[Feature] Allow up to a few HTTP redirects while resolving SSO well-known configuration

[Bert-Proesmans]

I have searched the existing feature requests, both open and closed, to make sure this is not a duplicate request.

• Yes

The feature

Context

I'm experimenting with a HTTP-based (not IP-anycast) load-balanced single sign-on provider. The effect is that clients are redirected from a generic URL to a specific URL eg,
idm.mydomain.example into nuremberg.idm.mydomain.example.

Reproduction

Launch Immich-server with a single sign-on configuration that validates but doesn't have to work end-to-end.
Fill in a URL that replies with an HTTP redirect into the setting oauth.issuerUrl eg, oauth.issuerUrl = "https://idm.mydomain.example/<whatever the client-id>/.well-known/openid-configuration";

In the web-server configuration, setup an HTTP redirect (status code 3XX) for host idm.mydomain.example to nuremberg.idm.mydomain.example with retention of path and parameters/arguments.

Behaviour

Immich starts the single sign-on process requesting https://idm.mydomain.example/<whatever the client-id>/.well-known/openid-configuration but the server replies with a redirect. Immich then fails the process.

Systemd log excerpt

aug 16 21:26:47 buddy immich[1801]: [Nest] 1801  - 16/08/2025, 23:26:47   ERROR [Api:OAuthRepository~ln0wp1qf] ClientError: unexpected HTTP response status code
aug 16 21:26:47 buddy immich[1801]:     at e (file:///nix/store/1mk6jqhjjq1w6v9lfz9jf837d2nzzfrf-immich-1.137.3/node_modules/openid-client/build/index.js:116:12)
aug 16 21:26:47 buddy immich[1801]:     at errorHandler (file:///nix/store/1mk6jqhjjq1w6v9lfz9jf837d2nzzfrf-immich-1.137.3/node_modules/openid-client/build/index.js:133:23)
aug 16 21:26:47 buddy immich[1801]:     at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
aug 16 21:26:47 buddy immich[1801]:     at async performDiscovery (file:///nix/store/1mk6jqhjjq1w6v9lfz9jf837d2nzzfrf-immich-1.137.3/node_modules/openid-client/build/index.js:266:16)
aug 16 21:26:47 buddy immich[1801]:     at async discovery (file:///nix/store/1mk6jqhjjq1w6v9lfz9jf837d2nzzfrf-immich-1.137.3/node_modules/openid-client/build/index.js:243:16)
aug 16 21:26:47 buddy immich[1801]:     at async OAuthRepository.getClient (/nix/store/1mk6jqhjjq1w6v9lfz9jf837d2nzzfrf-immich-1.137.3/dist/repositories/oauth.repository.js:85:20)
aug 16 21:26:47 buddy immich[1801]:     at async OAuthRepository.authorize (/nix/store/1mk6jqhjjq1w6v9lfz9jf837d2nzzfrf-immich-1.137.3/dist/repositories/oauth.repository.js:25:24)
aug 16 21:26:47 buddy immich[1801]:     at async AuthService.authorize (/nix/store/1mk6jqhjjq1w6v9lfz9jf837d2nzzfrf-immich-1.137.3/dist/services/auth.service.js:167:16)
aug 16 21:26:47 buddy immich[1801]:     at async OAuthController.startOAuth (/nix/store/1mk6jqhjjq1w6v9lfz9jf837d2nzzfrf-immich-1.137.3/dist/controllers/oauth.controller.js:36:46)

Example HTTP response

HTTP/2 302 
content-length: 0
location: https://nuremberg.mydomain.example/<whatever the client-id>/.well-known/openid-configuration
cache-control: no-cache
X-Firefox-Spdy: h2

Expected behaviour / feature request

Is it possible to make Immich follow redirects for the openid-configuration file URL? Maybe something like 'up to 3' or so?

Further discussion; the paths returned inside the openid-configuration file might also be generic and must be followed eg,
userinfo_endpoint: "https://idm.mydomain.example/<whatever the client-id>/userinfo" into "https://nuremberg.idm.mydomain.example//userinfo"

Platform

• Server
• Web
• Mobile

[Bert-Proesmans]

Followup when allowing redirects, there are some more validations that fail.
The systemd based error below happens right after accepting questions from the single sign-on provider and being redirected back to immich with an authorization token. As you can see immich attempts to resolve an access token with the authorization token, but fails because it doesn't expect a redirect.

