A user with the email ... already exists but with different credentials #3940

New Issue

Closed

opened 2026-02-05 07:54:48 +03:00 by OVERLORD · 6 comments

OVERLORD commented 2026-02-05 07:54:48 +03:00

Owner

Copy Link

Originally created by @antwacky on GitHub (Jul 27, 2023).

Attempted Debugging

• I have read the debugging page

Searched GitHub Issues

• I have searched GitHub for the issue.

Describe the Scenario

I've found some similar issues but not quite the same.

Previously we used Microsoft Azure authentication to authenticate users. We are now moving to Keycloak, using OIDC login.

When I change the authentication method from Azure to OIDC and login, I get the error:

"A user with the email ... already exists but with different credentials"

I've seen other issues that mention updating the external ID, but I can see no such option. I can see 'Disconnect account'.

We have lots of users so the ideal solution will not involve editing via the UI.

Thanks in advance!

Exact BookStack Version

23.06.2

Log Content

A user with the email ... already exists but with different credentials

PHP Version

8.2.8

Hosting Environment

Docker image ghcr.io/linuxserver/bookstack:23.06.2 on Kubernetes.

Originally created by @antwacky on GitHub (Jul 27, 2023). ### Attempted Debugging - [X] I have read the debugging page ### Searched GitHub Issues - [X] I have searched GitHub for the issue. ### Describe the Scenario I've found some similar issues but not quite the same. Previously we used Microsoft Azure authentication to authenticate users. We are now moving to Keycloak, using OIDC login. When I change the authentication method from Azure to OIDC and login, I get the error: "A user with the email ... already exists but with different credentials" I've seen other issues that mention updating the external ID, but I can see no such option. I can see 'Disconnect account'. We have lots of users so the ideal solution will not involve editing via the UI. Thanks in advance! ### Exact BookStack Version 23.06.2 ### Log Content A user with the email ... already exists but with different credentials ### PHP Version 8.2.8 ### Hosting Environment Docker image ghcr.io/linuxserver/bookstack:23.06.2 on Kubernetes.

OVERLORD added the 🐕 Support label 2026-02-05 07:54:48 +03:00

OVERLORD closed this issue 2026-02-05 07:54:50 +03:00

OVERLORD commented 2026-02-05 07:54:55 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Jul 27, 2023):

Hi @antwacky,

Please see my video linked below, particular the "External authentication ID field" part of the video starting at 9:16.

https://youtu.be/TJQ4NJrMvkw?t=556

@ssddanbrown commented on GitHub (Jul 27, 2023): Hi @antwacky, Please see my video linked below, particular the "External authentication ID field" part of the video starting at 9:16. https://youtu.be/TJQ4NJrMvkw?t=556

OVERLORD commented 2026-02-05 07:55:01 +03:00

Author

Owner

Copy Link

@antwacky commented on GitHub (Jul 27, 2023):

Hi, thanks for this. When I select external_auth_id from the database the field is empty for all users (current auth method is Azure OIDC).

So I should prepopulate the external_auth_id field using the Keycloak ID for each user then switch Bookstack to OIDC method?

@antwacky commented on GitHub (Jul 27, 2023): Hi, thanks for this. When I select external_auth_id from the database the field is empty for all users (current auth method is Azure OIDC). So I should prepopulate the external_auth_id field using the Keycloak ID for each user then switch Bookstack to OIDC method?

OVERLORD commented 2026-02-05 07:55:04 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Jul 27, 2023):

So I should prepopulate the external_auth_id field using the Keycloak ID for each user then switch Bookstack to OIDC method?

Assuming that the Keycloak ID is the ID property being used (for the ID token sub claim unless you're changing it with the BookStack OIDC_EXTERNAL_ID_CLAIM option) then yes.
Could just test it with one account first to make sure you're using the right ID property.

@ssddanbrown commented on GitHub (Jul 27, 2023): > So I should prepopulate the external_auth_id field using the Keycloak ID for each user then switch Bookstack to OIDC method? Assuming that the Keycloak ID is the ID property being used (for the ID token `sub` claim unless you're changing it with the BookStack `OIDC_EXTERNAL_ID_CLAIM` option) then yes. Could just test it with one account first to make sure you're using the right ID property.

OVERLORD commented 2026-02-05 07:55:07 +03:00

Author

Owner

Copy Link

@antwacky commented on GitHub (Jul 27, 2023):

Great thanks, maybe I'll set the claim to be the email so I don't have to cross reference each user when updating.

Another quick question, the Azure method has the options:

AZURE_AUTO_REGISTER: "true"
AZURE_AUTO_CONFIRM_EMAIL: "true"

I couldn't see similar options for OIDC.

@antwacky commented on GitHub (Jul 27, 2023): Great thanks, maybe I'll set the claim to be the email so I don't have to cross reference each user when updating. Another quick question, the Azure method has the options: AZURE_AUTO_REGISTER: "true" AZURE_AUTO_CONFIRM_EMAIL: "true" I couldn't see similar options for OIDC.

