starred/BookStack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2026-02-06 09:09:38 +03:00
Code Issues 784 Packages Projects Releases 10 Wiki Activity

OIDC with Zitadel SaaS stops working after some time (signature could not be validated using the provided keys) #4810

New Issue
Open
opened 2026-02-05 09:17:44 +03:00 by OVERLORD · 18 comments
OVERLORD commented 2026-02-05 09:17:44 +03:00
Owner
Copy Link

Originally created by @baua1310 on GitHub (Jun 4, 2024).

Describe the Bug

When Zitadel SaaS is used for authentication with OIDC in Bookstack, it will stop working after some time, at the latest after 24 hours, and the following error message is shown: ID token validation failed with error: Token signature could not be validated using the provided keys.

Workaround: Deleting the bookstack docker container and recreating it fixes the error for some hours.

Steps to Reproduce

  1. set up OIDC with Zitadel SaaS as described in #4682 by @megastary
  2. test successful sign in with SSO
  3. wait 24 hours
  4. retry sign in with SSO
  5. see error: ID token validation failed with error: Token signature could not be validated using the provided keys

Expected Behaviour

When set up correctly, authentication with OIDC in bookstack works also after 24 hours.

Screenshots or Additional Context

Screenshot 2024-06-04 064557

Browser Details

Brave (1.66.118 Chromium: 125.0.6422.147 (Official Build) (64-bit)) on Windows 11 Version 23H2 (Build 22631.3593)

Exact BookStack Version

v24.05.1

Originally created by @baua1310 on GitHub (Jun 4, 2024). ### Describe the Bug When Zitadel SaaS is used for authentication with OIDC in Bookstack, it will stop working after some time, at the latest after 24 hours, and the following error message is shown: `ID token validation failed with error: Token signature could not be validated using the provided keys`. Workaround: Deleting the [bookstack docker container](https://docs.linuxserver.io/images/docker-bookstack/) and recreating it fixes the error for some hours. ### Steps to Reproduce 1. set up OIDC with Zitadel SaaS as described in #4682 by @megastary 2. test successful sign in with SSO 3. wait 24 hours 4. retry sign in with SSO 5. see error: `ID token validation failed with error: Token signature could not be validated using the provided keys` ### Expected Behaviour When set up correctly, authentication with OIDC in bookstack works also after 24 hours. ### Screenshots or Additional Context ![Screenshot 2024-06-04 064557](https://github.com/BookStackApp/BookStack/assets/13610694/96602b4d-17a5-4724-8a47-0ce90af4f594) ### Browser Details Brave (1.66.118 Chromium: 125.0.6422.147 (Official Build) (64-bit)) on Windows 11 Version 23H2 (Build 22631.3593) ### Exact BookStack Version v24.05.1
OVERLORD added the 🐛 Bug label 2026-02-05 09:17:44 +03:00
OVERLORD commented 2026-02-05 09:17:45 +03:00
Author
Owner
Copy Link

@ssddanbrown commented on GitHub (Jun 4, 2024):

As mentioned in #4682, BookStack does cache discovered details but only for 15 minutes.

First, it would be good to test/rule-out instance cache issues.
Can you try setting the cache to be database based.
This is done by setting CACHE_DRIVER=database in your existing .env file, or by setting CACHE_DRIVER=database to the environment for your BookStack app container. Remember to re-create the container if altering container environment options.

@ssddanbrown commented on GitHub (Jun 4, 2024): As mentioned in #4682, BookStack does cache discovered details but only for 15 minutes. First, it would be good to test/rule-out instance cache issues. Can you try setting the cache to be database based. This is done by setting `CACHE_DRIVER=database` in your existing `.env` file, or by setting `CACHE_DRIVER=database` to the environment for your BookStack app container. Remember to re-create the container if altering container environment options.
OVERLORD commented 2026-02-05 09:17:47 +03:00
Author
Owner
Copy Link

@baua1310 commented on GitHub (Jun 8, 2024):

@ssddanbrown I have set the suggested environment variable:

user@SRV001:/opt/bookstack$ docker compose ps
NAME            IMAGE                                  COMMAND                  SERVICE         CREATED       STATUS       PORTS
bookstack_app   lscr.io/linuxserver/bookstack:latest   "/init"                  bookstack_app   7 hours ago   Up 4 hours   80/tcp, 443/tcp
bookstack_db    mariadb:11                             "docker-entrypoint.s…"   bookstack_db    7 hours ago   Up 4 hours   3306/tcp
user@SRV001:/opt/bookstack$ docker exec bookstack_app printenv
PATH=/lsiopy/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=581ed5423b8b
APP_THEME=custom
OIDC_ISSUER_DISCOVER=true
CACHE_DRIVER=database
OIDC_NAME=ZITADEL
OIDC_DISPLAY_NAME_CLAIMS=name
MAIL_ENCRYPTION=tls
MAIL_PASSWORD=somepassword
PUID=1000
OIDC_GROUPS_CLAIM=custom:roles
DB_PASS=somepassword
OIDC_END_SESSION_ENDPOINT=false
MAIL_DRIVER=smtp
DB_USER=bookstack
OIDC_REMOVE_FROM_GROUPS=true
OIDC_CLIENT_ID=someid@wiki
DB_HOST=bookstack_db
APP_DEBUG=true
AUTH_AUTO_INITIATE=true
MAIL_HOST=smtp-relay.brevo.com
MAIL_FROM=wiki@some.domain
PGID=1000
APP_URL=https://wiki.some.domain
OIDC_CLIENT_SECRET=somesecret
DB_DATABASE=bookstack
AUTH_METHOD=oidc
OIDC_ADDITIONAL_SCOPES=urn:zitadel:iam:org:projects:roles
MAIL_FROM_NAME=Wiki
OIDC_USER_TO_GROUPS=true
OIDC_ISSUER=https://some-instance.zitadel.cloud
DB_PORT=3306
MAIL_PORT=587
MAIL_USERNAME=mail@some.domain
PS1=$(whoami)@$(hostname):$(pwd)\$
HOME=/root
TERM=xterm
S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0
S6_VERBOSITY=1
S6_STAGE2_HOOK=/init-hook
VIRTUAL_ENV=/lsiopy
LSIO_FIRST_PARTY=true

Unfortunately, the error pattern persists. Even recreating the container does not solve the problem. This means that signing in with OIDC is not possible at all.

