Authentication OIDC / SSO fails to use refresh token for automatic login #5419

New Issue

Open

opened 2026-02-05 10:03:17 +03:00 by OVERLORD · 8 comments

OVERLORD commented 2026-02-05 10:03:17 +03:00

Owner

Copy Link

Originally created by @kilian-goetz on GitHub (Sep 3, 2025).

Describe the Bug

I am using Single Sign-On (SSO) via OIDC (Keycloak) across multiple applications, including BookStack. The SSO workflow works as expected for the initial session. For example, if I authenticate on application A, I can access BookStack (application B) without re-authenticating.

However, this seamless experience breaks after the initial access token expires (15 minutes in my configuration). While the OIDC provider issues a refresh token to maintain the user's login on application A, BookStack does not use this refresh token to renew the session. After the initial 15 minutes, trying to access BookStack results in a redirection to the login page, despite the user still being logged into the wider SSO ecosystem.

The core issue is that BookStack correctly handles the initial access token for SSO but fails to recognize or use the refresh token to extend the user's session.

Steps to Reproduce

1. Set up OIDC SSO with Keycloak for two applications, Application A and BookStack (Application B).
2. Configure a short lifespan for the access token on Keycloak (e.g. 15 minutes).
3. Log in to Application A, which authenticates the user with Keycloak.
4. Immediately navigate to BookStack. The SSO works, and the user is logged in automatically.
5. Wait for the access token to expire (15 minutes).
6. While still logged into Application A, try to access or refresh a page on BookStack.

Expected Behaviour

After the initial access token expires, BookStack should use the refresh token from the OIDC provider to automatically renew the user's session without requiring re-authentication. The user should be able to continue using BookStack seamlessly as long as they are authenticated within the SSO ecosystem.

Screenshots or Additional Context

Here are the relevant environment variables I have configured:

AUTH_METHOD=oidc
AUTH_AUTO_INITIATE=false
OIDC_NAME=
OIDC_DISPLAY_NAME_CLAIMS=preferred_username
OIDC_CLIENT_ID=
OIDC_CLIENT_SECRET=
OIDC_ISSUER=
OIDC_ISSUER_DISCOVER=false
OIDC_EXTERNAL_ID_CLAIM=sub
OIDC_USER_TO_GROUPS=true
OIDC_GROUPS_CLAIM=groups
OIDC_ADDITIONAL_SCOPES=openid,profile,email,groups
OIDC_REMOVE_FROM_GROUPS=true
APP_DEBUG=true
OIDC_DUMP_USER_DETAILS=true

Browser Details

Google Chrome version 139.0.7258.155 (Build officiel) (64 bits)

Exact BookStack Version

v25.05.1

Originally created by @kilian-goetz on GitHub (Sep 3, 2025). ### Describe the Bug I am using Single Sign-On (SSO) via OIDC (Keycloak) across multiple applications, including BookStack. The SSO workflow works as expected for the initial session. For example, if I authenticate on application A, I can access BookStack (application B) without re-authenticating. However, this seamless experience breaks after the initial access token expires (15 minutes in my configuration). While the OIDC provider issues a refresh token to maintain the user's login on application A, BookStack does not use this refresh token to renew the session. After the initial 15 minutes, trying to access BookStack results in a redirection to the login page, despite the user still being logged into the wider SSO ecosystem. The core issue is that BookStack correctly handles the initial access token for SSO but fails to recognize or use the refresh token to extend the user's session. ### Steps to Reproduce 1. Set up OIDC SSO with Keycloak for two applications, Application A and BookStack (Application B). 2. Configure a short lifespan for the access token on Keycloak (e.g. 15 minutes). 3. Log in to Application A, which authenticates the user with Keycloak. 4. Immediately navigate to BookStack. The SSO works, and the user is logged in automatically. 5. Wait for the access token to expire (15 minutes). 6. While still logged into Application A, try to access or refresh a page on BookStack. ### Expected Behaviour After the initial access token expires, BookStack should use the refresh token from the OIDC provider to automatically renew the user's session without requiring re-authentication. The user should be able to continue using BookStack seamlessly as long as they are authenticated within the SSO ecosystem. ### Screenshots or Additional Context Here are the relevant environment variables I have configured: AUTH_METHOD=oidc AUTH_AUTO_INITIATE=false OIDC_NAME=<hidden> OIDC_DISPLAY_NAME_CLAIMS=preferred_username OIDC_CLIENT_ID=<hidden> OIDC_CLIENT_SECRET=<hidden> OIDC_ISSUER=<hidden> OIDC_ISSUER_DISCOVER=false OIDC_EXTERNAL_ID_CLAIM=sub OIDC_USER_TO_GROUPS=true OIDC_GROUPS_CLAIM=groups OIDC_ADDITIONAL_SCOPES=openid,profile,email,groups OIDC_REMOVE_FROM_GROUPS=true APP_DEBUG=true OIDC_DUMP_USER_DETAILS=true ### Browser Details Google Chrome version 139.0.7258.155 (Build officiel) (64 bits) ### Exact BookStack Version v25.05.1

