feat(server,web): migrate oauth settings from env to system config (#1061)

2025-08-07 23:03:36 +02:00 · 2022-12-09 15:51:42 -05:00
parent cefdd86b7f
commit 5e680551b9
69 changed files with 2079 additions and 1229 deletions
--- a/docs/docs/usage/oauth.md
+++ b/docs/docs/usage/oauth.md
@ -28,13 +28,13 @@ Before enabling OAuth in Immich, a new client application needs to be configured

 2. Configure Redirect URIs/Origins

-  The **Sign-in redirect URIs** should include:
+The **Sign-in redirect URIs** should include:
+
+- All URLs that will be used to access the login page of the Immich web client (eg. `http://localhost:2283/auth/login`, `http://192.168.0.200:2283/auth/login`, `https://immich.example.com/auth/login`)
+- Mobile app redirect URL `app.immich:/`

-  * All URLs that will be used to access the login page of the Immich web client (eg. `http://localhost:2283/auth/login`, `http://192.168.0.200:2283/auth/login`, `https://immich.example.com/auth/login`)
-  * Mobile app redirect URL `app.immich:/`
-  
 :::caution
-You **MUST** include `app.immich:/` as the redirect URI for iOS and Android mobile app to work properly. 
+You **MUST** include `app.immich:/` as the redirect URI for iOS and Android mobile app to work properly.

 **Authentik example**
 <img src={require('./img/authentik-redirect.png').default} title="Authentik Redirection URL" width="80%" />
@ -42,17 +42,17 @@ You **MUST** include `app.immich:/` as the redirect URI for iOS and Android mobi

 ## Enable OAuth

-Once you have a new OAuth client application configured, Immich can be configured using the following environment variables:
+Once you have a new OAuth client application configured, Immich can be configured using the Administration Settings page, available on the web (Administration -> Settings).

-| Key                 | Type    | Default              | Description                                                               |
+| Setting             | Type    | Default              | Description                                                               |
 | ------------------- | ------- | -------------------- | ------------------------------------------------------------------------- |
-| OAUTH_ENABLED       | boolean | false                | Enable/disable OAuth2                                                     |
-| OAUTH_ISSUER_URL    | URL     | (required)           | Required. Self-discovery URL for client (from previous step)              |
-| OAUTH_CLIENT_ID     | string  | (required)           | Required. Client ID (from previous step)                                  |
-| OAUTH_CLIENT_SECRET | string  | (required)           | Required. Client Secret (previous step)                                    |
-| OAUTH_SCOPE         | string  | openid email profile | Full list of scopes to send with the request (space delimited)            |
-| OAUTH_AUTO_REGISTER | boolean | true                 | When true, will automatically register a user the first time they sign in |
-| OAUTH_BUTTON_TEXT   | string  | Login with OAuth     | Text for the OAuth button on the web                                      |
+| OAuth enabled       | boolean | false                | Enable/disable OAuth2                                                     |
+| OAuth issuer URL    | URL     | (required)           | Required. Self-discovery URL for client (from previous step)              |
+| OAuth client ID     | string  | (required)           | Required. Client ID (from previous step)                                  |
+| OAuth client secret | string  | (required)           | Required. Client Secret (previous step)                                   |
+| OAuth scope         | string  | openid email profile | Full list of scopes to send with the request (space delimited)            |
+| OAuth button text   | string  | Login with OAuth     | Text for the OAuth button on the web                                      |
+| OAuth auto register | boolean | true                 | When true, will automatically register a user the first time they sign in |

 :::info
 The Issuer URL should look something like the following, and return a valid json document.
@ -63,14 +63,4 @@ The Issuer URL should look something like the following, and return a valid json
 The `.well-known/openid-configuration` part of the url is optional and will be automatically added during discovery.
 :::

-Here is an example of a valid configuration for setting up Immich to use OAuth with Authentik:
-
-```
-OAUTH_ENABLED=true
-OAUTH_ISSUER_URL=http://192.168.0.187:9000/application/o/immich
-OAUTH_CLIENT_ID=f08f9c5b4f77dcfd3916b1c032336b5544a7b368
-OAUTH_CLIENT_SECRET=6fe2e697644da6ff6aef73387a457d819018189086fa54b151a6067fbb884e75f7e5c90be16d3c688cf902c6974817a85eab93007d76675041eaead8c39cf5a2
-OAUTH_BUTTON_TEXT=Login with Authentik
-```
-
 [oidc]: https://openid.net/connect/