@baua1310 commented on GitHub (Jun 8, 2024): @ssddanbrown I have set the suggested environment variable: ``` user@SRV001:/opt/bookstack$ docker compose ps NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS bookstack_app lscr.io/linuxserver/bookstack:latest "/init" bookstack_app 7 hours ago Up 4 hours 80/tcp, 443/tcp bookstack_db mariadb:11 "docker-entrypoint.s…" bookstack_db 7 hours ago Up 4 hours 3306/tcp user@SRV001:/opt/bookstack$ docker exec bookstack_app printenv PATH=/lsiopy/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin HOSTNAME=581ed5423b8b APP_THEME=custom OIDC_ISSUER_DISCOVER=true CACHE_DRIVER=database OIDC_NAME=ZITADEL OIDC_DISPLAY_NAME_CLAIMS=name MAIL_ENCRYPTION=tls MAIL_PASSWORD=somepassword PUID=1000 OIDC_GROUPS_CLAIM=custom:roles DB_PASS=somepassword OIDC_END_SESSION_ENDPOINT=false MAIL_DRIVER=smtp DB_USER=bookstack OIDC_REMOVE_FROM_GROUPS=true OIDC_CLIENT_ID=someid@wiki DB_HOST=bookstack_db APP_DEBUG=true AUTH_AUTO_INITIATE=true MAIL_HOST=smtp-relay.brevo.com MAIL_FROM=wiki@some.domain PGID=1000 APP_URL=https://wiki.some.domain OIDC_CLIENT_SECRET=somesecret DB_DATABASE=bookstack AUTH_METHOD=oidc OIDC_ADDITIONAL_SCOPES=urn:zitadel:iam:org:projects:roles MAIL_FROM_NAME=Wiki OIDC_USER_TO_GROUPS=true OIDC_ISSUER=https://some-instance.zitadel.cloud DB_PORT=3306 MAIL_PORT=587 MAIL_USERNAME=mail@some.domain PS1=$(whoami)@$(hostname):$(pwd)\$ HOME=/root TERM=xterm S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0 S6_VERBOSITY=1 S6_STAGE2_HOOK=/init-hook VIRTUAL_ENV=/lsiopy LSIO_FIRST_PARTY=true ``` Unfortunately, the error pattern persists. Even recreating the container does not solve the problem. This means that signing in with OIDC is not possible at all.
OVERLORD commented 2026-02-05 09:17:49 +03:00
Author
Owner
Copy Link

@ssddanbrown commented on GitHub (Jun 8, 2024):

@baua1310 Does it start working again after removing the CACHE_DRIVER option again, and a container recreate?

@ssddanbrown commented on GitHub (Jun 8, 2024): @baua1310 Does it start working again after removing the `CACHE_DRIVER` option again, and a container recreate?
OVERLORD commented 2026-02-05 09:17:50 +03:00
Author
Owner
Copy Link

@baua1310 commented on GitHub (Jun 10, 2024):

@ssddanbrown Yes after removing CACHE_DRIVER and recreating the container sign in with OIDC started working again.

@baua1310 commented on GitHub (Jun 10, 2024): @ssddanbrown Yes after removing `CACHE_DRIVER` and recreating the container sign in with OIDC started working again.
OVERLORD commented 2026-02-05 09:17:51 +03:00
Author
Owner
Copy Link

@PandieTech commented on GitHub (Jul 27, 2024):

Just wanted to +1, I have the exact same problem after implementing a fresh Bookstack instance using Zitadel as my IDP, albeit mine is self hosted not SaaS Zitadel. Followed the same path from the other issue #4682, and now after some time, not necessarily 24 hours, I get the ID token validation failed with error: Token signature could not be validated using the provided keys error.
image

Edit: I have not restarted / rebuilt my Bookstack container, and after waiting a while after experiencing the error, it did start working again, probably when that cache expired and it renegotiated.

To add some more possibly worthwhile info, certain OIDC token settings can be modified in Zitadel (at least in self hosted, can't speak for SaaS). @ssddanbrown would you normally expect other OIDC IDPs to have a longer access, or in this case probably more relevant ID token expiry?

image

And apologies for my novice showing, but initially I did not include the Refresh Token grant type, will adding that have any bearing on this ID token issue?

image

Ultimately I suppose it would be nice, selfishly for this scenario, for this error to then prompt Bookstack to clear that cache and retrieve it fresh, but I'm sure it's easier said than done.

