Open baua1310 opened 1 month ago
As mentioned in #4682, BookStack does cache discovered details but only for 15 minutes.
First, it would be good to test/rule-out instance cache issues.
Can you try setting the cache to be database based. This is done by setting CACHE_DRIVER=database in your existing .env file, or by setting CACHE_DRIVER=database to the environment for your BookStack app container. Remember to re-create the container if altering container environment options.
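To illustrate the mechanism this comment is probing (a cache of discovered provider details, signing keys included, that can outlive a key change at the identity provider within its TTL), the following is an added Python example; it is not BookStack's code and not from this thread. It assumes a scenario in which the provider rotates its signing key while the cached copy is still considered fresh, and it stands in HMAC secrets for the RS256/ES256 keys a real JWKS would hold so that it runs with only the standard library. The names `FakeProvider`, `KeyCache`, `validate_id_token` and `rotation_scenario` are hypothetical. The defensive point it shows is that a validator which refreshes its key set once (rate-limited) when a token carries an unknown `kid` keeps working across rotation, whereas one that trusts the cache until expiry fails with exactly the "could not be validated using the provided keys" class of error.

```python
import base64
import hashlib
import hmac
import json
import time
from math import inf


def b64url(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class FakeProvider:
    """Constructed stand-in for an OIDC provider's published key set.
    Real providers serve asymmetric keys at the JWKS URI found via discovery;
    HMAC secrets are used here only so the example runs offline."""

    def __init__(self):
        self.keys = {"kid-2024-01": b"constructed-secret-one"}
        self.fetch_count = 0  # how many times a client hit the key endpoint

    def fetch_jwks(self):
        self.fetch_count += 1
        return dict(self.keys)

    def rotate(self, new_kid, new_secret):
        # The provider retires the old key and publishes only the new one.
        self.keys = {new_kid: new_secret}

    def issue_token(self, claims):
        kid, secret = next(iter(self.keys.items()))
        header = {"alg": "HS256", "kid": kid}
        signing_input = b".".join(
            [b64url(json.dumps(header).encode()), b64url(json.dumps(claims).encode())]
        )
        sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
        return (signing_input + b"." + b64url(sig)).decode()


class KeyCache:
    """Caches provider keys for `ttl` seconds (900 = the 15 minutes mentioned
    in the thread). `refresh_on_unknown_kid` is the mitigation under test."""

    def __init__(self, provider, ttl=900, refresh_on_unknown_kid=True, clock=time.time):
        self.provider = provider
        self.ttl = ttl
        self.refresh_on_unknown_kid = refresh_on_unknown_kid
        self.clock = clock
        self.keys = None
        self.fetched_at = None
        self.min_refresh_interval = 60  # do not hammer the endpoint on junk tokens
        self.last_forced_refresh = -inf

    def _refresh(self, now):
        self.keys = self.provider.fetch_jwks()
        self.fetched_at = now

    def get_keys(self):
        now = self.clock()
        if self.keys is None or now - self.fetched_at >= self.ttl:
            self._refresh(now)
        return self.keys

    def key_for(self, kid):
        keys = self.get_keys()
        if kid in keys:
            return keys[kid]
        now = self.clock()
        # Unknown kid: refresh once, rate-limited, before giving up.
        if self.refresh_on_unknown_kid and now - self.last_forced_refresh >= self.min_refresh_interval:
            self.last_forced_refresh = now
            self._refresh(now)
            return self.keys.get(kid)
        return None


def validate_id_token(token, cache):
    """Return (ok, claims_or_reason). HS256 check standing in for JWKS/RS256."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        return False, "malformed token"
    if header.get("alg") != "HS256":  # reject "none" and algorithm confusion
        return False, "unexpected alg"
    key = cache.key_for(header.get("kid"))
    if key is None:
        return False, "Token signature could not be validated using the provided keys"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "Token signature could not be validated using the provided keys"
    return True, json.loads(b64url_decode(p))


def rotation_scenario(refresh_on_unknown_kid):
    """Sign in, let the provider rotate one minute later (cache still fresh),
    sign in again. Returns (first_ok, second_ok, fetch_count)."""
    t = [0.0]
    provider = FakeProvider()
    cache = KeyCache(provider, ttl=900, refresh_on_unknown_kid=refresh_on_unknown_kid, clock=lambda: t[0])
    first = validate_id_token(provider.issue_token({"sub": "alice"}), cache)[0]
    t[0] += 60
    provider.rotate("kid-2024-02", b"constructed-secret-two")
    second = validate_id_token(provider.issue_token({"sub": "alice"}), cache)[0]
    return first, second, provider.fetch_count


if __name__ == "__main__":
    print("cache-until-expiry:", rotation_scenario(False))
    print("refresh-on-unknown-kid:", rotation_scenario(True))
```

The rate limit in `key_for` matters as much as the refresh itself: without it, anyone who can reach the login endpoint could make the application re-fetch the key set on every request by presenting tokens with made-up `kid` values.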
@ssddanbrown I have set the suggested environment variable:
user@SRV001:/opt/bookstack$ docker compose ps
NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS
bookstack_app lscr.io/linuxserver/bookstack:latest "/init" bookstack_app 7 hours ago Up 4 hours 80/tcp, 443/tcp
bookstack_db mariadb:11 "docker-entrypoint.s…" bookstack_db 7 hours ago Up 4 hours 3306/tcp
user@SRV001:/opt/bookstack$ docker exec bookstack_app printenv
PATH=/lsiopy/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=581ed5423b8b
APP_THEME=custom
OIDC_ISSUER_DISCOVER=true
CACHE_DRIVER=database
OIDC_NAME=ZITADEL
OIDC_DISPLAY_NAME_CLAIMS=name
MAIL_ENCRYPTION=tls
MAIL_PASSWORD=somepassword
PUID=1000
OIDC_GROUPS_CLAIM=custom:roles
DB_PASS=somepassword
OIDC_END_SESSION_ENDPOINT=false
MAIL_DRIVER=smtp
DB_USER=bookstack
OIDC_REMOVE_FROM_GROUPS=true
OIDC_CLIENT_ID=someid@wiki
DB_HOST=bookstack_db
APP_DEBUG=true
AUTH_AUTO_INITIATE=true
MAIL_HOST=smtp-relay.brevo.com
MAIL_FROM=wiki@some.domain
PGID=1000
APP_URL=https://wiki.some.domain
OIDC_CLIENT_SECRET=somesecret
DB_DATABASE=bookstack
AUTH_METHOD=oidc
OIDC_ADDITIONAL_SCOPES=urn:zitadel:iam:org:projects:roles
MAIL_FROM_NAME=Wiki
OIDC_USER_TO_GROUPS=true
OIDC_ISSUER=https://some-instance.zitadel.cloud
DB_PORT=3306
MAIL_PORT=587
MAIL_USERNAME=mail@some.domain
PS1=$(whoami)@$(hostname):$(pwd)\$
HOME=/root
TERM=xterm
S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0
S6_VERBOSITY=1
S6_STAGE2_HOOK=/init-hook
VIRTUAL_ENV=/lsiopy
LSIO_FIRST_PARTY=true
Unfortunately, the error pattern persists. Even recreating the container does not solve the problem. This means that signing in with OIDC is not possible at all.
@baua1310 Does it start working again after removing the CACHE_DRIVER option again, and a container recreate?
@ssddanbrown Yes, after removing CACHE_DRIVER and recreating the container, sign-in with OIDC started working again.
Describe the Bug
When Zitadel SaaS is used for authentication with OIDC in BookStack, it will stop working after some time, at the latest after 24 hours, and the following error message is shown:
ID token validation failed with error: Token signature could not be validated using the provided keys.
Workaround: Deleting the BookStack docker container and recreating it fixes the error for some hours.
Steps to Reproduce
ID token validation failed with error: Token signature could not be validated using the provided keys
Expected Behaviour
When set up correctly, authentication with OIDC in BookStack also works after 24 hours.
Screenshots or Additional Context
Browser Details
Brave (1.66.118 Chromium: 125.0.6422.147 (Official Build) (64-bit)) on Windows 11 Version 23H2 (Build 22631.3593)
Exact BookStack Version
v24.05.1