H2CK / oidc

OpenID Connect App for Nextcloud
GNU Affero General Public License v3.0

Issuer mismatch / redirection #482

Closed MarioOsswald closed 3 weeks ago

MarioOsswald commented 4 weeks ago

Yesterday I tried the available NextCloud OIDC app from https://github.com/H2CK/oidc. The purpose of this app is to use NC as the identity provider for the BookStack wiki solution. I came close to getting this working, but could not solve an issue with the issuer definition; in particular, I guess, it's a rewrite problem or something related to it. I've also posted this on the BS GitHub section, but the claim over there is that they stick strictly to the OIDC specs, which do not mention allowing redirects for autodiscovery.

The details are: I specified OIDC_ISSUER=https://mynextclouddomain.tld in the BS .env file. When I try a browser request to "https://mynextclouddomain.tld/.well-known/openid-configuration", the NC nginx correctly redirects to "https://mynextclouddomain.tld/index.php/.well-known/openid-configuration" and displays all the desired details, among them, on the first line, 'issuer: "https://mynextclouddomain.tld/"'. The problem is that BS doesn't get the results from the redirected URL. Instead, I receive the error "OIDC Discovery Error: Error discovering provider settings from issuer at URL https://mynextclouddomain.tld/.well-known/openid-configuration". The request from BS is not redirected the way the browser request was.

My approach was to change the .env variable to OIDC_ISSUER=https://mynextclouddomain.tld/index.php. This solves the discovery problem, but then leads to an error message like "OIDC Discovery Error: Unexpected issuer value found on discovery response". There is then an obvious mismatch, since on BS's side the issuer variable includes the index.php (OIDC_ISSUER=https://mynextclouddomain.tld/index.php), while the discovery response delivers only 'issuer: "https://mynextclouddomain.tld/"'.

A "curl https://mynextclouddomain.tld/.well-known/openid-configuration" delivers

```html
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
```

while a "curl -L https://mynextclouddomain.tld/.well-known/openid-configuration" or "curl https://mynextclouddomain.tld/index.php/.well-known/openid-configuration" delivers the desired results.

I'm not experienced enough with NC or nginx redirect / rewrite features. Since the browser redirects correctly (without any required change from my side), I thought that was enough. I tried a few configurations, with no success. But probably someone more experienced has an immediate idea of what to do, so that BS receives the auto-discovery results from the correct redirected URL.

H2CK commented 4 weeks ago

It seems that BookStack does not support a redirect response for the discovery endpoint (.well-known/openid-configuration). With Nextcloud it is not possible to provide this endpoint without a configured redirect in your web server.

But as I have seen in the BookStack documentation, it is also possible to configure the OIDC client without using the discovery functionality. For this you can set OIDC_ISSUER_DISCOVER=false. In this case you have to set the following attributes manually:

# Path to identity provider token signing public RSA key
OIDC_PUBLIC_KEY=file:///keys/idp-public-key.pem

# Full URL to the OIDC authorize endpoint
OIDC_AUTH_ENDPOINT=https://mynextclouddomain.tld/index.php/apps/oidc/authorize

# Full URL to the OIDC token endpoint
OIDC_TOKEN_ENDPOINT=https://mynextclouddomain.tld/index.php/apps/oidc/token

# Full URL to the OIDC userinfo endpoint
# Won't be used if all required claims are provided in the ID token.
OIDC_USERINFO_ENDPOINT=https://mynextclouddomain.tld/index.php/apps/oidc/userinfo

The public key can be found in the administration section.

As an alternative you could raise a feature request at BookStack to also support redirects for the discovery endpoint. For security reasons this could be limited to redirects to the same hostname.
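The two failure modes in this thread (a discovery client that will not follow the nginx 301, and an issuer configured with index.php that no longer matches the issuer value in the discovery document), together with the same-hostname restriction suggested above for a redirect-following client, as an added Python example. This is not BookStack's or the H2CK/oidc app's code. The HTTP responses are constructed stand-ins for the nginx and Nextcloud behaviour described in the thread; the hosts idp.example and attacker.example, the fake_fetch function, the DiscoveryError class and the try_discovery wrapper are this example's own.

```python
"""Added example (not BookStack's or the H2CK/oidc app's code): OIDC discovery
with same-host-only redirect following and the issuer-match check.

All HTTP traffic is simulated by fake_fetch over the constructed responses
below, so the script runs offline; swap in a real client to use it."""
import json
from urllib.parse import urljoin, urlsplit


class DiscoveryError(Exception):
    """Raised when discovery fails or the response cannot be trusted."""


# Constructed responses modelled on the thread: nginx answers the bare
# /.well-known path with a 301 to the index.php path, which serves the JSON.
# The idp.example / attacker.example entries are invented to show a redirect
# that leaves the issuer's host; the endpoint paths are those named in the thread.
NC = "https://mynextclouddomain.tld"
NC_DOCUMENT = {
    "issuer": NC + "/",  # trailing slash, as the thread reports
    "authorization_endpoint": NC + "/index.php/apps/oidc/authorize",
    "token_endpoint": NC + "/index.php/apps/oidc/token",
    "userinfo_endpoint": NC + "/index.php/apps/oidc/userinfo",
}
FAKE_RESPONSES = {
    NC + "/.well-known/openid-configuration": (
        301, {"Location": NC + "/index.php/.well-known/openid-configuration"}, b""),
    NC + "/index.php/.well-known/openid-configuration": (
        200, {"Content-Type": "application/json"}, json.dumps(NC_DOCUMENT).encode()),
    "https://idp.example/.well-known/openid-configuration": (
        301, {"Location": "https://attacker.example/.well-known/openid-configuration"}, b""),
}


def fake_fetch(url):
    """Stand-in for an HTTP GET that does NOT follow redirects by itself.
    Returns (status, headers, body); unknown URLs get a 404."""
    return FAKE_RESPONSES.get(url, (404, {}, b""))


def discovery_url(issuer):
    """Issuer + '/.well-known/openid-configuration' (OIDC Discovery 4.1)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def fetch_discovery(issuer, fetch=fake_fetch, max_redirects=3):
    """Fetch the provider configuration for `issuer`.

    Redirects are followed only while they stay on https and on the issuer's
    own host, which is the restriction proposed in the thread. The returned
    document must name the configured issuer and the endpoints the client
    relies on; otherwise DiscoveryError is raised.
    """
    issuer_host = urlsplit(issuer).netloc.lower()
    url = discovery_url(issuer)
    for _ in range(max_redirects + 1):
        status, headers, body = fetch(url)
        if status in (301, 302, 307, 308):
            target = urljoin(url, headers.get("Location", ""))
            parts = urlsplit(target)
            if parts.scheme != "https" or parts.netloc.lower() != issuer_host:
                raise DiscoveryError(f"refusing redirect off the issuer host: {target}")
            url = target
            continue
        if status != 200:
            raise DiscoveryError(f"HTTP {status} from {url}")
        break
    else:
        raise DiscoveryError("too many redirects")

    config = json.loads(body.decode())
    # OIDC Discovery 4.3: the issuer in the document must be the issuer that
    # was configured; anything else may be a document served for some other
    # identity. Tolerating one trailing slash is this example's choice; a
    # byte-for-byte comparison is the strict reading of the spec.
    found = str(config.get("issuer", ""))
    if found.rstrip("/") != issuer.rstrip("/"):
        raise DiscoveryError(
            f"Unexpected issuer value found on discovery response: {found!r}")
    for key in ("authorization_endpoint", "token_endpoint"):
        if key not in config:
            raise DiscoveryError(f"discovery document lacks {key}")
    return config


def try_discovery(issuer, fetch=fake_fetch):
    """Convenience wrapper: (True, config) on success, (False, message) otherwise."""
    try:
        return True, fetch_discovery(issuer, fetch)
    except DiscoveryError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for candidate in (NC, NC + "/index.php", "https://idp.example"):
        ok, result = try_discovery(candidate)
        print(candidate, "->", "OK " + result["token_endpoint"] if ok else "FAILED: " + result)
```

Run as a script, the first issuer succeeds through the same-host 301, the index.php issuer reproduces the "Unexpected issuer value" error from the thread, and the idp.example issuer is refused because its redirect leaves the issuer's host. The issuer-match check is the one that matters: without it a redirect (or a misconfigured proxy) could hand the client a discovery document whose endpoints belong to a different identity provider.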

MarioOsswald commented 4 weeks ago

Problem solved, have NC working as ID provider for BS (with OIDC_ISSUER_DISCOVER=false).

The key file needs an absolute path, so after I created a "keys" folder and the idp-public-key.pem file with the plain-text key from NC (administration > security > OpenID Connect-Clients) in that folder, the path in my case was OIDC_PUBLIC_KEY=file:///var/www/bookstack/keys/idp-public-key.pem

Thanks a lot for your support!