OAUTH with Authentik - user invalid!

[Warrior01017]

I've spent quite a bit of time trying to figure out why I cannot get TriliumNext to work with Authentik. All my settings seem right, from checking the docs to viewing many other peoples configurations and even trying to go back and forth with AI.

Issue:
When authenticating with Authentik, I get the "Sign in with Authentik", then I get redirected to Authentik saying "You're about to sign into TriliumNext Notes". When clicking continue I get a 502 Bad Gateway at the url https://notes.domain.tld/callback?code=fa45eXXXXXXXXXXXXXXXXXXXXXX&state=eyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX and invalid user in the docker logs.

Configuration:
Nginx Proxy Manager in front of Trilium - standard config, OAUTH works with other containers using this same proxy

TRILIUM_OAUTH_BASE_URL=https://notes.domain.tld
TRILIUM_OAUTH_ISSUER_BASE_URL=https://authentik.domain.tld:8443/application/o/trilium/
TRILIUM_OAUTH_ISSUER_ICON=https://authentik.domain.tld:8443/static/dist/assets/icons/icon.png
TRILIUM_OAUTH_ISSUER_NAME=Authentik
NODE_EXTRA_CA_CERTS=/etc/ssl/certs/authentik_ca.crt
TRILIUM_OAUTH_CLIENT_ID=jrpzmqXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
TRILIUM_OAUTH_CLIENT_SECRET=<secret>

Authentik:
Client type: Confidential
Redirect URI: https://notes.domain.tld/callback
Signing Key: authentik
Scope: email, openid, profile
Subject mode: Based on the User's hashed ID
Include claims in id_token is turned on

Logs:
When debug is not turned on the ONLY thing in the logs is 'user invalid!'. Makes for troubleshooting very difficult. When debug is turned on I get the below.

2025-09-14T16:18:54.471Z router <anonymous>  : /authenticate
2025-09-14T16:18:54.471Z router r  : /authenticate
2025-09-14T16:18:54.471Z router dispatching GET /authenticate
2025-09-14T16:18:54.471Z router <anonymous>  : /authenticate
2025-09-14T16:18:54.471Z router <anonymous>  : /authenticate
2025-09-14T16:18:54.471Z body-parser:urlencoded skip empty body
2025-09-14T16:18:54.471Z express-openid-connect:context req.oidc.login() called with returnTo: https://notes.domain.tld
2025-09-14T16:18:54.472Z express-openid-connect:getLoginState adding default state { returnTo: 'https://notes.domain.tld' }
2025-09-14T16:18:54.472Z express-openid-connect:context response_type includes code, the authorization request will use PKCE
2025-09-14T16:18:54.473Z express-openid-connect:context redirecting to https://authentik.domain.tld:8443/application/o/authorize/?client_id=jrpzmqXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&scope=openid%20profile%20email&response_type=code&redirect_uri=https%3A%2F%2Fnotes.domain.tld%2Fcallback&access_type=offline&prompt=consent&state=eyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&nonce=r_xHUtXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&code_challenge_method=S256&code_challenge=gOUN2SHXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2025-09-14T16:18:54.474Z express-openid-connect:appSession session was deleted or is empty, clearing all matching session cookies
Sun, 14 Sep 2025 16:18:54 GMT compression no compression: size below threshold
2025-09-14T16:18:57.720Z router dispatching GET /callback?code=fa45eXXXXXXXXXXXXXXXXXXXXXX&state=eyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2025-09-14T16:18:57.721Z router <anonymous>  : /callback?code=fa45eXXXXXXXXXXXXXXXXXXXXXX&state=eyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2025-09-14T16:18:57.721Z router <anonymous>  : /callback?code=fa45eXXXXXXXXXXXXXXXXXXXXXX&state=eyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2025-09-14T16:18:57.721Z router <anonymous>  : /callback?code=fa45eXXXXXXXXXXXXXXXXXXXXXX&state=eyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2025-09-14T16:18:57.721Z router <anonymous>  : /callback?code=fa45eXXXXXXXXXXXXXXXXXXXXXX&state=eyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2025-09-14T16:18:57.721Z body-parser:text skip empty body
2025-09-14T16:18:57.721Z router <anonymous>  : /callback?code=fa45eXXXXXXXXXXXXXXXXXXXXXX&state=eyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2025-09-14T16:18:57.721Z body-parser:json skip empty body
2025-09-14T16:18:57.721Z router <anonymous>  : /callback?code=fa45eXXXXXXXXXXXXXXXXXXXXXX&state=eyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2025-09-14T16:18:57.721Z body-parser:raw skip empty body
2025-09-14T16:18:57.721Z router <anonymous>  : /callback?code=fa45eXXXXXXXXXXXXXXXXXXXXXX&state=eyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2025-09-14T16:18:57.721Z body-parser:urlencoded skip empty body
2025-09-14T16:18:57.721Z router <anonymous>  : /callback?code=fa45eXXXXXXXXXXXXXXXXXXXXXX&state=eyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2025-09-14T16:18:57.722Z router <anonymous>  : /callback?code=fa45eXXXXXXXXXXXXXXXXXXXXXX&state=eyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2025-09-14T16:18:57.722Z send stat "/usr/src/app/public/root/callback"
2025-09-14T16:18:57.722Z router <anonymous>  : /callback?code=fa45eXXXXXXXXXXXXXXXXXXXXXX&state=eyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Sun, 14 Sep 2025 16:18:57 GMT express-session fetching PHa3SXazoNKrlxBSY1WDsu_-jg5IwT1j
Sun, 14 Sep 2025 16:18:57 GMT express-session no session found
2025-09-14T16:18:57.723Z router <anonymous>  : /callback?code=fa45eXXXXXXXXXXXXXXXXXXXXXX&state=eyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2025-09-14T16:18:57.723Z router r  : /callback?code=fa45eXXXXXXXXXXXXXXXXXXXXXX&state=eyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2025-09-14T16:18:57.723Z router dispatching GET /callback?code=fa45eXXXXXXXXXXXXXXXXXXXXXX&state=eyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2025-09-14T16:18:57.723Z router <anonymous>  : /callback?code=fa45eXXXXXXXXXXXXXXXXXXXXXX&state=eyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2025-09-14T16:18:57.724Z router <anonymous>  : /callback?code=fa45eXXXXXXXXXXXXXXXXXXXXXX&state=eyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
user invalid!
2025-09-14T16:18:58.269Z express-openid-connect:appSession found session, creating signed session cookie(s) with name 'appSession'(.i)
2025-09-14T16:18:58.271Z express-openid-connect:appSession cookie size greater than 4004, chunking

