starred/BookStack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2026-02-06 19:06:02 +03:00
Code Issues 784 Packages Projects Releases 10 Wiki Activity

OIDC: Distributed claims are not retrieved during group sync #5213

New Issue
Open
opened 2026-02-05 09:48:49 +03:00 by OVERLORD · 7 comments
OVERLORD commented 2026-02-05 09:48:49 +03:00
Owner
Copy Link

Originally created by @andrelaszlo on GitHub (Mar 7, 2025).

Describe the Bug

When OIDC is used as the primary authentication method and group sync is configured, some users are not getting the appropriate roles mapped despite being members of the corresponding groups.

Steps to Reproduce

  1. Set up OIDC with Azure (perhaps by following the excellent guide by @ssddanbrown https://foss.video/w/n67qNijhf8BdTRQys8SDYf)
  2. Be sure to set OIDC_GROUPS_CLAIM=groups in .env
  3. Add a valid group (G) to one of your BookStack roles (R), under "External Authentication IDs"
  4. Add an Azure user to G. Log in to your BookStack instance using this member and verify that they are now assigned to R as well.
  5. Remove the assigned role from the user in BookStack.
  6. Add at least 200 (sorry...) group memberships for the user in Azure.
  7. Log the user in again.
  8. Verify that the user is now not assigned the role R, despite still being a member of G.

Expected Behaviour

At step 7, the user is still a member of G so it should get assigned the role R.

Screenshots or Additional Context

Normally, a claim returned by Azure looks like this:

{
  "aud": "...",
  "iss": "https://login.microsoftonline.com/.../v2.0",
  "iat": 1741364356,
  "nbf": 1741364356,
  "exp": 1741368256,
  "aio": "...",
  "email": "john.doe@example.com",
  "family_name": "John",
  "given_name": "Doe",
  "groups": [
    "<group uuid>",
    "...",
  ],
  "name": "John Doe",
  "oid": "...",
  "preferred_username": "john.doe@example.com",
  "rh": "...",
  "sid": "...",
  "sub": "...",
  "tid": "...",
  "uti": "...",
  "ver": "2.0",
  "wids": [
    "..."
  ]
}

The list of group ids in groups can be used to map groups to BookStack roles. However, when this list grows too large, the corresponding JWT can become too large to fit in the HTTP headers, so Microsoft will instead return a distributed claim for the groups claim if the user has over 200 group memberships (for JWT, 100 for SAML), they refer to this as a groups overage claim.

Distributed claims are part of OIDC Core 1.0: [5.6.2. Aggregated and Distributed Claims](https://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims.

In this case, the claim will instead look like this:

{
  "aud": "...",
  "iss": "https://login.microsoftonline.com/.../v2.0",
  "iat": 1741350002,
  "nbf": 1741350002,
  "exp": 1741353902,
  "_claim_names": {
    "groups": "src1"
  },
  "_claim_sources": {
    "src1": {
      "endpoint": "https://graph.windows.net/.../users/.../getMemberObjects"
    }
  },
  "aio": "...",
  "email": "user@example.com",
  "family_name": "Doe",
  "given_name": "John",
  "name": "John Doe",
  "oid": "...",
  "preferred_username": "john.doe@example.com",
  "rh": "...",
  "sid": "...",
  "sub": "...",
  "tid": "...",
  "uti": "...",
  "ver": "2.0",
  "wids": [
    "..."
  ]
}

In the above claim, the groups key is missing and is instead represented by _claim_names.groups: src1 and _claim_sources.src1: https://graph.windows.net/.../users/.../getMemberObjects. Supporting distributed claims is optional according to the standard, but since this breaks the OIDC_GROUPS_CLAIM feature in BookStack, I think it should be considered a bug.

Browser Details

This bug is not related to the browser being used, but was tested with Microsoft Edge.