@PandieTech commented on GitHub (Jul 27, 2024): Just wanted to +1, I have the exact same problem after implementing a fresh Bookstack instance using Zitadel as my IDP, albeit mine is self hosted not SaaS Zitadel. Followed the same path from the other issue #4682, and now after some time, not necessarily 24 hours, I get the `ID token validation failed with error: Token signature could not be validated using the provided keys` error. ![image](https://github.com/user-attachments/assets/14fb2683-10ea-410d-9f74-037f224a80af) Edit: I have not restarted / rebuilt my Bookstack container, and after waiting a while after experiencing the error, it did start working again, probably when that cache expired and it renegotiated. To add some more possibly worthwhile info, certain OIDC token settings can be modified in Zitadel (at least in self hosted, can't speak for SaaS). @ssddanbrown would you normally expect other OIDC IDPs to have a longer access, or in this case probably more relevant ID token expiry? ![image](https://github.com/user-attachments/assets/4473487b-3da0-4920-8321-4d638542afe7) And apologies for my novice showing, but initially I did not include the Refresh Token grant type, will adding that have any bearing on this ID token issue? <img width="550" alt="image" src="https://github.com/user-attachments/assets/c3056c3a-086b-483f-91ff-a21a1d1129b6"> Ultimately I suppose it would be nice, selfishly for this scenario, for this error to then prompt Bookstack to clear that cache and retrieve it fresh, but I'm sure it's easier said than done.
OVERLORD commented 2026-02-05 09:17:52 +03:00
Author
Owner
Copy Link

@ssddanbrown commented on GitHub (Jul 27, 2024):

@pandieme

would you normally expect other OIDC IDPs to have a longer access, or in this case probably more relevant ID token expiry?
[...] I did not include the Refresh Token grant type, will adding that have any bearing on this ID token issue?

Those settings don't really matter in the context of BookStack's use. We don't hold on to tokens for refresh, I believe we just go through the original process direct with the auth provided at login time.

Ultimately I suppose it would be nice, selfishly for this scenario, for this error to then prompt Bookstack to clear that cache and retrieve it fresh

The BookStack cache should only remain for 15 minutes, that's what I can't understand and need to dive deeper into. The above tests indicate it's not being cleared (not expiring), but I feel this would have show up in other auth providers/scenarios if our cache system was fundementally not listening to cache lifetime.

Out of interest, can you describe your environment too (BookStack hosting environment& install method) just so I can guage any potential patterns?

@ssddanbrown commented on GitHub (Jul 27, 2024): @pandieme > would you normally expect other OIDC IDPs to have a longer access, or in this case probably more relevant ID token expiry? > [...] I did not include the Refresh Token grant type, will adding that have any bearing on this ID token issue? Those settings don't really matter in the context of BookStack's use. We don't hold on to tokens for refresh, I believe we just go through the original process direct with the auth provided at login time. > Ultimately I suppose it would be nice, selfishly for this scenario, for this error to then prompt Bookstack to clear that cache and retrieve it fresh The BookStack cache should only remain for 15 minutes, that's what I can't understand and need to dive deeper into. The above tests indicate it's not being cleared (not expiring), but I feel this would have show up in other auth providers/scenarios if our cache system was fundementally not listening to cache lifetime. Out of interest, can you describe your environment too (BookStack hosting environment& install method) just so I can guage any potential patterns?
OVERLORD commented 2026-02-05 09:17:53 +03:00
Author
Owner
Copy Link

@PandieTech commented on GitHub (Jul 28, 2024):

@ssddanbrown

Out of interest, can you describe your environment too (BookStack hosting environment& install method) just so I can guage any potential patterns?

Ours is running on a Debian 12 VM, hosted on an XCP-ng pool, using Docker compose and behind a Caddy reverse proxy also running in a container on a shared Docker network.

Docker versions

Docker Compose version v2.28.1
Docker version 27.0.3, build 7d4bcd8

Bookstack

Container info

../bookstack# docker compose ps
NAME               IMAGE                           COMMAND   SERVICE        CREATED        STATUS        PORTS
bookstack      lscr.io/linuxserver/bookstack   "/init"   bookstack      41 hours ago   Up 41 hours   80/tcp, 443/tcp
bookstack_db   lscr.io/linuxserver/mariadb     "/init"   bookstack_db   41 hours ago   Up 41 hours   3306/tcp

../bookstack# docker exec bookstack printenv
PATH=/lsiopy/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=b1317d85c73f
DB_DATABASE=bookstackapp
PGID=1000
OIC_DUMP_USER_DETAILS=false
MAIL_FROM=our@email.address
AUTH_AUTO_INITIATE=false
OIDC_ISSUER_DISCOVER=true
OIDC_GROUPS_CLAIM=groups
OIDC_CLIENT_SECRET=ourclientsecret
OIDC_ISSUER=https://idp.fqdn
MAIL_DRIVER=smtp
DB_PASS=ourpass
AUTH_METHOD=oidc
DB_USER=bookstack
MAIL_USERNAME=ouruser
TZ=Europe/London
MAIL_PORT=587
OIDC_USER_TO_GROUPS=true
OIDC_DISPLAY_NAME_CLAIMS=name
MAIL_PASSWORD=ourpass
OIDC_REMOVE_FROM_GROUPS=true
MAIL_FROM_NAME=Intranet
APP_THEME=custom
DB_PORT=3306
MAIL_ENCRYPTION=tls
APP_URL=https://our.fqdn
MAIL_HOST=smtp.fqdn
DB_HOST=bookstack_db
OIDC_NAME=SSO
OIDC_END_SESSION_ENDPOINT=false
OIDC_CLIENT_ID=ourclientid
DB_ROOT_PASS=ourpass
PUID=1000
PS1=$(whoami)@$(hostname):$(pwd)\$
HOME=/root
TERM=xterm
S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0
S6_VERBOSITY=1
S6_STAGE2_HOOK=/init-hook
VIRTUAL_ENV=/lsiopy
LSIO_FIRST_PARTY=true

