How to login with local users when OIDC is enabled? #3931

New Issue

OVERLORD · 2026-02-05T07:53:48+03:00

OVERLORD commented

2026-02-05 07:53:48 +03:00

Originally created by @mfatfhg on GitHub (Jul 25, 2023).

Attempted Debugging

I have read the debugging page

Searched GitHub Issues

I have searched GitHub for the issue.

Describe the Scenario

Hi all,

we use

AUTH_METHOD=oidc
and
AUTH_AUTO_INITIATE=true

which is working realy good.

For testing of roles and rights we would like to use test users, but we cant create identities in the used identity provider ourselft.

So, is there a way to login with local users even though we have oidc and auto initiate activated?

In some systems its possible to use something like "AUTH_METHOD=basic,oidc" or something like that, so the user can chose the method itself.

Thanks for help

Exact BookStack Version

v23.06.2

Log Content

No response

PHP Version

No response

Hosting Environment

Not related to topic, but its installed on Ubuntu 22.04 with automatic install script from documentation.

Originally created by @mfatfhg on GitHub (Jul 25, 2023). ### Attempted Debugging - [X] I have read the debugging page ### Searched GitHub Issues - [X] I have searched GitHub for the issue. ### Describe the Scenario Hi all, we use AUTH_METHOD=oidc and AUTH_AUTO_INITIATE=true which is working realy good. For testing of roles and rights we would like to use test users, but we cant create identities in the used identity provider ourselft. So, is there a way to login with local users even though we have oidc and auto initiate activated? In some systems its possible to use something like "AUTH_METHOD=basic,oidc" or something like that, so the user can chose the method itself. Thanks for help ### Exact BookStack Version v23.06.2 ### Log Content _No response_ ### PHP Version _No response_ ### Hosting Environment Not related to topic, but its installed on Ubuntu 22.04 with automatic install script from documentation.

OVERLORD added the 🐕 Support label 2026-02-05 07:53:48 +03:00

OVERLORD closed this issue

2026-02-05 07:53:51 +03:00

OVERLORD commented

2026-02-05 07:53:55 +03:00

@ssddanbrown commented on GitHub (Jul 25, 2023):

Hi @mfatfhg,

It's not possible to combine/mix auth options currently within BookStack.
There's an open request for this in #2715, but it's not likely something I'd look to support anytime soon to be honest.

One potential option (never tested this myself, and groups may complicate things) is to find an OIDC supporting auth system, which also supports an upstream OIDC for identities, so you could maybe add extra users at that layer.
Keycloak could be a possible option for this.

@ssddanbrown commented on GitHub (Jul 25, 2023): Hi @mfatfhg, It's not possible to combine/mix auth options currently within BookStack. There's an open request for this in #2715, but it's not likely something I'd look to support anytime soon to be honest. One potential option (never tested this myself, and groups may complicate things) is to find an OIDC supporting auth system, which also supports an upstream OIDC for identities, so you could maybe add extra users at that layer. [Keycloak](https://www.keycloak.org/) could be a possible option for this.

OVERLORD commented

2026-02-05 07:53:58 +03:00

@mfatfhg commented on GitHub (Jul 26, 2023):

Hi @ssddanbrown,

thanks for reply. We already have Keycloak as IAM system. But we are project driven organisation in our company and dont have direct access to change something in our Keycloak instance, because keycloak is hosted by our central IT department. And we cant set up our own keycloak, because we dont have access to the central identity sources of our company. Things are a bit complicated.

So, I understand that its not a high level feature request on your roadmap. In our opinion, the ability to authenticate with different types of identities (local db users, oidc, ldap) is somethink like industry standard and should be possible.

On of the reasons is the following: Typically, OIDC providers are services in the cloud (if you use SAAS IDPs it might be auth0, or if you self host a IDP, it might be located on a remote site of your company).

If you only allow OIDC at the same time, you cant login to bookstack anymore if you dont have WAN/Internet connectivity anymore. And because we would like to use bookstack as documentation system for emergency manuals too, we would like to have the possibility to login with different types of accounts ( local db accounts or maybe ldap accounts from a local Active directory) as fallback method.

A admin should always have the possibility to access a system in case of technical problems (bad WAN/Internet connectivity).

@mfatfhg commented on GitHub (Jul 26, 2023): Hi @ssddanbrown, thanks for reply. We already have Keycloak as IAM system. But we are project driven organisation in our company and dont have direct access to change something in our Keycloak instance, because keycloak is hosted by our central IT department. And we cant set up our own keycloak, because we dont have access to the central identity sources of our company. Things are a bit complicated. So, I understand that its not a high level feature request on your roadmap. In our opinion, the ability to authenticate with different types of identities (local db users, oidc, ldap) is somethink like industry standard and should be possible. On of the reasons is the following: Typically, OIDC providers are services in the cloud (if you use SAAS IDPs it might be auth0, or if you self host a IDP, it might be located on a remote site of your company). If you only allow OIDC at the same time, you cant login to bookstack anymore if you dont have WAN/Internet connectivity anymore. And because we would like to use bookstack as documentation system for emergency manuals too, we would like to have the possibility to login with different types of accounts ( local db accounts or maybe ldap accounts from a local Active directory) as fallback method. A admin should always have the possibility to access a system in case of technical problems (bad WAN/Internet connectivity).

OVERLORD commented

2026-02-05 07:54:05 +03:00

@ssddanbrown commented on GitHub (Jul 26, 2023):

Okay. Could always flip the auth method in an emergency. I'll close this off though since the original question has been answered and since there's an existing issue covering this request.

@ssddanbrown commented on GitHub (Jul 26, 2023): Okay. Could always flip the auth method in an emergency. I'll close this off though since the original question has been answered and since there's an existing issue covering this request.

OVERLORD commented

2026-02-05 07:54:08 +03:00

@prohtex commented on GitHub (Jun 14, 2025):

+1 for me for this one. I want to be able to log into admin which is a local user and assign roles to the auto-generated users from Authentik.

@prohtex commented on GitHub (Jun 14, 2025): +1 for me for this one. I want to be able to log into admin which is a local user and assign roles to the auto-generated users from Authentik.

OVERLORD commented

2026-02-05 07:54:11 +03:00

@Kodalinq commented on GitHub (Jun 28, 2025):

+1 for this feature request. In hybrid environments, we need the ability for local administrators

@Kodalinq commented on GitHub (Jun 28, 2025): +1 for this feature request. In hybrid environments, we need the ability for local administrators

Sign in to join this conversation.

Branches Tags

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#3931