OIDC with Authentik returns raw JWT after login instead of redirecting or authenticating #5325

Closed
opened 2026-02-05 09:57:59 +03:00 by OVERLORD · 2 comments

Originally created by @Alex6440 on GitHub (Jun 23, 2025).

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

Hello,

I'm facing an issue when authenticating BookStack with Authentik using OIDC.
After a successful login via Authentik, I am redirected back to BookStack, but instead of being logged in, I see a raw token (probably the ID token) rendered in the browser, like this :

```json
{
  "iss": "https://auth.mydomain.com/application/o/bookstack/",
  "sub": "0611d87057d0ae42e6a591a33b3521ed8f341dcc4641cb57dea55d38ceeeb007",
  "aud": "XWkcXfeNg4SPs4fKnKBzBwcfqaRGs82MuLjBaWxV",
  "exp": 1750671557,
  "iat": 1750671257,
  "auth_time": 1750607057,
  "acr": "goauthentik.io/providers/oauth2/default",
  "amr": ["pwd"],
  "sid": "56b91a767b9227f85105d1bc685b108994c05995f51c628898f6f61e6d07912b",
  "email": "mail@gmail.com",
  "email_verified": true,
  "name": "ela",
  "given_name": "ela",
  "preferred_username": "ela",
  "nickname": "ela",
  "groups": ["xxxxx-users", "xxxxx-admins"]
}
```

My setup :

  • BookStack version: v25.05.1
  • Auth method : OIDC
  • OIDC provider : Authentik
  • Reverse proxy : Traefik

Logs :

```shell
root@srv:/opt/docker# docker exec -it bookstack bash
www-data@bookstack-2:~/bookstack$ cat storage/logs/laravel.log
[2025-06-23 09:34:18] production.ERROR:  {"exception":"[object] (BookStack\\Exceptions\\JsonDebugException(code: 0):  at /var/www/bookstack/app/Access/Oidc/OidcService.php:193)
```

Authentik Config :

(three screenshots of the Authentik configuration, not reproduced here)

Bookstack Config :

```yaml
environment:
  # Authentik
  AUTH_METHOD: oidc
  AUTH_AUTO_INITIATE: false # Set this to "true" to automatically redirect the user to authentik
  OIDC_NAME: SSO # The display name shown on the login page
  OIDC_DISPLAY_NAME_CLAIMS: name|email # Claim(s) for the user's display name. Can have multiple attributes listed, separated with a '|' in which case those values will be joined with a space
  OIDC_CLIENT_ID: *****************************************
  OIDC_CLIENT_SECRET: ********************************************************************************************************************************************************************
  OIDC_ISSUER: https://auth.mydomain.com/application/o/bookstack/
  OIDC_ISSUER_DISCOVER: true
  OIDC_END_SESSION_ENDPOINT: false
  OIDC_VERIFY_SSL: true
```

The problem occurs 100% of the time. The token shown seems valid and contains all expected fields.
It seems BookStack is just dumping the response instead of processing it.
Authentik is working with other apps behind the same Traefik proxy.

Let me know if you need more info !

Thanks for your help :)

Exact BookStack Version

v25.05.1

Log Content


Hosting Environment

Debian with docker solidnerd/bookstack:latest
OIDC provider : Authentik
Reverse proxy : Traefik

OVERLORD added the 🐕 Support label 2026-02-05 09:57:59 +03:00

@ssddanbrown commented on GitHub (Jun 23, 2025):

Hi @Alex6440,

This can occur when the `OIDC_DUMP_USER_DETAILS=true` option/value is set.
Please ensure this is not set in your docker env or in any `.env` file which may be held in mounted volumes.
Make sure you're re-creating the bookstack container between docker env config changes too, as just restarting may not allow these options to take effect.
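
A check for the cause named in this reply, as an added example that is not part of the original thread or BookStack's own tooling: it scans `.env` and compose files for an enabled `OIDC_DUMP_USER_DETAILS` in `KEY=value`, list and mapping form. The sample files are constructed, and treating any value other than empty, `false` or `0` as enabled is a deliberately conservative assumption about how the option is parsed.

```shell
#!/usr/bin/env bash
# Added example: locate an enabled OIDC_DUMP_USER_DETAILS in config files.
# Handles .env lines (KEY=value), compose list items (- KEY=value) and
# compose mapping entries (KEY: value). Commented-out lines are ignored.

find_oidc_dump_flag() {
  # Prints "file:line:value" per enabled occurrence; returns 1 if any is found.
  local found=0 file hits
  for file in "$@"; do
    [ -r "$file" ] || continue
    hits=$(awk -v f="$file" '
      /^[ \t]*#/ { next }                        # whole-line comment
      {
        line = $0
        sub(/[ \t]+#.*$/, "", line)              # drop trailing comment
        if (match(line, /OIDC_DUMP_USER_DETAILS[ \t]*[=:][ \t]*/)) {
          val = substr(line, RSTART + RLENGTH)
          gsub(/["'\'' \t]/, "", val)            # strip quotes and whitespace
          v = tolower(val)
          # Assumption: anything but empty/false/0 counts as enabled.
          if (v != "" && v != "false" && v != "0")
            printf "%s:%d:%s\n", f, NR, val
        }
      }' "$file")
    if [ -n "$hits" ]; then
      printf '%s\n' "$hits"
      found=1
    fi
  done
  return "$found"
}

# Constructed sample files (not taken from the issue) to exercise the check.
demo=$(mktemp -d)
printf 'AUTH_METHOD=oidc\nOIDC_DUMP_USER_DETAILS=true\n' > "$demo/.env"
printf 'environment:\n  # OIDC_DUMP_USER_DETAILS: true\n  OIDC_DUMP_USER_DETAILS: false\n' \
  > "$demo/compose.yml"
find_oidc_dump_flag "$demo/.env" "$demo/compose.yml" \
  || echo "debug dump enabled: remove the option and re-create the container"
rm -rf "$demo"
```

The non-zero return on a finding lets the function gate a deployment script, so a leftover debug option that exposes ID token claims in the browser is caught before the container is re-created.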


@Alex6440 commented on GitHub (Jun 23, 2025):

Hi @ssddanbrown,

Thanks a lot for your quick response !

You were absolutely right.

The issue was caused by an old test config where `OIDC_DUMP_USER_DETAILS=true` had been left behind in the container’s environment.

After removing that setting and fully recreating the container, everything is now working perfectly with Authentik.

Really appreciate your help.

Best,
Alex

Reference: starred/BookStack#5325