Editor role always assigned when using OIDC #5012

New Issue

Closed

opened 2026-02-05 09:33:31 +03:00 by OVERLORD · 2 comments

OVERLORD commented 2026-02-05 09:33:31 +03:00

Owner

Copy Link

Originally created by @federicochiesa on GitHub (Oct 16, 2024).

Describe the Bug

I'm using Keycloak as an OIDC SSO with BookStack.
This is the BookStack SSO configuration:

    - OIDC_NAME=SSO
    - OIDC_DISPLAY_NAME_CLAIMS=given_name|family_name
    - OIDC_CLIENT_ID=bookstack
    - OIDC_CLIENT_SECRET=xxxxxxxx
    - OIDC_ISSUER=https://xxxxxxxxx
    - OIDC_END_SESSION_ENDPOINT=false
    - OIDC_ISSUER_DISCOVER=true
    - OIDC_USER_TO_GROUPS=true
    - OIDC_GROUPS_CLAIM=resource_access.bookstack.roles
    - OIDC_REMOVE_FROM_GROUPS=true

The groups claim is right and I checked that the role appears in the token. In fact, the groups work if I assign them to the user, the problem is that the "Editor" group is always assigned no matter what group I give to the users through Keycloak.

For example, if I give a user the "Admin" group, they show up as "Admin" and "Editor", if they are given the "Viewer" group, they will show up as "Viewer" and "Editor", despite the "Editor" role not being assigned and not being in the token. If I try to remove the "Editor" role from the Bookstack UI, it will reappear as soon as the user logs in again.

Steps to Reproduce

1. Assign role to a user in Keycloak
2. Login to BookStack
3. The "Editor" group is assigned to the user in addition to the one assigned in Keycloak

Expected Behaviour

The group assigned should be only the one assigned by Keycloak

Screenshots or Additional Context

No response

Browser Details

No response

Exact BookStack Version

v23.12

Originally created by @federicochiesa on GitHub (Oct 16, 2024). ### Describe the Bug I'm using Keycloak as an OIDC SSO with BookStack. This is the BookStack SSO configuration: ``` - OIDC_NAME=SSO - OIDC_DISPLAY_NAME_CLAIMS=given_name|family_name - OIDC_CLIENT_ID=bookstack - OIDC_CLIENT_SECRET=xxxxxxxx - OIDC_ISSUER=https://xxxxxxxxx - OIDC_END_SESSION_ENDPOINT=false - OIDC_ISSUER_DISCOVER=true - OIDC_USER_TO_GROUPS=true - OIDC_GROUPS_CLAIM=resource_access.bookstack.roles - OIDC_REMOVE_FROM_GROUPS=true ``` The groups claim is right and I checked that the role appears in the token. In fact, the groups work if I assign them to the user, the problem is that the "Editor" group is always assigned no matter what group I give to the users through Keycloak. For example, if I give a user the "Admin" group, they show up as "Admin" and "Editor", if they are given the "Viewer" group, they will show up as "Viewer" and "Editor", despite the "Editor" role not being assigned and not being in the token. If I try to remove the "Editor" role from the Bookstack UI, it will reappear as soon as the user logs in again. ### Steps to Reproduce 1. Assign role to a user in Keycloak 2. Login to BookStack 3. The "Editor" group is assigned to the user in addition to the one assigned in Keycloak ### Expected Behaviour The group assigned should be only the one assigned by Keycloak ### Screenshots or Additional Context _No response_ ### Browser Details _No response_ ### Exact BookStack Version v23.12

OVERLORD added the 🐛 Bug label 2026-02-05 09:33:31 +03:00

OVERLORD closed this issue 2026-02-05 09:33:33 +03:00

OVERLORD commented 2026-02-05 09:33:35 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Oct 16, 2024):

Hi @federicochiesa,

Since you have the OIDC_REMOVE_FROM_GROUPS=true setting set, the "Default Registration Role" role in the registration settings will be also assigned to the user. Is this currently set to the editor role?