[dosubot[bot]]

Hi @Warrior01017! I'm Dosu and I’m helping the Trilium team.

The "user invalid!" and 502 Bad Gateway errors with Authentik OAUTH in TriliumNext are most often caused by either missing user claims in the ID token or proxy misconfiguration.

First, make sure your Nginx Proxy Manager config increases buffer sizes—users have fixed 502 errors by setting proxy_buffers 16 16k; proxy_buffer_size 32k; proxy_busy_buffers_size 64k; in the location block for TriliumNext. This prevents "upstream sent too big header" errors when handling large OAUTH tokens source.

Next, double-check that your Authentik provider is set to include the openid profile email scopes and that "Include claims in id_token" is enabled. TriliumNext expects claims like email, sub, or preferred_username in the ID token; if these are missing or malformed, you'll get "user invalid!" source.

Also, confirm your environment variables are spelled correctly and match the Authentik provider config. The most critical are:

• TRILIUM_OAUTH_BASE_URL
• TRILIUM_OAUTH_CLIENT_ID
• TRILIUM_OAUTH_CLIENT_SECRET
• TRILIUM_OAUTH_ISSUER_BASE_URL
• TRILIUM_OAUTH_ISSUER_NAME
• TRILIUM_OAUTH_ISSUER_ICON (optional)

Restart the Trilium container after any changes. If you're behind a reverse proxy, set TRILIUM_NETWORK_TRUSTEDREVERSEPROXY=true or the proxy IP source.

If everything looks correct but you still get "user invalid!", check the Trilium logs for details about missing claims or token validation errors. Sometimes, logging in twice is needed for the first OAuth user creation source.

Let me know if you want more targeted troubleshooting steps!

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}    

[Warrior01017]

OMG!! Adding those buffer size increases to NPM fixed it! I cannot believe that was the issue and nothing else pointed me there. However, I am now have the same issue as this, but at least I can log in now with Authentik.