Immich - Inviting Users
This guide covers the complete process for giving a new user access to Immich at https://photos.wighttrash.uk. The user authenticates with their Google or Microsoft account via Keycloak, which acts as the identity broker.
Access is controlled at two independent points: Keycloak (who can sign in) and Immich (who has an account). Both must be configured correctly or the user will be blocked.
How the sign-in flow works
The user visits https://photos.wighttrash.uk. Auto Launch redirects immediately to the Keycloak login page. The user clicks Sign in with Google or Sign in with Microsoft and authenticates with their social provider.
Keycloak then checks whether a user with that email exists in the wighttrash realm. If not, sign-in is blocked at this point. If the user exists, Keycloak issues a token and redirects back to Immich. Immich reads the email from the token and looks for a matching account. If no Immich account exists, sign-in is blocked here.
Two independent gates exist: Keycloak and Immich. Both must pass.
Inviting a user
Complete both parts in order. Do not skip either step.
Part 1 - Create the user in Keycloak
Step 1. Go to https://auth.wighttrash.uk/admin/master/console and sign in.
Step 2. Switch to the wighttrash realm using the top-left dropdown.
Step 3. Go to Users and click Create user.
Step 4. Fill in the following fields and click Create. Do not set a password - the account uses social login only.
| Field | Value |
|---|---|
| Email | The user’s email address. Must match the Google or Microsoft account they will use. |
| Email verified | On |
| First name / Last name | Their name |
| Enabled | On |
Part 2 - Create the Immich account
Because Auto Register is Off, the Immich account must exist before the user’s first sign-in.
Step 1. Open https://photos.wighttrash.uk and sign in as admin. Use ?autoLaunch=0 if the login page skips directly to Keycloak.
Step 2. Go to Administration - Users and click Create user.
Step 3. Fill in the following fields and click Create user. Leave the password field blank.
| Field | Value |
|---|---|
| Email | The user’s email address. Must match the Keycloak entry exactly. |
| Name | Their display name |
| Role | Editor (or as appropriate) |
The email address is the matching key between Keycloak and Immich. If the emails do not match exactly, sign-in will fail at the Immich stage even after Keycloak authenticates successfully.
Part 3 - Notify the user
Send the user the following:
- URL: https://photos.wighttrash.uk
- Tell them to click Login with Wight Trash and sign in with their Google or Microsoft account
- They should use the exact email address you registered
Do not send a password. There is no password for their account.
Removing a user
Remove from both systems. Removing from only one is not sufficient.
Remove from Keycloak (blocks sign-in immediately):
Step 1. Go to https://auth.wighttrash.uk/admin/master/console and switch to the wighttrash realm.
Step 2. Go to Users, find the user, and delete them.
Remove from Immich:
Step 1. Open https://photos.wighttrash.uk and sign in as admin.
Step 2. Go to Administration - Users, find the user, and delete or disable their account.
Recovery procedure
If the login page auto-launches directly to Keycloak and you cannot reach the Immich login page, open:
https://photos.wighttrash.uk/auth/login?autoLaunch=0
This bypasses the auto-launch and shows the standard Immich login page, where a local admin account can be used.
Security checklist
| Check | Where to verify |
|---|---|
| Auto Launch is On | Immich - Administration - Settings - OAuth Authentication |
| Auto Register is Off | Immich - Administration - Settings - OAuth Authentication |
| User exists in Keycloak wighttrash realm | Keycloak Admin - wighttrash - Users |
| User email verified is On in Keycloak | Keycloak Admin - wighttrash - Users - [user] |
| User has no password set in Keycloak | Keycloak Admin - wighttrash - Users - [user] - Credentials |
| Immich account email matches social provider email exactly | Immich - Administration - Users |
| Immich account has no password set | Immich - Administration - Users - [user] |
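The checklist above, and the two-gate rule from Part 1 and Part 2, can be run as a pre-flight check before telling a new user to sign in. The script below is an added example, not part of the original guide or of Immich or Keycloak. `check_gates()` is pure logic over the user records and encodes exactly the conditions the guide states (Keycloak: user exists, enabled, email verified, no password credential; Immich: an account whose email matches the Keycloak email exactly). The fetch helpers assume the Keycloak admin REST API (`admin-cli` password grant, `/admin/realms/{realm}/users?email=…&exact=true`, `/users/{id}/credentials`) and Immich's admin user list at `/api/admin/users` with an `x-api-key` header; the Immich path and the environment variable names (`KC_ADMIN_USER`, `KC_ADMIN_PASS`, `IMMICH_API_KEY`) are assumptions to adjust for your deployment.

```python
"""Pre-flight check for the two Immich sign-in gates (Keycloak, then Immich).

Added example; not the guide's own tooling. Endpoint paths and env var
names below are assumptions, see the lead-in.
"""
import json
import os
import sys
import urllib.parse
import urllib.request

KEYCLOAK = "https://auth.wighttrash.uk"
IMMICH = "https://photos.wighttrash.uk"
REALM = "wighttrash"


def check_gates(kc_user, kc_credentials, immich_user, email):
    """Return a list of findings; an empty list means both gates pass.

    kc_user: Keycloak UserRepresentation dict, or None if no user has that email.
    kc_credentials: list of CredentialRepresentation dicts for that user.
    immich_user: Immich user dict found by case-insensitive email, or None.
    email: the address the invite was registered under.
    """
    findings = []
    # Gate 1: Keycloak. If the user is missing, sign-in stops here and
    # nothing about Immich matters yet.
    if kc_user is None:
        return ["keycloak: no user with email %r in realm %s" % (email, REALM)]
    if not kc_user.get("enabled", False):
        findings.append("keycloak: user is disabled")
    if not kc_user.get("emailVerified", False):
        findings.append("keycloak: email verified is Off")
    if any(c.get("type") == "password" for c in kc_credentials):
        findings.append("keycloak: a password credential is set; account should be social login only")
    kc_email = kc_user.get("email", "")
    # Gate 2: Immich. The email is the matching key and must match exactly.
    if immich_user is None:
        findings.append("immich: no account with email %r" % kc_email)
    else:
        im_email = immich_user.get("email", "")
        if im_email != kc_email:
            if im_email.lower() == kc_email.lower():
                findings.append("immich: email %r differs only in case from Keycloak's %r" % (im_email, kc_email))
            else:
                findings.append("immich: email %r does not match Keycloak's %r" % (im_email, kc_email))
        if immich_user.get("deletedAt"):
            findings.append("immich: account is deleted")
    return findings


def _get_json(url, headers):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def keycloak_admin_token(username, password):
    """Password grant against the master realm with the built-in admin-cli client."""
    data = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    req = urllib.request.Request(f"{KEYCLOAK}/realms/master/protocol/openid-connect/token", data=data)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["access_token"]


def fetch_keycloak_user(token, email):
    """Return (user, credentials) from the wighttrash realm, or (None, [])."""
    hdr = {"Authorization": f"Bearer {token}"}
    q = urllib.parse.urlencode({"email": email, "exact": "true"})
    users = _get_json(f"{KEYCLOAK}/admin/realms/{REALM}/users?{q}", hdr)
    if not users:
        return None, []
    user = users[0]
    creds = _get_json(f"{KEYCLOAK}/admin/realms/{REALM}/users/{user['id']}/credentials", hdr)
    return user, creds


def fetch_immich_user(api_key, email):
    """Case-insensitive lookup so that a case-only mismatch is reported, not hidden.

    Assumed endpoint: the admin user list of current Immich versions.
    """
    users = _get_json(f"{IMMICH}/api/admin/users", {"x-api-key": api_key})
    return next((u for u in users if u.get("email", "").lower() == email.lower()), None)


if __name__ == "__main__":
    target = sys.argv[1]
    tok = keycloak_admin_token(os.environ["KC_ADMIN_USER"], os.environ["KC_ADMIN_PASS"])
    kc, creds = fetch_keycloak_user(tok, target)
    im = fetch_immich_user(os.environ["IMMICH_API_KEY"], target)
    problems = check_gates(kc, creds, im, target)
    print("OK: both gates pass" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

Run it as `python check_invite.py alice@example.com` after completing Part 1 and Part 2; a non-zero exit with the printed findings tells you which gate the user would be blocked at, before they try to sign in. Auto Launch and Auto Register are not exposed per user, so those two checklist rows are still verified in the Immich OAuth settings page.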