OIDC configuration problems for Synology SSO Server #5114

Closed
opened 2026-02-05 09:41:17 +03:00 by OVERLORD · 3 comments
Owner

Originally created by @tomo2403 on GitHub (Jan 12, 2025).

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

I've configured authentication with OIDC. The IDP is Synology SSO Server. After login, I receive this error:

Caution

ID token validation failed with error: Missing or non-matching token issuer value

This is a part of my config:

AUTH_METHOD=oidc
AUTH_AUTO_INITIATE=false
OIDC_NAME=SSO
OIDC_DISPLAY_NAME_CLAIMS=username
OIDC_CLIENT_ID="..."
OIDC_CLIENT_SECRET="..."
OIDC_ISSUER=https://mydomain.com/webman/sso/
OIDC_END_SESSION_ENDPOINT=false
OIDC_ISSUER_DISCOVER=false
OIDC_PUBLIC_KEY=file:///config/idp-public-key.pem
OIDC_AUTH_ENDPOINT=https://mydomain.com/webman/sso/SSOOauth.cgi
OIDC_TOKEN_ENDPOINT=https://mydomain.com/webman/sso/SSOAccessToken.cgi
OIDC_USERINFO_ENDPOINT=https://mydomain.com/webman/sso/SSOUserInfo.cgi

# Enable OIDC group sync.
OIDC_USER_TO_GROUPS=true
OIDC_GROUPS_CLAIM=groups
OIDC_ADDITIONAL_SCOPES=groups
OIDC_REMOVE_FROM_GROUPS=true

Note

I'm currently unable to use auto-discover due to DNS problems in my home network. mydomain.com is anonymized and only available in my home network.

Exact BookStack Version

v24.12.1

Log Content

Output after login at Idp and OIDC_DUMP_USER_DETAILS=true

{
  "aud": "1dbb77dba088b05c27fd9b8e5484cdd3",
  "auth_time": 1736689934,
  "email": "admin@mydomain.com",
  "exp": 1736690114,
  "groups": [
    "docker",
    "users",
    "administrators"
  ],
  "iat": 1736689934,
  "iss": "http://mydomain.com/webman/sso",
  "sub": "myuser",
  "username": "myuser"
}

Note

iss is different from OIDC_ISSUER. Changing https to http or/and removing the trailing slash in OIDC_ISSUER throws an unexpected error.

Hosting Environment

PHP 8.3.15 inside Docker (Image: https://github.com/linuxserver/docker-bookstack) on Synology NAS (DSM 7.2.2)

Originally created by @tomo2403 on GitHub (Jan 12, 2025). ### Attempted Debugging - [X] I have read the debugging page ### Searched GitHub Issues - [X] I have searched GitHub for the issue. ### Describe the Scenario I've configured authentication with OIDC. The IDP is [Synology SSO Server](https://kb.synology.com/en-global/DSM/help/SSOServer/sso_server_desc?version=7). After login, I receive this error: > [!CAUTION] > ID token validation failed with error: Missing or non-matching token issuer value This is a part of my config: ```env AUTH_METHOD=oidc AUTH_AUTO_INITIATE=false OIDC_NAME=SSO OIDC_DISPLAY_NAME_CLAIMS=username OIDC_CLIENT_ID="..." OIDC_CLIENT_SECRET="..." OIDC_ISSUER=https://mydomain.com/webman/sso/ OIDC_END_SESSION_ENDPOINT=false OIDC_ISSUER_DISCOVER=false OIDC_PUBLIC_KEY=file:///config/idp-public-key.pem OIDC_AUTH_ENDPOINT=https://mydomain.com/webman/sso/SSOOauth.cgi OIDC_TOKEN_ENDPOINT=https://mydomain.com/webman/sso/SSOAccessToken.cgi OIDC_USERINFO_ENDPOINT=https://mydomain.com/webman/sso/SSOUserInfo.cgi # Enable OIDC group sync. OIDC_USER_TO_GROUPS=true OIDC_GROUPS_CLAIM=groups OIDC_ADDITIONAL_SCOPES=groups OIDC_REMOVE_FROM_GROUPS=true ``` > [!NOTE] > I'm currently unable to use auto-discover due to DNS problems in my home network. mydomain.com is anonymized and only available in my home network. ### Exact BookStack Version v24.12.1 ### Log Content Output after login at Idp and `OIDC_DUMP_USER_DETAILS=true` ```json { "aud": "1dbb77dba088b05c27fd9b8e5484cdd3", "auth_time": 1736689934, "email": "admin@mydomain.com", "exp": 1736690114, "groups": [ "docker", "users", "administrators" ], "iat": 1736689934, "iss": "http://mydomain.com/webman/sso", "sub": "myuser", "username": "myuser" } ``` > [!NOTE] > `iss` is different from `OIDC_ISSUER`. Changing `https` to `http` or/and removing the trailing slash in `OIDC_ISSUER` throws an unexpected error. ### Hosting Environment PHP 8.3.15 inside Docker (Image: https://github.com/linuxserver/docker-bookstack) on Synology NAS (DSM 7.2.2)
OVERLORD added the 🐕 Support label 2026-02-05 09:41:17 +03:00
Author
Owner

@ssddanbrown commented on GitHub (Jan 13, 2025):

Hi @tomo2403,
The defined Issuer must match the iss value exactly, and both must start with https://.

If the OIDC auth system is returning an iss value not starting with https://, that indicates a configuration issue on the auth system side of things.

@ssddanbrown commented on GitHub (Jan 13, 2025): Hi @tomo2403, The defined Issuer **must** match the `iss` value exactly, and both **must** start with `https://`. If the OIDC auth system is returning an `iss` value not starting with `https://`, that indicates a configuration issue on the auth system side of things.
Author
Owner

@tomo2403 commented on GitHub (Jan 15, 2025):

Hello @ssddanbrown,
thank you for the clarification. Does iss also need to end with a trailing slash?

@tomo2403 commented on GitHub (Jan 15, 2025): Hello @ssddanbrown, thank you for the clarification. Does `iss` also need to end with a trailing slash?
Author
Owner

@ssddanbrown commented on GitHub (Jan 16, 2025):

@tomo2403 That totally depends on whether the auth system is configured to have a trailing slash. It's neither required or prohobited by the spec. The OIDC_ISSUER just needs to match whether or not your auth system is using a trailing slash (the iss value observed).

@ssddanbrown commented on GitHub (Jan 16, 2025): @tomo2403 That totally depends on whether the auth system is configured to have a trailing slash. It's neither required or prohobited by the spec. The `OIDC_ISSUER` just needs to match whether or not your auth system is using a trailing slash (the `iss` value observed).
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/BookStack#5114