Configuring SSO for Immich with Authelia OIDC
In this blog post we will configure Authelia as an OIDC provider and use it to enable Single Sign-On (SSO) via OIDC/OAuth in Immich.
Configuring Authelia
Authelia's configuration is defined in a configuration.yaml file. Within this file, we can define the necessary OIDC settings, such as the provider itself and a client.
Creating an OIDC Provider and Client
Authelia's public OIDC documentation provides an example configuration. Within this example, several parameters require either a secret value or a certificate.
The secret values and certificates can be securely generated using the Authelia Docker image as follows (see here):
# creating secure secret values (--rm removes the throwaway container afterwards)
docker run --rm authelia/authelia:latest authelia crypto rand --length 64 --charset alphanumeric
# creating a self-signed certificate and displaying the cert and key material
# please adjust `authelia.example.com` to your domain
docker run --rm authelia/authelia sh -c "authelia crypto certificate rsa generate --common-name authelia.example.com && cat public.crt && cat private.pem"
With those secret values and certificate data at hand, we can adjust the OIDC example configuration provided by Authelia. We insert our self-generated secrets and certificate material and tweak the configuration slightly so that it is properly aligned with Immich.
Replace every example.com entry with your own domains.
identity_providers:
  oidc:
    hmac_secret: this_is_a_secret_abc123abc123abc # provide secure secret
    issuer_certificate_chain: |
      -----BEGIN CERTIFICATE-----
      MIIDBDCCAeygAwIBAgI^invalid INSERT YOUR CERT DATA
      -----END CERTIFICATE-----
    issuer_private_key: |
      -----BEGIN RSA PRIVATE KEY-----
      MIIEpAIBAAKCAQEA8qd^invalid INSERT YOUR CERT DATA
      -----END RSA PRIVATE KEY-----
    access_token_lifespan: 1h
    authorize_code_lifespan: 1m
    id_token_lifespan: 1h
    refresh_token_lifespan: 90m
    enable_client_debug_messages: false
    enforce_pkce: public_clients_only
    cors:
      endpoints:
        - authorization
        - token
        - revocation
        - introspection
      allowed_origins:
        - https://immich.example.com # adjust to your immich url
      allowed_origins_from_client_redirect_uris: false
    clients:
      - id: immich
        description: Immich OIDC
        secret: 'a-very-secure-secret-properly-generated' # provide secure secret
        sector_identifier: ''
        public: false
        authorization_policy: one_factor # may use two_factor to enforce 2FA
        consent_mode: explicit
        pre_configured_consent_duration: 1w
        audience: []
        scopes:
          - openid
          - groups
          - email
          - profile
        redirect_uris: # adjust to your domains
          - https://authelia.example.com/
          - https://authelia.example.com/oauth2/callback
          - https://immich.example.com/oauth2/callback
          - https://immich.example.com/auth/login
          - https://immich.example.com/user-settings
          - https://immich.example.com
          - app.immich:/
          - https://immich.example.com/api/oauth/mobile-redirect
        grant_types:
          - refresh_token
          - authorization_code
        response_types:
          - code
        response_modes:
          - form_post
          - query
          - fragment
        userinfo_signing_algorithm: none
Authelia OIDC configuration for Immich
Make sure to properly adjust the following key parameters:
- hmac_secret
- issuer_certificate_chain
- issuer_private_key
- allowed_origins
- secret
- redirect_uris
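As an added example (not code from the blog post, Authelia or Immich), the following Python script checks exactly these key parameters once the configuration has been loaded from configuration.yaml (for instance with yaml.safe_load). It reports the mistakes that most often break the Immich flow: secrets or certificate data left at their example placeholder values, a leftover example.com host in a redirect URI, a missing CORS origin or redirect URI, and a client that is not confidential. The placeholder markers, the 64-character minimum for secrets and the sample config embedded at the bottom are this script's own assumptions; the sample mirrors the post's example before the placeholders are replaced.

```python
"""Check an Authelia OIDC config against the Immich SSO setup described above.

Added example; the placeholder markers and the 64-character minimum are
assumptions of this script, not requirements stated by Authelia or Immich.
"""
import json
from urllib.parse import urlparse

PLACEHOLDER_MARKERS = ("INSERT YOUR CERT DATA", "^invalid", "this_is_a_secret", "properly-generated")
MIN_SECRET_LEN = 64  # assumption: same length as `authelia crypto rand --length 64`
IMMICH_REDIRECT_PATHS = ("/oauth2/callback", "/api/oauth/mobile-redirect")
IMMICH_APP_URI = "app.immich:/"  # deep link used by the mobile app


def looks_placeholder(value: str) -> bool:
    return any(marker in value for marker in PLACEHOLDER_MARKERS)


def check_immich_oidc(config: dict, authelia_url: str, immich_url: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    oidc = config.get("identity_providers", {}).get("oidc", {})
    immich_url = immich_url.rstrip("/")
    known_hosts = {urlparse(authelia_url).hostname, urlparse(immich_url).hostname}

    # Provider-level secret and certificate material
    hmac = str(oidc.get("hmac_secret", ""))
    if looks_placeholder(hmac) or len(hmac) < MIN_SECRET_LEN:
        findings.append(f"hmac_secret is a placeholder or shorter than {MIN_SECRET_LEN} chars")
    for key in ("issuer_certificate_chain", "issuer_private_key"):
        if looks_placeholder(str(oidc.get(key, ""))):
            findings.append(f"{key} still holds the example placeholder")
    if oidc.get("enforce_pkce") == "never":
        findings.append("enforce_pkce is 'never'; public clients would run without PKCE")
    if immich_url not in oidc.get("cors", {}).get("allowed_origins", []):
        findings.append(f"cors.allowed_origins lacks {immich_url}")

    # Client block for Immich
    client = next((c for c in oidc.get("clients", []) if c.get("id") == "immich"), None)
    if client is None:
        return findings + ["no client with id 'immich'"]
    secret = str(client.get("secret", ""))
    if client.get("public") or not secret:
        findings.append("immich client must be confidential (public: false) with a secret")
    elif looks_placeholder(secret) or len(secret) < MIN_SECRET_LEN:
        findings.append(f"client secret is a placeholder or shorter than {MIN_SECRET_LEN} chars")
    if client.get("authorization_policy") not in ("one_factor", "two_factor"):
        findings.append("authorization_policy should be one_factor or two_factor")
    for scope in ("openid", "email", "profile"):
        if scope not in client.get("scopes", []):
            findings.append(f"scopes lacks {scope}")
    if "authorization_code" not in client.get("grant_types", []):
        findings.append("grant_types lacks authorization_code")

    # Redirect URIs: the web callback, the mobile redirect and the app deep link must be present,
    # and every https URI must point at either the Authelia or the Immich host.
    uris = client.get("redirect_uris", [])
    for path in IMMICH_REDIRECT_PATHS:
        if immich_url + path not in uris:
            findings.append(f"redirect_uris lacks {immich_url}{path}")
    if IMMICH_APP_URI not in uris:
        findings.append(f"redirect_uris lacks {IMMICH_APP_URI}")
    for uri in uris:
        if uri.startswith("https://") and urlparse(uri).hostname not in known_hosts:
            findings.append(f"redirect URI {uri} points at an unexpected host (leftover example.com?)")
    return findings


def with_secrets(config: dict, hmac_secret: str, client_secret: str, cert: str, key: str) -> dict:
    """Deep-copy config and drop in freshly generated provider/client secrets."""
    cfg = json.loads(json.dumps(config))
    oidc = cfg["identity_providers"]["oidc"]
    oidc.update(hmac_secret=hmac_secret, issuer_certificate_chain=cert, issuer_private_key=key)
    for client in oidc["clients"]:
        if client["id"] == "immich":
            client["secret"] = client_secret
    return cfg


# Constructed sample: the post's example config with its placeholders still in place.
SAMPLE_CONFIG = {"identity_providers": {"oidc": {
    "hmac_secret": "this_is_a_secret_abc123abc123abc",
    "issuer_certificate_chain": "-----BEGIN CERTIFICATE-----\nMIIDBDCCAeygAwIBAgI^invalid INSERT YOUR CERT DATA\n-----END CERTIFICATE-----\n",
    "issuer_private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA8qd^invalid INSERT YOUR CERT DATA\n-----END RSA PRIVATE KEY-----\n",
    "enforce_pkce": "public_clients_only",
    "cors": {"allowed_origins": ["https://immich.example.com"]},
    "clients": [{
        "id": "immich", "secret": "a-very-secure-secret-properly-generated", "public": False,
        "authorization_policy": "one_factor",
        "scopes": ["openid", "groups", "email", "profile"],
        "redirect_uris": [
            "https://authelia.example.com/", "https://authelia.example.com/oauth2/callback",
            "https://immich.example.com/oauth2/callback", "https://immich.example.com/auth/login",
            "https://immich.example.com/user-settings", "https://immich.example.com",
            "app.immich:/", "https://immich.example.com/api/oauth/mobile-redirect",
        ],
        "grant_types": ["refresh_token", "authorization_code"],
    }],
}}}

if __name__ == "__main__":
    for finding in check_immich_oidc(SAMPLE_CONFIG, "https://authelia.example.com", "https://immich.example.com"):
        print("-", finding)
```

Run against the untouched sample, the script flags the hmac_secret, both certificate placeholders and the client secret; after `with_secrets` has swapped in values generated with the `authelia crypto` commands above, it returns no findings. Pointing it at a different Immich URL than the one in the config reveals the leftover example.com redirect URIs and the missing CORS origin, which is the most common reason the login button on Immich ends in an Authelia error page.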
Configuring Immich
Immich is configured by logging into the web application as admin and then browsing to the administration and settings area.
Setting up OAuth
Visit your Immich web instance and log in as admin. Then browse to the URL /admin/system-settings. You'll find a setting named OAuth Authentication.
Adjust the key parameters as follows:

Here, a short explanation of the key settings:
- ISSUER URL: The issuer URL of your Authelia instance, i.e. https:// followed by its FQDN
- CLIENT ID: The client id defined in Authelia's configuration.yml
- CLIENT SECRET: The client secret defined in Authelia's configuration.yml
- SCOPE: Can be left unchanged
- STORAGE LABEL CLAIM: Can be left unchanged
- BUTTON TEXT: Your preferred button text shown on the login page
- AUTO REGISTER: Your preferred choice, whether Authelia users are automatically registered/created within Immich if they do not exist yet. I recommend setting this to false. Create the users manually!
- AUTO LAUNCH: Whether the OAuth/OIDC authentication flow should be started automatically. If enabled, there won't be an option to use the local authentication flow with username and password anymore.
- MOBILE REDIRECT URI OVERRIDE: Must be enabled to support proper redirection from the Authelia browser login back to the Immich mobile app.
- MOBILE REDIRECT URI: This is a specific URL provided by Immich which, when opened, launches the Immich mobile app. Basically a custom scheme or deep link; see here. It consists of your Immich FQDN and the path /api/oauth/mobile-redirect.
Afterwards, hit the save button and test the newly configured OIDC SSO.
Both the web application and the mobile application of Immich will show a new button to log in via OAuth/OIDC. Just hit the button, authenticate against Authelia and you will be redirected to Immich as an authenticated user.
Enjoy!