Mirror of https://github.com/BookStackApp/BookStack.git, synced 2026-02-07 11:19:38 +03:00
SSO/OIDC authentication with OpenID Connect fails #5517
Closed · opened 2026-02-05 10:08:13 +03:00 by OVERLORD · 4 comments
Originally created by @mmardegan on GitHub (Nov 25, 2025).
Attempted Debugging
Searched GitHub Issues
Describe the Scenario
SSO/OIDC authentication with an OpenID Connect / OAuth2 server integrated in an eGroupware server fails
With autodiscovery active
I get this error immediately after clicking in the login screen:
"OICD Discovery Error: Unexpected issuer value found on discovery response"
I have therefore set the following parameters:
OIDC_ISSUER=https://example.com/
OIDC_ISSUER_DISCOVER=true
This is the link to the eGroupware OIDC configuration: https://github.com/EGroupware/egroupware/wiki/OpenID-Connect----OAuth2
This is the discovery response (opened via browser); it seems OK.
```json
{
  "issuer": "https://example.com/",
  "authorization_endpoint": "https://example.com/egroupware/openid/endpoint.php/authorize",
  "token_endpoint": "https://example.com/egroupware/openid/endpoint.php/access_token",
  "jwks_uri": "https://example.com/egroupware/openid/endpoint.php/jwks",
  "response_types_supported": ["code", "code id_token", "id_token", "token id_token"],
  "subject_types_supported": ["public", "pairwise"],
  "id_token_signing_alg_values_supported": ["RS256", "ES256", "HS256"],
  "userinfo_endpoint": "https://example.com/egroupware/openid/endpoint.php/userinfo",
  "claims_supported": ["sub", "iss", "name", "given_name", "family_name", "nickname", "profile", "picture", "website", "email", "email_verified", "locale", "zoneinfo", "roles", "groups"],
  "scopes_supported": ["openid", "basic", "email", "phone", "address", "profile", "roles", "videoconference", "groups", "email_aliases"],
  "response_modes_supported": ["query"],
  "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "client_credentials", "password_credentials"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic"],
  "display_values_supported": ["page", "popup"],
  "claim_types_supported": ["normal"],
  "service_documentation": "https://github.com/EGroupware/openid",
  "request_uri_parameter_supported": true,
  "require_request_uri_registration": true,
  "end_session_endpoint": "https://example.com/egroupware/logout.php"
}
```
With autodiscovery disabled
BookStack activates the connection, eGroupware asks for permission to log in, but then I get this error:
"ID token validation failed with error: Failed to read signing key with error: Unexpected type of the key value provided"
I have therefore set the following parameters:
OIDC_ISSUER=https://example.com/
OIDC_ISSUER_DISCOVER=false
OIDC_PUBLIC_KEY=https://example.com/egroupware/openid/endpoint.php/jwks
OIDC_AUTH_ENDPOINT=https://example.com/egroupware/openid/endpoint.php/authorize
OIDC_TOKEN_ENDPOINT=https://example.com/egroupware/openid/endpoint.php/access_token
OIDC_USERINFO_ENDPOINT=https://example.com/egroupware/openid/endpoint.php/userinfo
Thank you.
Exact BookStack Version
BookStack v25.11.2
Log Content
Hosting Environment
OS Debian 13
PHP 8.4.11
mariadb 11.8.3
@ssddanbrown commented on GitHub (Nov 25, 2025):
Hi @mmardegan,
That is only really shown as a result of a fairly basic check of the `OIDC_ISSUER` against the `issuer` in the autodiscovery response. Are you sure the actual values there are 100% exactly the same? No difference in trailing slash, for example? No difference in starting protocol? Are there any kind of special characters contained within this value?
@mmardegan commented on GitHub (Nov 25, 2025):
Hi @ssddanbrown, thank you in advance.
Yes, I am sure that the value of the issuer is the same, and it does not contain strange characters (example.com is not the real domain). If I try to open that URL in the same web browser I get the JSON above. The BookStack server also resolves the IP of the OIDC server.
I don't understand; the servers are in a LAN.
And for the second option, with autodiscovery disabled, is this parameter correct? I get a JSON, not a key.pem
OIDC_PUBLIC_KEY=https://example.com/egroupware/openid/endpoint.php/jwks
{"keys":[{"alg":"RS256","kty":"RSA","kid":" xxxxxxxxxxxxxxxxx ","use":"sig","n":" xxxxxxxxxxxxxxxxxx ","e":"AQAB"}]}
edit: same JSON in response if I do a curl on the BookStack server
@ssddanbrown commented on GitHub (Nov 27, 2025):
If you'd like to debug the difference in issuer value, to see what BookStack is comparing, you could find the following file and line:
46001d61d0/app/Access/Oidc/OidcProviderSettings.php (L126)
Then above that line add:
This should stop the login process before the error, and dump out both issuer values to the browser.
No, the JWKS_URI, which you're using there, is quite a different thing. BookStack needs a `file:///keys/idp-public-key.pem`-like reference as per our docs to a PEM format file on the host system. You may be able to find converters for JWKS data (the data found when you visit the JWKS_URI) but I'd be cautious about pasting cert data into random websites.
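To get from the JWKS response shown above to the PEM file BookStack expects for OIDC_PUBLIC_KEY without pasting key material into a third-party site, here is an added offline converter (Python; this is not BookStack's code nor an eGroupware tool). It selects the RSA signing key from the JWKS and encodes its `n`/`e` as a standard SubjectPublicKeyInfo PEM; the sample JWKS at the bottom is constructed with a placeholder modulus, and `example-kid` is an assumed key id.

```python
import base64
import json

def _b64url_decode(value: str) -> bytes:
    """Decode base64url (JWK 'n'/'e'); tolerates missing padding and stray spaces."""
    value = value.strip()
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(raw: bytes) -> bytes:
    """DER INTEGER from unsigned big-endian bytes (pad so it is not read as negative)."""
    raw = raw.lstrip(b"\x00") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return b"\x02" + _der_len(len(raw)) + raw

def _der_seq(*parts: bytes) -> bytes:
    body = b"".join(parts)
    return b"\x30" + _der_len(len(body)) + body

# AlgorithmIdentifier: OID 1.2.840.113549.1.1.1 (rsaEncryption) with NULL parameters
RSA_ALG_ID = _der_seq(bytes.fromhex("06092a864886f70d010101") + bytes.fromhex("0500"))

def jwk_rsa_to_spki_der(jwk: dict) -> bytes:
    """Encode an RSA JWK as DER SubjectPublicKeyInfo, the structure 'BEGIN PUBLIC KEY' wraps."""
    if jwk.get("kty") != "RSA":
        raise ValueError(f"unsupported kty {jwk.get('kty')!r}; only RSA is handled here")
    rsa_pub = _der_seq(_der_int(_b64url_decode(jwk["n"])), _der_int(_b64url_decode(jwk["e"])))
    bit_string = b"\x03" + _der_len(len(rsa_pub) + 1) + b"\x00" + rsa_pub  # 0 unused bits
    return _der_seq(RSA_ALG_ID, bit_string)

def jwks_to_pem(jwks_json: str, kid=None) -> str:
    """Select the RSA signing key (by kid when given; otherwise there must be exactly one)."""
    keys = [k for k in json.loads(jwks_json)["keys"]
            if k.get("kty") == "RSA" and k.get("use", "sig") == "sig"]
    if kid is not None:
        keys = [k for k in keys if k.get("kid", "").strip() == kid.strip()]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one matching RSA signing key, found {len(keys)}")
    b64 = base64.b64encode(jwk_rsa_to_spki_der(keys[0])).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

if __name__ == "__main__":
    # Constructed JWKS in the shape shown in the thread; the 2048-bit modulus is a placeholder.
    n = base64.urlsafe_b64encode(((1 << 2047) | 1).to_bytes(256, "big")).rstrip(b"=").decode()
    sample = json.dumps({"keys": [{"alg": "RS256", "kty": "RSA", "kid": " example-kid ",
                                   "use": "sig", "n": f" {n} ", "e": "AQAB"}]})
    print(jwks_to_pem(sample, kid="example-kid"))  # save as /keys/idp-public-key.pem
```

Fetch the JWKS yourself with curl from the BookStack host, run the script on it, and point OIDC_PUBLIC_KEY at the resulting file via a `file://` reference.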
@mmardegan commented on GitHub (Nov 27, 2025):
The issue is resolved, but I don't know why.
I did some tests: I activated the autodiscovery
OIDC_ISSUER_DISCOVER=true
and then I tried to modify the issuer address
from OIDC_ISSUER=https://example.com/ to OIDC_ISSUER=http://example.com -> I get an error, it can't find the server; then I tried
from OIDC_ISSUER=https://example.com/ to OIDC_ISSUER=https://example.com -> it can log in on the server.
I'm quite sure I had already tried this configuration and it didn't run.
Maybe because in this test I didn't comment out these parameters, contrary to the previous tests:
OIDC_PUBLIC_KEY=https://example.com/egroupware/openid/endpoint.php/jwks
OIDC_AUTH_ENDPOINT=https://example.com/egroupware/openid/endpoint.php/authorize
OIDC_TOKEN_ENDPOINT=https://example.com/egroupware/openid/endpoint.php/access_token
OIDC_USERINFO_ENDPOINT=https://example.com/egroupware/openid/endpoint.php/userinfo
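The strict issuer comparison this thread turns on, written out as an added example (Python, not BookStack's own PHP): it reports exactly what differs between a configured OIDC_ISSUER and the `issuer` in the discovery document, including the trailing-slash difference that resolved this report. The discovery excerpt is constructed from the JSON posted above, and `discovery_url` is an assumed helper showing where the metadata is fetched from.

```python
from urllib.parse import urlsplit

def diagnose_issuer_mismatch(configured: str, discovered: str) -> list:
    """Return [] only when both values are byte-for-byte identical, the exact match an
    OIDC client must insist on so tokens from a look-alike issuer are never accepted;
    otherwise list what differs."""
    if configured == discovered:
        return []
    c, d = urlsplit(configured), urlsplit(discovered)
    reasons = []
    if c.scheme != d.scheme:
        reasons.append(f"scheme differs: {c.scheme!r} vs {d.scheme!r}")
    if c.netloc != d.netloc:
        reasons.append(f"host/port differs: {c.netloc!r} vs {d.netloc!r}")
    if c.path != d.path:
        if c.path.rstrip("/") == d.path.rstrip("/"):
            reasons.append("trailing slash differs")
        else:
            reasons.append(f"path differs: {c.path!r} vs {d.path!r}")
    if any(ch.isspace() for ch in configured + discovered):
        reasons.append("whitespace present in a value")
    if any(ord(ch) > 127 for ch in configured + discovered):
        reasons.append("non-ASCII characters present")
    return reasons or ["values differ only in case, query or fragment; compare byte by byte"]

def discovery_url(issuer: str) -> str:
    """Where the client fetches metadata for an issuer (OIDC Discovery, section 4.1)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery_document(configured_issuer: str, document: dict) -> list:
    """The plain equality check the maintainer describes, applied to a parsed document."""
    return diagnose_issuer_mismatch(configured_issuer, str(document.get("issuer", "")))

# Constructed excerpt of the discovery document shown earlier in the thread.
SAMPLE_DISCOVERY = {"issuer": "https://example.com/",
                    "jwks_uri": "https://example.com/egroupware/openid/endpoint.php/jwks"}

if __name__ == "__main__":
    for cfg in ("https://example.com/", "https://example.com", "http://example.com"):
        print(cfg, "->", check_discovery_document(cfg, SAMPLE_DISCOVERY) or "exact match")
```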