Permission error after switching to OIDC #3652

Closed
opened 2026-02-05 07:09:58 +03:00 by OVERLORD · 0 comments
Owner

Originally created by @10935336 on GitHub (Mar 20, 2023).

Describe the Bug

I'm trying to log in to BookStack using OIDC, with Keycloak as the IdP.

In order to use group sync, I created groups "superadmin" and "op" in Keycloak and roles with the same names in BookStack.

  • "superadmin" role had all 54 permissions.
  • "op" has 52 permissions (unable to manage app settings and role permissions).
  • The old admin role was called "oldadmin" and also had all 54 permissions.

I created a new user in Keycloak and added it to the superadmin and op groups.

Once I had successfully integrated OIDC and configured group sync, I filled in the external authentication ID on the original local user, then logged out and logged back in. It was just like logging in to the original local account, and the user received the "superadmin" and "op" roles correctly.

But I can't see my private books (only I have permission to view them).
Also, the "superadmin" role permissions don't seem to be fully in effect: I can change system settings etc., but I can't see hidden books in the system.

If I grant myself the "oldadmin" role, I can view all books in the system.

I had another sysadmin try the same thing and he couldn't see his private books either.

Steps to Reproduce

I'm honestly not sure how to reproduce this issue, it's a bit complicated.

  1. Set up Keycloak and use OIDC to integrate it with BookStack
  2. Create the groups superadmin and op in Keycloak
  3. Create a user in Keycloak and add it to the superadmin and op groups
  4. Create the roles superadmin and op in BookStack; superadmin has all 54 permissions, op has 52 permissions (unable to manage app settings and role permissions)
  5. Set up group sync
  6. Use OIDC to log in to BookStack, and fill in the external ID in the user information
  7. Log out and log in again; the account looks the same as the previous local account, and the groups are automatically synchronized as superadmin and op
  8. Can't see my books
  9. Can't see other hidden books
  10. Grant yourself the old "oldadmin" role, and you can see hidden books in the system again

Expected Behaviour

The permissions system should work normally:

  • Can see your private books normally
  • Can see other hidden books in the system normally

Screenshots or Additional Context

No response

Browser Details

Chrome 111.0.5563.65

Exact BookStack Version

BookStack v23.02.1

PHP Version

PHP 8.1.7

Hosting Environment

Bare metal server, RHEL 8, website behind CDN

OVERLORD added the 🐛 Bug label 2026-02-05 07:09:58 +03:00
Reference: starred/BookStack#3652