Introduced DOCKER-OAUTH-FIX.md to address 'Insecure redirect URI' errors when using OAuth from devices other than the Docker host. Updated README.md to reference the new guide for users encountering authentication issues.
64 lines
No EOL
2.2 KiB
Markdown
64 lines
No EOL
2.2 KiB
Markdown
# 🔐 Docker OAuth Authentication Fix
|
|
|
|
## Problem: "Insecure redirect URI" Error
|
|
|
|
When accessing SoulSync from a **different device** than the Docker host, you may encounter:
|
|
- `INVALID_CLIENT: Insecure redirect URI`
|
|
- `Spotify authentication failed: error: invalid_client`
|
|
|
|
**Why this happens:** Spotify requires HTTPS for OAuth callbacks when not using localhost.
|
|
|
|
## ✅ Simple Solution: SSH Port Forwarding
|
|
|
|
### Step 1: Set up SSH tunnel from your device to Docker host
|
|
|
|
**On the device you're browsing from** (laptop/phone/etc):
|
|
|
|
```bash
|
|
# Replace 'user' and 'docker-host-ip' with your actual values
|
|
ssh -L 8888:localhost:8888 -L 8889:localhost:8889 user@docker-host-ip
|
|
|
|
# Example:
|
|
ssh -L 8888:localhost:8888 -L 8889:localhost:8889 john@192.168.1.100
|
|
```
|
|
|
|
**Keep this SSH connection open** while using SoulSync.
|
|
|
|
### Step 2: Configure OAuth redirect URIs
|
|
|
|
**In your Spotify Developer App:**
|
|
- Set redirect URI to: `http://127.0.0.1:8888/callback`
|
|
|
|
**In your Tidal Developer App:**
|
|
- Set redirect URI to: `http://127.0.0.1:8889/tidal/callback`
|
|
|
|
**In SoulSync Settings:**
|
|
- Set Spotify redirect URI to: `http://127.0.0.1:8888/callback`
|
|
- Set Tidal redirect URI to: `http://127.0.0.1:8889/tidal/callback`
|
|
|
|
### Step 3: Use SoulSync normally
|
|
|
|
- Access SoulSync: `http://docker-host-ip:8008` (normal HTTP)
|
|
- OAuth callbacks will tunnel through SSH to localhost
|
|
- Authentication will work without HTTPS requirements
|
|
|
|
## 🖥️ Alternative: Direct Access from Docker Host
|
|
|
|
If you can access SoulSync directly from the Docker host machine:
|
|
- Use: `http://127.0.0.1:8008`
|
|
- Set OAuth redirect URIs to localhost (as above)
|
|
- No SSH tunnel needed
|
|
|
|
## 🔧 For Advanced Users: Reverse Proxy
|
|
|
|
Set up nginx/traefik with proper SSL certificates for true HTTPS support. See community guides for Docker reverse proxy setups.
|
|
|
|
## 📝 Summary
|
|
|
|
The core issue is that **Spotify requires HTTPS for non-localhost** OAuth redirects. The SSH tunnel makes remote devices appear as localhost to bypass this requirement.
|
|
|
|
**Key points:**
|
|
- ✅ Always use `127.0.0.1` in OAuth redirect URIs
|
|
- ✅ Use SSH tunnel when accessing from different device
|
|
- ✅ Keep tunnel open during authentication
|
|
- ✅ Works with existing Docker setup - no changes needed |