4.1 KiB
🔐 Docker OAuth Authentication Fix
Problem: "Insecure redirect URI" Error
When accessing SoulSync from a different device than the Docker host, you may encounter:
INVALID_CLIENT: Insecure redirect URISpotify authentication failed: error: invalid_client
Why this happens: Spotify requires HTTPS for OAuth callbacks when not using localhost.
✅ Simple Solution: SSH Port Forwarding
Step 1: Set up SSH tunnel from your device to Docker host
On the device you're browsing from (laptop/phone/etc):
# Replace 'user' and 'docker-host-ip' with your actual values
ssh -L 8888:localhost:8888 -L 8889:localhost:8889 user@docker-host-ip
# Example:
ssh -L 8888:localhost:8888 -L 8889:localhost:8889 john@192.168.1.100
Keep this SSH connection open while using SoulSync.
Step 2: Configure OAuth redirect URIs
In your Spotify Developer App:
- Set redirect URI to:
http://127.0.0.1:8888/callback
In your Tidal Developer App:
- Set redirect URI to:
http://127.0.0.1:8889/tidal/callback
In SoulSync Settings:
- Set Spotify redirect URI to:
http://127.0.0.1:8888/callback - Set Tidal redirect URI to:
http://127.0.0.1:8889/tidal/callback
Step 3: Use SoulSync normally
- Access SoulSync:
http://docker-host-ip:8008(normal HTTP) - OAuth callbacks will tunnel through SSH to localhost
- Authentication will work without HTTPS requirements
🖥️ Alternative: Direct Access from Docker Host
If you can access SoulSync directly from the Docker host machine:
- Use:
http://127.0.0.1:8008 - Set OAuth redirect URIs to localhost (as above)
- No SSH tunnel needed
🔧 Reverse Proxy Setup (Caddy, Nginx, Traefik)
If you're running SoulSync behind a reverse proxy with HTTPS, you can use the main app port (8008) for OAuth callbacks instead of the standalone port 8888. This is the recommended approach for reverse proxy setups.
Step 1: Set your redirect URI to your proxy URL
In SoulSync Settings:
- Set Spotify redirect URI to:
https://yourdomain.com/callback
In your Spotify Developer Dashboard:
- Add the same redirect URI:
https://yourdomain.com/callback
Step 2: Ensure your reverse proxy forwards to port 8008
Your reverse proxy should forward traffic to SoulSync's main port (8008). The /callback path is handled by the main Flask app — no need to expose port 8888.
Example Caddy config:
soulsync.yourdomain.com {
reverse_proxy localhost:8008
}
Example Nginx config:
server {
listen 443 ssl;
server_name soulsync.yourdomain.com;
location / {
proxy_pass http://localhost:8008;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Step 3: Authenticate normally
Click "Connect Spotify" in SoulSync settings. After authorizing on Spotify, you'll be redirected back through your reverse proxy automatically.
Important notes for reverse proxy users
- The redirect URI must use HTTPS for non-localhost domains (Spotify requirement)
- The redirect URI in SoulSync settings must exactly match the one in your Spotify Dashboard
- Port 8888 is only needed for direct/local access — you do not need to expose it through your proxy
- Make sure your proxy passes query parameters through unmodified (most do by default)
📝 Summary
The core issue is that Spotify requires HTTPS for non-localhost OAuth redirects.
Choose your approach:
- Reverse proxy with HTTPS: Set redirect URI to
https://yourdomain.com/callback(recommended for production) - SSH tunnel: Makes remote devices appear as localhost — set redirect URI to
http://127.0.0.1:8888/callback - Local access: No special config needed — default
http://127.0.0.1:8888/callbackworks
Key points:
- ✅ Reverse proxy users: use
https://yourdomain.com/callbackon port 8008 - ✅ SSH tunnel users: use
http://127.0.0.1:8888/callbackon port 8888 - ✅ Redirect URI must match exactly in SoulSync settings AND Spotify Dashboard
- ✅ Query parameters must be preserved through the redirect chain