Docker Compose

---
services:
  bookstack:
    image: lscr.io/linuxserver/bookstack
    container_name: bookstack
    environment:
      PUID: 1000
      PGID: 1000
      TZ: Europe/London
      APP_URL: https://our.fqdn
      DB_HOST: bookstack_db
      DB_PORT: 3306
      DB_USER: bookstack
      DB_PASS: ${DB_PASS}
      DB_DATABASE: bookstackapp
    volumes:
      - app_data:/config
    restart: unless-stopped
    depends_on:
      - bookstack_db
    networks:
      - default
      - caddy
    env_file:
      - .env

  bookstack_db:
    image: lscr.io/linuxserver/mariadb
    container_name: bookstack_db
    environment:
      PUID: 1000
      PGID: 1000
      TZ: Europe/London
      MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASS}
      MYSQL_DATABASE: bookstackapp
      MYSQL_USER: bookstack
      MYSQL_PASSWORD: ${DB_PASS}
    volumes:
      - db_data:/config
    restart: unless-stopped
    env_file:
      - .env

volumes:
  app_data:
    name: bookstack_app_data
  db_data:
    name: bookstack_db_data

networks:
  caddy:
    name: caddy
    external: true

.env

DB_ROOT_PASS=ourpass
DB_PASS=ourpass

AUTH_METHOD=oidc
AUTH_AUTO_INITIATE=false

OIDC_NAME=SSO
OIDC_DISPLAY_NAME_CLAIMS=name
OIDC_CLIENT_ID=ourclientid
OIDC_CLIENT_SECRET=ourclientsecret
OIDC_ISSUER=https://idp.fqdn
OIDC_END_SESSION_ENDPOINT=false
OIDC_ISSUER_DISCOVER=true

APP_THEME=custom

OIDC_DUMP_USER_DETAILS=false

OIDC_USER_TO_GROUPS=true
OIDC_GROUPS_CLAIM=groups
OIDC_REMOVE_FROM_GROUPS=true

MAIL_DRIVER=smtp
MAIL_HOST=smtp.fdqn
MAIL_PORT=587
MAIL_ENCRYPTION=tls
MAIL_USERNAME=ouruser
MAIL_PASSWORD=ourpass
MAIL_FROM=our@email.fqdn
MAIL_FROM_NAME=Intranet

Custom theme function

As described in this issue #4682 we added the following file to our bookstack containers volume to Replace multiple aud values with single azp value to cater for Zitadel's returned array.

# /var/lib/docker/volumes/bookstack_app_data/_data/www/themes/custom

<?php

use BookStack\Facades\Theme;
use BookStack\Theming\ThemeEvents;

Theme::listen(ThemeEvents::OIDC_ID_TOKEN_PRE_VALIDATE, function (array $idTokenData, array $accessTokenData) {
    if (is_array($idTokenData['aud']) && in_array($idTokenData['azp'], $idTokenData['aud'])) {
        return array_merge($idTokenData, [
            'aud' => [$idTokenData['azp']]
        ]);
    }
});

Caddy (Reverse Proxy)

Caddyfile

our.fqdn {
        reverse_proxy http://bookstack
}

Docker Compose

services:
  caddy:
    container_name: caddy
    image: caddy:2.8.4
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - data:/data:rw
      - config:/config:rw
    networks:
      - caddy

volumes:
  data:
  config:

