3 min read

Configuring SSO for Immich with Authelia OIDC

Setting up Authelia as OIDC provider for Immich to enable Single-Sign-On (SSO).
Configuring SSO for Immich with Authelia OIDC
Photo by Darya Tryfanava / Unsplas

In this blog post we will configure Authelia as OIDC provider and use it to enable Single Sign On (SSO) via OIDC/OAuth in Immich.

In this guide I will not focus on setting up Authelia or Immich. I will just outline how to enable Authelia as OIDC provider and how to make the relevant changes in Immich to enable OAuth authentication.

Configuring Authelia

Authelia's configuration is defined in a configuration.yaml file. Within this file, we can define the necessary OIDC configuration settings such as defining a provider and a client.

Creating an OIDC Provider and Client

Visiting Authelia's public OIDC documentation, we can obtain an example configuration. Within this example configuration, there are multiple parameters that either require a secret value or a certificate.

The secret values and certificates can be securely generated using the Authelia Docker image as follows (see here):

# creating secure secret values
docker run authelia/authelia:latest authelia crypto rand --length 64 --charset alphanumeric

# creating self-signed certificates and displaying the cert information
# please adjust `authelia.example.com` to your domain
docker run --rm authelia/authelia sh -c "authelia crypto certificate rsa generate --common-name authelia.example.com && cat public.crt && cat private.pem"

Upon creating those secret values and certificate information, we can adjust the provided OIDC example configuration by Authelia. We will insert our self-generated secrets and certificate information and adjust the configuration slightly to be properly alligned for Immich.

Ensure to correctly copy paste the certificate information. The content of public.crt must be defined in issuer_certificate_chain. The content of private.pem must be defined in issuer_private_key.

Replace all entries with example.com to your domains.
    hmac_secret: this_is_a_secret_abc123abc123abc # provide secure secret
    issuer_certificate_chain: |
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
    issuer_private_key: |
      -----BEGIN RSA PRIVATE KEY-----
      -----END RSA PRIVATE KEY-----
    access_token_lifespan: 1h
    authorize_code_lifespan: 1m
    id_token_lifespan: 1h
    refresh_token_lifespan: 90m
    enable_client_debug_messages: false
    enforce_pkce: public_clients_only
        - authorization
        - token
        - revocation
        - introspection
        - https://immich.example.com # adjust to your immich url
      allowed_origins_from_client_redirect_uris: false
      - id: immich
        description: Immich OIDC
        secret: 'a-very-secure-secret-properly-generated' # provide secure secret
        sector_identifier: ''
        public: false
        authorization_policy: one_factor # may use two_factor to enforce 2FA
        consent_mode: explicit
        pre_configured_consent_duration: 1w
        audience: []
          - openid
          - groups
          - email
          - profile
        redirect_uris: # adjust to your domains
          - https://authelia.example.com/
          - https://authelia.example.com/oauth2/callback
          - https://immich.example.com/oauth2/callback
          - https://immich.example.com/auth/login
          - https://immich.example.com/user-settings
          - https://immich.example.com
          - app.immich:/
          - https://immich.example.com/api/oauth/mobile-redirect
          - refresh_token
          - authorization_code
          - code
          - form_post
          - query
          - fragment
        userinfo_signing_algorithm: none

Authelia OIDC configuration for Immich

Ensure to properly adjust the following key parameters:

  • hmac_secret
  • issuer_certificate_chain
  • issuer_private_key
  • allowed_origins
  • secret
  • redirect_uris

Configuring Immich

The configuration of Immich can be adjusted by logging into the web application as admin. Then browse the administration and settings area.

Setting up OAuth

Visit your Immich web instance and login as admin. Then browse the URL /admin/system-settings. You'll find a setting named OAuth Authentication.

Adjust the key parameters as follows:

Here, a short explanation of the key settings:

  • ISSUER URL: This is the FQDN of your Authelia instance
  • CLIENT ID: This is the client name defined in Authelia's configuration.yml
  • CLIENT SECRET: This is the client secret defined in Authelia's configuration.yml
  • SCOPE: Can be left unchanged
  • STORAGE LABEL CLAIN: Can be left unchanged
  • BUTTON TEXT: Your prefered button text shown at the login page
  • AUTO REGISTER: Your prefered choice, whether Authelia users are automatically registered/created within Immich if not yet existing. I recommend setting this to false. Create the users manually!
  • AUTO LAUNCH: Whether the OAuth/OIDC authentication flow should be started automatically. If enabled, there won't be an option to use the local authentication flow with username and password anymore.
  • MOBILE REDIRECT URI OVERRIDE: Must be enabled to support proper redirections from Authelia browser login back to the Immich mobile app.
  • MOBILE REDIRECT URI: This is a specific URL provided by Immich, which will open the Immich mobile app if opened. Basically a custom scheme or deep link; see here. It consists of your Immich FQDN and the path /api/oauth/mobile-redirect.

Afterwards, you can hit the save button and test the newly configured OIDC SSO.

Both the web application as well as mobile application of Immich will show a new button to login via OAuth/OIDC. Just hit the button, authenticate against Authelia and you will be redirected to Immich as authenticated user.