aug 16 21:58:29 buddy immich[4957]: [Nest] 4957  - 16/08/2025, 23:58:29   ERROR [Api:OAuthRepository~yewcm8ro] OAuth login failed: unexpected HTTP response status code
aug 16 21:58:29 buddy immich[4957]: [Nest] 4957  - 16/08/2025, 23:58:29   ERROR [Api:OAuthRepository~yewcm8ro] ClientError: unexpected HTTP response status code
aug 16 21:58:29 buddy immich[4957]:     at e (file:///nix/store/1mk6jqhjjq1w6v9lfz9jf837d2nzzfrf-immich-1.137.3/node_modules/openid-client/build/index.js:116:12)
aug 16 21:58:29 buddy immich[4957]:     at errorHandler (file:///nix/store/1mk6jqhjjq1w6v9lfz9jf837d2nzzfrf-immich-1.137.3/node_modules/openid-client/build/index.js:133:23)
aug 16 21:58:29 buddy immich[4957]:     at authorizationCodeGrant (file:///nix/store/1mk6jqhjjq1w6v9lfz9jf837d2nzzfrf-immich-1.137.3/node_modules/openid-client/build/index.js:953:9)
aug 16 21:58:29 buddy immich[4957]:     at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
aug 16 21:58:29 buddy immich[4957]:     at async OAuthRepository.getProfile (/nix/store/1mk6jqhjjq1w6v9lfz9jf837d2nzzfrf-immich-1.137.3/dist/repositories/oauth.repository.js:53:28)
aug 16 21:58:29 buddy immich[4957]:     at async AuthService.callback (/nix/store/1mk6jqhjjq1w6v9lfz9jf837d2nzzfrf-immich-1.137.3/dist/services/auth.service.js:180:25)
aug 16 21:58:29 buddy immich[4957]:     at async OAuthController.finishOAuth (/nix/store/1mk6jqhjjq1w6v9lfz9jf837d2nzzfrf-immich-1.137.3/dist/controllers/oauth.controller.js:46:22) {
aug 16 21:58:29 buddy immich[4957]:   code: 'OAUTH_RESPONSE_IS_NOT_CONFORM',
aug 16 21:58:29 buddy immich[4957]:   [cause]: Response {
aug 16 21:58:29 buddy immich[4957]:     status: 302,
aug 16 21:58:29 buddy immich[4957]:     statusText: 'Found',
aug 16 21:58:29 buddy immich[4957]:     headers: Headers {
aug 16 21:58:29 buddy immich[4957]:       'content-length': '0',
aug 16 21:58:29 buddy immich[4957]:       location: 'https://nuremberg.idm.mydomain.example/token',
aug 16 21:58:29 buddy immich[4957]:       'cache-control': 'no-cache'
aug 16 21:58:29 buddy immich[4957]:     },
aug 16 21:58:29 buddy immich[4957]:     body: ReadableStream {
aug 16 21:58:29 buddy immich[4957]:       locked: false,
aug 16 21:58:29 buddy immich[4957]:       state: 'readable',
aug 16 21:58:29 buddy immich[4957]:       supportsBYOB: true
aug 16 21:58:29 buddy immich[4957]:     },
aug 16 21:58:29 buddy immich[4957]:     bodyUsed: false,
aug 16 21:58:29 buddy immich[4957]:     ok: false,
aug 16 21:58:29 buddy immich[4957]:     redirected: false,
aug 16 21:58:29 buddy immich[4957]:     type: 'basic',
aug 16 21:58:29 buddy immich[4957]:     url: 'https://idm.mydomain.example/<whatever the client-id>/token'
aug 16 21:58:29 buddy immich[4957]:   }
aug 16 21:58:29 buddy immich[4957]: }
aug 16 21:58:29 buddy immich[4957]: [Nest] 4957  - 16/08/2025, 23:58:29   ERROR [Api:ErrorInterceptor~yewcm8ro] Unknown error: Error: OAuth login failed
aug 16 21:58:29 buddy immich[4957]: Error: OAuth login failed
aug 16 21:58:29 buddy immich[4957]:     at OAuthRepository.getProfile (/nix/store/1mk6jqhjjq1w6v9lfz9jf837d2nzzfrf-immich-1.137.3/dist/repositories/oauth.repository.js:69:19)
aug 16 21:58:29 buddy immich[4957]:     at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
aug 16 21:58:29 buddy immich[4957]:     at async AuthService.callback (/nix/store/1mk6jqhjjq1w6v9lfz9jf837d2nzzfrf-immich-1.137.3/dist/services/auth.service.js:180:25)
aug 16 21:58:29 buddy immich[4957]:     at async OAuthController.finishOAuth (/nix/store/1mk6jqhjjq1w6v9lfz9jf837d2nzzfrf-immich-1.137.3/dist/controllers/oauth.controller.js:46:22)

[Bert-Proesmans]

Looks like this is against open-id standards;
Redirects are explicitly not allowed for the well-known configuration url; https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
Redirects are not discussed for the token endpoint; https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse