Custom Oauth provider fails on server restart

[LLBR88]

Describe the bug
Custom oauth provider (Authentik) returns "Internal Server Error", fails to log in.

To Reproduce
Steps to reproduce the behavior:

1. Set up custom oauth provider running on same server, confirm all works
2. Restart server / docker
3. Attempt to log in with oauth, get error
4. Log in to admin account with un/pw, go to oauth section, click "edit" and "save" (making no changes)
5. Go back and log in via oauth as normal

Expected behavior
Oauth provider should initialise correctly and not require re-saving.

Server version 1.6.6 (but has been an issue for many versions)

Additional context
Docker logs:

    at dan (/app/server/index.js:3022:2862)
    at async /app/server/index.js:3022:10640 {
  cause: undefined,
  code: 'UNAUTHORIZED'
}
Token verification failed: FLe [TokenExpiredError]: jwt expired
    at /app/server/index.js:60:39015
    at c (/app/server/index.js:60:37425)
    at lHn.exports [as verify] (/app/server/index.js:60:37443)
    at OE (/app/server/index.js:540:1225)
    at async eH (/app/server/index.js:540:1433)
    at async CVt (/app/server/index.js:3014:27155)
    at async Object.l [as createContext] (/app/server/index.js:3022:10533)
    at async Object.create (/app/server/index.js:3022:2366)
    at async dan (/app/server/index.js:3022:2830)
    at async /app/server/index.js:3022:10640 {
  expiredAt: 2025-11-11T21:22:25.000Z
}
canRegisterxxx
OAuth Custom authentication request: {
  url: '/authentik',
  headers: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0'
}
Custom OAuth provider authentik authentication route accessed
tRPC error: kG [TRPCError]: Unauthorized
    at /app/server/index.js:500:13364
    at R4n (/app/server/index.js:497:64878)
    at e (/app/server/index.js:497:65343)
    at /app/server/index.js:3022:3345
    at Array.map (<anonymous>)
    at dan (/app/server/index.js:3022:2862)
    at async /app/server/index.js:3022:10640 {
  cause: undefined,
  code: 'UNAUTHORIZED'
}
canRegisterxxx
Login successful: { user: 1 }
[Server] Axios instance created with proxy: disabled
[Server] Axios instance created with proxy: disabled
[Server] Axios instance created with proxy: disabled
Current Environment: production
Prisma schema loaded from prisma/schema.prisma
Datasource "db": PostgreSQL database "postgres" at "blinko-postgres:5432"
27 migrations found in prisma/migrations
No pending migrations to apply.
✨ Seed done! ✨
✨ Seed done! ✨
Failed to initialize custom OAuth provider: authentik Error: Failed to fetch well-known configuration from https://auth.landr.uk/application/o/blinko/.well-known/openid-configuration
    at MBn (/app/server/index.js:540:63162)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async TBn (/app/server/index.js:540:59545)
    at async W0c (/app/server/index.js:3038:4804)
9:10:36 AM [vite-express] Running in production mode
9:10:36 AM [vite-express] Inline config detected, ignoring Vite config file
9:10:36 AM [vite-express] Serving static files from /app/server/public
🎉server start on port http://0.0.0.0:1111 - env: production
tRPC error: kG [TRPCError]: Unauthorized
    at /app/server/index.js:500:13364
    at R4n (/app/server/index.js:497:64878)
    at e (/app/server/index.js:497:65343)
    at /app/server/index.js:3022:3345
    at Array.map (<anonymous>)
    at dan (/app/server/index.js:3022:2862)
    at async /app/server/index.js:3022:10640 {
  cause: undefined,
  code: 'UNAUTHORIZED'
}
canRegisterxxx
OAuth Custom authentication request: {
  url: '/authentik',
  headers: 'Mozilla/5.0 (Linux; Android 10; Pixel 4a Build/QD4A.200805.003; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/141.0.0.0 Mobile Safari/537.36'
}
Custom OAuth provider authentik authentication route accessed
express error: Error: Unknown authentication strategy "authentik"
    at p (/app/server/index.js:58:10145)
    at /app/server/index.js:58:11477
    at /app/server/index.js:3014:26521
    at Ule.handleRequest (/app/server/index.js:38:25910)
    at o (/app/server/index.js:38:27849)
    at /app/server/index.js:3014:23479
    at Ule.handleRequest (/app/server/index.js:38:25910)
