Allow removal or customization of default OIDC scopes (profile, email) for minimal OIDC providers #5552

Open
opened 2026-02-05 10:10:03 +03:00 by OVERLORD · 0 comments

Originally created by @broughtonm on GitHub (Dec 23, 2025).

Describe the feature you'd like

BookStack hardcodes OIDC scopes as ['openid', 'profile', 'email'] and only allows adding additional scopes via OIDC_ADDITIONAL_SCOPES, but provides no way to remove or replace the default profile and email scopes.

According to the OpenID Connect specification, only openid is required - profile and email are optional standard scopes. Some enterprise OIDC providers don't support these optional scopes even though they provide the necessary user claims through other means.

Specifically, I'd like to utilize OIDC with Veracross (education sector Student Information System), which doesn't allow enabling the profile and email scopes in its OIDC configuration, making it impossible to authenticate with BookStack despite being otherwise OIDC-compliant and providing all necessary user data (email, name, etc.).

I'd like an OIDC_SCOPES configuration option that allows replacing the default scopes entirely.

Describe the benefits this would bring to existing BookStack users

Broader OIDC Provider Compatibility:
This feature would enable BookStack to authenticate with enterprise and institutional identity providers that implement minimal OIDC specifications.

Can the goal of this request already be achieved via other means?

The only workaround is manually editing OidcOAuthProvider.php to change the hardcoded scopes array, which is not sustainable.

Have you searched for an existing open/closed issue?

  • I have searched for existing issues and none cover my fundamental request

How long have you been using BookStack?

Under 3 months

Additional context

No response

OVERLORD added the 🔨 Feature Request label 2026-02-05 10:10:03 +03:00
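
The scope handling requested above, sketched as an added example; this is not BookStack's code and not part of the original issue. OIDC_SCOPES is the option the issue asks for and does not exist in BookStack, resolveOidcScopes() and parseScopeList() are hypothetical helpers, and comma- or space-separated env values are an assumption.

```php
<?php
// Added illustration only. OIDC_SCOPES is the *requested* option (hypothetical);
// OIDC_ADDITIONAL_SCOPES and the default scope list are taken from the issue text.

const DEFAULT_SCOPES = ['openid', 'profile', 'email'];

/** Split an env value into scope tokens and reject malformed ones. */
function parseScopeList(?string $raw): array
{
    // Assumption: values are separated by commas and/or whitespace.
    $tokens = preg_split('/[\s,]+/', trim((string) $raw), -1, PREG_SPLIT_NO_EMPTY);
    foreach ($tokens as $token) {
        // RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
        if (!preg_match('/^[\x21\x23-\x5B\x5D-\x7E]+$/', $token)) {
            throw new InvalidArgumentException('Invalid scope token: ' . json_encode($token));
        }
    }
    return $tokens;
}

/** Build the scope list for the authorization request. */
function resolveOidcScopes(?string $override, ?string $additional): array
{
    $base = parseScopeList($override);
    if ($base === []) {
        // Option unset or empty: keep the current hardcoded defaults.
        $base = DEFAULT_SCOPES;
    }
    // 'openid' is mandatory for an OIDC authentication request, so it is
    // always sent even if the operator leaves it out of the override.
    $scopes = array_merge(['openid'], $base, parseScopeList($additional));

    // De-duplicate while preserving order.
    return array_values(array_unique($scopes));
}

// Constructed sample values, not taken from any real deployment.
$cases = [
    'defaults'               => [null, null],
    'defaults + additional'  => [null, 'groups'],
    'minimal provider'       => ['openid', null],
    'override missing openid' => ['custom_claims', 'groups'],
];
foreach ($cases as $label => [$override, $additional]) {
    echo $label, ': ', implode(' ', resolveOidcScopes($override, $additional)), PHP_EOL;
}
```

With an override of just openid, the request carries only the scope the specification requires, which is the minimal-provider case described in the issue.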

Reference: starred/BookStack#5552