[PR #2960] [MERGED] OIDC implementation #6100

Closed
opened 2026-02-05 10:24:30 +03:00 by OVERLORD · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/BookStackApp/BookStack/pull/2960
Author: @ssddanbrown
Created: 10/7/2021
Status: Merged
Merged: 10/16/2021
Merged by: @ssddanbrown

Base: master ← Head: oidc


📝 Commits (10+)

  • 07a6d76 First basic OpenID Connect implementation
  • 25144a1 Deduplicated getOrRegisterUser method
  • 10c8909 Token expiration and refreshing using the refresh_token flow
  • 5df7db5 Ignore ID token expiry if unavailable
  • 97cde9c Generalize refresh failure handling
  • 13d0260 Configurable OpenID Connect services
  • 75b4a05 Add OpenIdService to OpenIdSessionGuard constructor call
  • 46388a5 AccessToken empty array parameter on null
  • 6feaf25 Increase robustness of the refresh method
  • 23402ae Initial unit tests for OpenID

📊 Changes

39 files changed (+2233 additions, -203 deletions)

📝 .env.example.complete (+12 -0)
📝 app/Auth/Access/GroupSyncService.php (+4 -4)
📝 app/Auth/Access/Guards/AsyncExternalBaseSessionGuard.php (+1 -1)
📝 app/Auth/Access/LdapService.php (+7 -9)
📝 app/Auth/Access/LoginService.php (+1 -1)
➕ app/Auth/Access/Oidc/OidcAccessToken.php (+54 -0)
➕ app/Auth/Access/Oidc/OidcIdToken.php (+232 -0)
➕ app/Auth/Access/Oidc/OidcInvalidKeyException.php (+8 -0)
➕ app/Auth/Access/Oidc/OidcInvalidTokenException.php (+10 -0)
➕ app/Auth/Access/Oidc/OidcIssuerDiscoveryException.php (+8 -0)
➕ app/Auth/Access/Oidc/OidcJwtSigningKey.php (+108 -0)
➕ app/Auth/Access/Oidc/OidcOAuthProvider.php (+127 -0)
➕ app/Auth/Access/Oidc/OidcProviderSettings.php (+198 -0)
➕ app/Auth/Access/Oidc/OidcService.php (+210 -0)
📝 app/Auth/Access/RegistrationService.php (+26 -0)
📝 app/Auth/Access/Saml2Service.php (+22 -38)
📝 app/Config/auth.php (+7 -3)
➕ app/Config/oidc.php (+35 -0)
➕ app/Exceptions/OpenIdConnectException.php (+6 -0)
📝 app/Http/Controllers/Auth/LoginController.php (+2 -1)

...and 19 more files

📄 Description

Continuation of #2169

TODO

  • [x] Look to address PHP8+ compatibility. Either choose different libraries or assist the upgrade of upstream projects.
  • [x] Add basic-level auto-discovery to handle key & endpoint fetching.
  • [x] Update and ensure coverage of automated testing.
  • [x] Test with multiple auth providers
    • [x] Okta
    • [x] Keycloak
    • [x] Auth0
  • [x] Sponsor phpseclib

References

  • OIDC Implementers Guide: https://openid.net/specs/openid-connect-basic-1_0.html#IDToken
  • OIDC Discovery Spec: https://openid.net/specs/openid-connect-discovery-1_0.html
  • steverhoades/oauth2-openid-connect-client: https://github.com/steverhoades/oauth2-openid-connect-client
  • Okta Autodiscovery Example: https://dev-377627.oktapreview.com/.well-known/openid-configuration
  • phpseclib (https://phpseclib.com/) - Potential solution for key handling/verification.

For Docs

  • Mention default cache time of 15 mins for auto-discovery.
  • Advise that only RS256 id token signing is currently supported.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
OVERLORD added the pull-request label 2026-02-05 10:24:30 +03:00
Reference: starred/BookStack#6100