OIDC User with email already exists #4501

Closed
opened 2026-02-05 09:01:38 +03:00 by OVERLORD · 4 comments

Originally created by @Node815 on GitHub (Mar 8, 2024).

Describe the Bug

This seems to have just started happening; the other day I was able to log in. Today I cannot. It gives the following error when I log in using the SSO option:

![image](https://github.com/BookStackApp/BookStack/assets/20736534/1409abdf-c4bb-4343-ba82-4cc935fd383c)

I have user creation disabled in the settings in Bookstack so it should not be attempting to create a new user or cross check against a password. Since it's OIDC, none would be set I'd think.

I have also removed the settings and restarted from scratch in Authentik for the provider so I could get new client and secret codes and it happened again.

Steps to Reproduce

Set up OIDC integration with Authentik 2024.2.2
Modify the .env to include the keys and set up accordingly

Expected Behaviour

User can log in via SSO

Screenshots or Additional Context

Docker logs (via Dozzle) do not show any meaningful errors or data, so I can't help with those; if there are some stored in the container that I can view, I will add them to this.

Browser Details

Firefox and Vivaldi - both up to date versions.

Exact BookStack Version

v24.02

OVERLORD added the 🐛 Bug label 2026-02-05 09:01:38 +03:00

@ssddanbrown commented on GitHub (Mar 8, 2024):

This would occur if the user coming from the OIDC auth system (authentik in this case) has an unrecognised ID along with an email address that's already used by an account in the system.

> I have also removed the settings and restarted from scratch in Authentik for the provider so I could get new client and secret codes and it happened again.

That kind of thing can cause this to occur, assuming the BookStack user remains as-is.
Many auth systems will provide an application-specific unique ID for the user, so creating a new auth application in the auth system can lead to a different user ID provided to BookStack.
I can't remember if authentik does this for sure (or what options it provides related to this ID, or the `sub` claim).

You can see/set the ID used for a user via editing their user account as an admin, under the "External Authentication ID" dropdown.


@Node815 commented on GitHub (Mar 8, 2024):

If you are referring to this in the External Authentication ID:
![image](https://github.com/BookStackApp/BookStack/assets/20736534/333324ae-40f9-43e3-bb5e-7466576bb782)

I deleted it manually, saved it and tried logging in again with the account and it did the same thing.

My OIDC Settings in the .env file:

```ini
# OpenID Connect authentication configuration
# Refer to https://www.bookstackapp.com/docs/admin/oidc-auth/

OIDC_NAME=SSO
OIDC_DISPLAY_NAME_CLAIMS=name
OIDC_CLIENT_ID=REDACTED
OIDC_CLIENT_SECRET=REDACTED
OIDC_ISSUER=https://redacted/application/o/wiki/
OIDC_ISSUER_DISCOVER=true
OIDC_PUBLIC_KEY=null
OIDC_AUTH_ENDPOINT=https://redacted/application/o/wiki/
OIDC_TOKEN_ENDPOINT=https://redacted/application/o/token/
OIDC_ADDITIONAL_SCOPES=null
OIDC_DUMP_USER_DETAILS=false
OIDC_USER_TO_GROUPS=false
OIDC_GROUPS_CLAIM=groups
OIDC_REMOVE_FROM_GROUPS=false
OIDC_EXTERNAL_ID_CLAIM=email
OIDC_DUMP_USER_DETAILS=false
```

This has worked without issues. I did dump the details and it didn't seem to show anything out of the ordinary to me.


@Node815 commented on GitHub (Mar 8, 2024):

I noticed the extra OIDC_DUMP_USER_DETAILS line. I removed that.
I then made the following changes:
I changed the OIDC_EXTERNAL_ID_CLAIM=sub
I changed the OIDC_DISPLAY_NAME_CLAIMS=email

ISSUE IS RESOLVED! Sorry about all of this confusion.


@ssddanbrown commented on GitHub (Mar 8, 2024):

Good to hear! If you change the ID claim used, just be aware this could affect any other existing users you may have, and their "External Authentication ID" values may need to be updated.

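The two maintainer comments above describe the same matching rule from two angles: the login fails when the incoming external ID is unrecognised but the email is already taken, and switching `OIDC_EXTERNAL_ID_CLAIM` makes every existing user's stored "External Authentication ID" unrecognised in exactly that way. The following Python simulation is an added illustration of that decision sequence and is not BookStack's own code; the `User`, `resolve_login` and `users_needing_relink` names, and the sample accounts and token claims, are constructed for the example.

```python
"""Simulation of an OIDC login matching rule that yields the error
"User with email already exists" when an unknown external ID arrives with
an email that an existing account already uses.  Illustrative only; the
real BookStack implementation is in PHP and may differ in detail."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class User:
    email: str
    external_auth_id: Optional[str] = None  # value shown under "External Authentication ID"


@dataclass
class Outcome:
    status: str  # "login", "created" or "error"
    detail: str = ""


def resolve_login(claims: Dict[str, str], users: List[User],
                  external_id_claim: str = "sub",
                  registration_enabled: bool = False) -> Outcome:
    """Decide what happens for one ID token, given the configured ID claim."""
    ext_id = claims.get(external_id_claim)
    if not ext_id:
        return Outcome("error", f"claim '{external_id_claim}' missing from token")

    # Step 1: the stored External Authentication ID is the only thing that
    # links a token to an account.
    for user in users:
        if user.external_auth_id == ext_id:
            return Outcome("login", user.email)

    # Step 2: unknown ID but the email is taken.  The simulation refuses to
    # link the two automatically: a match on the email claim alone would
    # let an unrelated identity at the IdP inherit an existing account.
    email = claims.get("email", "")
    for user in users:
        if email and user.email == email:
            return Outcome("error", "User with email already exists")

    # Step 3: genuinely new identity; only created if registration is on.
    if not registration_enabled:
        return Outcome("error", "registration disabled")
    users.append(User(email=email, external_auth_id=ext_id))
    return Outcome("created", email)


def users_needing_relink(users: List[User],
                         claims_by_email: Dict[str, Dict[str, str]],
                         new_claim: str) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """List (email, stored_id, id_under_new_claim) for users whose stored ID
    would stop matching if the configured ID claim changed to `new_claim`."""
    out = []
    for user in users:
        claims = claims_by_email.get(user.email, {})
        new_id = claims.get(new_claim)
        if user.external_auth_id != new_id:
            out.append((user.email, user.external_auth_id, new_id))
    return out


if __name__ == "__main__":
    # Constructed sample data: one existing account linked by a stable sub.
    directory = [User("alice@example.com", "sub-123")]
    token = {"sub": "sub-123", "email": "alice@example.com"}
    print(resolve_login(token, directory))                 # login
    # A freshly created IdP application hands out a different sub.
    print(resolve_login({**token, "sub": "sub-999"}, directory))  # error
    # What switching the ID claim to "email" would break for existing users.
    print(users_needing_relink(directory, {"alice@example.com": token}, "email"))
```

`resolve_login` returns an `Outcome` rather than printing, so the three scenarios in the thread (a matching ID, a reissued ID after recreating the provider, and a changed `OIDC_EXTERNAL_ID_CLAIM`) can each be checked directly; `users_needing_relink` is the pre-flight an admin would run before changing the claim, to know which "External Authentication ID" values need updating.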

Reference: starred/BookStack#4501