Exact BookStack Version

v24.12.1

Originally created by @andrelaszlo on GitHub (Mar 7, 2025). ### Describe the Bug When OIDC is used as the primary authentication method and group sync is configured, some users are not getting the appropriate roles mapped despite being members of the corresponding groups. ### Steps to Reproduce 1. Set up OIDC with Azure (perhaps by following the excellent guide by @ssddanbrown https://foss.video/w/n67qNijhf8BdTRQys8SDYf) 2. Be sure to set `OIDC_GROUPS_CLAIM=groups` in `.env` 3. Add a valid group (_G_) to one of your BookStack roles (_R_), under "External Authentication IDs" 4. Add an Azure user to _G_. Log in to your BookStack instance using this member and verify that they are now assigned to _R_ as well. 5. Remove the assigned role from the user in BookStack. 6. Add [at least 200 (sorry...)](https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference#groups-overage-claim) group memberships for the user in Azure. 7. Log the user in again. 8. Verify that the user is now *not* assigned the role _R_, despite still being a member of _G_. ### Expected Behaviour At step 7, the user is still a member of _G_ so it should get assigned the role _R_. ### Screenshots or Additional Context Normally, a claim returned by Azure looks like this: ```json { "aud": "...", "iss": "https://login.microsoftonline.com/.../v2.0", "iat": 1741364356, "nbf": 1741364356, "exp": 1741368256, "aio": "...", "email": "john.doe@example.com", "family_name": "John", "given_name": "Doe", "groups": [ "<group uuid>", "...", ], "name": "John Doe", "oid": "...", "preferred_username": "john.doe@example.com", "rh": "...", "sid": "...", "sub": "...", "tid": "...", "uti": "...", "ver": "2.0", "wids": [ "..." ] } ``` The list of group ids in `groups` can be used to map groups to BookStack roles. However, when this list grows too large, the corresponding JWT can become too large to fit in the HTTP headers, so Microsoft will instead return a _distributed claim_ for the groups claim if the user has over 200 group memberships (for JWT, 100 for SAML), they [refer to this as a _groups overage claim_](https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference#groups-overage-claim). Distributed claims are part of OIDC Core 1.0: [5.6.2. Aggregated and Distributed Claims](https://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims. In this case, the claim will instead look like this: ```json { "aud": "...", "iss": "https://login.microsoftonline.com/.../v2.0", "iat": 1741350002, "nbf": 1741350002, "exp": 1741353902, "_claim_names": { "groups": "src1" }, "_claim_sources": { "src1": { "endpoint": "https://graph.windows.net/.../users/.../getMemberObjects" } }, "aio": "...", "email": "user@example.com", "family_name": "Doe", "given_name": "John", "name": "John Doe", "oid": "...", "preferred_username": "john.doe@example.com", "rh": "...", "sid": "...", "sub": "...", "tid": "...", "uti": "...", "ver": "2.0", "wids": [ "..." ] } ``` In the above claim, the `groups` key is missing and is instead represented by `_claim_names.groups: src1` and `_claim_sources.src1: https://graph.windows.net/.../users/.../getMemberObjects`. Supporting distributed claims is optional according to the standard, but since this breaks the `OIDC_GROUPS_CLAIM` feature in BookStack, I think it should be considered a bug. ### Browser Details This bug is not related to the browser being used, but was tested with Microsoft Edge. ### Exact BookStack Version v24.12.1
OVERLORD added the 🔨 Feature Request🚪 Authentication labels 2026-02-05 09:48:49 +03:00
OVERLORD commented 2026-02-05 09:48:52 +03:00
Author
Owner
Copy Link

@andrelaszlo commented on GitHub (Mar 7, 2025):

This might be related to #5306, and now that I did some more digging I see that it's definitely a duplicate of #4885. I totally understand your stance, dealing with identity provider quirks is a never-ending nightmare. I had a quick look and didn't find a good OIDC library for PHP either.

Close?

@andrelaszlo commented on GitHub (Mar 7, 2025): This might be related to #5306, and now that I did some more digging I see that it's definitely a duplicate of #4885. I totally understand your stance, dealing with identity provider quirks is a never-ending nightmare. I had a quick look and didn't find a good OIDC library for PHP either. Close?
OVERLORD commented 2026-02-05 09:48:54 +03:00
Author
Owner
Copy Link

@andrelaszlo commented on GitHub (Mar 7, 2025):

I might eventually have some time to hack on it, if you'd be interested in a PR.

