[Guide] Cloudflare Tunnels with SSO/OAuth working for immich #8299
Replies: 20 comments 32 replies
-
Can confirm that this works great. Thanks so much!
-
Thanks, it works for me, though I have to set the override redirect URL https://immich.kerbalrocket.com/api/oauth/mobile-redirect to make it work.
-
@shanelord01 would you be willing to write this up for the Guides section of the docs?
-
So far I've been using Cloudflare tunnel to enable me to set up a custom domain name for my self-hosted apps. This has worked pretty well with Immich. But the way it works is that I still have to enter a password and username. If I understand this tutorial, this would use Cloudflare to bypass the Immich login screen, which sounds great. But I'm presented with options I don't understand. On the very first page of "Add an application" (after selecting SaaS under Access), it asks me whether I want SAML or OIDC. I don't know what to choose, so I pick SAML. Then I see this (and more). I'm not sure how to proceed. PS: I'm not sure how to "Follow the OAuth setup for immich here".
-
It works great. Thank you!!
-
Thanks for your guide! Until now I wasn't able to set up Cloudflare Zero Trust with Immich. Does your proposed solution also work with the mobile app? Thanks in advance!
-
Just wanted to say thanks! Confirmed it works on web and mobile.
-
Unfortunately, it doesn't work for me. The following error message is displayed:
https://immich.xxx.de
-
This works great! Thank you very much!
-
This is the best writeup I've seen for getting OAuth to work. Thank you @bryan065! Upon selecting the "Login with OAuth" button, I select my Google account and enter the password. I am returned to the login page with the message: "Error in OAuth discovery: AggregateError." Have others come across this? I have double-checked my work against these instructions, and I can't see what I may have fat-fingered. From my Windows desktop, I start the Edge browser and enter my App Launcher URL as specified in the Cloudflare tunnel configuration. The Cloudflare tunnel is linked to my NAS running openmediavault.
The log with Bitdefender enabled
The log with Bitdefender disabled
-
Great article. So I got this working, and with multiple email addresses. I am using Google in Cloudflare as the auth provider, but I have 2 questions.
-
I'm hoping someone can help spot my silly mistake somewhere please, because I can't find where the problem is... Basically I get the following error: I can browse to the URL and see the Immich logon prompt where I select "Login with OAuth" (which at least indicates the public hostname tunnel is working ok). I click the link and I'm prompted to sign in with Google as my OAuth provider. It then redirects me to the above error message. Here are my Cloudflare redirect URLs: Within Immich I've double checked the Issuer URL is correct: The Policy looks ok: Plus Authentication is set up to use Google, which looks ok too. I honestly can't spot the problem, so apologies if I've missed something obvious. :)
-
I have followed the guide and was able to set this up correctly for the web links. I am having trouble setting it up for mobile. When I enter the server endpoint URL into the app, using the same link as I would on the web, it brings me to the (Email/Password) screen. I have disabled this to only allow the OAuth login method. I also do not have the option to use the OAuth login method in the app. Did I miss a step in setting this up? My redirects set up in Cloudflare are the 5 listed in the original post and also the http://domain/api/oauth/mobile-redirect link (domain being my specific domain).
-
Great article, managed to get this to work after figuring out I fat-fingered the redirect URLs. For those that are getting "Invalid redirect_uri", you might want to double check the redirect URL entries. That was causing the error when accessing the site. One question: I'm trying to determine the best way to log IP addresses from clients accessing the site. Are the two available options:
-
Hi,
-
The guide works perfectly. Thank you so much. I would like to add a few points.
-
Just swapped from a local Authentik instance to CF. Works great and I can MFA through Azure AD in addition to email. Good write up! Easy to follow.
-
+1 for this guide working for me, you're awesome!
-
Hello Everyone, thanks for the great guide. I have followed it and I'm very close to getting it working; however, I'm unable to log in via OAuth using Google. I'm getting the following error in the Immich Server:
If anyone can help me solve this error it would be greatly appreciated. TIA
-
Just figured out what my issue was. Went into CF SaaS and reset the Client Secret. Copied the new Client Secret into Immich and I was good to go.
-
I've just set this up using Cloudflare Tunnels and a SaaS App for immich. This assumes you've set up an Auth Provider in Cloudflare Zero Trust Settings/Authentication already. Example setup for Google here.
- In Cloudflare Zero Trust / Networks
- In Cloudflare Access, set up a SaaS application called immich
- Follow the OAuth setup for immich here.
- In Cloudflare, set up the redirect URIs for Mobile, Local IP and Hostname ("public hostname" set in step 1 above)
  - openid
  - email
  - profile
- Disable "Proof Key for Code Exchange (PKCE)"
- Set your App Launcher URL to your https://immich.yourdomain.com/ set in step 1.
- Add a custom icon link.
- Under "Policies", add a policy:
- Under Authentication, set it to whichever Identity Providers you want to support.
- In immich:
Once tested working, you can do the following final steps in immich:
- Enable "Auto Launch" to streamline things.
- Under "Password Authentication", disable it (forcing users to use OAuth).
Working perfectly for me and works with the app too!
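Several replies above trace "Invalid redirect_uri" and the mobile app falling back to the email/password screen to mis-typed redirect URIs in the Cloudflare SaaS app. As an added check that is not part of the original post, of immich or of Cloudflare, the script below lists the redirect URIs immich will present for each origin (hostname and local IP) and flags registered entries that differ only by scheme, case or a trailing slash; the web paths `/auth/login` and `/user-settings` and the `app.immich:/` mobile scheme are assumptions taken from the immich OAuth docs, while `/api/oauth/mobile-redirect` is the override mentioned in the thread.

```python
"""Compare redirect URIs registered in a Cloudflare Access SaaS app with the
ones immich actually sends. Identity providers match redirect_uri exactly,
so a scheme, case or trailing-slash difference yields "Invalid redirect_uri"."""
from urllib.parse import urlsplit

# Assumption: web paths and mobile scheme per the immich OAuth docs, not
# taken from this thread. The mobile override path is the one replies mention.
WEB_PATHS = ("/auth/login", "/user-settings")
MOBILE_SCHEME_URI = "app.immich:/"
MOBILE_OVERRIDE_PATH = "/api/oauth/mobile-redirect"


def expected_redirects(origins, mobile_override=True):
    """Return the set of redirect URIs immich will send for the given origins."""
    wanted = {MOBILE_SCHEME_URI}
    for origin in origins:
        origin = origin.rstrip("/")
        for path in WEB_PATHS:
            wanted.add(origin + path)
        if mobile_override:  # only needed when the override URL is configured
            wanted.add(origin + MOBILE_OVERRIDE_PATH)
    return wanted


def _loose_key(uri):
    """Normalised form (no scheme, lower-case, no trailing slash) used only to
    diagnose why an exact match failed; never use this for the real check."""
    parts = urlsplit(uri)
    return (parts.netloc.lower(), parts.path.rstrip("/").lower())


def check_redirects(registered, origins, mobile_override=True):
    """Return (missing, near_misses): URIs immich needs that are not registered
    exactly, and for each one a registered entry that is a near-miss typo."""
    registered = set(registered)
    missing = sorted(expected_redirects(origins, mobile_override) - registered)
    by_loose = {_loose_key(r): r for r in registered}
    near = {m: by_loose[_loose_key(m)] for m in missing if _loose_key(m) in by_loose}
    return missing, near


if __name__ == "__main__":
    # Constructed sample: two typos that IdPs reject (wrong scheme, extra slash).
    sample = ["https://immich.example.com/auth/login",
              "https://immich.example.com/user-settings/",
              "http://immich.example.com/api/oauth/mobile-redirect",
              "app.immich:/"]
    missing, near = check_redirects(sample, ["https://immich.example.com"])
    for uri in missing:
        print(f"missing {uri}" + (f"  (registered as {near[uri]})" if uri in near else ""))
```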