networks:
  caddy:
    name: caddy
@PandieTech commented on GitHub (Jul 28, 2024): @ssddanbrown > Out of interest, can you describe your environment too (BookStack hosting environment& install method) just so I can guage any potential patterns? Ours is running on a Debian 12 VM, hosted on an XCP-ng pool, using Docker compose and behind a Caddy reverse proxy also running in a container on a shared Docker network. Docker versions ```none Docker Compose version v2.28.1 Docker version 27.0.3, build 7d4bcd8 ``` ## Bookstack ### Container info ```none ../bookstack# docker compose ps NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS bookstack lscr.io/linuxserver/bookstack "/init" bookstack 41 hours ago Up 41 hours 80/tcp, 443/tcp bookstack_db lscr.io/linuxserver/mariadb "/init" bookstack_db 41 hours ago Up 41 hours 3306/tcp ../bookstack# docker exec bookstack printenv PATH=/lsiopy/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin HOSTNAME=b1317d85c73f DB_DATABASE=bookstackapp PGID=1000 OIC_DUMP_USER_DETAILS=false MAIL_FROM=our@email.address AUTH_AUTO_INITIATE=false OIDC_ISSUER_DISCOVER=true OIDC_GROUPS_CLAIM=groups OIDC_CLIENT_SECRET=ourclientsecret OIDC_ISSUER=https://idp.fqdn MAIL_DRIVER=smtp DB_PASS=ourpass AUTH_METHOD=oidc DB_USER=bookstack MAIL_USERNAME=ouruser TZ=Europe/London MAIL_PORT=587 OIDC_USER_TO_GROUPS=true OIDC_DISPLAY_NAME_CLAIMS=name MAIL_PASSWORD=ourpass OIDC_REMOVE_FROM_GROUPS=true MAIL_FROM_NAME=Intranet APP_THEME=custom DB_PORT=3306 MAIL_ENCRYPTION=tls APP_URL=https://our.fqdn MAIL_HOST=smtp.fqdn DB_HOST=bookstack_db OIDC_NAME=SSO OIDC_END_SESSION_ENDPOINT=false OIDC_CLIENT_ID=ourclientid DB_ROOT_PASS=ourpass PUID=1000 PS1=$(whoami)@$(hostname):$(pwd)\$ HOME=/root TERM=xterm S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0 S6_VERBOSITY=1 S6_STAGE2_HOOK=/init-hook VIRTUAL_ENV=/lsiopy LSIO_FIRST_PARTY=true ``` ### Docker Compose ```none --- services: bookstack: image: lscr.io/linuxserver/bookstack container_name: bookstack environment: PUID: 1000 PGID: 1000 TZ: Europe/London APP_URL: https://our.fqdn DB_HOST: bookstack_db DB_PORT: 3306 DB_USER: bookstack DB_PASS: ${DB_PASS} DB_DATABASE: bookstackapp volumes: - app_data:/config restart: unless-stopped depends_on: - bookstack_db networks: - default - caddy env_file: - .env bookstack_db: image: lscr.io/linuxserver/mariadb container_name: bookstack_db environment: PUID: 1000 PGID: 1000 TZ: Europe/London MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASS} MYSQL_DATABASE: bookstackapp MYSQL_USER: bookstack MYSQL_PASSWORD: ${DB_PASS} volumes: - db_data:/config restart: unless-stopped env_file: - .env volumes: app_data: name: bookstack_app_data db_data: name: bookstack_db_data networks: caddy: name: caddy external: true ``` ### .env ```none DB_ROOT_PASS=ourpass DB_PASS=ourpass AUTH_METHOD=oidc AUTH_AUTO_INITIATE=false OIDC_NAME=SSO OIDC_DISPLAY_NAME_CLAIMS=name OIDC_CLIENT_ID=ourclientid OIDC_CLIENT_SECRET=ourclientsecret OIDC_ISSUER=https://idp.fqdn OIDC_END_SESSION_ENDPOINT=false OIDC_ISSUER_DISCOVER=true APP_THEME=custom OIDC_DUMP_USER_DETAILS=false OIDC_USER_TO_GROUPS=true OIDC_GROUPS_CLAIM=groups OIDC_REMOVE_FROM_GROUPS=true MAIL_DRIVER=smtp MAIL_HOST=smtp.fdqn MAIL_PORT=587 MAIL_ENCRYPTION=tls MAIL_USERNAME=ouruser MAIL_PASSWORD=ourpass MAIL_FROM=our@email.fqdn MAIL_FROM_NAME=Intranet ``` ### Custom theme function As described in [this issue #4682](https://github.com/BookStackApp/BookStack/issues/4682#issuecomment-1819732595) we added the following file to our bookstack containers volume to `Replace multiple aud values with single azp value` to cater for Zitadel's returned array. ```php # /var/lib/docker/volumes/bookstack_app_data/_data/www/themes/custom <?php use BookStack\Facades\Theme; use BookStack\Theming\ThemeEvents; Theme::listen(ThemeEvents::OIDC_ID_TOKEN_PRE_VALIDATE, function (array $idTokenData, array $accessTokenData) { if (is_array($idTokenData['aud']) && in_array($idTokenData['azp'], $idTokenData['aud'])) { return array_merge($idTokenData, [ 'aud' => [$idTokenData['azp']] ]); } }); ``` ## Caddy (Reverse Proxy) ### Caddyfile ```none our.fqdn { reverse_proxy http://bookstack } ``` ## Docker Compose ```none services: caddy: container_name: caddy image: caddy:2.8.4 restart: unless-stopped ports: - "80:80" - "443:443" - "443:443/udp" volumes: - ./Caddyfile:/etc/caddy/Caddyfile:ro - data:/data:rw - config:/config:rw networks: - caddy volumes: data: config: networks: caddy: name: caddy ```
OVERLORD commented 2026-02-05 09:17:55 +03:00
Author
Owner
Copy Link

@Rob787 commented on GitHub (Sep 25, 2024):

+1 for this issue also with self-hosted Zitadel

@Rob787 commented on GitHub (Sep 25, 2024): +1 for this issue also with self-hosted Zitadel
OVERLORD commented 2026-02-05 09:17:57 +03:00
Author
Owner
Copy Link

@ssddanbrown commented on GitHub (Sep 26, 2024):

@Rob787 Are you also using the linuxserver docker image?

@ssddanbrown commented on GitHub (Sep 26, 2024): @Rob787 Are you also using the linuxserver docker image?
OVERLORD commented 2026-02-05 09:17:59 +03:00
Author
Owner
Copy Link

@Rob787 commented on GitHub (Sep 30, 2024):

@ssddanbrown For Bookstack? Yes, the linuxserver Docker image indeed.

@Rob787 commented on GitHub (Sep 30, 2024): @ssddanbrown For Bookstack? Yes, the linuxserver Docker image indeed.
OVERLORD commented 2026-02-05 09:18:01 +03:00
Author
Owner
Copy Link

@cybrwshl commented on GitHub (Feb 28, 2025):

@ssddanbrown have you had time to take a closer look at the problem?