@andrelaszlo commented on GitHub (Mar 7, 2025): I might eventually have some time to hack on it, if you'd be interested in a PR.
OVERLORD commented 2026-02-05 09:48:55 +03:00
Author
Owner
Copy Link

@ssddanbrown commented on GitHub (Mar 7, 2025):

Thanks for raising @andrelaszlo,
I've recategorized this as a auth feature request, since I don't see it as a bug in existing supported functionality.

I totally understand your stance, dealing with identity provider quirks is a never-ending nightmare. I had a quick look and didn't find a good OIDC library for PHP either. Close?

To be fair, In those issues I didn't realise that Azure/Entra was at least using (a lesser used) part of the OIDC spec, rather than something custom.
That said, I'm hesitant to grow the scope/features of OIDC further without a decent amount of proven need (ideally provide need across multiple auth systems).

Do you know if Entra provides all groups via the userinfo endpoint?
We've now added support for that so that could be an easier route to support if provided by Entra.

@ssddanbrown commented on GitHub (Mar 7, 2025): Thanks for raising @andrelaszlo, I've recategorized this as a auth feature request, since I don't see it as a bug in existing supported functionality. > I totally understand your stance, dealing with identity provider quirks is a never-ending nightmare. I had a quick look and didn't find a good OIDC library for PHP either. Close? To be fair, In those issues I didn't realise that Azure/Entra was at least using (a lesser used) part of the OIDC spec, rather than something custom. That said, I'm hesitant to grow the scope/features of OIDC further without a decent amount of proven need (ideally provide need across multiple auth systems). Do you know if Entra provides all groups via the userinfo endpoint? We've now added support for that so that could be an easier route to support if provided by Entra.
OVERLORD commented 2026-02-05 09:48:59 +03:00
Author
Owner
Copy Link

@andrelaszlo commented on GitHub (Mar 7, 2025):

Ok, thanks for the thoughtful review :)

Do you know if Entra provides all groups via the userinfo endpoint?

That would have been neat, but unfortunately it doesn't look like it's a supported claim according to the UserInfo endpoint (OIDC) docs:

{
    "sub": "OLu859SGc2Sr9ZsqbkG-QbeLgJlb41KcdiPoLYNpSFA",
    "name": "Mikah Ollenburg", // all names require the “profile” scope.
    "family_name": " Ollenburg",
    "given_name": "Mikah",
    "picture": "https://graph.microsoft.com/v1.0/me/photo/$value",
    "email": "mikoll@contoso.com" // requires the “email” scope.
}

The claims shown in the response are all those that the UserInfo endpoint can return. [...] You can't add to or customize the information returned by the UserInfo endpoint.

@andrelaszlo commented on GitHub (Mar 7, 2025): Ok, thanks for the thoughtful review :) > Do you know if Entra provides all groups via the userinfo endpoint? That would have been neat, but unfortunately it doesn't look like it's a supported claim according to the [UserInfo endpoint (OIDC) docs](https://learn.microsoft.com/en-us/entra/identity-platform/userinfo#userinfo-response): > ```json > { > "sub": "OLu859SGc2Sr9ZsqbkG-QbeLgJlb41KcdiPoLYNpSFA", > "name": "Mikah Ollenburg", // all names require the “profile” scope. > "family_name": " Ollenburg", > "given_name": "Mikah", > "picture": "https://graph.microsoft.com/v1.0/me/photo/$value", > "email": "mikoll@contoso.com" // requires the “email” scope. > } > ``` > The claims shown in the response are all those that the UserInfo endpoint can return. [...] You can't add to or customize the information returned by the UserInfo endpoint.
OVERLORD commented 2026-02-05 09:49:00 +03:00
Author
Owner
Copy Link

@ssddanbrown commented on GitHub (Mar 8, 2025):

Darn! Microsoft always has to be awkward.

As a workaround, we expose an event via our logical theme system which allows customization of OIDC data, as shown here:
https://www.bookstackapp.com/blog/bookstack-release-v23-05/#oidc-id-token-logical-theme-event

We provide the access token data as part of that.
It should be possible to use that to perform the further fetch from Entra (assuming to the claim src endpoint) to gain full group data, then supplement the ID token data with fetched groups.