OVERLORD commented 2026-02-05 07:55:10 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Jul 27, 2023):

AZURE_AUTO_REGISTER

When OIDC is active, there is no separate register page, auto-register is essentially active by default.

AZURE_AUTO_CONFIRM_EMAIL

Again, this is usually redundant if using OIDC, you'd generally look to trust the incoming users from your identity platform, so you wouldn't use the domain restriction/email confirmation options.

@ssddanbrown commented on GitHub (Jul 27, 2023): > AZURE_AUTO_REGISTER When OIDC is active, there is no separate register page, auto-register is essentially active by default. > AZURE_AUTO_CONFIRM_EMAIL Again, this is usually redundant if using OIDC, you'd generally look to trust the incoming users from your identity platform, so you wouldn't use the domain restriction/email confirmation options.

OVERLORD commented 2026-02-05 07:55:11 +03:00

Author

Owner

Copy Link

@antwacky commented on GitHub (Jul 27, 2023):

Awesome thanks, closing the issue. Will reopen if I come across issues on the next attempt at moving to OIDC.

@antwacky commented on GitHub (Jul 27, 2023): Awesome thanks, closing the issue. Will reopen if I come across issues on the next attempt at moving to OIDC.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

development

l10n_development

release

v25-12

llm_only

vectors

v25-11

docker_env

drawio_rendering

user_permissions

ldap_host_failover

svg_image

prosemirror

captcha_example

fix/video-export

v25.12.7

v25.12.6

v25.12.5

v25.12.4

v25.12.3

v25.12.2

v25.12.1

v25.12

v25.11.6

v25.11.5

v25.11.4

v24.11.4

v25.11.3

v25.11.2

v25.11.1

v25.11

v25.07.3

v25.07.2

v25.07.1

v25.07

v25.05.2

v25.05.1

v25.05

v25.02.5

v25.02.4

v25.02.3

v25.02.2

v25.02.1

v25.02

v24.12.1

v24.12

v24.10.3

v24.10.2

v24.10.1

v24.10

v24.05.4

v24.05.3

v24.05.2

v24.05.1

v24.05

v24.02.3

v24.02.2

v24.02.1

v24.02

v23.12.3

v23.12.2

v23.12.1

v23.12

v23.10.4

v23.10.3

v23.10.2

v23.10.1

v23.10

v23.08.3

v23.08.2

v23.08.1

v23.08

v23.06.2

v23.06.1

v23.06

v23.05.2

v23.05.1

v23.05

v23.02.3

v23.02.2

v23.02.1

v23.02

v23.01.1

v23.01

v22.11.1

v22.11

v22.10.2

v22.10.1

v22.10

v22.09.1

v22.09

v22.07.3

v22.07.2

v22.07.1

v22.07

v22.06.2

v22.06.1

v22.06

v22.04.2

v22.04.1

v22.04

v22.03.1

v22.03

v22.02.3

v22.02.2

v22.02.1

v22.02

v21.12.5

v21.12.4

v21.12.3

v21.12.2

v21.12.1

v21.12

v21.11.3

v21.11.2

v21.11.1

v21.11

v21.10.3

v21.10.2

v21.10.1

v21.10

v21.08.6

v21.08.5

v21.08.4

v21.08.3

v21.08.2

v21.08.1

v21.08

v21.05.4

v21.05.3

v21.05.2

v21.05.1

v21.05

v21.04.6

v21.04.5

v21.04.4

v21.04.3

v21.04.2

v21.04.1

v21.04

v0.31.8

v0.31.7

v0.31.6

v0.31.5

v0.31.4

v0.31.3

v0.31.2

v0.31.1

v0.31.0

v0.30.7

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.1

v0.13.0

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.6

v0.7.5

v0.7.4

v0.7.3

0.7.2

v.0.7.1

v0.7.0

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

Labels

Clear labels

🎨 Design

📖 Docs Update

🐛 Bug

🐛 Bug

:cat2:🐈 Possible duplicate

💿 Database

☕ Open to discussion

💻 Front-End

🐕 Support

🚪 Authentication

🌍 Translations

🔌 API Task

🏭 Back-End

⛲ Upstream

🔨 Feature Request

🛠️ Enhancement

🛠️ Enhancement

🛠️ Enhancement

❤️ Happy feedback

🔒 Security

🔍 Pending Validation

💆 UX

📝 WYSIWYG Editor

🌔 Out of scope

🔩 API Request

:octocat: Admin/Meta

🖌️ View Customization

❓ Question

🚀 Priority

🛡️ Blocked

🚚 Export System

♿ A11y

🔧 Maintenance

> Markdown Editor

pull-request

Mirrored from GitHub Pull Request

No Label 🐕 Support

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#3940