Implementing Scope Mapping in Authentik for Shared Family Access to Immich

Guides & Tutorials
,
1

To achieve your goal of using Immich for family photo sharing while maintaining individual user logins via Authentik, you can implement a solution involving scope mapping. This approach allows multiple family members to log in with their individual credentials but still share a single Immich account for photo and metadata access.

Proposed Solution

Step 1: Configure Authentik for Scope Mapping

  1. Create a New Scope Mapping:

    • Navigate to the Customization > Property Mappings section in Authentik.
    • Create a new scope mapping with the following details:
      • Name: Choose an appropriate name (e.g., “Immich Family OAuth”).
      • Scope Name: Set this to email.
      • Expression: Use an expression that maps all family users to a single shared email address. For example:
        if request.user.email in ['user1@example.com', 'user2@example.com']:
    return 'familylogin@email.com'
else:
    return request.user.email
    • This expression checks if the logged-in user is one of the family members and returns the shared email for Immich.

  2. Configure OAuth Provider Settings:

    • Go to your Immich OAuth provider settings in Authentik.
    • Under Advanced Settings > Scopes, ensure that you keep the necessary scopes (like openid) and add your newly created scope mapping.

Step 2: Modify Immich OAuth Settings

  1. Update Immich Configuration:

    • In your Immich instance, navigate to the OAuth settings.
    • Ensure that the OAuth provider is set up to accept the new scope mapping you created in Authentik.

  2. Testing:

    • Have each family member log in using their individual Authentik credentials.
    • Verify that upon logging into Immich, they are recognized as the shared user (familylogin@email.com).

Step 3: Set Up Guest Access

  1. Create a Guest User:

    • In Immich, create a separate user account for guests (e.g., guestuser@email.com).
    • Limit permissions appropriately so that guests can view but not modify shared content.

  2. Configure Guest Access in Authentik:

    • You can set up another scope mapping or rule that directs any guest login attempts to this guest user account.

Additional Considerations

  • User Permissions: Ensure that permissions are correctly set so that family members can upload and manage photos while maintaining privacy from guests.
  • Testing and Iteration: After setting up, conduct thorough testing with different user scenarios to ensure that all mappings work as intended.

By following these steps, you can effectively manage a shared photo library in Immich while allowing individual logins through Authentik, thus simplifying photo sharing and metadata access for your family.