Missing Google OAuth 2.0 Account Selection When Multiple Accounts Are Signed In

[alice2o25]

Missing Google OAuth 2.0 Account Selection When Multiple Accounts Are Signed In

Description

When attempting to log in to Immich via Google OAuth 2.0, the application does not prompt the user to select a Google account if multiple accounts are signed in within the browser or mobile app. Instead, it automatically uses the primary (default) Google account. If this account is not registered in Immich and auto-registering is disabled, the login fails with the error message: "User does not exist and auto registering is disabled."

This behavior causes issues for users who are signed into multiple Google accounts in their browser (e.g., for other applications like Gmail or Google Drive) or in the Immich mobile app. They are not given the option to choose the correct account for Immich, leading to a failed login unless they sign out of other Google accounts or use an incognito browser tab/mobile app instance.

Steps to Reproduce

1. Ensure multiple Google accounts are signed in within the same browser (e.g., via Gmail or another Google service) or in the Immich mobile app.
2. Navigate to the Immich login page (/auth/login) on the web or initiate Google OAuth 2.0 login in the Immich mobile app.
3. Observe that no account selection prompt is shown, and Immich attempts to authenticate with the primary Google account.
4. If the primary Google account is not registered in Immich and AUTO REGISTER is set to false, the error "User does not exist and auto registering is disabled" is displayed.

Expected Behavior

• When multiple Google accounts are signed in, Immich should prompt the user to select the desired Google account for authentication (e.g., by including the prompt=select_account parameter in the Google OAuth request) on both the web and mobile app.
• This would allow users to choose the correct account without needing to sign out of other Google accounts or use an incognito tab/mobile app instance.

Actual Behavior

• Immich automatically uses the primary Google account without offering a selection prompt in both the web interface and the mobile app.
• If the primary account is not registered and auto-registering is disabled, the login fails with the error: "User does not exist and auto registering is disabled."

Environment

• Immich Version: [Insert your Immich version, e.g., v1.137.0]
• Deployment Method: [e.g., Docker, self-hosted]
• Browser: [e.g., Chrome 129.0, Firefox 132.0]
• Mobile App: Issue occurs in the Immich mobile app (iOS/Android) when multiple Google accounts are signed in.
• OAuth Configuration: Google OAuth 2.0 enabled, AUTO REGISTER set to false
• Server Logs: [Include relevant logs if available, e.g., from docker logs immich_server]

Suggested Fix

• Add the prompt=select_account parameter to the Google OAuth 2.0 authentication request to ensure users are prompted to select a Google account, even if multiple accounts are signed in, on both the web and mobile app.
• Alternatively, provide an option in the Immich OAuth configuration to enable account selection explicitly.

Workaround

• Users must sign out of all other Google accounts in the browser or mobile app or use an incognito tab/mobile app instance to log in with the correct account.
• As an admin, manually registering user accounts or enabling AUTO REGISTER resolves the issue but may not be desirable for controlled environments.

Additional Context

• This issue affects both admin and regular users of the Immich instance on both the web and mobile app.
• The lack of an account selection prompt creates a poor user experience, especially for users with multiple Google accounts.
• Similar issues have been reported in other applications using Google OAuth, where adding prompt=select_account resolved the problem.

Thank you for addressing this issue. Please let me know if additional details or logs are needed to assist with debugging.

[bo0tzz]

Immich has no hand in whether a user select screen is shown, this seems like an issue in your config on the oauth provider side.

[alice2o25]

Thank you for the response. I’ve verified the Google OAuth configuration in the Google Cloud Console, and the Client ID, Client Secret, and Redirect URIs are correctly set up (e.g., Redirect URI: https://my-domain.com/auth/login for web, app.immich:///oauth-callback for mobile; Scopes: openid, profile, email). The issue persists on both the web and mobile app when multiple Google accounts are signed in, as Immich uses the primary account without prompting for account selection.

According to Google’s OAuth 2.0 documentation, the prompt=select_account parameter can be included in the authentication request to force an account selection prompt. This parameter is set by the client application (Immich) during the OAuth flow, not in the Google Cloud Console. Could you confirm whether Immich currently includes this parameter in its OAuth request? If not, adding prompt=select_account (or making it configurable in the OAuth settings) would resolve the issue for users with multiple Google accounts.

[alice2o25]

On Immich v1.138.0, OAuth reset done, issue persists. Incognito mode (one Google account) logs in fine. Normal mode with multiple accounts skips the selection prompt, login fails (auto-register disabled). Redirect URIs are correct: https://my-domain.com/auth/login, .../user-settings, .../api/oauth/mobile-redirect. Adding ?prompt=select_account causes "Error 400: invalid_request". Can Immich add prompt=select_account to force the account picker?