OpenID Connect didn't work with auto-discovery if <issuer>/.well-known/openid-configuration is being redirected. #3980

Closed
opened 2026-02-05 08:00:53 +03:00 by OVERLORD · 2 comments

Originally created by @code-baron on GitHub (Aug 19, 2023).

Describe the Bug

If <issuer>/.well-known/openid-configuration is being redirected on OpenID Connect, I get
OIDC Discovery Error: Error discovering provider settings from issuer at URL https://ghg.berlin/.well-known/openid-configuration

Steps to Reproduce

  1. Go to login-page
  2. Click "Login with OIDC"

Expected Behaviour

If <issuer>/.well-known/openid-configuration is being redirected, I expect the app to follow the redirection.

Screenshots or Additional Context

In file 'app/Access/Oidc/OidcProviderSettings.php' at 'loadSettingsFromIssuerDiscovery' I inserted a new request to the redirection URI if we get a 301 or 302:

        $issuerUrl = rtrim($this->issuer, '/') . '/.well-known/openid-configuration';
        $request = new Request('GET', $issuerUrl);
        $response = $httpClient->sendRequest($request);
        # inserted: on a 301/302, re-request the Location header target once before parsing
        if ($response->getStatusCode() == 302 || $response->getStatusCode() == 301) {
            $request = new Request('GET', $response->getHeader('Location')[0]);
            $response = $httpClient->sendRequest($request);
        }
        # inserted END
        $result = json_decode($response->getBody()->getContents(), true);

Browser Details

Microsoft Edge Version 115.0.1901.203 (64-Bit) on Windows 11

Exact BookStack Version

23.06.2

PHP Version

8.2.8

Hosting Environment

ghcr.io/linuxserver/bookstack:v23.06.2-ls98
OIDC-Provider: IServ

OVERLORD added the 🐛 Bug label 2026-02-05 08:00:53 +03:00

@ssddanbrown commented on GitHub (Aug 20, 2023):

Hi @code-baron,
For the OIDC implementations I stick very closely to the provided specs.
I could not see anything about supporting redirects within the spec.
Section 4.2 of the spec (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse) states:

> A successful response MUST use the 200 OK HTTP status code and return a JSON object using the application/json content type [...]

I'd be very hesitant to support outside of the spec, since there may have been security considerations behind the rigidity of the spec, and I don't want to introduce complication for identity providers that fall outside spec.

If I've missed something in the spec though, which does allow redirects for this call, feel free to point that out and I can look to update my implementation.


@ssddanbrown commented on GitHub (Sep 3, 2023):

Since there's been no further discussion or follow-up I'll go ahead and close this off.


Reference: starred/BookStack#3980