OIDC login doesn't work (keeps asking to login again) #4925

Closed
opened 2026-02-05 09:26:42 +03:00 by OVERLORD · 6 comments

Originally created by @davispuh on GitHub (Aug 22, 2024).

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

I set up BookStack with the Authentik OIDC provider, but when I log in with SSO I get redirected back to the login page.
`/oidc/callback` works fine (I see data if I set `OIDC_DUMP_USER_DETAILS=true`)

[screenshot]

It's like cookies don't work or the session doesn't get saved, but I don't know how to debug further. I see that the `bookstack_session` cookie is sent.

My env vars are like

```
AUTH_METHOD=oidc
OIDC_CLIENT_ID=xxx
OIDC_CLIENT_SECRET=yyy
OIDC_ISSUER=https://auth.example.org/application/o/bookstack/
OIDC_ISSUER_DISCOVER=true
```

Exact BookStack Version

v24.05.3

Log Content

No log file

Hosting Environment

ghcr.io/linuxserver/bookstack:latest Docker image with Podman

OVERLORD added the 🐕 Support label 2026-02-05 09:26:42 +03:00

@ssddanbrown commented on GitHub (Aug 22, 2024):

Hi @davispuh,

  • Is APP_URL set for the BookStack instance, and does it exactly match the base URL of the instance (with no trailing slash and correct protocol)?
  • Did normal email/password login work okay before configuring OIDC?
  • In the /callback request shown in your screenshot, are there any additional parameters on the URL in addition to state and code?

@davispuh commented on GitHub (Aug 22, 2024):

  • Yeah, `APP_URL` is the same as what I type in the browser URL: `https://bookstack.example.org`. It was without a slash, but I just tried adding `/` and it made no difference.
  • I hadn't tried, but I tried now and it doesn't work either. Same behavior: I enter `admin@admin.com` and `password` and it redirects back to login, but the password is correct; it doesn't say it's wrong. There's no error message at all.
  • Nothing else, only `state` and `code`.

[screenshot]

It really looks like something with session saving doesn't work, so I need some way to dig into that.


@davispuh commented on GitHub (Aug 22, 2024):

In `/app/www/storage/framework/sessions` I see session files. I deleted all of them and tried again.
After opening the login page there is

```
$ cat yUsmBoYyBreOCh17MFvj5XZ0ARGarsoIax225VXk
a:3:{s:6:"_token";s:40:"VH6RLIFVb4xS6oClBFRvJuJ8pVWKg4qvrQCfaYXX";s:9:"_previous";a:1:{s:3:"url";s:26:"https://bookstack.example.org/login";}s:6:"_flash";a:2:{s:3:"old";a:0:{}s:3:"new";a:0:{}}}
```

Then after login there are 2 files:

```
$ cat yUsmBoYyBreOCh17MFvj5XZ0ARGarsoIax225VXk
a:4:{s:6:"_token";s:40:"qWrzdzSdH9AH57rMKLhgFDpv3Tk7lJsXj1kdZakh";s:3:"url";a:1:{s:8:"intended";s:20:"https://bookstack.example.org";}s:9:"_previous";a:1:{s:3:"url";s:26:"https://bookstack.example.org/login";}s:6:"_flash";a:2:{s:3:"old";a:0:{}s:3:"new";a:0:{}}}
$ cat K1WkQ9gI2FBhqRir4tcP7A6HUIxkddTyUKPC2Hqu
a:7:{s:6:"_token";s:40:"tQpxnysQ36wV1CtgTucuOwM2XDAk56NmEnpxdeWM";s:9:"_previous";a:1:{s:3:"url";s:26:"https://bookstack.example.org/login";}s:6:"_flash";a:2:{s:3:"old";a:0:{}s:3:"new";a:0:{}}s:55:"login_standard_59ba36addc2b2f9401580f014c7f58ea4e30989d";i:1;s:51:"login_ldap_80419bb419cfe6844528c34d42daecea68292a06";i:1;s:52:"login_saml2_68cb028f07b60f58d8e38f79b41505d620d0b238";i:1;s:51:"login_oidc_68cb028f07b60f58d8e38f79b41505d620d0b238";i:1;}
```

@davispuh commented on GitHub (Aug 22, 2024):

I figured it out: I have BookStack behind Nginx with a custom 302 error page, and that caused this issue.

In Nginx there is

```
error_page 302 /errors/HTTP302.html;

add_header Location $upstream_http_location;
add_header Set-Cookie $upstream_http_set_cookie;
```

After removing this error page it works fine.

It probably breaks because BookStack is sending 3x set-cookie headers.


@davispuh commented on GitHub (Aug 22, 2024):

Adding additional cookie header in Nginx

```
add_header Set-Cookie bookstack_session=$upstream_cookie_bookstack_session;
```

makes the custom `302` error page work, but it still seems a bit buggy with sessions, so it looks like the best option is not to use a custom 302 page.

@ssddanbrown commented on GitHub (Aug 22, 2024):

Glad you found the cause!
Not sure what value there is for setting a custom 302 error page, since 302 response codes are not supposed to be considered as errors, and can be heavily utilised in applications for redirect functionality.
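
Added example, not part of the original thread: a small Python check for the failure mode diagnosed above, where the application sends several `Set-Cookie` headers but fewer reach the browser through the reverse proxy. The header dumps and the cookie names other than `bookstack_session` are constructed for illustration, not captured from a real instance.

```python
# Added example: compare the Set-Cookie headers sent by the app with those
# that arrive through the proxy. All header dumps below are constructed.

UPSTREAM = """\
HTTP/1.1 302 Found
Location: https://bookstack.example.org
Set-Cookie: first_cookie=aaa; path=/; secure
Set-Cookie: bookstack_session=bbb; path=/; secure; httponly
Set-Cookie: third_cookie=ccc; path=/; secure
"""

# Only one Set-Cookie header survives the proxy (constructed).
PROXIED_SINGLE = """\
HTTP/1.1 302 Found
Location: https://bookstack.example.org
Set-Cookie: first_cookie=aaa; path=/; secure
"""

# Several cookies folded into one header line (constructed).
PROXIED_MERGED = """\
HTTP/1.1 302 Found
Set-Cookie: first_cookie=aaa; path=/; secure, bookstack_session=bbb; path=/; secure; httponly
"""

def set_cookie_values(raw_headers):
    """Return the value of every Set-Cookie line in a raw header dump."""
    values = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values

def cookie_name(value):
    """A client takes the cookie name from the text before the first '='."""
    return value.split(";", 1)[0].partition("=")[0].strip()

def audit(upstream_raw, proxied_raw):
    """Report cookies the client never receives, and which of those were folded."""
    sent = [cookie_name(v) for v in set_cookie_values(upstream_raw)]
    proxied = set_cookie_values(proxied_raw)
    received = {cookie_name(v) for v in proxied}
    missing = [n for n in sent if n not in received]
    # A missing name that still appears after ", " was merged into another
    # header line; a client reads it as an unknown attribute, not as a cookie.
    folded = [n for n in missing if any(f", {n}=" in v for v in proxied)]
    return {"missing": missing, "folded": folded}
```

To run it on real data, save the response headers from a request made directly to the application and from the same request made through the proxy (for example with `curl -sD - -o /dev/null <url>`) and pass both dumps to `audit`.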

Reference: starred/BookStack#4925