Cloudflare Tunnels with SSO/OAuth working for immich
README.md (Add README.md, 2024-10-07 13:20:56 +05:30)

I've just set this up using Cloudflare Tunnels and a SaaS app for Immich. This assumes you've already set up an Auth Provider in Cloudflare Zero Trust Settings/Authentication. An example setup for Google can be found here.

Cloudflare Zero Trust / Networks Configuration

  1. Set up a Public Hostname
    Create a public hostname in Networks/Tunnels for your tunnel (e.g., immich.yourdomain.com) with no access control.

  2. Create a SaaS Application
    In Cloudflare Access, set up a SaaS application called Immich.

  3. OAuth Setup
    Follow the OAuth setup for Immich as detailed here.

  4. Redirect URIs Configuration
    In Cloudflare, configure the redirect URIs for Mobile, Local IP, and Hostname (the "public hostname" set in step 1):

    • https://immich.yourdomain.com/api/oauth/mobile-redirect
    • http://local_IP:2283/auth/login
    • http://local_IP:2283/user-settings
    • https://immich.yourdomain.com/auth/login
    • https://immich.yourdomain.com/user-settings

    Note: Replace local_IP with the local LAN IP address for the Immich server, and immich.yourdomain.com with your public domain.

  5. OpenID Connect (OIDC) Configuration

    • Choose OpenID Connect (OIDC).
    • Set Scopes to openid email profile.
    • Ensure you have at least the following Redirect URIs/Origins configured:
      • https://immich.yourdomain.com/api/oauth/mobile-redirect
      • http://local_IP:2283/auth/login
      • http://local_IP:2283/user-settings
      • https://immich.yourdomain.com/auth/login
      • https://immich.yourdomain.com/user-settings

  6. Disable PKCE
    Disable Proof Key for Code Exchange (PKCE).

  7. App Launcher URL
    Set your App Launcher URL to your public hostname: https://immich.yourdomain.com/.

  8. Custom Icon Link
    Add a custom icon link.

Policy Setup

Under Policies, add a policy:

  • Policy Name: email
  • Action: Allow
  • Create Additional Rules: Include Login Methods: Your Auth Provider

Under Authentication, set it to whichever Identity Providers you want to support.

Immich Configuration

  1. Navigate to Administration/Settings/OAuth Authentication.
  2. Input the values provided by Cloudflare Access for:
    • Issuer (Issuer URL)
    • Client ID
    • Client Secret
  3. Click Save.

Final Steps in Immich

Once tested and confirmed working, you can do the following:

  • Enable Auto Launch to streamline the process.
  • Under Password Authentication, disable password login (this forces users to sign in with OAuth).

This setup is working perfectly for me and integrates seamlessly with the app!
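As an added example (not part of the original README, and not Immich or Cloudflare code), the following Python checker builds the redirect URI set the steps above register from a public hostname and LAN IP, and compares Immich's Issuer, scopes and the registered URIs against the provider's OIDC discovery document. The hostname immich.yourdomain.com, the LAN IP 192.168.1.50, and the issuer and endpoint paths in the sample discovery document are constructed placeholders; it also flags a stale or extra redirect URI that the expected set does not contain.

```python
REQUIRED_SCOPES = {"openid", "email", "profile"}
IMMICH_PORT = 2283  # default port the README uses in the LAN redirect URIs


def expected_redirect_uris(public_host, local_ip, port=IMMICH_PORT):
    """Redirect URIs the README registers: the mobile callback plus the login and
    user-settings pages, reached via the public hostname (https) and the LAN IP (http)."""
    public = f"https://{public_host}"
    local = f"http://{local_ip}:{port}"
    return {
        f"{public}/api/oauth/mobile-redirect",
        f"{public}/auth/login",
        f"{public}/user-settings",
        f"{local}/auth/login",
        f"{local}/user-settings",
    }


def check_setup(discovery, issuer_in_immich, scopes, configured_uris, public_host, local_ip):
    """Compare Immich's OAuth settings and the Cloudflare SaaS app's redirect URIs with
    the provider's OIDC discovery document. Returns a list of findings (strings);
    an empty list means the settings are consistent."""
    findings = []
    if discovery.get("issuer", "").rstrip("/") != issuer_in_immich.rstrip("/"):
        findings.append("Issuer URL in Immich does not match the discovery document")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in discovery:
            findings.append(f"discovery document is missing {key}")
    missing = REQUIRED_SCOPES - set(scopes.split())
    if missing:
        findings.append("scopes missing: " + " ".join(sorted(missing)))
    expected = expected_redirect_uris(public_host, local_ip)
    for uri in sorted(expected - configured_uris):
        findings.append(f"redirect URI not registered in Cloudflare: {uri}")
    for uri in sorted(configured_uris - expected):
        # Every registered URI is a place the provider will send an authorization
        # code, so anything outside the expected set should be reviewed.
        findings.append(f"unexpected redirect URI registered: {uri}")
    return findings


# Constructed placeholder discovery document (issuer format and endpoint paths are
# invented); copy the real Issuer, Client ID and Client Secret from Cloudflare Access.
SAMPLE_ISSUER = "https://placeholder-team.cloudflareaccess.com/oidc/PLACEHOLDER_CLIENT_ID"
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/authorization",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "jwks_uri": SAMPLE_ISSUER + "/jwks",
}
```

Run check_setup with the Issuer and scopes you entered in Immich and the redirect URIs you registered in the SaaS app; the trailing-slash normalisation on the issuer avoids a false mismatch when one side was pasted with a slash.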
