Using OIDC - Limit access to AD Group #3978

Closed
opened 2026-02-05 08:00:48 +03:00 by OVERLORD · 5 comments

Originally created by @BartNSTCL on GitHub (Aug 18, 2023).

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

I have a virtual machine running in Azure and I'd like to be able to limit access to log in to the server to one particular group in the AD, for example AZ.TCL.Users. This would contain all the users that would be allowed to log in to BookStack.

I wasn't sure if I needed to use the setting OIDC_GROUPS_CLAIM since we already have access groups set up. Maybe we need to create one called AZ.TCL.Users and then branch from there? In the past, we used the ClaimsIdentity in C#, pulled the 'name' and checked for a particular prefix. I didn't want to resort to messing with the code if there is something close we could use.

Exact BookStack Version

v23.06.2

Log Content

No response

PHP Version

8.1

Hosting Environment

Ubuntu 22.04.3 LTS, installed using installation script

OVERLORD added the 🐕 Support label 2026-02-05 08:00:48 +03:00

@ssddanbrown commented on GitHub (Aug 18, 2023):

Hi @BartNSTCL,
There's no way to specifically filter OIDC users from the BookStack side of things, at least without getting into hacks/workarounds. You could use group sync, and allow others from OIDC into the system by providing no permissions by default.

TBH, for systems like OIDC my perspective is for the auth system to be authority on who has access. From what I remember of AzureAD, you should be able to somewhat control who has access to the application from that side of things?
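An added illustration of the two approaches discussed above, the "allow in with no permissions by default" group-sync model versus an explicit required-group gate; this is example code, not BookStack's own, and it assumes the groups claim carries group display names (Azure AD emits group object IDs unless the app registration is configured otherwise) and that token signature and audience were already verified upstream:

```python
# Added example: evaluate an already-verified Azure AD ID token's claims the way a
# group-sync login gate would. Not BookStack code. The group name AZ.TCL.Users comes
# from the thread; the claim names `groups`, `_claim_names` and `_claim_sources` are
# the ones Azure AD documents for group claims and the group "overage" case.
from dataclasses import dataclass, field
from typing import Optional

# Constructed mapping from Azure AD group names to application roles. Groups absent
# from this map carry no permissions (the "no permissions by default" approach).
GROUP_TO_ROLES = {
    "AZ.TCL.Users": {"viewer"},
    "AZ.TCL.Admins": {"viewer", "admin"},
}

@dataclass
class LoginDecision:
    allowed: bool
    roles: set = field(default_factory=set)
    reason: str = ""

def evaluate_claims(claims: dict, groups_claim: str = "groups",
                    require_group: Optional[str] = None) -> LoginDecision:
    """Decide the login outcome from decoded, already-verified ID-token claims.

    Azure AD drops the `groups` claim and emits `_claim_names`/`_claim_sources`
    when the user is in more groups than fit in the token (the overage case).
    That must be treated as "membership unknown", never as "no groups", or a
    heavily-grouped admin would silently be let in with the wrong roles.
    """
    if groups_claim not in claims:
        if groups_claim in claims.get("_claim_names", {}):
            return LoginDecision(False, reason="groups overage: resolve via Graph before deciding")
        groups = []
    else:
        groups = claims[groups_claim]
    if not isinstance(groups, list):
        return LoginDecision(False, reason="groups claim is not a list")
    if require_group is not None and require_group not in groups:
        return LoginDecision(False, reason=f"not a member of {require_group}")
    roles = set()
    for group in groups:
        roles |= GROUP_TO_ROLES.get(group, set())
    return LoginDecision(True, roles, "ok" if roles else "logged in with no permissions")

# Constructed sample claim sets (decoded payloads, not real tokens).
SAMPLE_MEMBER = {"sub": "u1", "preferred_username": "alice@example.com", "groups": ["AZ.TCL.Users"]}
SAMPLE_OUTSIDER = {"sub": "u2", "preferred_username": "bob@example.com", "groups": ["AZ.Other"]}
SAMPLE_OVERAGE = {"sub": "u3", "_claim_names": {"groups": "src1"},
                  "_claim_sources": {"src1": {"endpoint": "https://graph.example.invalid/placeholder"}}}
```

With no required group, the outsider is admitted but holds no roles; with `require_group="AZ.TCL.Users"` the same user is refused at login, which is the behaviour the issue asked for and that the thread recommends enforcing at the IdP instead.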


@BartNSTCL commented on GitHub (Aug 18, 2023):

Yeah, I felt I would have to go the Azure route. I see a way to give the group access but I didn't see an easy way to restrict everyone else. I might end up putting a ticket with Microsoft about it.


@ssddanbrown commented on GitHub (Aug 18, 2023):

Do you have an "Assignment Required?" option as described on this page?: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users#update-the-app-to-require-user-assignment


@BartNSTCL commented on GitHub (Aug 18, 2023):

Man, I looked all over for that! I think I have it set. I'll have to test with someone else since I'm already set as an Admin. Thanks for all the help!


@ssddanbrown commented on GitHub (Aug 22, 2023):

Happy I could help. Will therefore close this off, but feel free to still comment if needed and I can re-open this.
From experience, Azure changes seem to lag, so be sure to give any app config changes an hour or so to be sure.

Reference: starred/BookStack#3978