[BUG]: Support Google OAuth #515

Closed
opened 2026-02-04 21:00:43 +03:00 by OVERLORD · 13 comments

Originally created by @TokugawaHeavyIndustries on GitHub (Dec 26, 2022).

Feature detail

Immich currently requires `app.immich:/` in the Redirect URIs for mobile application OAuth.

Google requires https for the Redirect URI scheme, per: https://developers.google.com/identity/protocols/oauth2/web-server#uri-validation

Screenshot of Google Cloud console:

image

(note http is not supported for production applications, so disregard that part of the error message in the above screenshot).

Platform

Server


@alextran1502 commented on GitHub (Dec 26, 2022):

Hmm is your username the mix of Borderland 3 and Ieyasu? 😛


@jrasm91 commented on GitHub (Dec 26, 2022):

You can register the mobile app redirect URI if you change the client to a mobile app.

https://developers.google.com/identity/protocols/oauth2/native-app

The problem with immich/Google oauth is that Google doesn't allow you to mix redirect URIs between web/mobile. Either the client is a web app with https redirects or a mobile app with custom scheme. You can't mix them.

We'll either have to have separate oauth config for mobile vs web or update the mobile flow to somehow use https and then add a mechanism to the web to automatically redirect to the mobile app afterwards.

I think the latter might be possible, but will require some more research.


@EnricoBilla commented on GitHub (Dec 27, 2022):

It should be possible to link an HTTP URL to the app (see https://stackoverflow.com/questions/16762357/oauth2-redirect-uri-for-android-application and https://stackoverflow.com/questions/2958701/launch-custom-android-application-from-android-browser). If this is correct it would be possible to keep the web flow and use it on mobile too.


@jrasm91 commented on GitHub (Dec 27, 2022):

True, it would just be a little tricky to get the right redirect URI. Right now it's not kept in immich anywhere. It comes from the web via `window.location`, which could be an IP or hostname, http or https. And it might change depending on what network you access it from. Basically it depends on a lot of things and I'm not sure how to know which one to reflect back to when the flow starts from the mobile app.


@EnricoBilla commented on GitHub (Dec 27, 2022):

And also I just forgot that URL must be set at compile time. With Immich everyone has a different URL to use, so it isn't possible


@jrasm91 commented on GitHub (Dec 29, 2022):

I think I have this fixed now. It's possible using a redirect like you originally suggested. It's just the URL needs to come from the user, so I added a setting/field for just that:

image
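
The approach discussed in this thread (Google redirects to a user-supplied HTTPS URL, and the web side then hands the result to `app.immich:/`) can be sketched as follows. This is an added example, not Immich's code: the function names, the host `photos.example.com` and the path `/oauth/mobile-redirect` are assumptions.

```javascript
// Added example, not Immich's code. Host, path and function names are assumptions.
const MOBILE_SCHEME_URI = 'app.immich:/'; // custom-scheme URI named in the issue
const FORWARDED_PARAMS = ['code', 'state', 'error', 'error_description'];

// Check the user-supplied HTTPS redirect URI before it is registered with the provider.
function validateOverrideUri(value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme must be https' };
  if (url.hash) return { ok: false, reason: 'fragment not allowed' };
  if (url.username || url.password) return { ok: false, reason: 'userinfo not allowed' };
  return { ok: true, uri: url.toString() };
}

// Turn the HTTPS callback the browser landed on into the app.immich:/ URI.
// The target is a constant, never taken from the request, so the endpoint
// cannot be used as an open redirect; only OAuth response parameters pass through.
function toMobileRedirect(callbackUrl, overrideUri) {
  const cb = new URL(callbackUrl);
  const expected = new URL(overrideUri);
  if (cb.origin !== expected.origin || cb.pathname !== expected.pathname) {
    throw new Error('callback does not match the configured redirect URI');
  }
  const out = new URLSearchParams();
  for (const name of FORWARDED_PARAMS) {
    const v = cb.searchParams.get(name);
    if (v !== null) out.set(name, v);
  }
  // The app needs state to tie the response to the login it started.
  if (!out.has('state')) throw new Error('missing state');
  return `${MOBILE_SCHEME_URI}?${out.toString()}`;
}
```
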


@TokugawaHeavyIndustries commented on GitHub (Dec 29, 2022):

This is awesome @jrasm91 . Thank you so much for the amazingly fast turnaround on this.


@TokugawaHeavyIndustries commented on GitHub (Dec 29, 2022):

@alextran1502 haha nah, username is from Metal Gear Solid :P


@jrasm91 commented on GitHub (Dec 29, 2022):

> This is awesome @jrasm91 . Thank you so much for the amazingly fast turnaround on this.

There is a docker tag with the PR number if you want to test it BTW.


@waclaw66 commented on GitHub (Jul 25, 2023):

Hello @TokugawaHeavyIndustries, could you please provide Immich OAuth configuration for Google? I don't know what's ISSUER URL in this case. Thanks.


@jrasm91 commented on GitHub (Jul 25, 2023):

> Hello @TokugawaHeavyIndustries, could you please provide Immich OAuth configuration for Google? I don't know what's ISSUER URL in this case. Thanks.

https://accounts.google.com/.well-known/openid-configuration


@waclaw66 commented on GitHub (Jul 26, 2023):

@jrasm91 Thanks, I was able to set up Google OAuth. The ISSUER URL for Google is just `https://accounts.google.com`. I would suggest to add more examples to docs.


@jrasm91 commented on GitHub (Jul 26, 2023):

Feel free to open a PR. Also the Google issuer url is already listed on the oauth docs page.
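
The two URL forms that came up in the ISSUER URL exchange above (the bare issuer and the `.well-known/openid-configuration` document) relate as shown below. This is an added example, not Immich's code; the function names are assumptions and the discovery document is a constructed sample trimmed to the fields it checks.

```javascript
// Added example, not Immich's code. Function names are assumptions.
const DISCOVERY_SUFFIX = '/.well-known/openid-configuration';

// Accept either form from the thread and return the bare issuer identifier.
function issuerFromInput(input) {
  let value = input.trim();
  if (value.endsWith(DISCOVERY_SUFFIX)) {
    value = value.slice(0, -DISCOVERY_SUFFIX.length);
  }
  const url = new URL(value); // throws on a non-absolute URL
  if (url.protocol !== 'https:') throw new Error('issuer must use https');
  if (url.search || url.hash) throw new Error('issuer must not carry query or fragment');
  return value;
}

// OIDC Discovery: drop a terminating "/" from the issuer, then append the suffix.
function discoveryUrl(issuer) {
  return issuer.replace(/\/$/, '') + DISCOVERY_SUFFIX;
}

// Return a list of problems; an empty list means the document is usable.
// The issuer comparison is an exact string match, so a document served by
// one provider cannot vouch for a different issuer.
function checkDiscoveryDocument(issuer, doc) {
  const problems = [];
  if (doc.issuer !== issuer) {
    problems.push(`issuer mismatch: expected ${issuer}, got ${doc.issuer}`);
  }
  for (const key of ['authorization_endpoint', 'token_endpoint', 'jwks_uri']) {
    if (typeof doc[key] !== 'string' || !doc[key].startsWith('https://')) {
      problems.push(`${key} missing or not https`);
    }
  }
  return problems;
}

// Constructed sample, trimmed to the fields checked above.
const SAMPLE_DOC = {
  issuer: 'https://accounts.google.com',
  authorization_endpoint: 'https://accounts.google.com/o/oauth2/v2/auth',
  token_endpoint: 'https://oauth2.googleapis.com/token',
  jwks_uri: 'https://www.googleapis.com/oauth2/v3/certs',
};
```
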

Reference: immich-app/immich#515