[GH-ISSUE #898] OAuth login failed: OAuthSignin #589

Open
opened 2026-03-02 11:51:06 +03:00 by kerem · 8 comments
Owner

Originally created by @JeremyMusick on GitHub (Jan 17, 2025).
Original GitHub issue: https://github.com/karakeep-app/karakeep/issues/898

Describe the Bug

I'm trying to configure OAuth via Authentik. I'm having the error message "OAuth login failed: OAuthSignIn".

Steps to Reproduce

Compose file:

```
version: "3.8"
services:
  web:
    image: ghcr.io/hoarder-app/hoarder:${HOARDER_VERSION:-release}
    restart: unless-stopped
    volumes:
      - data:/data
    ports:
      - 3000:3000
    env_file:
      - stack.env
    environment:
      NEXTAUTH_URL: https://hoarder.MyDomain.com
      NEXTAUTH_URL_INTERNAL: http://localhost:3000
      MEILI_ADDR: http://meilisearch:7700
      BROWSER_WEB_URL: http://chrome:9222
      OPENAI_API_KEY: CENSORED
      DATA_DIR: /data
      OAUTH_WELLKNOWN_URL: https://auth.MyDomain.com/application/o/hoarder/.well-known/openid-configuration
      OAUTH_CLIENT_SECRET: CENSORED
      OAUTH_CLIENT_ID: CENSORED
      OAUTH_SCOPE: openid email profile
      OAUTH_PROVIDER_NAME: Authentik
      OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING: true
  chrome:
    image: gcr.io/zenika-hub/alpine-chrome:123
    restart: unless-stopped
    command:
      - --no-sandbox
      - --disable-gpu
      - --disable-dev-shm-usage
      - --remote-debugging-address=0.0.0.0
      - --remote-debugging-port=9222
      - --hide-scrollbars
  meilisearch:
    image: getmeili/meilisearch:v1.6
    restart: unless-stopped
    env_file:
      - stack.env
    environment:
      MEILI_NO_ANALYTICS: "true"
    volumes:
      - meilisearch:/meili_data

volumes:
  meilisearch:
    driver: local
    driver_opts:
      type: nfs
      o: addr=IP.IP.IP.IP,rw
      device: :/File/Share
  data:
    driver: local
    driver_opts:
      type: nfs
      o: addr=IP.IP.IP.IP,rw
      device: :/File/Share
```

Expected Behaviour

Successful login

Screenshots or Additional Context

No response

Device Details

No response

Exact Hoarder Version

0.21.0

Have you checked the troubleshooting guide?

  • I have checked the troubleshooting guide and I haven't found a solution to my problem

@MohamedBassem commented on GitHub (Jan 18, 2025):

Can you share the logs of the web container after the login attempt?


@JeremyMusick commented on GitHub (Jan 18, 2025):

```
[next-auth][error][SIGNIN_OAUTH_ERROR] 
https://next-auth.js.org/errors#signin_oauth_error self-signed certificate {
  error: {
    message: 'self-signed certificate',
    stack: 'Error: self-signed certificate\n' +
      '    at TLSSocket.onConnectSecure (node:_tls_wrap:1679:34)\n' +
      '    at TLSSocket.emit (node:events:524:28)\n' +
      '    at TLSSocket._finishInit (node:_tls_wrap:1078:8)\n' +
      '    at ssl.onhandshakedone (node:_tls_wrap:864:12)\n' +
      '    at TLSWrap.callbackTrampoline (node:internal/async_hooks:130:17)',
    name: 'Error'
  },
  providerId: 'custom',
  message: 'self-signed certificate'
}
```

@iamdangry commented on GitHub (Apr 19, 2025):

I know it is a few months down the track, but I had this issue. Unsure of your exact stack, mine is SWAG, Authentik & Karakeep all on the same host. What it turned out to be is Karakeep would resolve my Authentik domain to the public IP of my host (as expected), but for whatever reason would result in HTTP500 (some loopback shenanigans I expect, didn't dig too deep).

I added an alias to my SWAG container for my Authentik FQDN and OAuth now works with Karakeep resolving to a private address.


@HavocWyrm commented on GitHub (Aug 17, 2025):

I'm having the same issue, but a different error in the logs. Not sure why it is timing out - I've confirmed the OIDC provider is up and running and other services can log in via it. I did have this working on Karakeep previously and haven't changed the .env values recently.

```
[next-auth][error][SIGNIN_OAUTH_ERROR] 
https://next-auth.js.org/errors#signin_oauth_error outgoing request timed out after 3500ms {
  error: {
    message: 'outgoing request timed out after 3500ms',
    stack: 'n: outgoing request timed out after 3500ms\n' +
      '    at /app/apps/web/.next/server/chunks/8169.js:36:37481\n' +
      '    at async g.discover (/app/apps/web/.next/server/chunks/8169.js:36:42202)\n' +
      '    at async s (/app/apps/web/.next/server/chunks/8169.js:3:37788)\n' +
      '    at async o (/app/apps/web/.next/server/chunks/8169.js:3:30145)\n' +
      '    at async Object.o (/app/apps/web/.next/server/chunks/8169.js:27:8657)\n' +
      '    at async g (/app/apps/web/.next/server/chunks/8169.js:3:15688)\n' +
      '    at async a (/app/apps/web/.next/server/chunks/8169.js:27:19776)\n' +
      '    at async e.length.t (/app/apps/web/.next/server/chunks/8169.js:27:21265)\n' +
      '    at async /app/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:38411\n' +
      '    at async e_.execute (/app/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:27880)',
    name: 'n'
  },
  providerId: 'custom',
  message: 'outgoing request timed out after 3500ms'
}
```

@Eragos commented on GitHub (Aug 18, 2025):

@HavocWyrm within a different error (log) it mustn't be the same issue :-D

To help you, we need some more information:

  • The Docker Compose incl. environment
  • The OIDC provider config would be truly helpful

Please x-out the private/security parts. Maybe it's a good idea to use the discussion section for that ;-)

PS: Timeout is possible e.g. when you have a wrong OIDC redirect URL or other stuff.

Best, Michael


@HavocWyrm commented on GitHub (Sep 7, 2025):

@Eragos Sorry for the delay in answering you. I've started a discussion thread here (https://github.com/karakeep-app/karakeep/discussions/1906) with the information you requested


@the-mentor commented on GitHub (Sep 30, 2025):

I had a similar issue and it looks like there might be something going on with Karakeep and "Let's Encrypt Root CAs".

I worked around the issue by adding the following environment variable NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/e6-cross.crt after mounting the Let's Encrypt certificate (in my case E6 was needed). You can check here: https://letsencrypt.org/certificates/
You need to download the PEM cert and mount it as crt.

I hope it helps


@randomthought commented on GitHub (Jan 2, 2026):

Does your NEXTAUTH_URL have a valid certificate? If not, that might be the issue.
I had this issue on my test env, I was able to resolve it by adding the following environment

```
NODE_TLS_REJECT_UNAUTHORIZED: 0
```

Please note, this type of setting should be only set in test environments.

Good luck
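
Added example, not part of any comment above and not Karakeep or next-auth code: a Node script to run inside the web container that reports which address the identity provider's hostname resolves to and what certificate chain it presents there, which separates the cases reported in this thread (a self-signed leaf, an intermediate such as E6 missing from the trust store, a hostname answered by the wrong server). The names `describeChain` and `inspect` and the host `auth.example.test` are assumptions; verification is switched off only on this one inspection socket, not for the application.

```javascript
// Added diagnostic sketch; describeChain/inspect are illustrative names.
const dnName = (dn) => (dn && (dn.CN || dn.O)) || "(unnamed)";

// Walk the object returned by socket.getPeerCertificate(true) up to its top.
function describeChain(leaf) {
  const chain = [];
  const seen = new Set();
  for (let c = leaf; c && c.fingerprint256 && !seen.has(c.fingerprint256); c = c.issuerCertificate) {
    seen.add(c.fingerprint256); // a root's issuerCertificate points at itself
    chain.push({
      subject: dnName(c.subject),
      issuer: dnName(c.issuer),
      selfIssued: JSON.stringify(c.subject) === JSON.stringify(c.issuer),
    });
  }
  const top = chain[chain.length - 1];
  if (!top) return { chain, kind: "none", detail: "no certificate presented" };
  if (!top.selfIssued)
    return { chain, kind: "incomplete", detail: `issuer "${top.issuer}" of "${top.subject}" was neither sent by the server nor found in Node's trust store` };
  if (chain.length === 1)
    return { chain, kind: "self-signed-leaf", detail: `"${top.subject}" is signed by itself; check which server answered` };
  return { chain, kind: "rooted", detail: `chain ends at root "${top.subject}"` };
}

// One handshake with verification off, used only to read what the server sent.
async function inspect(host, port = 443, timeoutMs = 3500) {
  const tls = await import("node:tls");
  return new Promise((resolve, reject) => {
    const sock = tls.connect({ host, port, servername: host, rejectUnauthorized: false }, () => {
      const report = {
        remoteAddress: sock.remoteAddress, // public IP or a container alias?
        authorized: sock.authorized,
        authorizationError: sock.authorizationError ? String(sock.authorizationError) : null,
        ...describeChain(sock.getPeerCertificate(true)),
      };
      sock.end();
      resolve(report);
    });
    sock.setTimeout(timeoutMs, () => sock.destroy(new Error(`no TLS handshake within ${timeoutMs}ms`)));
    sock.on("error", reject);
  });
}

// Usage inside the web container: node check-idp.js auth.example.test
if (process.argv[2]) {
  inspect(process.argv[2]).then((r) => console.log(JSON.stringify(r, null, 2)), (e) => console.error(e.message));
}
```

An `incomplete` result names the CA certificate that `NODE_EXTRA_CA_CERTS` has to supply; a `self-signed-leaf` result together with an unexpected `remoteAddress` points at DNS or the reverse proxy rather than at the trust store.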
