feat(server)!: oauth encryption algorithm setting

[danieldietzler]

Notes from @jrasm91:

Warning

Breaking Change

OAuth setups using HS256 (mainly Authentik) will need to either (1) update the signing algorithm in Immich or (2) specify a signing key in the provider settings (so that it uses RS256 instead).

Specify a signing key in Authentik:

Screencast.from.02-02-2024.12.05.04.AM.webm

New Immich OAuth Setting

Background

RS256 is generally better than HS256. RS256 is pretty much the most commonly used algorithm. The client library we use for open-id defaults to RS256. It's very easy to setup Authentik without specifying a signing key, which will default to use HS256. The original implementation added a hack/fallback to HS256 in some conditions to try to handle that situation. The current code removes the fallback, and adds a specific Signing Algortithm setting which can be explicitly set. Alternatively, the issue could be fixed by specifying a signing key in Authentik.

References:

• https://auth0.com/blog/rs256-vs-hs256-whats-the-difference/
• Fixes [BUG] Supporting multiple OAuth token algorithms #6271

[cloudflare-pages]

Deploying with    Cloudflare Pages

Latest commit:	2045473
Status:	✅  Deploy successful!
Preview URL:	https://ba621f74.immich.pages.dev
Branch Preview URL:	https://feat-oauth-encryption-algori.immich.pages.dev

View logs

[halkeye]

Well this was a fun redirect loop.

For anyone else surprised by this and disabled local login

insert into system_config VALUES ('oauth.signingAlgorithm', '"HS256"');

I'm still trying to figure out how to configure authentik with cert-manager to use rs instead

[muava12]

i'm a noob in outh, how to do "(1) update the signing algorithm in Immich " as mentioned in release note??

[jrasm91]

i'm a noob in outh, how to do "(1) update the signing algorithm in Immich " as mentioned in release note??

Log in as the immich admin and click on "Administration" then "Settings" then "OAuth"