OVERLORD added the 🐛 Bug label 2026-02-05 10:03:17 +03:00

OVERLORD commented 2026-02-05 10:03:19 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Sep 3, 2025):

Hi @Beladric,
We only communicate with the OIDC, and use the tokens involved, for the initial login.
After that BookStack uses its own session, the lifetime of which is controlled by the SESSION_LIFETIME env option as documented here: https://www.bookstackapp.com/docs/admin/cache-session-config/#session-timeouts

@ssddanbrown commented on GitHub (Sep 3, 2025): Hi @Beladric, We only communicate with the OIDC, and use the tokens involved, for the initial login. After that BookStack uses its own session, the lifetime of which is controlled by the `SESSION_LIFETIME` env option as documented here: https://www.bookstackapp.com/docs/admin/cache-session-config/#session-timeouts

OVERLORD commented 2026-02-05 10:03:20 +03:00

Author

Owner

Copy Link

@kilian-goetz commented on GitHub (Sep 3, 2025):

Hi @ssddanbrown,

Thanks for your response. I believe there may be a misunderstanding. Let me clarify with a concrete example:

• Imagine two applications, Application A and BookStack (Application B).
• Both are integrated with Keycloak via OIDC.
• When I log in to Application A, Keycloak issues an initial access token with a short lifespan (15 minutes in my case, 30 minutes max is recommended for security reasons).
• If I immediately navigate to BookStack, SSO works fine — I’m logged in without re-entering credentials.

However, once those 15 minutes pass:

• The initial access token expires and is replaced by a refresh token on Application A’s side.
• At this point, I am still fully authenticated in the SSO ecosystem and can continue using Application A without re-authenticating.
• But when I try to access BookStack, the login fails and I am redirected to the login page, because BookStack does not support using the refresh token to renew or validate the session.

I hope this comment is more clear about the issue I encounter. The issue isn’t due to session lifetime but rather a missing part of the OIDC flow in BookStack. 😅

@kilian-goetz commented on GitHub (Sep 3, 2025): Hi @ssddanbrown, Thanks for your response. I believe there may be a misunderstanding. Let me clarify with a concrete example: - Imagine two applications, Application A and BookStack (Application B). - Both are integrated with Keycloak via OIDC. - When I log in to Application A, Keycloak issues an initial access token with a short lifespan (15 minutes in my case, 30 minutes max is recommended for security reasons). - If I immediately navigate to BookStack, SSO works fine — I’m logged in without re-entering credentials. However, once those 15 minutes pass: - The initial access token expires and is replaced by a refresh token on Application A’s side. - At this point, I am still fully authenticated in the SSO ecosystem and can continue using Application A without re-authenticating. - But when I try to access BookStack, the login fails and I am redirected to the login page, because BookStack does not support using the refresh token to renew or validate the session. I hope this comment is more clear about the issue I encounter. The issue isn’t due to session lifetime but rather a missing part of the OIDC flow in BookStack. 😅

OVERLORD commented 2026-02-05 10:03:21 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Sep 3, 2025):

But when I try to access BookStack, the login fails and I am redirected to the login page, because BookStack does not support using the refresh token to renew or validate the session.

BookStack will only consider its own session token/lifetime on return. The OIDC session is not considered until login is re-attempted. The refresh or use of "Application A" in this case should not have any bearing on BookStack (upon from creating a logged-in session state in your auth platform).

In the case of many auth providers, as long as you have an active session there it'd allow re-access without friction, but that might depend on the settings and behaviour of the particular auth system in use.

The issue isn’t due to session lifetime but rather a missing part of the OIDC flow in BookStack.

Retaining and re-attempting the refresh token isn't a required part of the core OIDC flow, that comes down to how an individual application may approach user/session management.