@cybrwshl commented on GitHub (Feb 28, 2025): @ssddanbrown have you had time to take a closer look at the problem?
OVERLORD commented 2026-02-05 09:18:02 +03:00
Author
Owner
Copy Link

@baua1310 commented on GitHub (Feb 28, 2025):

Hi, just a quick update from my side: As the problem with OIDC and Zitadel had not been solved, I switched to SAML 2.0.
SAML 2.0 and Zitadel is working fine since a few months. Here is my configuration:

AUTH_METHOD=saml2
AUTH_AUTO_INITIATE=true
SAML2_NAME=ZITADEL
SAML2_EMAIL_ATTRIBUTE=Email
SAML2_EXTERNAL_ID_ATTRIBUTE=UserID
SAML2_DISPLAY_NAME_ATTRIBUTES=FullName
SAML2_IDP_ENTITYID=https://<domain>.zitadel.cloud/saml/v2/metadata
SAML2_AUTOLOAD_METADATA=true
SAML2_USER_TO_GROUPS=true
SAML2_GROUP_ATTRIBUTE=roles
SAML2_REMOVE_FROM_GROUPS=true

To map Zitadel roles to bookstack groups I added added a custom script in Zitadel called "samlRoles" inside Actions and added the script in the flow "Complement SAMLResponse" to the trigger "Pre SAMLResponse creation".

/**
 * Add an custom attribute to the SAMLResponse, if it's not already present.
 * Adds the roles as an additional attribute to the SAMLResponse, if it's not already present.
 *
 * Flow: Complement SAMLResponse, Triggers: Pre SAMLResponse creation
 *
 * @param ctx
 * @param api
 */
function samlRoles(ctx, api) {
  if (ctx.v1.user.grants == undefined || ctx.v1.user.grants.count == 0) {
    return;
  }

  let roles = [];
  ctx.v1.user.grants.grants.forEach(grant => {
    grant.roles.forEach(role => {
        roles.push(role)  
    })
  })

  api.v1.attributes.setCustomAttribute('roles', '', ...roles)
}
@baua1310 commented on GitHub (Feb 28, 2025): Hi, just a quick update from my side: As the problem with OIDC and Zitadel had not been solved, I switched to SAML 2.0. SAML 2.0 and Zitadel is working fine since a few months. Here is my configuration: ``` AUTH_METHOD=saml2 AUTH_AUTO_INITIATE=true SAML2_NAME=ZITADEL SAML2_EMAIL_ATTRIBUTE=Email SAML2_EXTERNAL_ID_ATTRIBUTE=UserID SAML2_DISPLAY_NAME_ATTRIBUTES=FullName SAML2_IDP_ENTITYID=https://<domain>.zitadel.cloud/saml/v2/metadata SAML2_AUTOLOAD_METADATA=true SAML2_USER_TO_GROUPS=true SAML2_GROUP_ATTRIBUTE=roles SAML2_REMOVE_FROM_GROUPS=true ``` To map Zitadel roles to bookstack groups I added added a custom script in Zitadel called "samlRoles" inside Actions and added the script in the flow "Complement SAMLResponse" to the trigger "Pre SAMLResponse creation". ``` /** * Add an custom attribute to the SAMLResponse, if it's not already present. * Adds the roles as an additional attribute to the SAMLResponse, if it's not already present. * * Flow: Complement SAMLResponse, Triggers: Pre SAMLResponse creation * * @param ctx * @param api */ function samlRoles(ctx, api) { if (ctx.v1.user.grants == undefined || ctx.v1.user.grants.count == 0) { return; } let roles = []; ctx.v1.user.grants.grants.forEach(grant => { grant.roles.forEach(role => { roles.push(role) }) }) api.v1.attributes.setCustomAttribute('roles', '', ...roles) } ```
OVERLORD commented 2026-02-05 09:18:03 +03:00
Author
Owner
Copy Link

@cybrwshl commented on GitHub (Mar 8, 2025):

Thanks @baua1310, works like a charm! Except for the logout process, but that's no problem.

@cybrwshl commented on GitHub (Mar 8, 2025): Thanks @baua1310, works like a charm! Except for the logout process, but that's no problem.
OVERLORD commented 2026-02-05 09:18:05 +03:00
Author
Owner
Copy Link

@AndrinGautschi commented on GitHub (Jun 5, 2025):

Just ran into the same issue. Zitadel is self-hosted (and configured to rewrite the roles into a roles array) in a k3s cluster, as is bookstack (via linuxserver image with the same theme-hack concerning the audience array as pointed out above). Accordingly, the behaviour is also the same: After a day or so the login (which previously has worked fine after a fresh install) stops working with "ID token validation failed with error: Token signature could not be validated using the provided keys". Interestingly, it seems to work again after approximately 15minutes (pretty much the time it took me to find this thread and read through).

The zitadel logs say: "2025/06/05 13:09:26 ERROR: Failed to extract ServerMetadata from context"

nginx access.log of bookstack:

