aherman
/
SoulSync
mirror of https://github.com/Nezreka/SoulSync.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '44a8be4469'
${ noResults }
SoulSync/Support/DOCKER-OAUTH-FIX.md

114 lines
4.1 KiB
Raw Blame History

# 🔐 Docker OAuth Authentication Fix
## Problem: "Insecure redirect URI" Error
When accessing SoulSync from a **different device** than the Docker host, you may encounter:
- `INVALID_CLIENT: Insecure redirect URI`
- `Spotify authentication failed: error: invalid_client`
**Why this happens:** Spotify requires HTTPS for OAuth callbacks when not using localhost.
## ✅ Simple Solution: SSH Port Forwarding
### Step 1: Set up SSH tunnel from your device to Docker host
**On the device you're browsing from** (laptop/phone/etc):
```bash
# Replace 'user' and 'docker-host-ip' with your actual values
ssh -L 8888:localhost:8888 -L 8889:localhost:8889 user@docker-host-ip
# Example:
ssh -L 8888:localhost:8888 -L 8889:localhost:8889 john@192.168.1.100
```
**Keep this SSH connection open** while using SoulSync.
### Step 2: Configure OAuth redirect URIs
**In your Spotify Developer App:**
- Set redirect URI to: `http://127.0.0.1:8888/callback`
**In your Tidal Developer App:**
- Set redirect URI to: `http://127.0.0.1:8889/tidal/callback`
**In SoulSync Settings:**
- Set Spotify redirect URI to: `http://127.0.0.1:8888/callback`
- Set Tidal redirect URI to: `http://127.0.0.1:8889/tidal/callback`
### Step 3: Use SoulSync normally
- Access SoulSync: `http://docker-host-ip:8008` (normal HTTP)
- OAuth callbacks will tunnel through SSH to localhost
- Authentication will work without HTTPS requirements
## 🖥️ Alternative: Direct Access from Docker Host
If you can access SoulSync directly from the Docker host machine:
- Use: `http://127.0.0.1:8008`
- Set OAuth redirect URIs to localhost (as above)
- No SSH tunnel needed
## 🔧 Reverse Proxy Setup (Caddy, Nginx, Traefik)
If you're running SoulSync behind a reverse proxy with HTTPS, you can use the **main app port (8008)** for OAuth callbacks instead of the standalone port 8888. This is the recommended approach for reverse proxy setups.
### Step 1: Set your redirect URI to your proxy URL
**In SoulSync Settings:**
- Set Spotify redirect URI to: `https://yourdomain.com/callback`
**In your Spotify Developer Dashboard:**
- Add the same redirect URI: `https://yourdomain.com/callback`
### Step 2: Ensure your reverse proxy forwards to port 8008
Your reverse proxy should forward traffic to SoulSync's main port (8008). The `/callback` path is handled by the main Flask app — no need to expose port 8888.
**Example Caddy config:**
```
soulsync.yourdomain.com {
reverse_proxy localhost:8008
}
```
**Example Nginx config:**
```nginx
server {
listen 443 ssl;
server_name soulsync.yourdomain.com;
location / {
proxy_pass http://localhost:8008;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
```
### Step 3: Authenticate normally
Click "Connect Spotify" in SoulSync settings. After authorizing on Spotify, you'll be redirected back through your reverse proxy automatically.
### Important notes for reverse proxy users
- The redirect URI **must use HTTPS** for non-localhost domains (Spotify requirement)
- The redirect URI in SoulSync settings **must exactly match** the one in your Spotify Dashboard
- Port 8888 is only needed for direct/local access — you do **not** need to expose it through your proxy
- Make sure your proxy passes query parameters through unmodified (most do by default)
## 📝 Summary
The core issue is that **Spotify requires HTTPS for non-localhost** OAuth redirects.
**Choose your approach:**
- **Reverse proxy with HTTPS**: Set redirect URI to `https://yourdomain.com/callback` (recommended for production)
- **SSH tunnel**: Makes remote devices appear as localhost — set redirect URI to `http://127.0.0.1:8888/callback`
- **Local access**: No special config needed — default `http://127.0.0.1:8888/callback` works
**Key points:**
- ✅ Reverse proxy users: use `https://yourdomain.com/callback` on port 8008
- ✅ SSH tunnel users: use `http://127.0.0.1:8888/callback` on port 8888
- ✅ Redirect URI must match exactly in SoulSync settings AND Spotify Dashboard
- ✅ Query parameters must be preserved through the redirect chain
Reference in new issue View Git Blame Copy Permalink