OIDC login doesn't work (keeps asking to login again)

[davispuh]

Attempted Debugging

• [X] I have read the debugging page

Searched GitHub Issues

• [X] I have searched GitHub for the issue.

Describe the Scenario

I setup BookStack with Authentik OIDC provider but when I log in with SSO I get redirected back to login page. /oidc/callback works fine (I see data if I set OIDC_DUMP_USER_DETAILS=true)

It's like cookies wouldn't work or session doesn't get saved but don't know how to debug further. I see that bookstack_session cookie is sent.

My env vars are like

AUTH_METHOD=oidc
OIDC_CLIENT_ID=xxx
OIDC_CLIENT_SECRET=yyy
OIDC_ISSUER=https://auth.example.org/application/o/bookstack/
OIDC_ISSUER_DISCOVER=true

Exact BookStack Version

v24.05.3

Log Content

No log file

Hosting Environment

ghcr.io/linuxserver/bookstack:latest Docker image with Podman

[ssddanbrown]

Hi @davispuh,

• Is APP_URL set for the BookStack instance, and does it exactly match the base URL of the instance (with no trailing slash and correct protocol)?
• Did normal email/password login work okay before configuring OIDC?
• In the /callback request shown in your screenshot, are there any additional parameters on the URL in addition to state and code?

[davispuh]

• Yeah APP_URL is same as I write in browser URL https://bookstack.example.org. It was without slash but I just tried adding / made no difference.
• I didn't try but I tried now and it doesn't work either. Same behavior, I enter admin@admin.com and password and it redirects back to login, but password is correct it doesn't say it's wrong. There's no error message at all.
• Nothing else only state and code

It really looks like something with session saving doesn't work so need some way to dig into that.

[davispuh]

In /app/www/storage/framework/sessions I see session files. I deleted all of them and tried again. After opening login page there is

$ cat yUsmBoYyBreOCh17MFvj5XZ0ARGarsoIax225VXk
a:3:{s:6:"_token";s:40:"VH6RLIFVb4xS6oClBFRvJuJ8pVWKg4qvrQCfaYXX";s:9:"_previous";a:1:{s:3:"url";s:26:"https://bookstack.example.org/login";}s:6:"_flash";a:2:{s:3:"old";a:0:{}s:3:"new";a:0:{}}}

Then after login there are 2 files:

$ cat yUsmBoYyBreOCh17MFvj5XZ0ARGarsoIax225VXk
a:4:{s:6:"_token";s:40:"qWrzdzSdH9AH57rMKLhgFDpv3Tk7lJsXj1kdZakh";s:3:"url";a:1:{s:8:"intended";s:20:"https://bookstack.example.org";}s:9:"_previous";a:1:{s:3:"url";s:26:"https://bookstack.example.org/login";}s:6:"_flash";a:2:{s:3:"old";a:0:{}s:3:"new";a:0:{}}}
$ cat K1WkQ9gI2FBhqRir4tcP7A6HUIxkddTyUKPC2Hqu
a:7:{s:6:"_token";s:40:"tQpxnysQ36wV1CtgTucuOwM2XDAk56NmEnpxdeWM";s:9:"_previous";a:1:{s:3:"url";s:26:"https://bookstack.example.org/login";}s:6:"_flash";a:2:{s:3:"old";a:0:{}s:3:"new";a:0:{}}s:55:"login_standard_59ba36addc2b2f9401580f014c7f58ea4e30989d";i:1;s:51:"login_ldap_80419bb419cfe6844528c34d42daecea68292a06";i:1;s:52:"login_saml2_68cb028f07b60f58d8e38f79b41505d620d0b238";i:1;s:51:"login_oidc_68cb028f07b60f58d8e38f79b41505d620d0b238";i:1;}

[davispuh]

I figured it out, I have Bookstack behind Nginx with custom 302 error page and that caused this issue.

In Nginx there is

error_page 302 /errors/HTTP302.html;

add_header Location $upstream_http_location;
add_header Set-Cookie $upstream_http_set_cookie;

removing this error page it works fine.

It probably breaks because BookStack is sending 3x set-cookie headers.

[davispuh]

Adding additional cookie header in Nginx

add_header Set-Cookie bookstack_session=$upstream_cookie_bookstack_session;

makes custom 302 error page work but still seems bit buggy with sessions so looks like best option is not use custom 302 page.

[ssddanbrown]

Glad you found the cause! Not sure what value there is for setting a custom 302 error page, since 302 response codes are not supposed to be considered as errors, and can be heavily utilised in applications for redirect functionality.