XX.XX.X.21 - - [05/Jun/2025:13:09:23 +0000] "GET / HTTP/1.1" 302 410 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0"
XX.XX.X.21 - - [05/Jun/2025:13:09:23 +0000] "GET /login HTTP/1.1" 200 7973 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0"
XX.XX.X.21 - - [05/Jun/2025:13:09:23 +0000] "GET /dist/styles.css?version=v25.05 HTTP/1.1" 304 0 "https://url.to.bookstack.com/login" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0"
XX.XX.X.21 - - [05/Jun/2025:13:09:23 +0000] "GET /dist/app.js?version=v25.05 HTTP/1.1" 200 192990 "https://url.to.bookstack.com/login" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0"
XX.XX.X.21 - - [05/Jun/2025:13:09:23 +0000] "GET /logo.png HTTP/1.1" 304 0 "https://url.to.bookstack.com/login" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0"
XX.XX.X.21 - - [05/Jun/2025:13:09:23 +0000] "GET /icon-32.png HTTP/1.1" 200 746 "https://url.to.bookstack.com/login" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0"
XX.XX.X.21 - - [05/Jun/2025:13:09:25 +0000] "POST /oidc/login HTTP/1.1" 302 1766 "https://url.to.bookstack.com/login" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0"
XX.XX.X.21 - - [05/Jun/2025:13:09:29 +0000] "GET /oidc/callback?code=xavchangedkvalyJ9gKVIJg-_rkUchangedw&state=fd3db65changed45d59b2 HTTP/1.1" 302 410 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0"
XX.XX.X.21 - - [05/Jun/2025:13:09:30 +0000] "GET /login HTTP/1.1" 200 8073 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0"
XX.XX.X.21 - - [05/Jun/2025:13:28:08 +0000] "POST /oidc/login HTTP/1.1" 302 1766 "https://url.to.bookstack.com/login" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0"
XX.XX.X.21 - - [05/Jun/2025:13:28:11 +0000] "GET /oidc/callback?code=zi_XpJAQEVLchangedg&state=905changed5a02d HTTP/1.1" 302 386 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0"
XX.XX.X.21 - - [05/Jun/2025:13:28:12 +0000] "GET / HTTP/1.1" 200 24005 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0"
XX.XX.X.21 - - [05/Jun/2025:13:28:12 +0000] "GET /uploads/images/user/2025-06/thumbs-30-30/hbtnje7rz6-avatar.png HTTP/1.1" 304 0 "https://url.to.bookstack.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0"
XX.XX.X.21 - - [05/Jun/2025:13:28:12 +0000] "GET /uploads/images/user/2025-06/thumbs-30-30/ku0ijbpqhv-avatar.png HTTP/1.1" 304 0 "https://url.to.bookstack.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0"
XX.XX.X.42 - - [05/Jun/2025:13:32:41 +0000] "GET /plugins/.git/config HTTP/1.1" 404 7800 "-" "msnbot-media/1.1 ( http://search.msn.com/msnbot.htm)"

@ssddanbrown Have you ever had the chance to look into your suggested caching issue? (btw: I think you do a great job, whether this issue gets resolved or not!)

PS: There is one thing that I've configured different than my predecessors; Bookstack is registered within Zitadel as PKCE app. Since zitadel does not provide a client secret for such cases and bookstack needs one, I had to generate a random value by myself which I feed into the bookstack container on startup.

@AndrinGautschi commented on GitHub (Jun 5, 2025): Just ran into the same issue. Zitadel is self-hosted (and configured to rewrite the roles into a roles array) in a k3s cluster, as is bookstack (via linuxserver image with the same theme-hack concerning the audience array as pointed out above). Accordingly, the behaviour is also the same: After a day or so the login (which previously has worked fine after a fresh install) stops working with "ID token validation failed with error: Token signature could not be validated using the provided keys". Interestingly, it seems to work again after approximately 15minutes (pretty much the time it took me to find this thread and read through). The zitadel logs say: "2025/06/05 13:09:26 ERROR: Failed to extract ServerMetadata from context" nginx access.log of bookstack: ``` XX.XX.X.21 - - [05/Jun/2025:13:09:23 +0000] "GET / HTTP/1.1" 302 410 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0" XX.XX.X.21 - - [05/Jun/2025:13:09:23 +0000] "GET /login HTTP/1.1" 200 7973 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0" XX.XX.X.21 - - [05/Jun/2025:13:09:23 +0000] "GET /dist/styles.css?version=v25.05 HTTP/1.1" 304 0 "https://url.to.bookstack.com/login" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0" XX.XX.X.21 - - [05/Jun/2025:13:09:23 +0000] "GET /dist/app.js?version=v25.05 HTTP/1.1" 200 192990 "https://url.to.bookstack.com/login" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0" XX.XX.X.21 - - [05/Jun/2025:13:09:23 +0000] "GET /logo.png HTTP/1.1" 304 0 "https://url.to.bookstack.com/login" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0" XX.XX.X.21 - - [05/Jun/2025:13:09:23 +0000] "GET /icon-32.png HTTP/1.1" 200 746 "https://url.to.bookstack.com/login" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0" XX.XX.X.21 - - [05/Jun/2025:13:09:25 +0000] "POST /oidc/login HTTP/1.1" 302 1766 "https://url.to.bookstack.com/login" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0" XX.XX.X.21 - - [05/Jun/2025:13:09:29 +0000] "GET /oidc/callback?code=xavchangedkvalyJ9gKVIJg-_rkUchangedw&state=fd3db65changed45d59b2 HTTP/1.1" 302 410 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0" XX.XX.X.21 - - [05/Jun/2025:13:09:30 +0000] "GET /login HTTP/1.1" 200 8073 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0" XX.XX.X.21 - - [05/Jun/2025:13:28:08 +0000] "POST /oidc/login HTTP/1.1" 302 1766 "https://url.to.bookstack.com/login" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0" XX.XX.X.21 - - [05/Jun/2025:13:28:11 +0000] "GET /oidc/callback?code=zi_XpJAQEVLchangedg&state=905changed5a02d HTTP/1.1" 302 386 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0" XX.XX.X.21 - - [05/Jun/2025:13:28:12 +0000] "GET / HTTP/1.1" 200 24005 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0" XX.XX.X.21 - - [05/Jun/2025:13:28:12 +0000] "GET /uploads/images/user/2025-06/thumbs-30-30/hbtnje7rz6-avatar.png HTTP/1.1" 304 0 "https://url.to.bookstack.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0" XX.XX.X.21 - - [05/Jun/2025:13:28:12 +0000] "GET /uploads/images/user/2025-06/thumbs-30-30/ku0ijbpqhv-avatar.png HTTP/1.1" 304 0 "https://url.to.bookstack.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0" XX.XX.X.42 - - [05/Jun/2025:13:32:41 +0000] "GET /plugins/.git/config HTTP/1.1" 404 7800 "-" "msnbot-media/1.1 ( http://search.msn.com/msnbot.htm)" ``` @ssddanbrown Have you ever had the chance to look into your suggested caching issue? (btw: I think you do a great job, whether this issue gets resolved or not!) PS: There is one thing that I've configured different than my predecessors; Bookstack is registered within Zitadel as PKCE app. Since zitadel does not provide a client secret for such cases and bookstack needs one, I had to generate a random value by myself which I feed into the bookstack container on startup.
OVERLORD commented 2026-02-05 09:18:08 +03:00
Author
Owner
Copy Link