@ssddanbrown commented on GitHub (Mar 8, 2025): Darn! Microsoft always has to be awkward. As a workaround, we expose an event via our logical theme system which allows customization of OIDC data, as shown here: https://www.bookstackapp.com/blog/bookstack-release-v23-05/#oidc-id-token-logical-theme-event We provide the access token data as part of that. It should be possible to use that to perform the further fetch from Entra (assuming to the claim src endpoint) to gain full group data, then supplement the ID token data with fetched groups.
OVERLORD commented 2026-02-05 09:49:02 +03:00
Author
Owner
Copy Link

@Tomblarom commented on GitHub (Dec 10, 2025):

For the record, I'm also experiencing this exact issue. Unfortunately, I'm already using this logical theme hack and would have to implement a workaround into my existing logical theme.

Given the existing issues, wouldn't it make sense to implement this directly in Bookstack?

To be honest, when initially setting up Bookstack and dealing with all sorts of different variables (groups, roles, id-connectors, creds, ..), I really wouldn't have thought, that my issue originates from a group limitation, called "Groups overage claim".. My assumption here is, that I am not the only one who didn't realize this and that the actual demand for this implementation is significantly higher.

@Tomblarom commented on GitHub (Dec 10, 2025): For the record, I'm also experiencing this exact issue. Unfortunately, I'm already using [this logical theme hack](https://www.bookstackapp.com/hacks/oidc-azure-avatar-images/) and would have to implement a workaround into my existing logical theme. Given the existing issues, wouldn't it make sense to implement this directly in Bookstack? To be honest, when initially setting up Bookstack and dealing with all sorts of different variables (groups, roles, id-connectors, creds, ..), I really wouldn't have thought, that my issue originates from a group limitation, called "Groups overage claim".. My assumption here is, that I am not the only one who didn't realize this and that the actual demand for this implementation is significantly higher.
OVERLORD commented 2026-02-05 09:49:04 +03:00
Author
Owner
Copy Link

@ssddanbrown commented on GitHub (Dec 11, 2025):

Here's a logical theme solution, which combines the existing avatar hack, with extra logic to fetch group data over the Graph API where not provided in the ID token:

Note: This does NOT follow the OIDC spec using distributed claims (see next section below).

functions.php code 

<?php

use BookStack\Facades\Theme;
use BookStack\Http\HttpRequestService;
use BookStack\Theming\ThemeEvents;
use BookStack\Uploads\UserAvatars;
use BookStack\Users\Models\User;
use GuzzleHttp\Psr7\Request;

// Variable to track the access token for later use
$accessToken = '';

// Listen for the OIDC ID token validation events so we can capture the access token and check
// if we need to perform additional lookups for user groups.
Theme::listen(ThemeEvents::OIDC_ID_TOKEN_PRE_VALIDATE, function (array $idTokenData, array $accessTokenData) use (&$accessToken) {
    $accessToken = $accessTokenData['access_token'] ?? '';

    // Check if there's group data in the response, or if we need to perform a lookup instead
    $needGroupLookup = !isset($idTokenData['groups']) && isset($idTokenData['_claim_names']['groups']);
    if ($needGroupLookup) {
        $idTokenData['groups'] = fetchUserGroupsFromGraphApi($accessToken);
    }

    return $idTokenData;
});

// Listen for the auth register event to download and assign the profile image to the user
Theme::listen(ThemeEvents::AUTH_REGISTER, function (string $authSystem, User $user) use (&$accessToken) {
    if ($authSystem === 'oidc' && $accessToken) {
        downloadAndAssignUserAvatar($user, $accessToken);
    }
});

// Function to fetch the user's groups from the Microsoft Graph API
function fetchUserGroupsFromGraphApi(string $accessToken): array
{
    // Create the HTTP client for fetching the group data
    /** @var HttpRequestService $http */
    $http = app()->make(HttpRequestService::class);
    $client = $http->buildClient(4);

    // Append on the API version since Microsoft seems to require this, yet not provide this in the endpoint.
    $sourceUrl = 'https://graph.microsoft.com/v1.0/me/memberOf';

