BookStackApp / BookStack

A platform to create documentation/wiki content built with PHP & Laravel
https://www.bookstackapp.com/
MIT License

OIDC Group Sync doesn't work #5300

Closed heindrickdumdum0217 closed 3 weeks ago

heindrickdumdum0217 commented 3 weeks ago

Describe the Bug

I implemented a custom OIDC provider and log in to BookStack with it. Login works, but group/role sync doesn't work.

Steps to Reproduce

  1. Go to BookStack home page
  2. Try to login with SSO
  3. Login works, but group/role sync doesn't work

Expected Behaviour

Here are my environment variables.

PUID      = 1000
PGID      = 1000
TZ        = "Etc/UTC"
APP_DEBUG = true
APP_URL   = "https://${var.app_name}.${var.dns_zone}"

# https://www.bookstackapp.com/docs/admin/oidc-auth/
AUTH_METHOD               = "oidc"
OIDC_NAME                 = "Alinea"
OIDC_CLIENT_ID = "***"
OIDC_CLIENT_SECRET = "***"
OIDC_DISPLAY_NAME_CLAIMS  = "name"
OIDC_END_SESSION_ENDPOINT = true
OIDC_ISSUER               = "***"
OIDC_ISSUER_DISCOVER      = true
OIDC_DUMP_USER_DETAILS    = false

# https://www.bookstackapp.com/docs/admin/oidc-auth/#group-sync
OIDC_USER_TO_GROUPS     = true
OIDC_GROUPS_CLAIMS      = "roles.bookstack"
OIDC_ADDITIONAL_SCOPES  = "roles"
OIDC_REMOVE_FROM_GROUPS = true

Here is the ID token payload (Screenshot_1: screenshot of the token payload, image not reproduced here).

I expected my user would have the admin role in BookStack, but it even removed the admin role which was added manually in the database. I set OIDC_DUMP_USER_DETAILS=true and confirmed the user information contains roles.

Screenshots or Additional Context

No response

Browser Details

Chrome on Windows 11, Ubuntu 22.04

Exact BookStack Version

v24.10-ls171

ssddanbrown commented 3 weeks ago

Hi @heindrickdumdum0217,

> I set OIDC_DUMP_USER_DETAILS=true, and confirmed user information contains roles

heindrickdumdum0217 commented 3 weeks ago

@ssddanbrown Thanks for your reply.

I tried various ways.

  1. I removed the nested structure and returned the roles claim directly, and updated OIDC_GROUPS_CLAIMS="roles":

        {
          "roles": ["Admin"]
        }

     It still doesn't work.

  2. I updated the OIDC provider to return the original roles used in the provider and tried to map those roles to BookStack roles using external_auth_id in the role table; that also doesn't work.

ssddanbrown commented 3 weeks ago

@heindrickdumdum0217 Can you run the below command against your running/active BookStack instance (ran from the root of the instance install folder):

php artisan tinker --execute="dd(config('oidc.groups_claim'))"

Then share the output.

heindrickdumdum0217 commented 3 weeks ago

@ssddanbrown

Aha, it's strange. Here is the output.

"groups" // vendor/psy/psysh/src/ExecutionClosure.php(40) : eval()'d code:1

But if I check environment variable (I'm setting environment variables instead of .env file)

echo $OIDC_GROUPS_CLAIMS
roles

It's strange. I manage all other BookStack configuration using environment variables and they seem to work. When I change an environment variable and restart the instance, for example AUTH_METHOD from standard to oidc or vice versa, it works.

heindrickdumdum0217 commented 3 weeks ago

@ssddanbrown

Let me give you more concrete information. We deployed BookStack using Docker on EKS, and the BookStack pod environment variables come from a Kubernetes ConfigMap and Secret. If I change AUTH_METHOD from standard to oidc and restart the BookStack pod, the change works as expected.

ssddanbrown commented 3 weeks ago

Okay, so the env changes just weren't applied to the existing environment. Good to hear it's now working! I'll therefore close this off.

heindrickdumdum0217 commented 3 weeks ago

@ssddanbrown

No, env changes work for AUTH_METHOD, but seem not to work for OIDC_GROUP_CLAIMS. As you can see, when I check using the echo command it returns roles, but the php artisan command returns groups.

ssddanbrown commented 3 weeks ago

Oh, sorry, I misunderstood, but I see the issue: you are setting OIDC_GROUPS_CLAIMS, but the setting is non-plural: OIDC_GROUPS_CLAIM.

Change it to OIDC_GROUPS_CLAIM and see if things start working as expected.
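The root cause above is a variable name that the application never reads, so the misspelled setting is silently ignored and group sync runs with the default claim name. Because OIDC_REMOVE_FROM_GROUPS was also enabled, the effect was an authorization change (the reporter's manually granted admin role was removed) rather than an error. The following Python lint, added here as an example and not code from BookStack or anyone in this thread, catches this class of mistake before a ConfigMap is rolled out: it flags OIDC_* names that are not in a known list, suggests the nearest known name, and reports the authorization consequence when the groups claim is effectively unset. Assumptions: the known-name list contains only the variables visible in this thread plus the correct OIDC_GROUPS_CLAIM from the maintainer's reply (the real documented set is larger); the "groups" fallback is the value the `php artisan tinker` output above reported when the correct variable was absent, used here as an observation from this thread, not a documented guarantee; SAMPLE_ENV is a constructed copy of the reporter's configuration.

```python
"""Pre-deployment lint for BookStack OIDC environment variables.

Added example for this thread; it is not BookStack's code. KNOWN_OIDC_KEYS
covers only the OIDC_* variables visible in the thread, plus the correct
singular OIDC_GROUPS_CLAIM. DEFAULT_GROUPS_CLAIM is the value reported by
`php artisan tinker --execute="dd(config('oidc.groups_claim'))"` in the
thread when the correct variable was not set (assumption: it is the fallback).
"""
import difflib
import os

KNOWN_OIDC_KEYS = frozenset({
    "OIDC_NAME", "OIDC_CLIENT_ID", "OIDC_CLIENT_SECRET",
    "OIDC_DISPLAY_NAME_CLAIMS", "OIDC_END_SESSION_ENDPOINT", "OIDC_ISSUER",
    "OIDC_ISSUER_DISCOVER", "OIDC_DUMP_USER_DETAILS", "OIDC_USER_TO_GROUPS",
    "OIDC_GROUPS_CLAIM", "OIDC_ADDITIONAL_SCOPES", "OIDC_REMOVE_FROM_GROUPS",
})
DEFAULT_GROUPS_CLAIM = "groups"  # observed via tinker in the thread (assumed fallback)

# Constructed sample mirroring the reporter's ConfigMap, including the misspelling.
SAMPLE_ENV = {
    "AUTH_METHOD": "oidc",
    "OIDC_USER_TO_GROUPS": "true",
    "OIDC_GROUPS_CLAIMS": "roles",      # plural: never read by the application
    "OIDC_ADDITIONAL_SCOPES": "roles",
    "OIDC_REMOVE_FROM_GROUPS": "true",
}


def is_true(value):
    """Loose boolean parse for env strings such as "true" / "1"."""
    return str(value).strip().lower() in {"1", "true", "yes", "on"}


def unknown_oidc_vars(env, known=KNOWN_OIDC_KEYS, prefix="OIDC_"):
    """Return [(name, suggestion_or_None)] for OIDC_* names not in the known set.

    A close match (for example one extra letter) is almost certainly a typo.
    """
    findings = []
    for name in sorted(env):
        if not name.startswith(prefix) or name in known:
            continue
        close = difflib.get_close_matches(name, sorted(known), n=1, cutoff=0.8)
        findings.append((name, close[0] if close else None))
    return findings


def effective_groups_claim(env):
    """The claim name that would actually be used: only the exact key counts."""
    return env.get("OIDC_GROUPS_CLAIM", DEFAULT_GROUPS_CLAIM)


def group_sync_warnings(env):
    """Describe the authorization impact of an effectively unset groups claim."""
    warnings = []
    if not is_true(env.get("OIDC_USER_TO_GROUPS", "false")):
        return warnings
    if "OIDC_GROUPS_CLAIM" not in env:
        warnings.append(
            "group sync is enabled but OIDC_GROUPS_CLAIM is unset; the "
            f"'{DEFAULT_GROUPS_CLAIM}' claim will be used instead"
        )
        if is_true(env.get("OIDC_REMOVE_FROM_GROUPS", "false")):
            warnings.append(
                "OIDC_REMOVE_FROM_GROUPS=true with a claim the token does not "
                "carry can remove existing roles on login (the reporter's "
                "manually added admin role was removed)"
            )
    return warnings


def apply_suggestions(env):
    """Return a copy of env with confidently matched typos renamed (review before use)."""
    fixed = dict(env)
    for wrong, right in unknown_oidc_vars(env):
        if right is not None and right not in fixed:
            fixed[right] = fixed.pop(wrong)
    return fixed


if __name__ == "__main__":
    # Lint the real process environment if it carries OIDC_* vars, else the sample.
    target = dict(os.environ) if any(k.startswith("OIDC_") for k in os.environ) else SAMPLE_ENV
    for name, suggestion in unknown_oidc_vars(target):
        hint = f" (did you mean {suggestion}?)" if suggestion else ""
        print(f"unknown variable {name}{hint}")
    for line in group_sync_warnings(target):
        print("warning:", line)
    print("effective groups claim:", effective_groups_claim(target))
```

Run it in the same shell or container the application starts from (for example as an init step in the pod), so that it sees the same environment the PHP process will. The lint complements rather than replaces the `php artisan tinker` check above: the tinker command shows what the application actually resolved, while the lint catches the typo before the pod is ever restarted with it.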

heindrickdumdum0217 commented 3 weeks ago

Thank you, @ssddanbrown

Great support.