Add Docker OAuth authentication troubleshooting guide

Introduced DOCKER-OAUTH-FIX.md to address 'Insecure redirect URI' errors when using OAuth from devices other than the Docker host. Updated README.md to reference the new guide for users encountering authentication issues.
This commit is contained in:
Broque Thomas 2025-09-13 08:24:40 -07:00
parent 21d016fcbd
commit 19583a2d28
2 changed files with 65 additions and 0 deletions

64
DOCKER-OAUTH-FIX.md Normal file
View file

@ -0,0 +1,64 @@
# 🔐 Docker OAuth Authentication Fix
## Problem: "Insecure redirect URI" Error
When accessing SoulSync from a **different device** than the Docker host, you may encounter:
- `INVALID_CLIENT: Insecure redirect URI`
- `Spotify authentication failed: error: invalid_client`
**Why this happens:** Spotify requires HTTPS for OAuth callbacks when not using localhost.
## ✅ Simple Solution: SSH Port Forwarding
### Step 1: Set up SSH tunnel from your device to Docker host
**On the device you're browsing from** (laptop/phone/etc):
```bash
# Replace 'user' and 'docker-host-ip' with your actual values
ssh -L 8888:localhost:8888 -L 8889:localhost:8889 user@docker-host-ip
# Example:
ssh -L 8888:localhost:8888 -L 8889:localhost:8889 john@192.168.1.100
```
**Keep this SSH connection open** while using SoulSync.
### Step 2: Configure OAuth redirect URIs
**In your Spotify Developer App:**
- Set redirect URI to: `http://127.0.0.1:8888/callback`
**In your Tidal Developer App:**
- Set redirect URI to: `http://127.0.0.1:8889/tidal/callback`
**In SoulSync Settings:**
- Set Spotify redirect URI to: `http://127.0.0.1:8888/callback`
- Set Tidal redirect URI to: `http://127.0.0.1:8889/tidal/callback`
### Step 3: Use SoulSync normally
- Access SoulSync: `http://docker-host-ip:8008` (normal HTTP)
- OAuth callbacks will tunnel through SSH to localhost
- Authentication will work without HTTPS requirements
## 🖥️ Alternative: Direct Access from Docker Host
If you can access SoulSync directly from the Docker host machine:
- Use: `http://127.0.0.1:8008`
- Set OAuth redirect URIs to localhost (as above)
- No SSH tunnel needed
## 🔧 For Advanced Users: Reverse Proxy
Set up nginx/traefik with proper SSL certificates for true HTTPS support. See community guides for Docker reverse proxy setups.
## 📝 Summary
The core issue is that **Spotify requires HTTPS for non-localhost** OAuth redirects. The SSH tunnel makes remote devices appear as localhost to bypass this requirement.
**Key points:**
- ✅ Always use `127.0.0.1` in OAuth redirect URIs
- ✅ Use SSH tunnel when accessing from different device
- ✅ Keep tunnel open during authentication
- ✅ Works with existing Docker setup - no changes needed

View file

@ -164,6 +164,7 @@ docker run -d -p 8008:8008 boulderbadgedad/soulsync:latest
- **Docker uses separate database** from GUI/WebUI versions
- **Transfer path** should point to your media server music library
- **FLAC preferred** but supports all common formats
- **OAuth from different devices:** See [DOCKER-OAUTH-FIX.md](DOCKER-OAUTH-FIX.md) if you get "Insecure redirect URI" errors
## 🏗️ Architecture