Editor role always assigned when using OIDC

[federicochiesa]

Describe the Bug

I'm using Keycloak as an OIDC SSO with BookStack. This is the BookStack SSO configuration:

    - OIDC_NAME=SSO
    - OIDC_DISPLAY_NAME_CLAIMS=given_name|family_name
    - OIDC_CLIENT_ID=bookstack
    - OIDC_CLIENT_SECRET=xxxxxxxx
    - OIDC_ISSUER=https://xxxxxxxxx
    - OIDC_END_SESSION_ENDPOINT=false
    - OIDC_ISSUER_DISCOVER=true
    - OIDC_USER_TO_GROUPS=true
    - OIDC_GROUPS_CLAIM=resource_access.bookstack.roles
    - OIDC_REMOVE_FROM_GROUPS=true

The groups claim is right and I checked that the role appears in the token. In fact, the groups work if I assign them to the user, the problem is that the "Editor" group is always assigned no matter what group I give to the users through Keycloak.

For example, if I give a user the "Admin" group, they show up as "Admin" and "Editor", if they are given the "Viewer" group, they will show up as "Viewer" and "Editor", despite the "Editor" role not being assigned and not being in the token. If I try to remove the "Editor" role from the Bookstack UI, it will reappear as soon as the user logs in again.

Steps to Reproduce

1. Assign role to a user in Keycloak
2. Login to BookStack
3. The "Editor" group is assigned to the user in addition to the one assigned in Keycloak

Expected Behaviour

The group assigned should be only the one assigned by Keycloak

Screenshots or Additional Context

No response

Browser Details

No response

Exact BookStack Version

v23.12

[ssddanbrown]

Hi @federicochiesa,

Since you have the OIDC_REMOVE_FROM_GROUPS=true setting set, the "Default Registration Role" role in the registration settings will be also assigned to the user. Is this currently set to the editor role?

[federicochiesa]

Ok, that was indeed set to editor. Since registration was disabled I thought I wouldn't need to set that option to None.