diff --git a/modules/server/containers/apps/immich.nix b/modules/server/containers/apps/immich.nix
index 1882e1f..4be43a7 100644
--- a/modules/server/containers/apps/immich.nix
+++ b/modules/server/containers/apps/immich.nix
@@ -81,7 +81,7 @@ in {
                           .oauth.profileSigningAlgorithm = "RS256" |
                           .oauth.clientId = "immich" | 
                           .oauth.clientSecret = "'"$IMMICH_OAUTH_SECRET"'" | 
-                          .oauth.issuerUrl = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}" | 
+                          .oauth.issuerUrl = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}/application/o/immich/" | 
                           .oauth.scope = "openid profile email" |
                           .oauth.buttonText = "Login with SSO"' | \
         ${pkgs.curl}/bin/curl -s -X PUT "$IMMICH_URL/api/system-config" -H "Cookie: immich_access_token=$IMMICH_TOKEN; immich_auth_type=password; immich_is_authenticated=true" -H "Content-Type: application/json" -d @-
diff --git a/modules/server/containers/data/authentik/ldap.yaml b/modules/server/containers/data/authentik/ldap.yaml
index c24408f..3565076 100644
--- a/modules/server/containers/data/authentik/ldap.yaml
+++ b/modules/server/containers/data/authentik/ldap.yaml
@@ -75,4 +75,4 @@ entries:
       name: ldap
       group: _
       provider:
-        - !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]
+        !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]