Entra ID/Azure AD OIDC - Groups overage claim not handled correctly #4502

Closed
opened 2026-02-05 09:01:39 +03:00 by OVERLORD · 2 comments

Originally created by @crgbt on GitHub (Mar 7, 2024).

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

Hi there,

I'm not sure whether this should be a support request, a bug, or a feature request. I went with my best judgement and selected a support request - apologies if it's the wrong one.

We have a BookStack v24.02 instance with Entra ID/Azure AD authentication via OIDC and Group Sync enabled which is working well; however, when a user is in a lot of groups, Entra ID will send a 'groups overage claim' so the original token size doesn't exceed HTTP header size limits. It appears that BookStack doesn't know how to handle this and therefore doesn't pull the group membership through for the user.

This behaviour is documented at the bottom of this table: https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference#payload-claims, and here: https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference#groups-overage-claim

As an example, this is what we see with OIDC_DUMP_USER_DETAILS=true for a working user (all GUIDs, secrets, etc. have been replaced):

```
{
    "aud": "4a62be64-3fc8-47b0-b85e-ad03ded848bc",
    "iss": "https://login.microsoftonline.com/61d1546f-3fd1-427d-9348-74846252706a/v2.0",
    "iat": 1709818789,
    "nbf": 1709818789,
    "exp": 1709822012,
    "email": "jane.doe@domain.com",
    "groups": [
        "f01bd248-79e4-4d5c-adc2-f703adab9a8a",
        "3fc3c463-cf9c-47d7-a2ee-0e86dae00ab8",
        "e69e1171-e2ef-4752-af9c-46882a0c82c9",
        "7fade49e-c072-4986-a9c0-6800ac12768e"
    ],
    "name": "Jane Doe",
    "oid": "835a59a6-18a8-4cdf-9ab0-e497b334495c",
    "preferred_username": "jdoe2@domain.com",
    "rh": "0.1y4qRc6H8ipUIN_vdg3FIbVWT4mhcBjnistNCO2RrU5wDGaJKPH.",
    "sub": "pvUyn6XK5TcF_4g3jEQHGx9hDwtskzilWBdMSmAL2b7",
    "tid": "61d1546f-3fd1-427d-9348-74846252706a",
    "uti": "4RQkWgbnNi05m8vhc2K73d",
    "ver": "2.0"
}
```

And for a user in a lot of groups:

```
{
    "aud": "4a62be64-3fc8-47b0-b85e-ad03ded848bc",
    "iss": "https://login.microsoftonline.com/61d1546f-3fd1-427d-9348-74846252706a/v2.0",
    "iat": 1709818123,
    "nbf": 1709818123,
    "exp": 1709822456,
    "_claim_names": {
        "groups": "src1"
    },
    "_claim_sources": {
        "src1": {
            "endpoint": "https://graph.windows.net/61d1546f-3fd1-427d-9348-74846252706a/users/cd679ee7-b975-4824-b0c6-2600f0f8bb9b/getMemberObjects"
        }
    },
    "email": "john.doe@domain.com",
    "name": "John Doe",
    "oid": "cd679ee7-b975-4824-b0c6-2600f0f8bb9b",
    "preferred_username": "jdoe1@domain.com",
    "rh": "0.1y4qRc6H8ipUIN_r7LWGbhOxVXAsfKETZmQzejJlFvt0wnCoWdk.",
    "sub": "p13BdumI_y2qKZ4wjbS9UgGtN8kCOTLFa7WcsWPfJox",
    "tid": "61d1546f-3fd1-427d-9348-74846252706a",
    "uti": "QKWR_PTnF3md2DqoO4S5Vs",
    "ver": "2.0"
}
```

Is this something that's configurable, or is this a bug and/or a feature request?

Thanks for taking the time to look at my query, and for any advice given.

Exact BookStack Version

v24.02

Log Content

No response

Hosting Environment

Distro: Oracle Linux 9.3
PHP: 8.3.3
MySQL: 8.0.32

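The two token dumps above show the whole problem: when the `groups` array would make the token too large, Entra ID replaces it with a `_claim_names` entry pointing at a `_claim_sources` endpoint, and a relying party that only looks for `groups` silently ends up with an empty membership list. The following is an added illustration of what correct handling looks like; it is not BookStack's code. The directory call is abstracted behind a `fetch_member_objects` callback, the `ALLOWED_CLAIM_SOURCE_HOSTS` list and the sample tokens are constructed for the example, and the placeholder GUIDs are invented.

```python
"""Resolve 'groups' from an Entra ID / Azure AD ID token, handling the groups
overage claim (_claim_names / _claim_sources) shown in this issue.

Added example; not BookStack code. The fetcher callback and the host
allow-list are assumptions made for illustration.
"""
from typing import Callable, Iterable, Optional
from urllib.parse import urlparse


class GroupsUnresolved(Exception):
    """Raised when the token says groups exist but they could not be loaded."""


# Hosts an Entra ID distributed-claim endpoint is expected to live on.
# Assumption for this example; tighten to what your tenant actually issues.
ALLOWED_CLAIM_SOURCE_HOSTS = frozenset({"graph.windows.net", "graph.microsoft.com"})


def overage_endpoint(claims: dict) -> Optional[str]:
    """Return the endpoint named by the groups overage claim, or None.

    Entra ID replaces the 'groups' array with:
        "_claim_names":   {"groups": "src1"},
        "_claim_sources": {"src1": {"endpoint": "https://..."}}
    """
    source_name = (claims.get("_claim_names") or {}).get("groups")
    if not isinstance(source_name, str):
        return None
    source = (claims.get("_claim_sources") or {}).get(source_name) or {}
    endpoint = source.get("endpoint")
    # Tolerate stray whitespace around the URL (the issue's dump wrapped it).
    return endpoint.strip() if isinstance(endpoint, str) else None


def resolve_groups(
    claims: dict,
    fetch_member_objects: Optional[Callable[[str], Iterable[str]]] = None,
) -> list[str]:
    """Return the user's group IDs, following the overage claim when present.

    fetch_member_objects(endpoint) is supplied by the caller and is expected to
    call the directory API on the user's behalf and return group IDs.
    """
    groups = claims.get("groups")
    if isinstance(groups, list):
        # Normal case (Jane Doe in the issue): groups are inline in the token.
        return [g for g in groups if isinstance(g, str)]

    endpoint = overage_endpoint(claims)
    if endpoint is None:
        # No groups claim at all: no synced groups, or the claim is not configured.
        return []

    host = urlparse(endpoint).hostname or ""
    if host not in ALLOWED_CLAIM_SOURCE_HOSTS:
        # The token is IdP-signed, but still refuse to call an unexpected host.
        raise GroupsUnresolved(f"claim source host {host!r} is not on the allow list")
    if fetch_member_objects is None:
        # Treating this as "no groups" is exactly the failure the issue describes:
        # a user in many groups would lose every group-based permission.
        raise GroupsUnresolved("groups overage claim present but no fetcher configured")

    return sorted(set(fetch_member_objects(endpoint)))


# --- constructed sample tokens (all values are placeholders) ---
TOKEN_INLINE_GROUPS = {
    "sub": "user-a",
    "groups": ["11111111-1111-1111-1111-111111111111",
               "22222222-2222-2222-2222-222222222222"],
}
TOKEN_OVERAGE = {
    "sub": "user-b",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {
        "endpoint": " https://graph.windows.net/TENANT-ID/users/USER-OID/getMemberObjects "}},
}
TOKEN_BAD_SOURCE = {
    "sub": "user-c",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://example.invalid/getMemberObjects"}},
}


def fake_fetch(endpoint: str) -> list[str]:
    """Stand-in for the directory call; returns constructed IDs, one duplicated."""
    assert endpoint.startswith("https://graph.windows.net/")
    return ["33333333-3333-3333-3333-333333333333",
            "44444444-4444-4444-4444-444444444444",
            "33333333-3333-3333-3333-333333333333"]


if __name__ == "__main__":
    print(resolve_groups(TOKEN_INLINE_GROUPS))
    print(resolve_groups(TOKEN_OVERAGE, fake_fetch))
    try:
        resolve_groups(TOKEN_OVERAGE)
    except GroupsUnresolved as exc:
        print("unresolved:", exc)
```

The design point is the last branch: an overage claim with no way to resolve it must be a visible error, not an empty list, because group sync that quietly yields nothing is indistinguishable from a user who genuinely has no groups.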
OVERLORD added the 🐕 Support label 2026-02-05 09:01:39 +03:00

@ssddanbrown commented on GitHub (Mar 7, 2024):

Hi @crgbt,

I'm not really keen on supporting any (additional) Microsoft/Azure/Entra-specific quirks, so adding support to detect and use their specific workaround is not something I'd look to implement.

There's #4726 which aims to add userinfo endpoint querying for data. My plan is for BookStack to query userinfo if any claims are missing from the token, which should then work for this case assuming Entra provides all the groups normally as part of the userinfo endpoint data.

As an alternative option, if happy to hack around, we do provide an OIDC_ID_TOKEN_PRE_VALIDATE logical theme event (https://github.com/BookStackApp/BookStack/blob/development/dev/docs/logical-theme-system.md), a simple example of which can be seen here: https://www.bookstackapp.com/blog/bookstack-release-v23-05/#oidc-id-token-logical-theme-event. This could potentially be used to define custom code that follows the Entra process to get & load the extra groups.


@crgbt commented on GitHub (Mar 7, 2024):

Hi @ssddanbrown,

That's understandable, thanks for the info.

For your info, it looks like the userinfo endpoint in Entra ID won't return groups, as the only claims returned are sub, name, family_name, given_name, picture, and email, which can't be customised (https://learn.microsoft.com/en-us/entra/identity-platform/userinfo#notes-and-caveats-on-the-userinfo-endpoint), unless I've misunderstood the documentation.

I'll check out OIDC_ID_TOKEN_PRE_VALIDATE - it looks a little above my head, but I'll do some reading and I'm sure I can get some assistance from colleagues.

Failing that, I might also check out SAML and see if that behaves in the same way.

Thanks again for the info.

Reference: starred/BookStack#4502