@ssddanbrown commented on GitHub (Sep 3, 2025): > But when I try to access BookStack, the login fails and I am redirected to the login page, because BookStack does not support using the refresh token to renew or validate the session. BookStack will only consider its own session token/lifetime on return. The OIDC session is not considered until login is re-attempted. The refresh or use of "Application A" in this case should not have any bearing on BookStack (upon from creating a logged-in session state in your auth platform). In the case of many auth providers, as long as you have an active session there it'd allow re-access without friction, but that might depend on the settings and behaviour of the particular auth system in use. > The issue isn’t due to session lifetime but rather a missing part of the OIDC flow in BookStack. Retaining and re-attempting the refresh token isn't a required part of the core OIDC flow, that comes down to how an individual application may approach user/session management.

OVERLORD commented 2026-02-05 10:03:21 +03:00

Author

Owner

Copy Link

@kilian-goetz commented on GitHub (Sep 4, 2025):

Hi @ssddanbrown,

Thank you for your detailed explanation. It really helped clarify the topic for me.

If it’s not too indiscreet, I’m curious about the design choice : why was supporting refresh tokens in BookStack not implemented ? And why not leave it as a user-configurable option, similar to how Grafana allows including or excluding refresh token support via a third-party variable ?

I appreciate your time and insights.

Kind regards, Beladric

@kilian-goetz commented on GitHub (Sep 4, 2025): Hi @ssddanbrown, Thank you for your detailed explanation. It really helped clarify the topic for me. If it’s not too indiscreet, I’m curious about the design choice : why was supporting refresh tokens in BookStack not implemented ? And why not leave it as a user-configurable option, similar to how Grafana allows including or excluding refresh token support via a third-party variable ? I appreciate your time and insights. Kind regards, Beladric

OVERLORD commented 2026-02-05 10:03:23 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Sep 4, 2025):

why was supporting refresh tokens in BookStack not implemented ?

Because:

• It's not a required part of the core OIDC auth process.
  • And the use of refresh tokens specifically for session management is not defined in the spec.
• It would complicate how we need to handle auth/session management, with an extra alternative flow which we'd need to manage.
• It has not been desired/requested previously.
• There's not really any benefit in the vast majority of cases, since the user can just be routed through re-auth, where'd they'd typically have an active session on the authentication provider.

@ssddanbrown commented on GitHub (Sep 4, 2025): > why was supporting refresh tokens in BookStack not implemented ? Because: - It's not a required part of the core OIDC auth process. - And the use of refresh tokens specifically for session management is not defined in the spec. - It would complicate how we need to handle auth/session management, with an extra alternative flow which we'd need to manage. - It has not been desired/requested previously. - There's not really any benefit in the vast majority of cases, since the user can just be routed through re-auth, where'd they'd typically have an active session on the authentication provider.

OVERLORD commented 2026-02-05 10:03:24 +03:00

Author

Owner

Copy Link

@kilian-goetz commented on GitHub (Sep 4, 2025):

@ssddanbrown

One more time many thanks for the answers and the work done on BookStack 😄.

Since this is not actually a bug but more of a design choice, I’ll go ahead and close this issue.

Before I do, I’d like to ask for your opinion. Do you think it would make sense to open a feature request for optional refresh token support, or is this considered too much of a breaking/complex change with too little demand to be worth considering?

Thanks again for your time and work on BookStack!
Kind regards, Beladric.

@kilian-goetz commented on GitHub (Sep 4, 2025): @ssddanbrown One more time many thanks for the answers and the work done on BookStack 😄. Since this is not actually a bug but more of a design choice, I’ll go ahead and close this issue. Before I do, I’d like to ask for your opinion. Do you think it would make sense to open a feature request for optional refresh token support, or is this considered too much of a breaking/complex change with too little demand to be worth considering? Thanks again for your time and work on BookStack! Kind regards, Beladric.

OVERLORD commented 2026-02-05 10:03:25 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Sep 5, 2025):

Do you think it would make sense to open a feature request for optional refresh token support, or is this considered too much of a breaking/complex change with too little demand to be worth considering?

Since there's been no demand so far, It's probably not something I'd see as worthwhile to add.
To be honest, I'd be surprised if there's not options on the OIDC provider side of things to retain a user session across apps, which would result in a smooth auto-login flow for your users which are still authenticated in the provider. That's what I'd expect to happen in most cases.

@ssddanbrown commented on GitHub (Sep 5, 2025): > Do you think it would make sense to open a feature request for optional refresh token support, or is this considered too much of a breaking/complex change with too little demand to be worth considering? Since there's been no demand so far, It's probably not something I'd see as worthwhile to add. To be honest, I'd be surprised if there's not options on the OIDC provider side of things to retain a user session across apps, which would result in a smooth auto-login flow for your users which are still authenticated in the provider. That's what I'd expect to happen in most cases.

