Sync to server behind OIDC & Reverse Proxy
Trilium Version
0.95.0
What operating system are you using?
Other Linux
What is your setup?
Local + server sync
Operating System Version
LXC & Windows 10
Description
I have a server set up on an LXC with a reverse proxy and OIDC authentication. This is all working as expected. However, in my desktop app, when I enter the reverse proxy address in the Server instance address field and click on sync, I receive an error.
Sync failed: Request to GET https://trilium.mydomain.com/api/setup/status failed, error: Unexpected token '<', "<!doctype "... is not valid JSON
Is there a specific setting to allow sync via authenticated reverse proxy? Sync did work when just using the local IP of the server instance.
Error logs
No response
Hi @truncsphere! I'm Dosu and I’m helping the Trilium team.
Trilium doesn't support syncing through a reverse proxy that enforces OIDC authentication. The error you're seeing happens because the desktop app expects a JSON response from the API, but the reverse proxy returns an HTML login page when authentication isn't satisfied, which the app can't parse as JSON.
Trilium's sync endpoints require the password-based authentication set during server initialization, not OIDC. OIDC is only supported for web login, not for desktop sync. There's no built-in way for the desktop client to pass OIDC credentials to the proxy, so sync through an OIDC-protected endpoint isn't possible out of the box.
If you want to use OIDC for web access but still allow desktop sync, you can either expose a separate endpoint for sync without OIDC, or (with caution) disable Trilium's internal authentication (noAuthentication=true) and rely on your reverse proxy for access control. Be aware that this has security implications; make sure your proxy is properly secured.
For more details, see the Synchronization documentation and related OIDC setup discussions.
This doesn't really help. I feel having only a password is not secure enough. Having the ability to sync while using OIDC would allow me to keep the application more secure.
Additionally, using Pocket-ID as the OIDC provider via the built-in supported method does not currently work. See https://github.com/orgs/TriliumNext/discussions/6318
I have a similar issue: I'm exposing Trilium by having a reverse authentication proxy in front of it and this works really well. Then I have /api and /share paths configured separately in my reverse proxy so that they do not require authentication in the proxy layer. This also works so that I can share notes publicly and I can also access API without any issue.
However, this doesn't quite work for synchronising, as sync currently seems to require that the server has a password enabled. https://github.com/TriliumNext/Trilium/blob/3afe6df9f26aed727b307bf1916d83752f3ef95f/apps/server/src/services/auth.ts#L146 ensures that a password is enabled.
I'm thinking that if the synchronisation could also work with API tokens instead of passwords, then this issue could be resolved relatively easily?
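The path split described in the previous comment (proxy-layer OIDC on the UI, but /api and /share passed through without it) looks roughly like the following. This is an added example, not a config from this thread or from the Trilium project; it assumes nginx in front of Trilium listening on 127.0.0.1:8080 and an oauth2-proxy-style forward-auth service on 127.0.0.1:4180 exposing /oauth2/auth and /oauth2/start. Those addresses and paths are assumptions; adjust them to your own proxy and IdP setup.

```nginx
# Added example, not from the thread or the Trilium project.
# Assumed: Trilium on http://127.0.0.1:8080; OIDC forward-auth service on
# http://127.0.0.1:4180 whose /oauth2/auth returns 2xx for a valid browser
# session and 401 otherwise, and whose /oauth2/start begins the login flow.
server {
    listen 443 ssl;
    server_name trilium.mydomain.com;
    # ssl_certificate / ssl_certificate_key omitted

    # Browser UI: every request must pass the OIDC forward-auth subrequest.
    location / {
        auth_request /oauth2/auth;
        error_page 401 = @oidc_login;
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Sync/API and public shares: no proxy-layer auth on these paths, so
    # they are guarded only by Trilium's own password/session/token checks.
    # Do NOT combine this with noAuthentication=true on the Trilium server,
    # or /api becomes reachable by anyone who can reach the proxy.
    location /api/ {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    location /share/ {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Internal subrequest target for auth_request (body stripped).
    location = /oauth2/auth {
        internal;
        proxy_pass http://127.0.0.1:4180/oauth2/auth;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header Host $host;
        proxy_set_header X-Original-URI $request_uri;
    }

    # Login flow and callback handled by the forward-auth service.
    location /oauth2/ {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Unauthenticated browser hits on the UI are sent to the IdP login.
    location @oidc_login {
        return 302 /oauth2/start?rd=$scheme://$host$request_uri;
    }
}
```

To confirm the carve-out is in effect, `curl -sI https://trilium.mydomain.com/api/setup/status` should come back with a JSON content type rather than the text/html login page the desktop client choked on, while `curl -sI https://trilium.mydomain.com/` should 302 to the IdP. Note that this only restores the password-protected sync path the thread is discussing; it does not give the desktop client OIDC, and it leaves /api relying entirely on Trilium's own authentication, which is why token-based sync is the change being asked for.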
@garo ,
I'm thinking that if the synchronisation could also work with API tokens instead of passwords, then this issue could be resolved relatively easily?
That's exactly what needs to be implemented to get this going.