BookStackApp / BookStack

A platform to create documentation/wiki content built with PHP & Laravel
https://www.bookstackapp.com/
MIT License

BookStack OIDC fails to log in with an empty groups claim #5101

Closed Misaka-L closed 4 months ago

Misaka-L commented 4 months ago

Describe the Bug

If the roles field in the response of the OIDC system is an empty array and the user tries to log in without an existing user in BookStack, they will get this error:


Steps to Reproduce

  1. Return an empty groups claim in the OIDC user response
  2. Try to log in without an existing user in BookStack
  3. An error is thrown

Expected Behaviour

User login succeeds and a new BookStack account is created with a default role if the groups claim is empty (it should be configurable by editing .env or the web UI?).

Screenshots or Additional Context

OIDC User info dump

{
    "sub": "****",
    "name": "****",
    "picture": null,
    "updated_at": 1719400164865,
    "username": "****",
    "created_at": 1719398180979,
    "email": "****@****.com",
    "email_verified": true,
    "roles": [],
    "at_hash": "****",
    "aud": "ja7i8qdjfsn6asiwlce4o",
    "exp": 1720193283,
    "iat": 1720189683,
    "iss": "https://****/oidc"
}

.env

AUTH_METHOD=oidc

AUTH_AUTO_INITIATE=true

OIDC_NAME=****
OIDC_DISPLAY_NAME_CLAIMS=name

OIDC_CLIENT_ID=****
OIDC_CLIENT_SECRET=****

OIDC_ISSUER=https://****/oidc

OIDC_END_SESSION_ENDPOINT=true
OIDC_ISSUER_DISCOVER=true

OIDC_USER_TO_GROUPS=true
OIDC_GROUPS_CLAIM=roles
OIDC_ADDITIONAL_SCOPES=roles
OIDC_REMOVE_FROM_GROUPS=true

OIDC_DUMP_USER_DETAILS=false


Browser Details

Microsoft Edge 127.0.2651.15 Beta (64-bit) on Windows 11 24H2 (26120.961)

Exact BookStack Version

v24.05.2

ssddanbrown commented 4 months ago

Thanks for reporting @Misaka-L. I could confirm that BookStack was not differentiating between a non-provided groups list and an empty one in the OIDC ID token data, and therefore would default to calling the userinfo endpoint upon an empty group list in an attempt to gain more information.

I'm not sure why the userinfo call was failing for you though. I did double check this against a live OIDC system to ensure the userinfo part works as expected, which it does from my test.

Otherwise, I've addressed the providing of empty groups in commit 767699a0664c13fea1293654578f571ec4a08fa3, so the userinfo won't be called if a valid empty group list is provided, and this will be part of the next patch release.
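The distinction the maintainer describes, as an added illustration that is not BookStack's own code: a check based on `empty()` treats a missing groups claim and an empty array alike and so requests userinfo for the empty `roles` list from the report, while a check that tests for presence and array type only falls back to userinfo when the claim is genuinely absent. The function names, `$claims` (decoded ID token payload), `$groupsClaim` (the configured OIDC_GROUPS_CLAIM) and `$userToGroups` (OIDC_USER_TO_GROUPS) are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added illustration, not BookStack's code. Names ($claims, $groupsClaim,
// $userToGroups, both function names) are assumptions for this example.

/**
 * Problematic variant: empty() is true for both a missing key and an empty
 * array, so a valid "no groups" answer still triggers a userinfo request.
 */
function needsUserinfoLoose(array $claims, string $groupsClaim, bool $userToGroups): bool
{
    return $userToGroups && empty($claims[$groupsClaim] ?? null);
}

/**
 * Corrected variant: only a missing (or non-array) groups claim justifies a
 * userinfo call. An empty array is a complete answer meaning "member of no groups".
 */
function needsUserinfoStrict(array $claims, string $groupsClaim, bool $userToGroups): bool
{
    if (!$userToGroups) {
        return false;
    }
    return !isset($claims[$groupsClaim]) || !is_array($claims[$groupsClaim]);
}

// Constructed samples shaped like the dump in the report: one ID token with an
// empty roles claim, one with the claim absent entirely.
$samples = [
    'roles present but empty' => ['sub' => 'user-1', 'email' => 'user@example.com', 'roles' => []],
    'roles claim absent'      => ['sub' => 'user-1', 'email' => 'user@example.com'],
];

foreach ($samples as $label => $claims) {
    printf(
        "%-24s loose=%s strict=%s\n",
        $label,
        needsUserinfoLoose($claims, 'roles', true) ? 'userinfo' : 'skip',
        needsUserinfoStrict($claims, 'roles', true) ? 'userinfo' : 'skip'
    );
}
```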