feat(server)!: oauth encryption algorithm setting #6818
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Deploying with
|
| Latest commit: |
2045473
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://ba621f74.immich.pages.dev |
| Branch Preview URL: | https://feat-oauth-encryption-algori.immich.pages.dev |
jrasm91
reviewed
Jan 31, 2024
danieldietzler
force-pushed
the
feat/oauth-encryption-algorithm-setting
branch
from
f0d17b7
to
8bb21c5
Compare
jrasm91
force-pushed
the
feat/oauth-encryption-algorithm-setting
branch
from
8bb21c5
to
2045473
Compare
jrasm91
approved these changes
Feb 2, 2024
jrasm91
changed the title
|
Well this was a fun redirect loop. For anyone else surprised by this and disabled local login I'm still trying to figure out how to configure authentik with cert-manager to use rs instead |
|
i'm a noob in outh, how to do "(1) update the signing algorithm in Immich " as mentioned in release note?? |
Log in as the immich admin and click on "Administration" then "Settings" then "OAuth" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Notes from @jrasm91:
Warning
Breaking Change
OAuth setups using
HS256(mainly Authentik) will need to either (1) update the signing algorithm in Immich or (2) specify a signing key in the provider settings (so that it usesRS256instead).Specify a signing key in Authentik:
Screencast.from.02-02-2024.12.05.04.AM.webm
New Immich OAuth Setting
Background
RS256is generally better thanHS256.RS256is pretty much the most commonly used algorithm. The client library we use for open-id defaults toRS256. It's very easy to setup Authentik without specifying a signing key, which will default to useHS256. The original implementation added a hack/fallback toHS256in some conditions to try to handle that situation. The current code removes the fallback, and adds a specificSigning Algortithmsetting which can be explicitly set. Alternatively, the issue could be fixed by specifying a signing key in Authentik.References: