewhere please because I can't find where the problem is... Basically I get the following error: I can browse to the URL and see the Immich logon prompt where I select "Login with OAuth" (which at least indicates the public hostname tunnel is working ok). I click the link and I'm prompted to sign in with Google as my OAuth provider. It then redirects me to the above error message. Here are my Cloudflare redirect URLs: Within Immich I've double checked the Issuer URL is correct: The Policy looks ok: Plus Authentication is set up to use Google which looks ok too. I honestly can't spot the problem so apologies if I've missed something obvious. :)
-
I have followed the guide and was able to set this up correctly for the web links. I am having trouble setting it up for mobile. When I enter the server endpoint URL into the app, using the same link as I would on the web, it brings me to the (Email/Password) screen. I have disabled this to only allow the OAuth login method. I also do not have the option to use the OAuth login method in the app. Did I miss a step in setting this up? My redirects set up in Cloudflare are the 5 listed in the original post and also the http://domain/api/oauth/mobile-redirect link (domain being my specific domain).
-
Great article, managed to get this to work after figuring out I fat-fingered the redirect URLs. For those that are getting "Invalid redirect_uri", you might want to double check the redirect URL entries. That was causing the error when accessing the site. One question: I'm trying to determine the best way to log IP addresses from clients accessing the site. Are these the two options available:
-
Hi,
-
Thank you sooo much for this. Got it up and running perfectly. Questions though:
Thank you!
-
Thanks for the guide. I am a noob and I got briefly stuck on three points.
#1 Invalid redirect URL: You can't enter the "Redirect URLs" until you enter the "App launcher URL", which is further down the page. After you enter the "App launcher URL", you can scroll back up to the top and input the Redirect URLs.
#2 Got an error when I tried to save the new app configuration: I had to remove the "app.immich:/" redirect URL to allow me to save the app.
#3 I got a "failed to finish auth" error when I tried to log in to immich using OAuth: This is because, to get a client secret for the first time, you have to click the "Reset client secret" button to generate the initial client secret (by default it is set to just 4 stars).
-
I set this up as per the guide, but using this guide anyone can access the immich login page. This seems really bad; wouldn't it be better if you had to authenticate with Cloudflare before being shown the immich login?
-
I just spent hours to set this up, just to realize that there is a 100MB upload size cap. It's probably a deal-breaker for anyone who wants to upload videos as well. I think this should be noted at the very beginning.
-
Thanks!
-
Works great, thank you :) I did have to untick "Auto Register" to stop people being able to make accounts.
-
Amazing! Cloudflare now acts as middleware for the login page, and it works great with the mobile app too. Thanks again!
-
Awesome. It worked. I followed these steps except I used Cloudflare OneTime email password instead of using Google Authentication. This makes things easier for me in terms of configurations that I need to maintain.
-
For those using this, can you confirm what size of video you are able to upload to immich through cloudflare? There is supposed to be a max, something like 250 or 500MB, I'd be interested in hearing some real world experience with this.
-
I may know the answer to my own question.... I use NGINX Proxy Manager (NPM) to forward traffic arriving from the Cloudflare (CF) tunnel. NPM and CF run on the same virtual machine, so the CF configuration file (/etc/cloudflared/config.yml) is exceedingly simple:
CF forwards everything to the local NPM, which is then configured to send stuff to my other services. I assume inserting NPM in the middle of this integration of CF tunnels, SSO/OAuth, and Immich will break something. But can I make this solution work by simply making the CF tunnel forward Immich traffic directly to my Immich instance, like this?
Thank you...
-
In Cloudflare tunnel it didn't allow the callback. So I have to enable the settings below in Immich to make it work for my iPhone.
-
For the SaaS application option, here are a few things I did in addition to tighten things up:
I would appreciate community feedback on any other POST/PUT endpoints that process authentication so I can consider blocking them as well.
-
Thanks for the guide, got everything set up and working except everyone could log on. I was having an issue that I did not want happening: any user with a Google account would automatically be able to log on to my server and have an account created in Immich. So in my SaaS app on Cloudflare, I added an email rule so that you have to use Google to authenticate AND your Google account email must be allowed as well, so only emails I specifically allow will be allowed to access the server through Cloudflare and Google auth. This seems to be working as far as I can tell from testing it on the CF policy test page, and I had a friend try to access it both ways; the only way that works is the way I want, where you have to have your email allowed and use Google auth.
-
I did everything strictly according to the instructions. Through the web it works well, including OAuth, but I cannot log in from the mobile app. There is an error:
-
Exposing your private instance to the public: is this secure or recommended by the devs, considering the app is under heavy development and doesn't have a stable release yet? I see a lot of people here in the thread have already set it up; are they just accepting the risks involved, or aren't they aware of these risks 🤔
-
I've just set this up using Cloudflare Tunnels and a SaaS App for immich. This assumes you've set up an Auth Provider in Cloudflare Zero Trust Settings/Authentication already. Example setup for Google here.
In Cloudflare Zero Trust / Networks
In Cloudflare Access, setup a SaaS application called immich
Follow the OAuth setup for immich here.
In Cloudflare set up the redirect URIs for Mobile, Local IP and Hostname ("public hostname" set in step 1 above)
- openid
- email
- profile
Disable "Proof Key for Code Exchange (PKCE)"
Set your App Launcher URL to the https://immich.yourdomain.com/ set in step 1.
Add a custom icon link.
Under "Policies", add a policy:
Under Authentication, set it to whichever Identity Providers you want to support.
In immich:
Once tested working, you can do the following final steps in immich:
- Enable "Auto Launch" to streamline things.
- Under "Password Authentication", disable it (forcing users to use OAuth).
Working perfectly for me and works with the app too!
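As an added example (not part of the original post, and not Immich or Cloudflare code): two offline checks for the two failure modes reported in this thread, a discovery document that does not match the Issuer URL typed into Immich ("Error in OAuth discovery"), and a redirect URI rejected as "Invalid redirect_uri" because it differs from a registered entry only by scheme or trailing slash. The team name, client id, hostname and discovery document are constructed placeholders.

```python
# Offline sanity checks for an Immich <-> Cloudflare Access OIDC setup (added example,
# not Immich or Cloudflare code; team name, client id and host are placeholders).
from typing import List, Optional
from urllib.parse import urlsplit

# Issuer URL as typed into Immich's OAuth settings (constructed placeholder).
ISSUER = "https://example-team.cloudflareaccess.com/cdn-cgi/access/sso/oidc/CLIENT_ID_PLACEHOLDER"
REQUIRED_SCOPES = {"openid", "email", "profile"}  # the three scopes the guide requests
# Redirect URIs as registered in the Cloudflare SaaS app (constructed sample).
REGISTERED_REDIRECT_URIS = [
    "https://immich.example.com/auth/login",
    "https://immich.example.com/api/oauth/mobile-redirect",
    "app.immich:///oauth-callback",
]
# Constructed stand-in for <issuer>/.well-known/openid-configuration; fetch the real one with curl.
SAMPLE_DISCOVERY = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorization",
    "token_endpoint": ISSUER + "/token",
    "jwks_uri": ISSUER + "/jwks",
    "scopes_supported": ["openid", "email", "profile"],
}

def check_discovery(doc: dict, configured_issuer: str) -> List[str]:
    """Return human-readable problems; an empty list means the document is usable."""
    problems = []
    # Must equal the Issuer URL in Immich byte-for-byte; a stray trailing slash breaks discovery.
    if doc.get("issuer") != configured_issuer:
        problems.append(f"issuer mismatch: document says {doc.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not doc.get(key, "").startswith("https://"):
            problems.append(f"{key} missing or not https")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append(f"scopes not offered: {sorted(missing)}")
    return problems

def check_redirect(redirect_uri: str, registered: List[str]) -> Optional[str]:
    """Explain why redirect_uri would get 'Invalid redirect_uri', or None if it matches exactly."""
    if redirect_uri in registered:
        return None
    got = urlsplit(redirect_uri)
    for w in map(urlsplit, registered):
        if (w.netloc, w.path.rstrip("/")) == (got.netloc, got.path.rstrip("/")):
            if w.scheme != got.scheme:
                return f"scheme differs: registered {w.scheme}://, request used {got.scheme}://"
            return "trailing slash differs from the registered entry"
    return "no registered entry for this host and path"
```

Run it against the real discovery document (saved with curl) and the exact redirect_uri shown in the failing browser request to see which entry in the SaaS app needs correcting.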