docs: add Immich OIDC integration guide #98

Open: demsking wants to merge 1 commit into tinyauthapp:main from demsking:main

demsking commented Jun 8, 2026

This PR adds a new documentation page explaining how to integrate Immich with Tinyauth as an OpenID Connect provider.

What’s Included

  • New Immich integration guide under the integrations docs section
  • Step-by-step Tinyauth client creation commands (Docker and binary)
  • Required Tinyauth OIDC environment variables for Immich
  • Immich OAuth admin settings mapping (issuer URL, client ID/secret, scopes)
  • Notes for web, account-linking, and mobile redirect URI behavior
  • Guidance for mobile redirect override via Immich endpoint when custom scheme redirects are not accepted

Why

This fills a gap in integrations documentation and makes it easier to deploy SSO for Immich with Tinyauth.

Validation

  • Confirmed the new MDX document has no diagnostics errors in the workspace.

Summary by CodeRabbit

  • Documentation
    • Added comprehensive documentation for integrating Immich with Tinyauth using OpenID Connect authentication. The guide provides setup prerequisites, detailed configuration instructions for both Tinyauth and Immich instances, redirect URI configuration for web and mobile clients, necessary environment variable specifications, and outlines the expected complete end-to-end authentication and redirection workflow.

dosubot Bot added the size:M label (This PR changes 30-99 lines, ignoring generated files.) Jun 8, 2026

coderabbitai Bot (Contributor) commented Jun 8, 2026

Walkthrough

Added a new integration guide documenting how to configure OpenID Connect authentication between Immich and Tinyauth, covering OIDC client creation, environment variable setup, Immich OAuth configuration, and the complete authentication flow.

Changes

Immich OIDC integration documentation

| Layer / File(s) | Summary |
|---|---|
| Immich integration guide: `src/content/docs/docs/integrations/immich.mdx` | Complete integration documentation with prerequisites, step-by-step OIDC client creation instructions (Docker and binary methods), required environment variables, redirect URI configuration for web and mobile, Immich-side OAuth settings (issuer, client credentials, scope, and optional UI customization), and expected authentication redirect flow. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately and concisely summarizes the main change: adding documentation for Immich OIDC integration with Tinyauth. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/content/docs/docs/integrations/immich.mdx`:
- Line 46: The example trusted-redirects env var
TINYAUTH_OIDC_CLIENTS_IMMICH_TRUSTEDREDIRECTURIS is missing the primary mobile
URI (app.immich:///oauth-callback) and only shows the fallback override; update
the example by adding app.immich:///oauth-callback to the comma-separated list
alongside https://immich.example.com/api/oauth/mobile-redirect, or alternatively
change the explanatory note to explicitly state this example is for an
"override-only" setup—edit the line containing
TINYAUTH_OIDC_CLIENTS_IMMICH_TRUSTEDREDIRECTURIS in immich.mdx accordingly.

📥 Commits

Reviewing files that changed from the base of the PR and between b34cd53 and 0885d2f.

📒 Files selected for processing (1)
  • src/content/docs/docs/integrations/immich.mdx

TINYAUTH_OIDC_PUBLICKEYPATH=/path/to/public/key.pem
TINYAUTH_OIDC_CLIENTS_IMMICH_CLIENTID=client-id
TINYAUTH_OIDC_CLIENTS_IMMICH_CLIENTSECRET=ta-client-secret
TINYAUTH_OIDC_CLIENTS_IMMICH_TRUSTEDREDIRECTURIS=https://immich.example.com/auth/login,https://immich.example.com/user-settings,https://immich.example.com/api/oauth/mobile-redirect

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

```sh
#!/bin/bash
# Check Immich's official documentation or codebase for OAuth mobile redirect URI configuration

# Search for OAuth/OIDC redirect configuration in Immich docs
rg -i -C5 'oauth.*redirect|redirect.*uri|app\.immich' --type=md

# Look for mobile OAuth implementation or configuration examples
rg -i -C5 'mobile.*oauth|oauth.*mobile|app\.immich:\/\/\/' --type=md
```

Repository: tinyauthapp/docs

Length of output: 213


🌐 Web query:

Immich OAuth mobile redirect URI app.immich:/// configuration

💡 Result:

The official OAuth redirect URI for the Immich mobile application is app.immich:///oauth-callback [1][2]. The three forward slashes are required to ensure the path is correctly parsed by the mobile operating systems [3].

If your OAuth provider does not support custom schemes like app.immich:///, Immich provides a mechanism to use a standard HTTP/HTTPS URL as an override [1][2]. To configure this alternative:

1. Use the built-in Immich endpoint, which is located at /api/oauth/mobile-redirect [1][2]. This endpoint is specifically designed to forward requests to the required app.immich:///oauth-callback scheme [1][2].
2. Whitelist this HTTP/HTTPS endpoint (e.g., https://your-immich-domain.com/api/oauth/mobile-redirect) in your OAuth provider settings [1][2].
3. In your Immich OAuth settings, enable the Mobile Redirect URI Override option and enter the full URL of this endpoint into the Mobile Redirect URI field [1][4].

Citations:


🏁 Script executed:

```sh
#!/bin/bash
set -euo pipefail
# Show the relevant portion of the docs around the cited lines
nl -ba src/content/docs/docs/integrations/immich.mdx | sed -n '35,75p'
```

Repository: tinyauthapp/docs

Length of output: 103


🏁 Script executed:

```sh
#!/bin/bash
set -euo pipefail
# Print relevant range with line numbers using cat -n if available; fallback to sed-only
if command -v cat >/dev/null 2>&1 && cat -n src/content/docs/docs/integrations/immich.mdx >/dev/null 2>&1; then
  cat -n src/content/docs/docs/integrations/immich.mdx | sed -n '35,75p'
else
  sed -n '35,75p' src/content/docs/docs/integrations/immich.mdx
fi
```

Repository: tinyauthapp/docs

Length of output: 2091


Add the primary mobile redirect URI to TINYAUTH_OIDC_CLIENTS_IMMICH_TRUSTEDREDIRECTURIS

src/content/docs/docs/integrations/immich.mdx documents that the mobile app’s redirect URI is app.immich:///oauth-callback (primary) and only uses https://immich.example.com/api/oauth/mobile-redirect as a fallback override. But the trusted redirect allowlist example only includes the override URL (line 46) and omits app.immich:///oauth-callback—so the common/default mobile flow will fail unless the override path is used.

Either include app.immich:///oauth-callback in the trusted list alongside the override, or change the note/example to match an “override-only” setup.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/content/docs/docs/integrations/immich.mdx` at line 46, The example
trusted-redirects env var TINYAUTH_OIDC_CLIENTS_IMMICH_TRUSTEDREDIRECTURIS is
missing the primary mobile URI (app.immich:///oauth-callback) and only shows the
fallback override; update the example by adding app.immich:///oauth-callback to
the comma-separated list alongside
https://immich.example.com/api/oauth/mobile-redirect, or alternatively change
the explanatory note to explicitly state this example is for an "override-only"
setup—edit the line containing TINYAUTH_OIDC_CLIENTS_IMMICH_TRUSTEDREDIRECTURIS
in immich.mdx accordingly.

steveiliop56 (Member) left a comment

Thank you for the pull request @demsking! Just some small nitpicks and we can merge.

Comment on lines +24 to +35
<Tabs>
<TabItem label="Docker">
```sh
docker run -i -t --rm ghcr.io/steveiliop56/tinyauth:v5 oidc create immich
```
</TabItem>
<TabItem label="Binary">
```sh
./tinyauth oidc create immich
```
</TabItem>
</Tabs>

Any chance we could also add the browser form?

  <TabItem label="Browser">
    <CreateOidcClientTool />
  </TabItem>

Make sure to import it with `import CreateOidcClientTool from "../../../../components/create-oidc-client-tool.astro";`.

- Account linking in web UI: `https://immich.example.com/user-settings`
- Mobile app: `app.immich:///oauth-callback`

If your OAuth provider cannot accept the `app.immich:///oauth-callback` custom scheme, Immich supports using `https://immich.example.com/api/oauth/mobile-redirect` as a mobile redirect override.

Tinyauth shouldn't have any issues with the app.immich one but let's just use the generic https://immich.example.com/api/oauth/mobile-redirect to avoid any confusion.
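
The redirect URI discussion above, as an added example that is not part of this PR or of Tinyauth's code: it checks each Immich flow against the allowlist value from the PR's example, assuming the provider matches `redirect_uri` by simple string comparison as OpenID Connect Core requires. The function names `parseTrusted` and `redirectAllowed` are hypothetical.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample: the allowlist value quoted from the PR's example.
const trustedFromPR = "https://immich.example.com/auth/login," +
	"https://immich.example.com/user-settings," +
	"https://immich.example.com/api/oauth/mobile-redirect"

// parseTrusted splits the comma-separated value and drops empty entries.
func parseTrusted(raw string) []string {
	var out []string
	for _, item := range strings.Split(raw, ",") {
		if item = strings.TrimSpace(item); item != "" {
			out = append(out, item)
		}
	}
	return out
}

// redirectAllowed assumes exact string matching: no prefix or wildcard rules.
func redirectAllowed(trusted []string, redirectURI string) bool {
	u, err := url.Parse(redirectURI)
	if err != nil || u.Scheme == "" || u.Fragment != "" {
		return false // must be absolute and carry no fragment
	}
	for _, t := range trusted {
		if t == redirectURI {
			return true
		}
	}
	return false
}

func main() {
	trusted := parseTrusted(trustedFromPR)
	for _, uri := range []string{
		"https://immich.example.com/auth/login",                // web login
		"https://immich.example.com/user-settings",             // account linking
		"https://immich.example.com/api/oauth/mobile-redirect", // mobile override
		"app.immich:///oauth-callback",                         // mobile default
	} {
		fmt.Printf("%-52s allowed=%v\n", uri, redirectAllowed(trusted, uri))
	}
}
```

With this list only the mobile default is rejected, so the mobile app signs in only when Immich's Mobile Redirect URI Override points at the `/api/oauth/mobile-redirect` endpoint.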

Please add the link to the astro.config.mjs file so that it can be displayed in the documentation ; ). Check the example with Beszel https://github.com/tinyauthapp/docs/blob/main/astro.config.mjs#L125-L134.