@ssddanbrown commented on GitHub (Jun 5, 2025):

@ssddanbrown Have you ever had the chance to look into your suggested caching issue?

@AndrinGautschi Not yet. To be honest it's an awkward one to attempt to replicate due to needing to be done over time, and since I think there's a fair chance of this being something Zitadel specific (just based upon not having this ever reported for another OIDC system). Just need to properly dedicate the time needed.

Do you get that zitadel log error message every time this occurs? Just trying to understand how connected that is to what's happening in BookStack.

As an aside, Zitadel has recently taken millions in VC funding, and has just switched their licensing to AGPLv3+CLA. Can't speak specifically to the project or its owners or management, but this is usually an indicator that the project is going in a certain growth-focus direction which often impacts users eventually. The funding provided by the same which funded Minio, which has been in the news recently for its open-source-user unfriendly changes.

@ssddanbrown commented on GitHub (Jun 5, 2025): > @ssddanbrown Have you ever had the chance to look into your suggested caching issue? @AndrinGautschi Not yet. To be honest it's an awkward one to attempt to replicate due to needing to be done over time, and since I think there's a fair chance of this being something Zitadel specific (just based upon not having this ever reported for another OIDC system). Just need to properly dedicate the time needed. Do you get that zitadel log error message every time this occurs? Just trying to understand how connected that is to what's happening in BookStack. --- As an aside, Zitadel has recently taken millions in VC funding, and has just switched their licensing to AGPLv3+CLA. Can't speak specifically to the project or its owners or management, but this is usually an indicator that the project is going in a certain growth-focus direction which often impacts users eventually. The funding provided by the same which funded Minio, which has been in the news recently for its open-source-user unfriendly changes.
OVERLORD commented 2026-02-05 09:18:09 +03:00
Author
Owner
Copy Link

@ssddanbrown commented on GitHub (Jun 5, 2025):

Not validated, but potentially related to https://github.com/zitadel/zitadel/discussions/2042.
Might be just that Zitadel (compared to others) has no smooth key rotation (Direct change with no/minimal crossover period) leading to no available keys for a moment, and in which case we should maybe (following the spec's advice) re-fetch the keys on unfamiliar key if we've used our own cache values.

@ssddanbrown commented on GitHub (Jun 5, 2025): Not validated, but potentially related to https://github.com/zitadel/zitadel/discussions/2042. Might be just that Zitadel (compared to others) has no smooth key rotation (Direct change with no/minimal crossover period) leading to no available keys for a moment, and in which case we should maybe (following the spec's advice) re-fetch the keys on unfamiliar key if we've used our own cache values.
OVERLORD commented 2026-02-05 09:18:11 +03:00
Author
Owner
Copy Link

@AndrinGautschi commented on GitHub (Jun 18, 2025):

Thanks. Unfortunately, I'm very busy right now with something else. I'll come back with proper telemetry data as soon as I've found time to investigate further.

@AndrinGautschi commented on GitHub (Jun 18, 2025): Thanks. Unfortunately, I'm very busy right now with something else. I'll come back with proper telemetry data as soon as I've found time to investigate further.
OVERLORD commented 2026-02-05 09:18:12 +03:00
Author
Owner
Copy Link

@AndrinGautschi commented on GitHub (Aug 27, 2025):

Due to other issues with Zitadel, especially concerning their newest update, we internally changed products and moved to Authentik. So far, this seems to work perfectly fine. So for anyone who struggles implementing auth between Zitadel and Bookstack: SAML2.0 seems, according to https://github.com/BookStackApp/BookStack/issues/5049#issuecomment-2691032746, work fine.

@AndrinGautschi commented on GitHub (Aug 27, 2025): Due to other issues with Zitadel, especially concerning their newest update, we internally changed products and moved to Authentik. So far, this seems to work perfectly fine. So for anyone who struggles implementing auth between Zitadel and Bookstack: SAML2.0 seems, according to https://github.com/BookStackApp/BookStack/issues/5049#issuecomment-2691032746, work fine.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
🎨 Design
📖 Docs Update
🐛 Bug
🐛 Bug
:cat2:🐈 Possible duplicate
💿 Database
Open to discussion
💻 Front-End
🐕 Support
🚪 Authentication
🌍 Translations
🔌 API Task
🏭 Back-End
Upstream
🔨 Feature Request
🛠️ Enhancement
🛠️ Enhancement
🛠️ Enhancement
❤️ Happy feedback
🔒 Security
🔍 Pending Validation
💆 UX
📝 WYSIWYG Editor
🌔 Out of scope
🔩 API Request
:octocat: Admin/Meta
🖌️ View Customization
Question
🚀 Priority
🛡️ Blocked
🚚 Export System
A11y
🔧 Maintenance
> Markdown Editor
pull-request
Mirrored from GitHub Pull Request
No Label 🐛 Bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/BookStack#4810
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?