OpenID Connect: Undefined array key "use" when JWK missing the optional use key #3358

Closed
opened 2026-02-05 06:29:05 +03:00 by OVERLORD · 4 comments

Originally created by @107142 on GitHub (Nov 22, 2022).

Describe the Bug

When filtering the JWK keys, the function filterKey in OidcProviderSettings.php expects the key use to be present with the sig value, which I assume is because encryption is not supported.

The problem here is that the use key is optional according to the RFC (https://www.rfc-editor.org/rfc/rfc7517#section-4.2), although the wording is quite ambiguous, and our OIDC provider does not have it, resulting in a crash during parsing and an error exception:

Undefined array key "use"
#0 /var/www/bookstack/app/Auth/Access/Oidc/OidcProviderSettings.php(169): Illuminate\Foundation\Bootstrap\HandleExceptions->handleError(2, 'Undefined array...', '/var/www/bookst...', 169)
#1 [internal function]: BookStack\Auth\Access\Oidc\OidcProviderSettings->BookStack\Auth\Access\Oidc\{closure}(Array)
#2 /var/www/bookstack/app/Auth/Access/Oidc/OidcProviderSettings.php(170): array_filter(Array, Object(Closure))
#3 /var/www/bookstack/app/Auth/Access/Oidc/OidcProviderSettings.php(155): BookStack\Auth\Access\Oidc\OidcProviderSettings->filterKeys(Array)
#4 /var/www/bookstack/app/Auth/Access/Oidc/OidcProviderSettings.php(116): BookStack\Auth\Access\Oidc\OidcProviderSettings->loadSettingsFromIssuerDiscovery(Object(GuzzleHttp\Client))
#5 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Cache/Repository.php(391): BookStack\Auth\Access\Oidc\OidcProviderSettings->BookStack\Auth\Access\Oidc\{closure}()
#6 /var/www/bookstack/app/Auth/Access/Oidc/OidcProviderSettings.php(117): Illuminate\Cache\Repository->remember('oidc-discovery:...', 900, Object(Closure))
#7 /var/www/bookstack/app/Auth/Access/Oidc/OidcService.php(108): BookStack\Auth\Access\Oidc\OidcProviderSettings->discoverFromIssuer(Object(GuzzleHttp\Client), Object(Illuminate\Cache\Repository), 15)
#8 /var/www/bookstack/app/Auth/Access/Oidc/OidcService.php(53): BookStack\Auth\Access\Oidc\OidcService->getProviderSettings()
#9 /var/www/bookstack/app/Http/Controllers/Auth/OidcController.php(29): BookStack\Auth\Access\Oidc\OidcService->login()
#10 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Controller.php(54): BookStack\Http\Controllers\Auth\OidcController->login()
#11 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Routing/ControllerDispatcher.php(45): Illuminate\Routing\Controller->callAction('login', Array)
#12 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Route.php(262): Illuminate\Routing\ControllerDispatcher->dispatch(Object(Illuminate\Routing\Route), Object(BookStack\Http\Controllers\Auth\OidcController), 'login')
#13 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Route.php(205): Illuminate\Routing\Route->runController()
#14 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Router.php(721): Illuminate\Routing\Route->run()
#15 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(128): Illuminate\Routing\Router->Illuminate\Routing\{closure}(Object(BookStack\Http\Request))
#16 /var/www/bookstack/app/Http/Middleware/CheckGuard.php(27): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#17 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): BookStack\Http\Middleware\CheckGuard->handle(Object(BookStack\Http\Request), Object(Closure), 'oidc')
#18 /var/www/bookstack/app/Http/Middleware/Localization.php(45): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#19 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): BookStack\Http\Middleware\Localization->handle(Object(BookStack\Http\Request), Object(Closure))
#20 /var/www/bookstack/app/Http/Middleware/RunThemeActions.php(26): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#21 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): BookStack\Http\Middleware\RunThemeActions->handle(Object(BookStack\Http\Request), Object(Closure))
#22 /var/www/bookstack/app/Http/Middleware/CheckEmailConfirmed.php(47): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#23 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): BookStack\Http\Middleware\CheckEmailConfirmed->handle(Object(BookStack\Http\Request), Object(Closure))
#24 /var/www/bookstack/app/Http/Middleware/PreventAuthenticatedResponseCaching.php(21): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#25 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): BookStack\Http\Middleware\PreventAuthenticatedResponseCaching->handle(Object(BookStack\Http\Request), Object(Closure))
#26 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php(78): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#27 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Foundation\Http\Middleware\VerifyCsrfToken->handle(Object(BookStack\Http\Request), Object(Closure))
#28 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/View/Middleware/ShareErrorsFromSession.php(49): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#29 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\View\Middleware\ShareErrorsFromSession->handle(Object(BookStack\Http\Request), Object(Closure))
#30 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php(121): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#31 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php(64): Illuminate\Session\Middleware\StartSession->handleStatefulRequest(Object(BookStack\Http\Request), Object(Illuminate\Session\Store), Object(Closure))
#32 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Session\Middleware\StartSession->handle(Object(BookStack\Http\Request), Object(Closure))
#33 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Cookie/Middleware/AddQueuedCookiesToResponse.php(37): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#34 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse->handle(Object(BookStack\Http\Request), Object(Closure))
#35 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Cookie/Middleware/EncryptCookies.php(67): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#36 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Cookie\Middleware\EncryptCookies->handle(Object(BookStack\Http\Request), Object(Closure))
#37 /var/www/bookstack/app/Http/Middleware/ApplyCspRules.php(33): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#38 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): BookStack\Http\Middleware\ApplyCspRules->handle(Object(BookStack\Http\Request), Object(Closure))
#39 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(103): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#40 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Router.php(723): Illuminate\Pipeline\Pipeline->then(Object(Closure))
#41 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Router.php(698): Illuminate\Routing\Router->runRouteWithinStack(Object(Illuminate\Routing\Route), Object(BookStack\Http\Request))
#42 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Router.php(662): Illuminate\Routing\Router->runRoute(Object(BookStack\Http\Request), Object(Illuminate\Routing\Route))
#43 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Router.php(651): Illuminate\Routing\Router->dispatchToRoute(Object(BookStack\Http\Request))
#44 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(167): Illuminate\Routing\Router->dispatch(Object(BookStack\Http\Request))
#45 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(128): Illuminate\Foundation\Http\Kernel->Illuminate\Foundation\Http\{closure}(Object(BookStack\Http\Request))
#46 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Http/Middleware/TrustProxies.php(39): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#47 /var/www/bookstack/app/Http/Middleware/TrustProxies.php(41): Illuminate\Http\Middleware\TrustProxies->handle(Object(BookStack\Http\Request), Object(Closure))
#48 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): BookStack\Http\Middleware\TrustProxies->handle(Object(BookStack\Http\Request), Object(Closure))
#49 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php(21): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#50 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TrimStrings.php(40): Illuminate\Foundation\Http\Middleware\TransformsRequest->handle(Object(BookStack\Http\Request), Object(Closure))
#51 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Foundation\Http\Middleware\TrimStrings->handle(Object(BookStack\Http\Request), Object(Closure))
#52 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/ValidatePostSize.php(27): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#53 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Foundation\Http\Middleware\ValidatePostSize->handle(Object(BookStack\Http\Request), Object(Closure))
#54 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/PreventRequestsDuringMaintenance.php(86): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#55 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Foundation\Http\Middleware\PreventRequestsDuringMaintenance->handle(Object(BookStack\Http\Request), Object(Closure))
#56 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(103): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#57 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(142): Illuminate\Pipeline\Pipeline->then(Object(Closure))
#58 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(111): Illuminate\Foundation\Http\Kernel->sendRequestThroughRouter(Object(BookStack\Http\Request))
#59 /var/www/bookstack/public/index.php(53): Illuminate\Foundation\Http\Kernel->handle(Object(BookStack\Http\Request))
#60 {main}

Steps to Reproduce

  1. Connect BookStack to an OpenID Connect provider that does not have the use key present in the jwks endpoint
  2. Set OIDC_ISSUER_DISCOVER to true
  3. Attempt to log-in

Expected Behaviour

Absence of the use key should not necessarily result in an exception. Maybe a warning?

Screenshots or Additional Context

No response

Browser Details

Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0

Exact BookStack Version

v22.10.2

PHP Version

8.1.12

Hosting Environment

Rancher Kubernetes

Docker image: solidnerd/bookstack:latest

Clean install

OVERLORD added the 🐛 Bug label 2026-02-05 06:29:05 +03:00

@ssddanbrown commented on GitHub (Nov 22, 2022):

Thanks for the clear report @107142. To add, the OIDC discovery spec (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata) states:

This contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure.

Agreed that this should not cause an exception on check, but not totally sure how to handle missing use parameters. Options:

  • As advised, show a warning.
    • Will be a little annoying to record and report such warnings unless we'd be happy for them to block further processing of additional potentially fully-defined keys.
  • Simply ignore keys without a use.
    • Might cause frustration in scenarios where the user is expecting the key to be used but bookstack is not finding any valid keys, and not reporting the skipping of such a key.
  • Assume such keys to be available for signing use.
    • Hard to understand if this could be valid usage. The JWK spec does not specify a default. The OIDC discovery text, as quoted above, does make it sound like non-use keys would be considered signing keys, since the jwks containing encryption keys is stated as MAY and, in that case, the use param is required. So sounds like we could correctly state keys without use to be signing keys.
  • Assume such keys to be available for signing use, but demote them over keys with use set.

Based on the OIDC discovery spec, I'm thinking that the third option would be fine while also being super simple. Would be good to understand this against your real-world use-case. Would you be able to share the data of your jwks_uri? (URL found when viewing your <issuer>/.well-known/openid-configuration url). Of course anonymise/hide any values but I'd just like to see how the options would fit against your actual scenario, since I have not come across an OIDC system that causes this.

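The filtering behaviour that the third option above describes, as an added example in PHP that is not BookStack's own code: a JWK Set filter that treats a key without the optional use member as a signing key, drops keys explicitly marked for encryption, and separately reports which keys were defaulted so a caller that prefers the "show a warning" option can log them. The function names, the exception class and the sample JWKS (placeholder key material, not real RSA parameters) are constructed for this example; the commented-out line inside the filter shows the unconditional array read that produces the "Undefined array key" error in the report.

```php
<?php
declare(strict_types=1);

// Added example, not BookStack's own code. Demonstrates filtering a JWK Set
// so that a key lacking the optional 'use' member is treated as a signing key.

final class NoSigningKeyException extends RuntimeException {}

/**
 * Return the keys usable for verifying an RS256 signature.
 *
 * Rules, as settled on in the discussion above:
 *  - 'use' is optional (RFC 7517, section 4.2). A key without it defaults to
 *    'sig', because OIDC Discovery only REQUIRES 'use' when encryption keys
 *    are published in the same set as signing keys.
 *  - keys explicitly marked 'use' => 'enc' are dropped.
 *  - only RSA public keys carrying 'n' and 'e' are kept.
 *
 * Assumed name for this example; BookStack's real filter lives in
 * OidcProviderSettings and is not reproduced here.
 */
function filterSigningKeys(array $keys): array
{
    $kept = array_filter($keys, function (array $key): bool {
        // The reported crash comes from an unconditional read of the member:
        //     return $key['use'] === 'sig';
        // Under Laravel the resulting E_WARNING is escalated to an
        // ErrorException. Null-coalescing supplies the default instead.
        $use = $key['use'] ?? 'sig';
        $kty = $key['kty'] ?? '';

        return $use === 'sig'
            && $kty === 'RSA'
            && isset($key['n'], $key['e']);
    });

    return array_values($kept);
}

/**
 * Report the kids of keys that had no 'use' member, so a caller can log a
 * warning without rejecting the key (the first option in the thread).
 */
function keysDefaultedToSig(array $keys): array
{
    $ids = [];
    foreach ($keys as $i => $key) {
        if (!array_key_exists('use', $key)) {
            $ids[] = $key['kid'] ?? "index-{$i}";
        }
    }
    return $ids;
}

/**
 * Select the key for a token by its JWS header 'kid'. A token without a kid
 * is accepted only when exactly one signing key remains, so the choice is
 * unambiguous rather than "first key wins".
 */
function selectKeyForToken(array $signingKeys, ?string $kid): array
{
    if ($kid !== null) {
        foreach ($signingKeys as $key) {
            if (($key['kid'] ?? null) === $kid) {
                return $key;
            }
        }
        throw new NoSigningKeyException("No signing key with kid '{$kid}'");
    }
    if (count($signingKeys) === 1) {
        return $signingKeys[0];
    }
    throw new NoSigningKeyException('Token has no kid and the JWKS is ambiguous');
}

// Constructed sample JWKS (placeholder key material, not real RSA values):
// k1 has no 'use', k2 is an encryption key, k3 is an EC key.
$jwks = [
    'keys' => [
        ['kty' => 'RSA', 'kid' => 'k1', 'alg' => 'RS256', 'n' => 'AQ..', 'e' => 'AQAB'],
        ['kty' => 'RSA', 'kid' => 'k2', 'use' => 'enc', 'n' => 'AQ..', 'e' => 'AQAB'],
        ['kty' => 'EC',  'kid' => 'k3', 'use' => 'sig', 'crv' => 'P-256', 'x' => '..', 'y' => '..'],
    ],
];

$signing = filterSigningKeys($jwks['keys']);
foreach (keysDefaultedToSig($jwks['keys']) as $kid) {
    fwrite(STDERR, "warning: JWK {$kid} has no 'use' member, assuming sig\n");
}
$chosen = selectKeyForToken($signing, 'k1');
echo 'signing keys: ', implode(',', array_column($signing, 'kid')), PHP_EOL;
echo 'selected: ', $chosen['kid'], PHP_EOL;
```

With the sample set only k1 survives the filter: k2 is excluded because it is explicitly an encryption key, and k3 because it is not an RSA key. Defaulting a missing use to sig never lets an encryption key through, since a set that contains encryption keys must, per the discovery text quoted above, carry use on every key.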

@107142 commented on GitHub (Nov 23, 2022):

Hey,
I have since talked with the guys responsible for our IdP and the missing use key will be added, "fixing" the issue for me.
You can look at the jwks_uri (https://oidc.muni.cz/oidc/jwk) if you want.

Assume such keys to be available for signing use.

I kinda like this one the most and understand it the same way you do: unless stated otherwise, without the use present, keys are to be considered signing keys.
It would also seem to me that this is commonly used in the wild and it would make it compatible with the RFC (well, within reason; those RFCs are seriously not all that clear).


@ssddanbrown commented on GitHub (Nov 23, 2022):

Thanks for the extra detail and confirmation of this logic @107142.
I have now updated the logic in e20c944350 to assume that lack of use is treated as sig, and added a test to cover this scenario.

Will be part of the next feature release.


@107142 commented on GitHub (Nov 23, 2022):

Thank you for a speedy fix @ssddanbrown. Much appreciated.

Reference: starred/BookStack#3358