@ssddanbrown commented on GitHub (Oct 16, 2024): Hi @federicochiesa, Since you have the `OIDC_REMOVE_FROM_GROUPS=true` setting set, the "Default Registration Role" role in the registration settings will be also assigned to the user. Is this currently set to the editor role?

OVERLORD commented 2026-02-05 09:33:36 +03:00

Author

Owner

Copy Link

@federicochiesa commented on GitHub (Oct 16, 2024):

Ok, that was indeed set to editor. Since registration was disabled I thought I wouldn't need to set that option to None.

@federicochiesa commented on GitHub (Oct 16, 2024): Ok, that was indeed set to editor. Since registration was disabled I thought I wouldn't need to set that option to None.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

development

further_theme_development

l10n_development

release

llm_only

vectors

v25-11

docker_env

drawio_rendering

user_permissions

ldap_host_failover

svg_image

prosemirror

captcha_example

fix/video-export

v25.12.3

v25.12.2

v25.12.1

v25.12

v25.11.6

v25.11.5

v25.11.4

v24.11.4

v25.11.3

v25.11.2

v25.11.1

v25.11

v25.07.3

v25.07.2

v25.07.1

v25.07

v25.05.2

v25.05.1

v25.05

v25.02.5

v25.02.4

v25.02.3

v25.02.2

v25.02.1

v25.02

v24.12.1

v24.12

v24.10.3

v24.10.2

v24.10.1

v24.10

v24.05.4

v24.05.3

v24.05.2

v24.05.1

v24.05

v24.02.3

v24.02.2

v24.02.1

v24.02

v23.12.3

v23.12.2

v23.12.1

v23.12

v23.10.4

v23.10.3

v23.10.2

v23.10.1

v23.10

v23.08.3

v23.08.2

v23.08.1

v23.08

v23.06.2

v23.06.1

v23.06

v23.05.2

v23.05.1

v23.05

v23.02.3

v23.02.2

v23.02.1

v23.02

v23.01.1

v23.01

v22.11.1

v22.11

v22.10.2

v22.10.1

v22.10

v22.09.1

v22.09

v22.07.3

v22.07.2

v22.07.1

v22.07

v22.06.2

v22.06.1

v22.06

v22.04.2

v22.04.1

v22.04

v22.03.1

v22.03

v22.02.3

v22.02.2

v22.02.1

v22.02

v21.12.5

v21.12.4

v21.12.3

v21.12.2

v21.12.1

v21.12

v21.11.3

v21.11.2

v21.11.1

v21.11

v21.10.3

v21.10.2

v21.10.1

v21.10

v21.08.6

v21.08.5

v21.08.4

v21.08.3

v21.08.2

v21.08.1

v21.08

v21.05.4

v21.05.3

v21.05.2

v21.05.1

v21.05

v21.04.6

v21.04.5

v21.04.4

v21.04.3

v21.04.2

v21.04.1

v21.04

v0.31.8

v0.31.7

v0.31.6

v0.31.5

v0.31.4

v0.31.3

v0.31.2

v0.31.1

v0.31.0

v0.30.7

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.1

v0.13.0

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.6

v0.7.5

v0.7.4

v0.7.3

0.7.2

v.0.7.1

v0.7.0

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

Labels

Clear labels

🎨 Design

📖 Docs Update

🐛 Bug

🐛 Bug

:cat2:🐈 Possible duplicate

💿 Database

☕ Open to discussion

💻 Front-End

🐕 Support

🚪 Authentication

🌍 Translations

🔌 API Task

🏭 Back-End

⛲ Upstream

🔨 Feature Request

🛠️ Enhancement

🛠️ Enhancement

🛠️ Enhancement

❤️ Happy feedback

🔒 Security

🔍 Pending Validation

💆 UX

📝 WYSIWYG Editor

🌔 Out of scope

🔩 API Request

:octocat: Admin/Meta

🖌️ View Customization

❓ Question

🚀 Priority

🛡️ Blocked

🚚 Export System

♿ A11y

🔧 Maintenance

> Markdown Editor

pull-request

Mirrored from GitHub Pull Request

No Label 🐛 Bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#5012