Remote User Access - Access Token is invalid or expired

[Nvitalian 8]

Wrong Area: This should be in Docker, Sorry.

I've dug around but I'm not finding anything that matches my situation. Apologies ahead of time if I missed something.

Emby Container
Version 4.8.10.0

Everything locally is fantastic, I have no issue with any of the users I've created.

I can not get any user to auth remotely though, I get the token error.

I've double-checked all users have the tick box checked: "Allow remote connections to this Emby Server. If unchecked, all remote connections will be blocked."

Happy to upload any configs or anything else needed.

Thank you in advance.

Emby Server Log.txt

Edited February 22, 2025 by Nvitalian
Wrong Area: This should be in Docker, Sorry.

[Luke 42077]

Hi there, what exactly happens on screen?

[Nvitalian 8]

I've tried multiple user.

[Luke 42077]

OK please attach the complete emby server log file. Thanks.

[Nvitalian 8]

Let me know if that's overly redacted.

Thanks

embyserver-2.22.25.txt

[Nvitalian 8]

So I'm messing around. I took one of the existing users and tied it to an Emby account xxxx@xxxx.xxx. Signed in through the Andriod app and I can access the server.

I'm going to try with a few more.

[Nvitalian 8]

So the account I was able to get to work was the admin account. Is anyone aware of a setting or tic box I'd be missing that would trigger this token issue?

[Luke 42077]

5 hours ago, Nvitalian said:

Let me know if that's overly redacted.

Thanks

embyserver-2.22.25.txt 3.1 kB · 1 download

Hi, this is still an edited log. The original is needed. You can get an anonymized log by downloading it from your server dashboard. Thanks.

[Nvitalian 8]

embyserver-02.txt

[Luke 42077]

Hi, if you disable cloudfare, how do things compare?

[Nvitalian 8]

This seems to be isolated to the Android app, at least that is the only way I have to test externally. No crapple device or Roku TV externally I can use.

Via a mobile browser, chrome, firefox, edge off of the Android device works.

This is across 3 devices as well.

I shut down the proxying for the domain and checked DNS resolution to verify the raw public is being served.

I still get the token error on all 3 devices.

I decided just for giggles to rebuild my Reverse Proxy NPM. No change.

I've been digging through my firewall as well, I log both inbound and outbound. I'm not seeing anything there either.

I shut down any of the UTM features on both rulesets just to check.

 

Appreciate the help.

[Nvitalian 8]

Pulling this from my reverse proxy if it helps

proxy.txt

[Lessaj 467]

Hm, authenticatebyname is supposed to be a POST, not a GET...

[Luke 42077]

1 hour ago, Lessaj said:

Hm, authenticatebyname is supposed to be a POST, not a GET...

Good catch. If that’s what’s happening then it’s an improperly configured reverse proxy most likely .

[Nvitalian 8]

Thank you, I'm digging into it.

[Luke 42077]

I would suggest comparing to this:;

Even if you don't use nginx, most reverse proxies have a similar set of options.

[Nvitalian 8]

Definitely a sub-domain vs sub-directory issue. I have Emby sitting as an app in my Truenas server. Looks to be more learning in store. Thank you very much for pointing me in right direction.

[Nvitalian 8]

If I need to close this down and open a new post please let me know.

So what I can't figure out is Emby is running as a container. It's connected to the host network. Publicly, it has its own subdomain. A record pointed to NPM. Is there an environment variable I'm supposed to be setting to do subdomain? I see the issue with the GET coming through and no POST and the rewrite through NPM does nothing.
 

In Emby I have the External domain set in network settings. Wondering if I should dump using a Truenas "App" and build the container through portainer or cli.

 

Thanks in advance.

Edited February 26, 2025 by Nvitalian

[Nvitalian 8]

I should add this token issue only occurs via the Android app. Going through a browser is fine.

But... If you sign in via Emby Connect, select the server, you can pass through just fine.

Edited February 26, 2025 by Nvitalian

[Neminem 1518]

Here is some hints, on how I got it working with NPM.

I use awsome.domain.com

add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-Permitted-Cross-Domain-Policies "master-only" always;
add_header Pragma "no-cache" always;
add_header Cache-Control "no-store" always;

Its not pretty and its not secure in anyway, I only get a B, something about "Content Security Policy (CSP)" that I never could get working in the NPM webui. 

 but it works for me.

[Lessaj 467]

22 minutes ago, Neminem said:

What testing service is this? I want to check mine, I get an A+ with Qualys but I don't think they check CSP.

[Neminem 1518]

Its from this test

HTTP Header Security Test - HTTP Observatory | MDN

[Neminem 1518]

With Qualys I get an A+ too

[Lessaj 467]

Thanks, implemented CSP now.

[Neminem 1518]

Ohh wow is that in NPM ?

How ?