Login Loop with OIDC #3729

Closed
opened 2026-02-05 07:16:46 +03:00 by OVERLORD · 9 comments

Originally created by @kakt1s on GitHub (Apr 4, 2023).

Describe the Bug

When attempting to auth with OIDC via Keycloak, after being redirected back to the /oidc/callback endpoint with the code I am being redirected back to the base url (which I assume is intended), but then from there being redirected back to the login screen. No errors or popups are being displayed in the process.

Bookstack version: 21.12.2
Bookstack platform: prebuilt docker container
Keycloak version: 11.0.3

Steps to Reproduce

Deploy docker containers for v21.12.2 via docker-compose (lscr.io/linuxserver/bookstack)
Configure OIDC settings in .env file
Add bookstack client and protocol mappers in Keycloak
Attempt to log in
Enter IdP creds in keycloak
Get redirected to login screen

Expected Behaviour

Should be authenticated once redirected to the oidc/callback endpoint

Screenshots or Additional Context

No response

Browser Details

No response

Exact BookStack Version

v21.12.2

PHP Version

No response

Hosting Environment

Docker containers running on a Ubuntu 22.04 system, no proxies

OVERLORD added the 🐛 Bug label 2026-02-05 07:16:46 +03:00

@ssddanbrown commented on GitHub (Apr 4, 2023):

Hi @kakt1s,
Before I spend the time trying to emulate this environment could you possibly:

  • Update your instance to be using the latest version of BookStack. Then confirm back if anything has changed. I vaguely remember improving the error notifications of OIDC errors at some point in the past.
  • Confirm if this was working before, or if you're only now adding OIDC to an existing system?
  • Provide screenshots, where possible, of your config within Keycloak.

@kakt1s commented on GitHub (Apr 4, 2023):

Sadly, I don't control the system it's on, so if it ends up being a known bug, I won't be able to do much to fix that :/
I have added OIDC to an existing system, I tried adding the external user ids to some users for testing and had the same result. I also tried authenticating with a user that only exists in Keycloak and had the login loop issue as well.
For screenshots, my bookstack instance is on an offline network so I can't add screenshots, but I can give you the values of any relevant fields you're needing.
Sorry for the hassle with my environment.


@kakt1s commented on GitHub (Apr 4, 2023):

For the keycloak configs, I just created the client and set the access type to confidential, then added the email and profile scopes to its optional client scopes. The email and profile scopes are tied to protocol mappers of the same names.
I believe those are the only real changes I made from the client defaults in Keycloak


@kakt1s commented on GitHub (Apr 4, 2023):

Also, when I set OIDC_DUMP_USER_DETAILS, I get a successful dump of the authenticated user's data. Not sure if that helps with troubleshooting or not


@ssddanbrown commented on GitHub (Apr 4, 2023):

> I get a successful dump of the authenticated user's data. Not sure if that helps with troubleshooting or not

That does indeed. I'm fairly sure you're hitting an error scenario, but BookStack is not managing to show you the error message (Gets lost in the journey) which is something I fixed in ce566bea2a, which was part of v22.02.

Since you're getting to the stage of dumping user details, I can only guess the following error scenarios (Since these happen after):

  • User ID Token validation is failing (There's quite a few checks done in validating a token).
  • The user is already logged in (Assuming this does not apply here).
  • The user does not already exist (based upon BookStack user external_auth_id exact match to sub claim) but their email already exists in the system.

Getting updated would really benefit here.

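Modelled on the three failure scenarios listed above, as an added example that is not BookStack's own code: a minimal relying-party user resolution that checks the ID token claims, matches on `external_auth_id` equal to the `sub` claim, and turns each failure into an explicit error rather than a silent bounce to the login page. The issuer, client id, user table and token claims are constructed for the example.

```python
import time
from dataclasses import dataclass

class OidcLoginError(Exception):
    """One of the post-callback failures; the RP must show this, not silently bounce to /login."""

@dataclass
class User:
    email: str
    external_auth_id: str = ""  # empty for users created before OIDC was enabled

def validate_id_token_claims(claims, issuer, client_id, now=None):
    # Claim checks an RP runs after verifying the token signature (signature check assumed done).
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise OidcLoginError("id_token issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise OidcLoginError("id_token audience does not include this client")
    if claims.get("exp", 0) <= now:
        raise OidcLoginError("id_token expired")
    if not claims.get("sub"):
        raise OidcLoginError("id_token has no sub claim")

def resolve_user(claims, users, issuer, client_id, already_logged_in=False, now=None):
    """Return the matching or newly created User, or raise OidcLoginError with the reason."""
    validate_id_token_claims(claims, issuer, client_id, now)
    if already_logged_in:
        raise OidcLoginError("a user is already logged in")
    sub, email = claims["sub"], claims.get("email", "")
    for u in users:
        if u.external_auth_id == sub:  # exact match on external_auth_id, as the comment describes
            return u
    if any(u.email == email for u in users):
        # Pre-existing account with the same email but no (or a different) external_auth_id.
        raise OidcLoginError(f"email {email} already exists; set that user's external_auth_id to {sub}")
    new_user = User(email=email, external_auth_id=sub)
    users.append(new_user)
    return new_user

def attempt_login(claims, users, issuer, client_id, already_logged_in=False, now=None):
    """Convert the outcome into ('ok', user) or ('error', message) so the UI can display it."""
    try:
        return ("ok", resolve_user(claims, users, issuer, client_id, already_logged_in, now))
    except OidcLoginError as e:
        return ("error", str(e))

# Constructed sample data: a user table from before OIDC was enabled, and Keycloak-style claims.
ISSUER, CLIENT_ID = "https://idp.example.test/realms/demo", "bookstack"
SAMPLE_USERS = [User("alice@example.test"), User("bob@example.test", "kc-bob-uuid")]
ALICE_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "exp": 4102444800, "sub": "kc-alice-uuid", "email": "alice@example.test"}
```

Running `attempt_login(ALICE_CLAIMS, list(SAMPLE_USERS), ISSUER, CLIENT_ID)` reproduces the third scenario: Alice's email already exists but her account has no `external_auth_id`, so the login fails with a message instead of succeeding.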

@kakt1s commented on GitHub (Apr 4, 2023):

Sadly, I stood up another test stack with docker running v23.02.2 and it works with my Keycloak config and my oidc configs without issue. If I go to upgrade to that with my current data set, will I run into schema issues?


@ssddanbrown commented on GitHub (Apr 5, 2023):

> Sadly, I stood up another test stack with docker running v23.02.2 and it works with my Keycloak config and my oidc configs without issue.

I'm assuming that test stack was lacking the same set of existing users, and therefore may indicate you're erroring on the third point listed in my last comment.

> If I go to upgrade to that with my current data set, will I run into schema issues?

Depends on how you go about it.
Either way, be sure to have backups first.
If you're just upgrading the existing instance in-place, that generally should be fine. The system is designed to be upgradable from any previous release. Database migrations should run on first start of the new container version (Be sure to watch logs and note any logs on first start-up, as subsequent errors can be misguiding).

If you intend to migrate to that separate test stack, that's also possible but the order very much matters. You should not merge the database into another with existing tables.

I go through backup/restore/update procedures in detail, for this kind of stack, in my video here:
https://www.youtube.com/watch?v=6A8hLuQTkKQ


@kakt1s commented on GitHub (Apr 5, 2023):

I got approval for an update and it's working now, thanks for your help.


@ssddanbrown commented on GitHub (Apr 5, 2023):

@kakt1s Good news!

Enjoy all the new features added last year (https://www.bookstackapp.com/blog/bookstack-in-2022/#new-features--enhancements) and this year so far!

Reference: starred/BookStack#3729