    // Collect the groups from the Graph API, via a loop to page over the results.
    $groups = [];
    while ($sourceUrl) {
        // Fetch a page of groups via an authorized request
        $response = $client->sendRequest(new Request('GET', $sourceUrl, [
            'Authorization' => 'Bearer ' . $accessToken,
        ]));

        // Gather the response data and break if there's no data
        $responseData = json_decode($response->getBody()->getContents(), true);
        if (!$responseData || !isset($responseData['value'])) {
            break;
        }

        // Extract the IDs from the groups in the response data and add them to those collected.
        // If using groups display names (not recommended), you'd need to change 'id' to 'displayName' in the line below
        $groups = array_merge($groups, array_map(fn($group) => $group['id'], $responseData['value']));
        // Update the source URL to the next page if there is one
        $sourceUrl = $responseData['@odata.nextLink'] ?? '';
    }

    // Return back the user groups
    return $groups;
}

// Function to download and assign the profile image to the user
function downloadAndAssignUserAvatar(User $user, string $accessToken): void
{
    // Create the HTTP client for fetching the profile image
    /** @var HttpRequestService $http */
    $http = app()->make(HttpRequestService::class);
    $client = $http->buildClient(4);

    // Fetch the profile image via an authorized request
    $response = $client->sendRequest(new Request('GET', 'https://graph.microsoft.com/v1.0/me/photo/$value', [
        'Authorization' => 'Bearer ' . $accessToken,
    ]));

    // If the response is successful and the content type is an image, assign the image to the user
    $allowedContentTypes = ['image/jpeg', 'image/png'];
    if ($response->getStatusCode() === 200 && in_array($response->getHeader('Content-Type')[0], $allowedContentTypes)) {
        $avatars = app()->make(UserAvatars::class);
        $extension = explode('/', $response->getHeader('Content-Type')[0])[1];
        $avatars->assignToUserFromExistingData($user, $response->getBody()->getContents(), $extension);
    }
}

To use this I had to add 'Microsoft Graph > GroupMember.Read.All' to the app registration's API permissions, then grant admin consent for this permission. It may be possible to have a tighter-scoped permission, but I'm not familiar enough with Microsoft Graph to know for sure.

Entra with Distributed Claims

I tried to originally follow the OIDC spec, and use the Distributed claims via the source URL provided in the token from Entra.
I did not have any luck though going down this road.

On the _claim_sources Entra provides back a graph.windows.net claim source URL.
Using this fails, as the URL requires a version number so you'd have to append: ?api-version=1.6 to it manually.

Calling that URL gets further, but fails with:
{"odata.error":{"code":"Authentication_MissingOrMalformed","codeForMetrics":"Authentication_MissingOrMalformed","message":{"lang":"en","value":"Access Token missing or malformed."}}}

Even when using the access token from the OIDC flow.
It seems that the graph.windows.net API has different authentication requirements.

Modifying the core original access token flow, to request the access token with a 'resource' of 'https://graph.windows.net/', results in an error:

AADSTS9010010: The resource parameter provided in the request doesn't match with the requested scopes. Trace ID: 12c19830-1785-4601-9f16-334d4f581900 Correlation ID: b407a328-24c8-4dc2-a88e-270e3b0c3de2 Timestamp: 2025-12-11 17:02:12Z

At this point I gave up on this path, since it was getting deeper and deeper into edits to adapt existing OIDC flow logic.

The 'graph.windows.net' endpoint is for the Azure AD Graph API, which seems to be deprecated and was fully retired as of August 31, 2025 according to Microsoft's docs.

I tried creating a new application registration in Entra, in case this is something specific to older Entra applications, but the result is the same.

Overall this seems wrong and a potentially broken part of Entra's OIDC support, like this corner case has not been updated since the AzureAD Graph API deprecation. Maybe there is something that's causing this at an Entra application level, but I couldn't find any relevant controls/causes. It's also possible I'm just doing something wrong and haven't spotted my mistake, and this should be much simpler.

If someone has some level of real support communication with Microsoft, I'd welcome you to raise this with them and share back the response!

