Bump OIDC timeout to 5 seconds #3928

Closed
opened 2026-02-05 07:52:58 +03:00 by OVERLORD · 11 comments

Originally created by @nabeelmoeen on GitHub (Jul 24, 2023).

Describe the Bug

Same issue as [OIDC Discovery Error: cURL error 28: Resolving timed out after 3000 milliseconds](https://github.com/BookStackApp/BookStack/issues/3360)

The configuration is based off Authelia's [example](https://www.authelia.com/integration/openid-connect/bookstack/)

I can curl the OIDC auto discovery end points from the bookstack container.
But when attempting to login using authelia, Bookstack throws a cURL time out error 28, as indicated in the screenshot.

The Bookstack instance I am using is currently using the default local authentication that I want to reconfigure for use with Authelia OIDC

Steps to Reproduce

  1. Setup docker containerised bookstack instance
  2. Update the authelia and bookstack setups as per Authelia's [example](https://www.authelia.com/integration/openid-connect/bookstack/)
  3. Attempt to login to Bookstack using the SSO / Authelia login.
  4. It produces the cURL timeout error (28) as indicated in provided screenshot
  5. The OIDC auto discovery url works fine when using curl in the bookstack docker container console, returning valid json with defined endpoints. (second screenshot below)

Expected Behaviour

Bookstack logs in using authelia authentication

Screenshots or Additional Context

[Screenshot: bookstack]
[Screenshot: DOCKER CURL]

Browser Details

Brave 1.56.11 on windows 11 64-bit

Exact BookStack Version

23.01.1

PHP Version

No response

Hosting Environment

  1. Dockerised version of BookStack on a different host machine
  2. vs. Authelia, which is also setup as a docker container.
  3. Reverse proxy: Caddy
  4. Authelia setup to authenticate using an LLDAP instance
OVERLORD added the 🚪 Authentication🏭 Back-End labels 2026-02-05 07:52:59 +03:00

@nabeelmoeen commented on GitHub (Jul 24, 2023):

It appears the Curl command on the bookstack container console is taking just above 4 seconds to run, which may explain the timeout of 3 seconds in the error.

Is there a way to increase the timeout?

The output of `time curl https://auth.mydomain/.well-known/openid-configuration`:

```
real    0m4.281s
user    0m0.043s
sys     0m0.005s
```

@ssddanbrown commented on GitHub (Jul 24, 2023):

Hi @nabeelmoeen, There is no supported way of changing the timeout, it's a hard-coded value.
The three second timeout is in place mainly to catch error scenarios, since three seconds would generally be far far greater than the time required for this request.

Have you looked into, or do you know, why it's so slow to respond here? Is the auth system running on a particular weak system? Is there something in-between adding latency?


@nabeelmoeen commented on GitHub (Jul 25, 2023):

It's on a self hosted server, running proxmox and multiple VMs (each VM has between 1 and 2 GB RAM).

I am also using a dynamic DNS (duckdns), and Caddy reverse proxy. The delay could be any number of factors including the DNS lookup (I also have a pihole running), since I am using the external (public host names) for the services vs. LAN IPs.
Anyhow, since the auto discovery is consistently performing at between 4-5 seconds, we can confirm that's the cause of the error. And short of either modifying / recompiling the code (locally) or a potential future release providing a configuration option for the timeout, I will revert to using local sign in for bookstack.


@ssddanbrown commented on GitHub (Jul 25, 2023):

Okay, I'd suggest debugging and look to address that delay then since 4-5 seconds indicates something going wrong at some stage.

Since I wouldn't look to change the default timeout due to external present issues, and since you've reverted authentication method, I'll close this off.
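
Added example, not part of the original thread: one way to do the debugging suggested above is to split a slow discovery or token request into DNS, TCP, TLS, server-wait and transfer time using curl's `--write-out` timers. The function names and both sample timing lines are constructed for illustration (only the 4.281s total comes from the thread); `probe` needs network access and is not called here.

```shell
#!/usr/bin/env bash
# Added example: break a slow OIDC request into phases using curl --write-out timers.

# Ask curl for its cumulative timers (seconds since start) on one line.
# Not called in the constructed demo below because it needs network access.
probe() {
  curl -sS -o /dev/null --max-time 15 \
    -w '%{time_namelookup} %{time_connect} %{time_appconnect} %{time_pretransfer} %{time_starttransfer} %{time_total}\n' \
    "$1"
}

# Convert cumulative timers into per-phase durations and name the slowest phase.
# Input (stdin): "namelookup connect appconnect pretransfer starttransfer total"
# Output: "dns=.. tcp=.. tls=.. wait=.. transfer=.. slowest=<phase>"
phases() {
  awk '{
    d["dns"] = $1 + 0
    d["tcp"] = $2 - $1
    d["tls"] = ($3 > 0) ? $3 - $2 : 0      # appconnect is 0 for plain HTTP
    d["wait"] = $5 - $4                    # time spent waiting on the server
    d["transfer"] = $6 - $5
    n = split("dns tcp tls wait transfer", order, " ")
    best = order[1]
    for (i = 1; i <= n; i++) {
      if (d[order[i]] > d[best]) best = order[i]
      printf "%s=%.3f ", order[i], d[order[i]]
    }
    printf "slowest=%s\n", best
  }'
}

# Would a client with this timeout (seconds) have given up? Prints "timeout" or "ok".
verdict() {  # $1 = timer line, $2 = client timeout in seconds
  echo "$1" | awk -v t="$2" '{ print (($6 + 0 > t + 0) ? "timeout" : "ok") }'
}

# Constructed timings (not measured): the total matches the 4.281s reported in the
# thread; the split across phases is invented to show a slow name lookup.
SAMPLE_DNS_SLOW="4.012 4.051 4.190 4.190 4.275 4.281"
# Constructed: fast lookup, slow server response.
SAMPLE_SERVER_SLOW="0.012 0.030 0.110 0.110 4.200 4.210"

echo "$SAMPLE_DNS_SLOW" | phases
echo "$SAMPLE_SERVER_SLOW" | phases
verdict "$SAMPLE_DNS_SLOW" 3
verdict "$SAMPLE_DNS_SLOW" 5
```

To measure a real endpoint from inside the container, run `probe https://auth.mydomain/.well-known/openid-configuration | phases`, replacing `auth.mydomain`.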


@LenardHess commented on GitHub (Jul 30, 2023):

I too have encountered a timeout issue running Authelia and Bookstack on a Raspberry Pi 4 Model B rev 1.2.
The access to /.well-known/openid-configuration via time curl takes 0.2-0.3s.
The culprit on my setup is POST /api/oidc/token, which takes ~4.2s (measured via tcpdump).

I'm also [asking in the authelia repo](https://github.com/authelia/authelia/discussions/5731) how that time delay can be tuned.

Irrespective of improving the OIDC performance, it would be beneficial to allow the timeout to be configurable (either a global setting or a dedicated setting for operations that are expected to take longer such as auth).
What's your opinion on such an addition, would you take a pull request for it? (Haven't looked at how easy it would be to add yet 🤔 )


@ssddanbrown commented on GitHub (Jul 30, 2023):

@LenardHess It would be a very simple addition to be honest, but I have a general approach of not adding options without a clear need/purpose. I don't really look to add options if they're simply to work around issues external to BookStack, like this seems to me so far.

If there's a fundamental reason for slow OIDC requests, then I'd be happy to consider that, although I'd probably look to bump the default timeout a bit before resorting to a new option.


@firlevapz commented on GitHub (Sep 3, 2023):

@ssddanbrown hi dan, could u please point me to the location where I could locally overwrite the timeout for these curl-commands? I tried to figure it out myself but failed... thanks a lot!

(i'm running authentik on a raspberry pi and this piece of python software is very slow, so it's always timing out during bookstack logins..)


@ssddanbrown commented on GitHub (Sep 3, 2023):

@firlevapz This is where I believe the timeout is currently defined:

https://github.com/BookStackApp/BookStack/blob/38829f8a38a5bd90f9cce2535c79131c04ae01d6/app/App/Providers/AppServiceProvider.php#L80

Of course, changes to core app files are not supported and may interfere with updates.

Out of interest, just to help identify a need.

  • What Raspberry Pi are you running?
  • How long does the request take?
    • (As per above, can run something like `time curl https://auth.mydomain/.well-known/openid-configuration` to check, replacing `auth.mydomain`).

@firlevapz commented on GitHub (Sep 5, 2023):

great, thanks @ssddanbrown! that worked like a charm - increased the timeout to 5 now, it works flawlessly every time! Maybe that would be a nice improvement to set it to 5 seconds, to solve this bug? But I can also write a custom patch for my setup locally.

  • I'm using a Raspberry Pi 4 with a dockerized setup of bookstack and authentik
  • curl usually takes about 2,5 seconds to retrieve the configuration, but it also sometimes times out after the OIDC-response. So increasing the timeout is definitely the easiest way for my setup

@ssddanbrown commented on GitHub (Sep 5, 2023):

Okay, based upon the multiple reports here I'll look to bump the time-out to 5 seconds in the next feature release to provide a little extra time for weaker systems, since all reported so far have been within that time.
I'll re-open this to track that change, and have updated the title to suit.


@ssddanbrown commented on GitHub (Sep 8, 2023):

Within the changes in #4525, this has now been bumped up to 5 seconds.
This will be part of the next feature release.

Reference: starred/BookStack#3928