[Bug Report]: Login catch-22 when switching to OIDC authentication #2523

Closed
opened 2026-02-05 04:24:33 +03:00 by OVERLORD · 4 comments

Originally created by @Northguy on GitHub (Dec 6, 2021).

Describe the Bug

I would like to switch from 'regular' login to OIDC login. I have configured Authelia as an OpenID client and seem to successfully proceed through the authentication process, until Authelia returns me back to Bookstack. Bookstack responds with 'user with e-mail xxxxx@xxxx.com already exists', which is obvious as I would like to login with the same user I created in Bookstack as I have in Authelia.
According to the documentation, Bookstack should make a match between both users, based on e-mail. Is this a bug or am I doing something wrong? I am a bit at a loss where to start debugging.

Steps to Reproduce

  • Create a Bookstack instance through Docker
  • Create regular users (me@home.com)
  • Configure Bookstack to use OIDC
  • Try to login with an existing OIDC user with same e-mail as was used to create a user in Bookstack
  • Bookstack returns: user with e-mail me@home.com already exists
    (screenshot) https://user-images.githubusercontent.com/1189058/144852539-0b940417-ab34-41f9-af5a-649e16f410b8.png

Expected Behaviour

Existing user in Bookstack should be recognized by e-mail address and OIDC user should provide access.

Screenshots or Additional Context

No response

Exact BookStack Version

BookStack v21.11.2

PHP Version

??

Hosting Environment

Running in Docker with image https://docs.linuxserver.io/images/docker-bookstack behind Traefik reverse proxy and Authelia as OIDC provider

OVERLORD added the 🐛 Bug label 2026-02-05 04:24:33 +03:00

@ssddanbrown commented on GitHub (Dec 6, 2021):

BookStack matches OIDC provided users to BookStack users based upon a unique OIDC provided ID, against the "External Authentication ID" value for a user.

If your user was initially created with non-OIDC auth, then the email will already exist in BookStack but since the BookStack user does not share the same unique ID (Since a standard auth user won't have an "External Authentication ID" value) they won't be matched together (It opens up some security concerns if we start matching based on email from other auth sources).

To remedy this for your user you can:

  • Login via standard auth.
  • Change the auth method to oidc while logged in.
  • Edit your user in BookStack
  • You should see the "External Authentication ID" field when editing your own user as an admin.
  • Set this field to match the ID provided by your OIDC provider.

Depending on container setup, this may prove tricky. The "External Authentication ID" field can alternatively be found on the users table in the database.

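The linking step described above, as an added example that is not BookStack's own code and not something posted in this thread. It assumes (the thread does not say so) that the value BookStack stores in the "External Authentication ID" field is the `sub` claim of the provider's ID token, that the column on the `users` table is named `external_auth_id`, and it stands an in-memory SQLite table in for the MySQL `users` table so the script runs offline. The sample ID token and the two user rows are constructed for the example. The point it makes explicit is the one behind the maintainer's remark about security: the login path looks a user up by `external_auth_id` only, so the fix is to set that field for the one intended account, while refusing to overwrite an existing link or to hand one OIDC identity to a second account.

```python
"""Link an existing local BookStack user to an OIDC identity (added example).

Assumptions, not taken from the thread:
  * BookStack matches OIDC logins on the ID token's `sub` claim, stored in
    users.external_auth_id (an empty string when the user was created locally).
  * An in-memory SQLite table stands in for the real MySQL `users` table.
"""
import base64
import json
import sqlite3


def _b64url(obj) -> str:
    """Base64url-encode a JSON object without padding, as JWS does."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample ID token (header.payload.placeholder); not a real token.
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"iss": "https://auth.example.test", "sub": "northguy",
             "email": "me@home.com"}),
    "not-a-real-signature",
])


def decode_jwt_payload(id_token: str) -> dict:
    """Return the claims of an ID token WITHOUT verifying its signature.

    This is only for an admin reading the `sub` value to copy into the
    External Authentication ID field; BookStack verifies the token at login.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def make_users_table() -> sqlite3.Connection:
    """Constructed stand-in for the users table with two local accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        name TEXT NOT NULL,
        email TEXT NOT NULL UNIQUE,
        external_auth_id TEXT NOT NULL DEFAULT '')""")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("Northguy", "me@home.com"), ("Admin", "admin@home.com")])
    conn.commit()
    return conn


def find_user_for_oidc(conn: sqlite3.Connection, sub: str):
    """The lookup BookStack performs at OIDC login: by external id, never by email.

    Returns (id, email) or None. None is the state that produces the
    'user with e-mail ... already exists' error, because BookStack then tries
    to create a new account with the same email.
    """
    return conn.execute(
        "SELECT id, email FROM users WHERE external_auth_id = ?", (sub,)
    ).fetchone()


def link_oidc_identity(conn: sqlite3.Connection, email: str, sub: str) -> int:
    """Set external_auth_id for the local user with this email.

    Refuses a sub already owned by another account and refuses to overwrite an
    existing link: either would let one OIDC identity log in as a different user.
    """
    taken = conn.execute(
        "SELECT id FROM users WHERE external_auth_id = ? AND email != ?",
        (sub, email)).fetchone()
    if taken:
        raise ValueError(f"sub {sub!r} is already linked to user id {taken[0]}")
    cur = conn.execute(
        "UPDATE users SET external_auth_id = ? "
        "WHERE email = ? AND (external_auth_id IS NULL OR external_auth_id = '')",
        (sub, email))
    conn.commit()
    if cur.rowcount != 1:
        raise ValueError(f"no unlinked user with email {email!r}")
    return cur.rowcount


if __name__ == "__main__":
    db = make_users_table()
    sub = decode_jwt_payload(SAMPLE_ID_TOKEN)["sub"]
    print("before linking:", find_user_for_oidc(db, sub))
    link_oidc_identity(db, "me@home.com", sub)
    print("after linking:", find_user_for_oidc(db, sub))
```

On a real instance the same change is one parameter-free statement run through the mysql client, of the shape `UPDATE users SET external_auth_id = '<sub>' WHERE email = '<email>' AND external_auth_id = '';`, with the `AND external_auth_id = ''` guard kept so an already-linked account is never silently re-pointed at a different identity.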

@Northguy commented on GitHub (Dec 6, 2021):

Hi @ssddanbrown,

Thanks. In order to edit my user while being logged in: how do I change the auth method to oidc while logged in?

I did change the AUTH_METHOD=oidc environment variable in my .env file as well as login via CLI of my container, but I assume these are only read when I restart Bookstack. Restarting the bookstack instance, will result in being logged out again and put me back at the catch-22 of not being able to login?

So how do I 'hot' switch to OIDC?


@ssddanbrown commented on GitHub (Dec 6, 2021):

@Northguy That variable should be read upon each request ideally so should be able to hot-switch. Variables on the container environment could interfere/override though and not be hot-switchable.

I would try removing any AUTH_METHOD environment variables at a container/docker level and just change via the .env file. Hopefully it should then be 'hot' switchable.


@Northguy commented on GitHub (Dec 7, 2021):

@ssddanbrown thanks for the pointer in the right direction. For future reference:
The Linuxserver.io bookstack docker container requires a volume share. In this share the .env file is created, based on initial docker-compose environment variables. It is possible to add additional variables there (/config/www/.env) and these indeed act as 'hot' switchable.

Reference: starred/BookStack#2523