I've just set this up using Cloudflare Tunnels and a SaaS app for Immich. This assumes you've already set up an Auth Provider in Cloudflare Zero Trust Settings/Authentication. An example setup for Google can be found [here](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/set-up-warp/).

## Cloudflare Zero Trust / Networks Configuration

1. **Set up a Public Hostname**
   Create a public hostname in `Networks/Tunnels` for your tunnel (e.g., `immich.yourdomain.com`) with no access control.
2. **Create a SaaS Application**
   In Cloudflare Access, set up a SaaS application called **Immich**.
3. **OAuth Setup**
   Follow the OAuth setup for Immich as detailed [here](https://developers.cloudflare.com/cloudflare-one/setup/).
4. **Redirect URIs Configuration**
   In Cloudflare, configure the redirect URIs for Mobile, Local IP, and Hostname (the "public hostname" set in step 1):
   - `https://immich.yourdomain.com/api/oauth/mobile-redirect`
   - `http://local_IP:2283/auth/login`
   - `http://local_IP:2283/user-settings`
   - `https://immich.yourdomain.com/auth/login`
   - `https://immich.yourdomain.com/user-settings`

   **Note:** Replace `local_IP` with the local LAN IP address for the Immich server, and `immich.yourdomain.com` with your public domain.
5. **OpenID Connect (OIDC) Configuration**
   - Choose **OpenID Connect (OIDC)**.
   - Set **Scopes** to `openid email profile`.
   - Ensure you have at least the following Redirect URIs/Origins configured:
     - `https://immich.yourdomain.com/api/oauth/mobile-redirect`
     - `http://local_IP:2283/auth/login`
     - `http://local_IP:2283/user-settings`
     - `https://immich.yourdomain.com/auth/login`
     - `https://immich.yourdomain.com/user-settings`
6. **Disable PKCE**
   Disable **Proof Key for Code Exchange (PKCE)**.
7. **App Launcher URL**
   Set your App Launcher URL to your public hostname: `https://immich.yourdomain.com/`.
8. **Custom Icon Link**
   Add a custom icon link.
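Before pasting the Issuer URL, Client ID and Client Secret into Immich, a quick consistency check catches two things that break this kind of setup: an Issuer URL that does not match the provider's discovery document, and a redirect URI that differs by a single character (trailing slash, scheme, port) from the one registered in the SaaS app, since OAuth redirect matching is exact-string. This is an added example, not code from the post, Immich or Cloudflare; the `TEAM`/`CLIENT_ID` Issuer URL, the discovery document and `192.168.1.20` (standing in for `local_IP`) are constructed placeholders.

```python
import json

REQUIRED_SCOPES = {"openid", "email", "profile"}  # the Scopes value from step 5
# Constructed sample data: placeholder Issuer URL and a discovery document in the
# shape an OIDC provider serves for it (assumed layout; the values are not real).
SAMPLE_ISSUER = "https://TEAM.cloudflareaccess.com/cdn-cgi/access/sso/oidc/CLIENT_ID"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/authorization",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "jwks_uri": SAMPLE_ISSUER + "/jwks",
    "response_types_supported": ["code"],
    "scopes_supported": ["openid", "email", "profile", "groups"],
})
# Redirect URIs from steps 4/5, with 192.168.1.20 standing in for local_IP.
REGISTERED = [
    "https://immich.yourdomain.com/api/oauth/mobile-redirect",
    "http://192.168.1.20:2283/auth/login",
    "http://192.168.1.20:2283/user-settings",
    "https://immich.yourdomain.com/auth/login",
    "https://immich.yourdomain.com/user-settings",
]


def check_discovery(issuer: str, discovery_json: str) -> list[str]:
    """Return problems found in the discovery document; empty means consistent."""
    doc = json.loads(discovery_json)
    problems = []
    # OIDC Discovery requires the advertised issuer to equal the configured Issuer URL.
    if doc.get("issuer", "").rstrip("/") != issuer.rstrip("/"):
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {issuer!r}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append(f"scopes not advertised: {sorted(missing)}")
    for ep in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not doc.get(ep, "").startswith("https://"):
            problems.append(f"{ep} missing or not https")
    return problems


def check_redirects(registered: list[str], needed: list[str]) -> list[str]:
    """Flag URIs not registered verbatim (OAuth matches exact strings) or using plain http."""
    problems = []
    for uri in needed:
        if uri not in registered:
            problems.append(f"not registered (exact match required): {uri}")
        elif uri.startswith("http://"):
            problems.append(f"plain http, LAN use only: {uri}")
    return problems
```

To run it against a live tenant, fetch `<Issuer URL>/.well-known/openid-configuration` and pass the response body to `check_discovery` in place of the constructed document.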
## Policy Setup

Under **Policies**, add a policy:

- **Policy Name:** email
- **Action:** Allow
- **Create Additional Rules:** Include Login Methods: Your Auth Provider

Under **Authentication**, set it to whichever Identity Providers you want to support.

## Immich Configuration

1. Navigate to **Administration/Settings/OAuth Authentication**.
2. Input the values provided by Cloudflare Access for:
   - Issuer (Issuer URL)
   - Client ID
   - Client Secret
3. Click **Save**.

### Final Steps in Immich

Once tested and confirmed working, you can do the following:

- Enable **Auto Launch** to streamline the process.
- Under **Password Authentication**, disable it (this will force users to use OAuth).

This setup is working perfectly for me and integrates seamlessly with the app!

Citations:

[1] https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/set-up-warp/
[2] https://developers.cloudflare.com/cloudflare-one/setup/
[3] https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/cloudflared/
[4] https://developers.cloudflare.com/learning-paths/secure-internet-traffic/initial-setup/create-zero-trust-org/
[5] https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/
[6] https://www.youtube.com/watch?v=XYWJcS31PwI
[7] https://developers.cloudflare.com/cloudflare-one/policies/gateway/initial-setup/
[8] https://community.cloudflare.com/t/how-do-i-set-up-zero-trust-step-by-step/658465