BookStackApp / BookStack

A platform to create documentation/wiki content built with PHP & Laravel
https://www.bookstackapp.com/
MIT License

OIDC with Zitadel SaaS stops working after some time (signature could not be validated using the provided keys) #5049

Open baua1310 opened 1 month ago

baua1310 commented 1 month ago

Describe the Bug

When Zitadel SaaS is used for authentication with OIDC in Bookstack, it will stop working after some time, at the latest after 24 hours, and the following error message is shown: ID token validation failed with error: Token signature could not be validated using the provided keys.

Workaround: Deleting the bookstack docker container and recreating it fixes the error for some hours.

Steps to Reproduce

  1. set up OIDC with Zitadel SaaS as described in #4682 by @megastary
  2. test successful sign in with SSO
  3. wait 24 hours
  4. retry sign in with SSO
  5. see error: ID token validation failed with error: Token signature could not be validated using the provided keys

Expected Behaviour

When set up correctly, authentication with OIDC in BookStack also works after 24 hours.

Screenshots or Additional Context

[Screenshot attached: Screenshot 2024-06-04 064557]

Browser Details

Brave (1.66.118 Chromium: 125.0.6422.147 (Official Build) (64-bit)) on Windows 11 Version 23H2 (Build 22631.3593)

Exact BookStack Version

v24.05.1

ssddanbrown commented 1 month ago

As mentioned in #4682, BookStack does cache discovered details but only for 15 minutes.

First, it would be good to test/rule out instance cache issues. Can you try setting the cache to be database-based? This is done by setting CACHE_DRIVER=database in your existing .env file, or by setting CACHE_DRIVER=database in the environment for your BookStack app container. Remember to re-create the container if altering container environment options.
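
The error in this thread ("Token signature could not be validated using the provided keys") is what a relying party reports when the kid in an ID token's header matches none of the keys it currently holds. One cause that fits a cached discovery document is signing-key rotation at the provider while the relying party still uses a stale key set. The following is an added example and not BookStack's or Zitadel's code: a toy provider that rotates its key and a relying party that caches the JWKS for the 15 minutes mentioned above and, as the usual mitigation, re-fetches the JWKS once when it meets an unknown kid. Assumptions: key rotation is only a hypothesis for this issue, the root cause is not established in the thread; HS256 "oct" keys stand in for the provider's RSA keys so the code runs offline (a real relying party must accept only the provider's asymmetric algorithms); the ISSUER, CLIENT_ID values, the 60-second refresh throttle and the timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-ins for the issuer and client id shown in the thread.
ISSUER = "https://some-instance.zitadel.cloud"
CLIENT_ID = "someid@wiki"
DISCOVERY_TTL = 15 * 60       # discovery/JWKS cache lifetime stated in the comment above
MIN_REFRESH_INTERVAL = 60     # assumption: throttle refreshes forced by unknown kids (an attacker controls that header)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenValidationError(Exception):
    pass


class FakeProvider:
    """Toy OpenID Provider. HS256 'oct' keys replace RSA keys only to keep the example offline."""

    def __init__(self):
        self.keys = {}
        self.rotate()

    def rotate(self):
        # Hard rotation: the previous key is dropped, so tokens must be re-issued and
        # relying parties must learn the new key before they can validate anything.
        self.kid = secrets.token_hex(8)
        self.keys = {self.kid: secrets.token_bytes(32)}

    def jwks(self):
        return {"keys": [{"kty": "oct", "kid": kid, "alg": "HS256", "k": b64url(k)}
                         for kid, k in self.keys.items()]}

    def issue_id_token(self, sub: str, now: int) -> str:
        header = {"alg": "HS256", "typ": "JWT", "kid": self.kid}
        claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": sub, "iat": now, "exp": now + 3600}
        signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
        sig = hmac.new(self.keys[self.kid], signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url(sig)


class RelyingParty:
    """Caches the provider's JWKS and validates ID tokens against it."""

    def __init__(self, provider: FakeProvider, refresh_on_unknown_kid: bool = True):
        self.provider = provider
        self.refresh_on_unknown_kid = refresh_on_unknown_kid
        self.cached_keys = {}
        self.fetched_at = -10**9   # forces a fetch on first use

    def _refresh(self, now: int):
        self.cached_keys = {j["kid"]: b64url_decode(j["k"])
                            for j in self.provider.jwks()["keys"] if j.get("kty") == "oct"}
        self.fetched_at = now

    def verify_id_token(self, token: str, now: int) -> dict:
        try:
            h, p, s = token.split(".")
            header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)
        except (ValueError, json.JSONDecodeError):
            raise TokenValidationError("malformed token")
        if header.get("alg") != "HS256":          # allow-list the algorithm; never trust the token's own alg
            raise TokenValidationError("unexpected alg")
        if now - self.fetched_at >= DISCOVERY_TTL:
            self._refresh(now)                    # normal TTL expiry
        kid = header.get("kid")
        if kid not in self.cached_keys and self.refresh_on_unknown_kid \
                and now - self.fetched_at >= MIN_REFRESH_INTERVAL:
            self._refresh(now)                    # kid may have been rotated in since the last fetch
        key = self.cached_keys.get(kid)
        if key is None:
            raise TokenValidationError("Token signature could not be validated using the provided keys")
        expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            raise TokenValidationError("bad signature")
        if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID or claims.get("exp", 0) <= now:
            raise TokenValidationError("iss/aud/exp check failed")
        return claims


def scenario(refresh_on_unknown_kid: bool):
    """Sign in, let the provider rotate its key, sign in again two minutes later."""
    op = FakeProvider()
    rp = RelyingParty(op, refresh_on_unknown_kid)
    t0 = 1_717_480_000                            # constructed timestamp
    first = rp.verify_id_token(op.issue_id_token("alice", t0), t0)["sub"]
    op.rotate()
    try:
        rp.verify_id_token(op.issue_id_token("alice", t0 + 120), t0 + 120)
        return first, "ok"
    except TokenValidationError as exc:
        return first, str(exc)


if __name__ == "__main__":
    print("refresh on unknown kid:", scenario(True))
    print("stale cache only:      ", scenario(False))
```

With refresh-on-unknown-kid disabled the second login fails with exactly the message from the report even though the token is freshly issued and otherwise valid, and it keeps failing until the cache TTL passes. If the cache never expires at all (for instance because the configured cache backend is not behaving as expected), the failure persists indefinitely, which is why checking the cache driver is a sensible first step.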

baua1310 commented 1 month ago

@ssddanbrown I have set the suggested environment variable:

user@SRV001:/opt/bookstack$ docker compose ps
NAME            IMAGE                                  COMMAND                  SERVICE         CREATED       STATUS       PORTS
bookstack_app   lscr.io/linuxserver/bookstack:latest   "/init"                  bookstack_app   7 hours ago   Up 4 hours   80/tcp, 443/tcp
bookstack_db    mariadb:11                             "docker-entrypoint.s…"   bookstack_db    7 hours ago   Up 4 hours   3306/tcp
user@SRV001:/opt/bookstack$ docker exec bookstack_app printenv
PATH=/lsiopy/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=581ed5423b8b
APP_THEME=custom
OIDC_ISSUER_DISCOVER=true
CACHE_DRIVER=database
OIDC_NAME=ZITADEL
OIDC_DISPLAY_NAME_CLAIMS=name
MAIL_ENCRYPTION=tls
MAIL_PASSWORD=somepassword
PUID=1000
OIDC_GROUPS_CLAIM=custom:roles
DB_PASS=somepassword
OIDC_END_SESSION_ENDPOINT=false
MAIL_DRIVER=smtp
DB_USER=bookstack
OIDC_REMOVE_FROM_GROUPS=true
OIDC_CLIENT_ID=someid@wiki
DB_HOST=bookstack_db
APP_DEBUG=true
AUTH_AUTO_INITIATE=true
MAIL_HOST=smtp-relay.brevo.com
MAIL_FROM=wiki@some.domain
PGID=1000
APP_URL=https://wiki.some.domain
OIDC_CLIENT_SECRET=somesecret
DB_DATABASE=bookstack
AUTH_METHOD=oidc
OIDC_ADDITIONAL_SCOPES=urn:zitadel:iam:org:projects:roles
MAIL_FROM_NAME=Wiki
OIDC_USER_TO_GROUPS=true
OIDC_ISSUER=https://some-instance.zitadel.cloud
DB_PORT=3306
MAIL_PORT=587
MAIL_USERNAME=mail@some.domain
PS1=$(whoami)@$(hostname):$(pwd)\$
HOME=/root
TERM=xterm
S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0
S6_VERBOSITY=1
S6_STAGE2_HOOK=/init-hook
VIRTUAL_ENV=/lsiopy
LSIO_FIRST_PARTY=true

Unfortunately, the error pattern persists. Even recreating the container does not solve the problem. This means that signing in with OIDC is not possible at all.

ssddanbrown commented 1 month ago

@baua1310 Does it start working again after removing the CACHE_DRIVER option again, and a container recreate?

baua1310 commented 1 month ago

@ssddanbrown Yes after removing CACHE_DRIVER and recreating the container sign in with OIDC started working again.