An alternative workaround for Entra

When exploring the above, I did come across this option when configuring the "Groups" claim in the "Token configuration" part of the app registration:

Image

If this does what I understand, this may be a more sensible solution for some which won't require customizations or non-standard functionality. I'm assuming you could assign groups to the application to filter the user groups to just those which you're actually matching up with BookStack roles.

Unfortunately, I could not test this myself since I get this when attempting to assigned groups to my application:

Groups are not available for assignment due to your Active Directory plan level. You can assign individual users to the application.

I can however assign the application via editing a group's members, but this does not seem to allow the reverse relation.

If you're on a paid Entra plan, you may have better luck with this.

@ssddanbrown commented on GitHub (Dec 11, 2025): Here's a [logical theme](https://www.bookstackapp.com/hacks/applying/#logical-theme-system) solution, which combines the existing avatar hack, with extra logic to fetch group data over the Graph API where not provided in the ID token: **Note:** This does **_NOT_** follow the OIDC spec using distributed claims (see next section below). <details><summary>functions.php code</summary> <p> ```php <?php use BookStack\Facades\Theme; use BookStack\Http\HttpRequestService; use BookStack\Theming\ThemeEvents; use BookStack\Uploads\UserAvatars; use BookStack\Users\Models\User; use GuzzleHttp\Psr7\Request; // Variable to track the access token for later use $accessToken = ''; // Listen for the OIDC ID token validation events so we can capture the access token and check // if we need to perform additional lookups for user groups. Theme::listen(ThemeEvents::OIDC_ID_TOKEN_PRE_VALIDATE, function (array $idTokenData, array $accessTokenData) use (&$accessToken) { $accessToken = $accessTokenData['access_token'] ?? ''; // Check if there's group data in the response, or if we need to perform a lookup instead $needGroupLookup = !isset($idTokenData['groups']) && isset($idTokenData['_claim_names']['groups']); if ($needGroupLookup) { $idTokenData['groups'] = fetchUserGroupsFromGraphApi($accessToken); } return $idTokenData; }); // Listen for the auth register event to download and assign the profile image to the user Theme::listen(ThemeEvents::AUTH_REGISTER, function (string $authSystem, User $user) use (&$accessToken) { if ($authSystem === 'oidc' && $accessToken) { downloadAndAssignUserAvatar($user, $accessToken); } }); // Function to fetch the user's groups from the Microsoft Graph API function fetchUserGroupsFromGraphApi(string $accessToken): array { // Create the HTTP client for fetching the group data /** @var HttpRequestService $http */ $http = app()->make(HttpRequestService::class); $client = $http->buildClient(4); // Append on the API version since Microsoft seems to require this, yet not provide this in the endpoint. $sourceUrl = 'https://graph.microsoft.com/v1.0/me/memberOf'; // Collect the groups from the Graph API, via a loop to page over the results. $groups = []; while ($sourceUrl) { // Fetch a page of groups via an authorized request $response = $client->sendRequest(new Request('GET', $sourceUrl, [ 'Authorization' => 'Bearer ' . $accessToken, ])); // Gather the response data and break if there's no data $responseData = json_decode($response->getBody()->getContents(), true); if (!$responseData || !isset($responseData['value'])) { break; } // Extract the IDs from the groups in the response data and add them to those collected. // If using groups display names (not recommended), you'd need to change 'id' to 'displayName' in the line below $groups = array_merge($groups, array_map(fn($group) => $group['id'], $responseData['value'])); // Update the source URL to the next page if there is one $sourceUrl = $responseData['@odata.nextLink'] ?? ''; } // Return back the user groups return $groups; } // Function to download and assign the profile image to the user function downloadAndAssignUserAvatar(User $user, string $accessToken): void { // Create the HTTP client for fetching the profile image /** @var HttpRequestService $http */ $http = app()->make(HttpRequestService::class); $client = $http->buildClient(4); // Fetch the profile image via an authorized request $response = $client->sendRequest(new Request('GET', 'https://graph.microsoft.com/v1.0/me/photo/$value', [ 'Authorization' => 'Bearer ' . $accessToken, ])); // If the response is successful and the content type is an image, assign the image to the