Photoprism using Authentik oauth/oidc identity provider

Author

Norbert Takács

Date Published

Prerequisites

To enable external authentication in Photoprism, both Authentik and Photoprism have to be reachable over HTTPS with a valid SSL certificate (I achieved this with the SWAG nginx reverse proxy).

Create a confidential application; this application will use the provider we created earlier. The slug is important since it will be used in the /.well-known/ URL. In the UI settings you can set the icon that will be shown on the Authentik dashboard.

Create a Photoprism provider. The redirect URL should be set to https://photoprism.domain/api/v1/oidc/redirect. If the slug was set to photoprism, the well-known URL needed for the flow will be:

https://authentik.domain/application/o/photoprism/.well-known/openid-configuration

with the following URLs inside:

```jsonc
{
  "issuer": "https://authentik.domain/application/o/photoprism/",
  "authorization_endpoint": "https://authentik.domain/application/o/authorize/",
  "token_endpoint": "https://authentik.domain/application/o/token/",
  "userinfo_endpoint": "https://authentik.domain/application/o/userinfo/",
  "end_session_endpoint": "https://authentik.domain/application/o/photoprism/end-session/",
  "introspection_endpoint": "https://authentik.domain/application/o/introspect/",
  "revocation_endpoint": "https://authentik.domain/application/o/revoke/",
  "device_authorization_endpoint": "https://authentik.domain/application/o/device/"
  // ...
}
```

The Docker environment variables will then look like the following:

```sh
# The image name and any remaining options are not shown on the original page.
docker run \
  -d \
  --name='photoprism' \
  --pids-limit 2048 \
  -e TZ="Europe/Berlin" \
  -e PHOTOPRISM_OIDC_URI='https://authentik.domain/application/o/photoprism/' \
  -e PHOTOPRISM_OIDC_CLIENT='client' \
  -e PHOTOPRISM_OIDC_SECRET='secret' \
  -e PHOTOPRISM_OIDC_PROVIDER='authentik' \
  -e PHOTOPRISM_OIDC_REDIRECT='true' \
  -e PHOTOPRISM_OIDC_REGISTER='true' \
  -e PHOTOPRISM_OIDC_ICON='/static/img/oidc.svg' \
  -e PHOTOPRISM_OIDC_USERNAME='email' \
  -e PHOTOPRISM_DISABLE_TLS='true' \
  -e PHOTOPRISM_SITE_URL='https://photoprism.domain'
```

Setting PHOTOPRISM_OIDC_REDIRECT to true makes Photoprism redirect users who are not yet authenticated to the Authentik login page.

At this point you should see the Authentik button on the login page. If not, double-check all the properties, especially the SSL certificates. The trailing slash in the issuer also has to match the format used in the well-known document.
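The two checks that catch most failed setups (issuer and PHOTOPRISM_OIDC_URI differing by a trailing slash, and an endpoint not served over HTTPS) can be scripted against the discovery document. The following is an added example, not code from the post or from Photoprism; the discovery JSON and environment are constructed from the values shown above, and the function names are my own.

```python
import json
from urllib.parse import urlparse

# Constructed sample: the discovery document shown above (abridged).
DISCOVERY_JSON = """{
  "issuer": "https://authentik.domain/application/o/photoprism/",
  "authorization_endpoint": "https://authentik.domain/application/o/authorize/",
  "token_endpoint": "https://authentik.domain/application/o/token/",
  "userinfo_endpoint": "https://authentik.domain/application/o/userinfo/",
  "end_session_endpoint": "https://authentik.domain/application/o/photoprism/end-session/"
}"""

# Constructed sample: the PhotoPrism environment from the docker run command above.
PHOTOPRISM_ENV = {
    "PHOTOPRISM_OIDC_URI": "https://authentik.domain/application/o/photoprism/",
    "PHOTOPRISM_OIDC_CLIENT": "client",
    "PHOTOPRISM_OIDC_SECRET": "secret",
    "PHOTOPRISM_SITE_URL": "https://photoprism.domain",
}

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")


def check_oidc_config(env: dict, discovery_json: str) -> list[str]:
    """Return a list of misconfigurations; an empty list means the pairing is consistent."""
    problems = []
    disc = json.loads(discovery_json)
    issuer = disc.get("issuer", "")
    uri = env.get("PHOTOPRISM_OIDC_URI", "")
    # The issuer comparison is exact: a missing or extra trailing slash breaks discovery.
    if uri != issuer:
        problems.append(f"PHOTOPRISM_OIDC_URI {uri!r} != issuer {issuer!r} (check trailing slash)")
    # Every URL the browser or PhotoPrism will call must be HTTPS, or the flow fails.
    for key in ("issuer", *REQUIRED_ENDPOINTS):
        value = disc.get(key)
        if value is None:
            problems.append(f"discovery document lacks {key}")
        elif urlparse(value).scheme != "https":
            problems.append(f"{key} is not served over https: {value}")
    if urlparse(env.get("PHOTOPRISM_SITE_URL", "")).scheme != "https":
        problems.append("PHOTOPRISM_SITE_URL must be https so the registered redirect URI matches")
    for key in ("PHOTOPRISM_OIDC_CLIENT", "PHOTOPRISM_OIDC_SECRET"):
        if not env.get(key):
            problems.append(f"{key} is empty")
    return problems


def expected_redirect_uri(env: dict) -> str:
    """The redirect URL that must be registered on the Authentik provider."""
    return env["PHOTOPRISM_SITE_URL"].rstrip("/") + "/api/v1/oidc/redirect"
```

In a live setup, replace DISCOVERY_JSON with the body fetched from the well-known URL and PHOTOPRISM_ENV with the container's environment.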

Upon logging in, a new guest user will be created with no access to the photos. You will want to tie this OIDC identity to the admin user that is already registered. We will do that next.

```sh
photoprism users ls                                                   # list users
photoprism users show user@gmail.com                                  # copy the AuthId value of the new user
photoprism users rm user@gmail.com                                    # delete the "new" user; it is not needed
photoprism users mod --auth-id AuthId --auth oidc your_old_username   # attach the copied OIDC details to your old user
```

Log in via OIDC, and you will land in your old profile with admin access.