OIDC Group Sync doesn't work #5032

Closed
opened 2026-02-05 09:35:16 +03:00 by OVERLORD · 9 comments
Owner

Originally created by @heindrickdumdum0217 on GitHub (Oct 31, 2024).

Describe the Bug

I implemented a custom OIDC provider and log in to BookStack with that provider.
Login works, but group/role sync doesn't work.

Steps to Reproduce

  1. Go to BookStack home page
  2. Try to login with SSO
  3. Login works, but group/role sync doesn't work

Expected Behaviour

Here are my environment variables.

PUID      = 1000
PGID      = 1000
TZ        = "Etc/UTC"
APP_DEBUG = true
APP_URL   = "https://${var.app_name}.${var.dns_zone}"

# https://www.bookstackapp.com/docs/admin/oidc-auth/
AUTH_METHOD               = "oidc"
OIDC_NAME                 = "Alinea"
OIDC_CLIENT_ID = "***"
OIDC_CLIENT_SECRET = "***"
OIDC_DISPLAY_NAME_CLAIMS  = "name"
OIDC_END_SESSION_ENDPOINT = true
OIDC_ISSUER               = "***"
OIDC_ISSUER_DISCOVER      = true
OIDC_DUMP_USER_DETAILS    = false

# https://www.bookstackapp.com/docs/admin/oidc-auth/#group-sync
OIDC_USER_TO_GROUPS     = true
OIDC_GROUPS_CLAIMS      = "roles.bookstack"
OIDC_ADDITIONAL_SCOPES  = "roles"
OIDC_REMOVE_FROM_GROUPS = true

Here is ID token payload.
Screenshot_1: https://github.com/user-attachments/assets/e7246c02-bf79-4898-9442-7a4a20fa1a4b

I expected my user would have the admin role in BookStack, but it even removed the admin role which was added manually in the database.
I set OIDC_DUMP_USER_DETAILS=true and confirmed the user information contains roles.

Screenshots or Additional Context

No response

Browser Details

Chrome on Windows 11, Ubuntu 22.04

Exact BookStack Version

v24.10-ls171

OVERLORD added the 🐕 Support label 2026-02-05 09:35:16 +03:00
Author
Owner

@ssddanbrown commented on GitHub (Oct 31, 2024):

Hi @heindrickdumdum0217,

I set OIDC_DUMP_USER_DETAILS=true, and confirmed user information contains roles

  • Can you please share the output seen with that option set to true?
  • Do you still have a role in BookStack named "Admin" or have you renamed it?
Author
Owner

@heindrickdumdum0217 commented on GitHub (Oct 31, 2024):

@ssddanbrown
Thanks for your reply.

  • The output is the same as the screenshot which I attached.
  • Yes, we have the Admin, Editor, Viewer roles in BookStack. I can confirm this in MariaDB.

I tried various ways.

  1. I removed the nested structure and returned the roles claim directly, and updated OIDC_GROUPS_CLAIMS="roles"

     {
       "roles": ["Admin"]
     }

     It still doesn't work.

  2. I updated the OIDC provider to return the original roles which are used in the provider and tried to map them to BookStack roles using external_auth_id in the role table; it also doesn't work.
Author
Owner

@ssddanbrown commented on GitHub (Oct 31, 2024):

@heindrickdumdum0217 Can you run the below command against your running/active BookStack instance (ran from the root of the instance install folder):

php artisan tinker --execute="dd(config('oidc.groups_claim'))"

Then share the output.

Author
Owner

@heindrickdumdum0217 commented on GitHub (Oct 31, 2024):

@ssddanbrown

Aha, it's strange.
Here is output.

"groups" // vendor/psy/psysh/src/ExecutionClosure.php(40) : eval()'d code:1

But if I check environment variable (I'm setting environment variables instead of .env file)

echo $OIDC_GROUPS_CLAIMS
roles

It's strange.
I manage all other BookStack configuration using environment variables and they seem to work.
When I change an environment variable and restart the instance, for example AUTH_METHOD from standard to oidc or vice versa, it works.

Author
Owner

@heindrickdumdum0217 commented on GitHub (Oct 31, 2024):

@ssddanbrown

Let me give you more concrete information.
We deployed BookStack using Docker on EKS.
And the BookStack pod environment variables come from a Kubernetes config map and secret.
If I change AUTH_METHOD from standard to oidc and restart the BookStack pod, the change works as expected.

Author
Owner

@ssddanbrown commented on GitHub (Oct 31, 2024):

Okay, so the env changes just weren't applied to the existing environment. Good to hear it's now working! I'll therefore close this off.

Author
Owner

@heindrickdumdum0217 commented on GitHub (Oct 31, 2024):

@ssddanbrown

No, env changes work for AUTH_METHOD, but seem not to work for OIDC_GROUP_CLAIMS.
As you can see, when I check using the echo command it returns roles, but the php artisan command returns groups.

Author
Owner

@ssddanbrown commented on GitHub (Oct 31, 2024):

Oh, sorry, misunderstood, but I see the issue, you are setting OIDC_GROUPS_CLAIMS, but the setting is non-plural: OIDC_GROUPS_CLAIM.

Change it to OIDC_GROUPS_CLAIM and see if things start working as expected.

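The variable-name mix-up above is easy to catch before a restart. The following is an added example (not BookStack's own code) that lints the group-sync variables from this thread and previews what a decoded ID token would sync to; it assumes, per the maintainer's reply and the linked docs, that BookStack reads OIDC_GROUPS_CLAIM (singular, default "groups") with dot notation for nested claims, and its role matching is a simplified, case-insensitive stand-in rather than BookStack's actual logic.

```python
"""Added example, not BookStack code: lint OIDC group-sync env vars and
preview the sync result for a decoded ID token (simplified stand-in)."""

# Group-sync variable names from the linked docs (assumption: complete
# enough for this thread's configuration).
KNOWN = {"OIDC_USER_TO_GROUPS", "OIDC_GROUPS_CLAIM",
         "OIDC_ADDITIONAL_SCOPES", "OIDC_REMOVE_FROM_GROUPS"}

# Constructed token payload shaped like the nested claim in the thread.
TOKEN = {"sub": "user-123", "name": "Example User",
         "roles": {"bookstack": ["Admin"]}}


def lint_env(env):
    """Warn about OIDC_GROUPS_* names BookStack never reads (e.g. the plural
    OIDC_GROUPS_CLAIMS) and about a removal setting that strips roles."""
    warnings = []
    for name in env:
        if name.startswith("OIDC_GROUPS") and name not in KNOWN:
            warnings.append(f"{name} is not read; did you mean OIDC_GROUPS_CLAIM?")
    if env.get("OIDC_REMOVE_FROM_GROUPS") == "true" and "OIDC_GROUPS_CLAIM" not in env:
        warnings.append("OIDC_REMOVE_FROM_GROUPS=true with the default claim "
                        "'groups': existing roles are removed if the token lacks it")
    return warnings


def claim_values(payload, path):
    """Resolve a dot-notation claim path such as 'roles.bookstack' to a list;
    a missing or non-dict intermediate yields an empty list."""
    node = payload
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return []
        node = node[part]
    return [node] if isinstance(node, str) else list(node) if isinstance(node, list) else []


def preview_sync(payload, env, current_roles):
    """Report roles the user would keep or lose and token groups not yet
    held (case-insensitive name matching is an assumption)."""
    claim = env.get("OIDC_GROUPS_CLAIM", "groups")
    groups = {g.lower() for g in claim_values(payload, claim)}
    keep = [r for r in current_roles if r.lower() in groups]
    lose = ([r for r in current_roles if r.lower() not in groups]
            if env.get("OIDC_REMOVE_FROM_GROUPS") == "true" else [])
    gain = sorted(groups - {r.lower() for r in current_roles})
    return {"keep": keep, "lose": lose, "gain": gain}
```

With the thread's original variables the preview shows the manually granted Admin role being removed because the default "groups" claim is absent from the token; with OIDC_GROUPS_CLAIM the nested "Admin" value is matched and kept.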
Author
Owner

@heindrickdumdum0217 commented on GitHub (Oct 31, 2024):

Thank you, @ssddanbrown

Great support.

Reference: starred/BookStack#5032