OVERLORD commented 2026-02-05 10:03:27 +03:00

Author

Owner

Copy Link

@kilian-goetz commented on GitHub (Sep 9, 2025):

Yes I completely agree. This kind of logic should ideally be handled at the SSO/provider level rather than by the client applications.

In my case I do face this limitation, but if I’m the only one it doesn’t seem worth integrating directly into BookStack.

Do you think it would still make sense for me to open a feature request, and just let it live to see if there’s broader interest from other users in the future? That way I can close this bug report but still have a place to track the request.

@kilian-goetz commented on GitHub (Sep 9, 2025): Yes I completely agree. This kind of logic should ideally be handled at the SSO/provider level rather than by the client applications. In my case I do face this limitation, but if I’m the only one it doesn’t seem worth integrating directly into BookStack. Do you think it would still make sense for me to open a feature request, and just let it live to see if there’s broader interest from other users in the future? That way I can close this bug report but still have a place to track the request.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

development

further_theme_development

l10n_development

release

llm_only

vectors

v25-11

docker_env

drawio_rendering

user_permissions

ldap_host_failover

svg_image

prosemirror

captcha_example

fix/video-export

v25.12.3

v25.12.2

v25.12.1

v25.12

v25.11.6

v25.11.5

v25.11.4

v24.11.4

v25.11.3

v25.11.2

v25.11.1

v25.11

v25.07.3

v25.07.2

v25.07.1

v25.07

v25.05.2

v25.05.1

v25.05

v25.02.5

v25.02.4

v25.02.3

v25.02.2

v25.02.1

v25.02

v24.12.1

v24.12

v24.10.3

v24.10.2

v24.10.1

v24.10

v24.05.4

v24.05.3

v24.05.2

v24.05.1

v24.05

v24.02.3

v24.02.2

v24.02.1

v24.02

v23.12.3

v23.12.2

v23.12.1

v23.12

v23.10.4

v23.10.3

v23.10.2

v23.10.1

v23.10

v23.08.3

v23.08.2

v23.08.1

v23.08

v23.06.2

v23.06.1

v23.06

v23.05.2

v23.05.1

v23.05

v23.02.3

v23.02.2

v23.02.1

v23.02

v23.01.1

v23.01

v22.11.1

v22.11

v22.10.2

v22.10.1

v22.10

v22.09.1

v22.09

v22.07.3

v22.07.2

v22.07.1

v22.07

v22.06.2

v22.06.1

v22.06

v22.04.2

v22.04.1

v22.04

v22.03.1

v22.03

v22.02.3

v22.02.2

v22.02.1

v22.02

v21.12.5

v21.12.4

v21.12.3

v21.12.2

v21.12.1

v21.12

v21.11.3

v21.11.2

v21.11.1

v21.11

v21.10.3

v21.10.2

v21.10.1

v21.10

v21.08.6

v21.08.5

v21.08.4

v21.08.3

v21.08.2

v21.08.1

v21.08

v21.05.4

v21.05.3

v21.05.2

v21.05.1

v21.05

v21.04.6

v21.04.5

v21.04.4

v21.04.3

v21.04.2

v21.04.1

v21.04

v0.31.8

v0.31.7

v0.31.6

v0.31.5

v0.31.4

v0.31.3

v0.31.2

v0.31.1

v0.31.0

v0.30.7

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.1

v0.13.0

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.6

v0.7.5

v0.7.4

v0.7.3

0.7.2

v.0.7.1

v0.7.0

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

Labels

Clear labels

🎨 Design

📖 Docs Update

🐛 Bug

🐛 Bug

:cat2:🐈 Possible duplicate

💿 Database

☕ Open to discussion

💻 Front-End

🐕 Support

🚪 Authentication

🌍 Translations

🔌 API Task

🏭 Back-End

⛲ Upstream

🔨 Feature Request

🛠️ Enhancement

🛠️ Enhancement

🛠️ Enhancement

❤️ Happy feedback

🔒 Security

🔍 Pending Validation

💆 UX

📝 WYSIWYG Editor

🌔 Out of scope

🔩 API Request

:octocat: Admin/Meta

🖌️ View Customization

❓ Question

🚀 Priority

🛡️ Blocked

🚚 Export System

♿ A11y

🔧 Maintenance

> Markdown Editor

pull-request

Mirrored from GitHub Pull Request

No Label 🐛 Bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#5419