user $allowedContentTypes = ['image/jpeg', 'image/png']; if ($response->getStatusCode() === 200 && in_array($response->getHeader('Content-Type')[0], $allowedContentTypes)) { $avatars = app()->make(UserAvatars::class); $extension = explode('/', $response->getHeader('Content-Type')[0])[1]; $avatars->assignToUserFromExistingData($user, $response->getBody()->getContents(), $extension); } } ``` </p> </details> To use this I had to add 'Microsoft Graph > GroupMember.Read.All' to the app registration's API permissions, then grant admin consent for this permission. It may be possible to have a tighter-scoped permission, but I'm not familiar enough with Microsoft Graph to know for sure. ### Entra with Distributed Claims I tried to originally follow the OIDC spec, and use the Distributed claims via the source URL provided in the token from Entra. I did not have any luck though going down this road. On the `_claim_sources` Entra provides back a `graph.windows.net` claim source URL. Using this fails, as the URL requires a version number so you'd have to append: `?api-version=1.6` to it manually. Calling that URL gets further, but fails with: {"odata.error":{"code":"Authentication_MissingOrMalformed","codeForMetrics":"Authentication_MissingOrMalformed","message":{"lang":"en","value":"Access Token missing or malformed."}}} Even when using the access token from the OIDC flow. It seems that the graph.windows.net API has different authentication requirements. Modifying the core original access token flow, to request the access token with a 'resource' of 'https://graph.windows.net/', results in an error: ``` AADSTS9010010: The resource parameter provided in the request doesn't match with the requested scopes. Trace ID: 12c19830-1785-4601-9f16-334d4f581900 Correlation ID: b407a328-24c8-4dc2-a88e-270e3b0c3de2 Timestamp: 2025-12-11 17:02:12Z ``` At this point I gave up on this path, since it was getting deeper and deeper into edits to adapt existing OIDC flow logic. The 'graph.windows.net' endpoint is for the Azure AD Graph API, which seems to be deprecated and was fully retired as of August 31, 2025 according to Microsoft's docs. I tried creating a new application registration in Entra, in case this is something specific to older Entra applications, but the result is the same. Overall this seems wrong and a potentially broken part of Entra's OIDC support, like this corner case has not been updated since the AzureAD Graph API deprecation. Maybe there is something that's causing this at an Entra application level, but I couldn't find any relevant controls/causes. It's also possible I'm just doing something wrong and haven't spotted my mistake, and this should be much simpler. If someone has some level of real support communication with Microsoft, I'd welcome you to raise this with them and share back the response! ### An alternative workaround for Entra When exploring the above, I did come across this option when configuring the "Groups" claim in the "Token configuration" part of the app registration: <img width="1067" height="503" alt="Image" src="https://github.com/user-attachments/assets/20b7f94f-209c-41b1-a807-572758b80911" /> If this does what I understand, this may be a more sensible solution for some which won't require customizations or non-standard functionality. I'm assuming you could assign groups to the application to filter the user groups to just those which you're actually matching up with BookStack roles. Unfortunately, I could not test this myself since I get this when attempting to assigned groups to my application: > Groups are not available for assignment due to your Active Directory plan level. You can assign individual users to the application. I can however assign the application via editing a group's members, but this does not seem to allow the reverse relation. If you're on a paid Entra plan, you may have better luck with this.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
🎨 Design
📖 Docs Update
🐛 Bug
🐛 Bug
:cat2:🐈 Possible duplicate
💿 Database
Open to discussion
💻 Front-End
🐕 Support
🚪 Authentication
🌍 Translations
🔌 API Task
🏭 Back-End
Upstream
🔨 Feature Request
🛠️ Enhancement
🛠️ Enhancement
🛠️ Enhancement
❤️ Happy feedback
🔒 Security
🔍 Pending Validation
💆 UX
📝 WYSIWYG Editor
🌔 Out of scope
🔩 API Request
:octocat: Admin/Meta
🖌️ View Customization
Question
🚀 Priority
🛡️ Blocked
🚚 Export System
A11y
🔧 Maintenance
> Markdown Editor
pull-request
Mirrored from GitHub Pull Request
No Label 🚪 Authentication 🔨 Feature Request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/BookStack#5213
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?