    at o (/app/server/index.js:38:27849)
    at zle.dispatch (/app/server/index.js:38:27605)
    at a (/app/server/index.js:38:31720)
tRPC error: kG [TRPCError]: Unauthorized
    at /app/server/index.js:500:13364
    at R4n (/app/server/index.js:497:64878)
    at e (/app/server/index.js:497:65343)
    at /app/server/index.js:3022:3345
    at Array.map (<anonymous>)
    at dan (/app/server/index.js:3022:2862)
    at async /app/server/index.js:3022:10640 {
  cause: undefined,
  code: 'UNAUTHORIZED'
}
canRegisterxxx
OAuth Custom authentication request: {
  url: '/authentik',
  headers: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0'
}
Custom OAuth provider authentik authentication route accessed
express error: Error: Unknown authentication strategy "authentik"
    at p (/app/server/index.js:58:10145)
    at /app/server/index.js:58:11477
    at /app/server/index.js:3014:26521
    at Ule.handleRequest (/app/server/index.js:38:25910)
    at o (/app/server/index.js:38:27849)
    at /app/server/index.js:3014:23479
    at Ule.handleRequest (/app/server/index.js:38:25910)
    at o (/app/server/index.js:38:27849)
    at zle.dispatch (/app/server/index.js:38:27605)
    at a (/app/server/index.js:38:31720)
isUserPreferConfig false
OAuth strategies reinitialized after config update: { success: true, message: 'OAuth strategies reinitialized' }
tRPC error: kG [TRPCError]: Unauthorized
    at /app/server/index.js:500:13364
    at R4n (/app/server/index.js:497:64878)
    at e (/app/server/index.js:497:65343)
    at /app/server/index.js:3022:3345
    at Array.map (<anonymous>)
    at dan (/app/server/index.js:3022:2862)
    at async /app/server/index.js:3022:10640 {
  cause: undefined,
  code: 'UNAUTHORIZED'
}
canRegisterxxx
OAuth Custom authentication request: {
  url: '/authentik',
  headers: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0'
}
Custom OAuth provider authentik authentication route accessed
authentik callback route accessed
oauth verify success, user: 4
tRPC error: kG [TRPCError]: Unauthorized
    at /app/server/index.js:500:13364
    at R4n (/app/server/index.js:497:64878)
    at e (/app/server/index.js:497:65343)
    at /app/server/index.js:3022:3345
    at Array.map (<anonymous>)
    at dan (/app/server/index.js:3022:2862)
    at async /app/server/index.js:3022:10640 {
  cause: undefined,
  code: 'UNAUTHORIZED'
}
Profile access: { user: 4 }
Link preview error: Error
    at new XGe (/app/server/index.js:1726:440172)
    at U9l (/app/server/index.js:1732:423265)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async /app/server/index.js:1734:131639 {
  name: 'WRONG_CONTENT_TYPE',
�
{
    url: 'https://github.com/badaix/snapcast/releases/download/v0.34.0/snapclient_0.34.0-1_arm64_trixie_with-pipewire.deb',
    contentType: 'application/octet-stream',
    contentLength: '560300'
  }
}
timeout
Link preview error: undefined
timeout`

[dosubot]

Hi @LLBR88! I'm Dosu and I’m helping the blinko team.

This happens because on server startup, Blinko tries to fetch the well-known OpenID configuration for your custom OAuth provider (Authentik). If that fetch fails (for example, due to a network hiccup or the Authentik service not being ready), the provider strategy isn't registered with Passport.js, which leads to "Unknown authentication strategy" and "Internal Server Error" when you try to log in. When you re-save the OAuth config in the admin UI, Blinko reinitializes all OAuth strategies—this time, the fetch usually succeeds, and everything works until the next restart.

This is a known issue and has been fixed in later versions of Blinko. In the meantime, you can try to ensure that the Authentik service is fully up and reachable before starting Blinko, or script a restart of the Blinko container after Authentik is ready. If you want a permanent fix, consider upgrading to a version after v1.0.0-rc.1 where this bug is resolved citation.

If you need to patch it yourself, you’d want to add retry logic or better error handling around the well-known config fetch in the OAuth strategy initialization code citation.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}