
BookStack OIDC fails to log in with an empty groups claim #5101

Closed
Misaka-L opened this issue Jul 5, 2024 · 1 comment


Misaka-L commented Jul 5, 2024

Describe the Bug

If the roles field in the response of the OIDC system is an empty array and the user tries to log in without an existing user in BookStack, they will get this error:

[screenshot of the login error]

Steps to Reproduce

  1. Return an empty groups claim in the OIDC user response
  2. Try to log in without an existing user in BookStack
  3. An error is thrown

Expected Behaviour

User login succeeds and a new BookStack account is created with a default role if the groups claim is empty (it should be configurable by editing .env or via the web UI?).

Screenshots or Additional Context

OIDC User info dump

{
    "sub": "****",
    "name": "****",
    "picture": null,
    "updated_at": 1719400164865,
    "username": "****",
    "created_at": 1719398180979,
    "email": "****@****.com",
    "email_verified": true,
    "roles": [],
    "at_hash": "****",
    "aud": "ja7i8qdjfsn6asiwlce4o",
    "exp": 1720193283,
    "iat": 1720189683,
    "iss": "https://****/oidc"
}

.env

AUTH_METHOD=oidc

AUTH_AUTO_INITIATE=true

OIDC_NAME=****
OIDC_DISPLAY_NAME_CLAIMS=name

OIDC_CLIENT_ID=****
OIDC_CLIENT_SECRET=****

OIDC_ISSUER=https://****/oidc

OIDC_END_SESSION_ENDPOINT=true
OIDC_ISSUER_DISCOVER=true

OIDC_USER_TO_GROUPS=true
OIDC_GROUPS_CLAIM=roles
OIDC_ADDITIONAL_SCOPES=roles
OIDC_REMOVE_FROM_GROUPS=true

OIDC_DUMP_USER_DETAILS=false


Browser Details

Microsoft Edge 127.0.2651.15 Beta (64-bit) on Windows 11 24H2 (26120.961)

Exact BookStack Version

v24.05.2

@ssddanbrown ssddanbrown added this to the BookStack v24.05.3 milestone Jul 6, 2024
ssddanbrown added a commit that referenced this issue Jul 14, 2024
An empty (but validly formed) groups list provided via the OIDC ID token
would be considered a lacking detail, and therefore trigger a lookup
to the userinfo endpoint in an attempt to get that information.

This fixes this to properly distinguish between the not-provided and empty
states, to avoid userinfo where provided as valid but empty.

Includes test to cover.
For #5101
ssddanbrown (Member) commented:

Thanks for reporting @Misaka-L.
I could confirm that BookStack was not differentiating between a non-provided and an empty groups list in the OIDC ID token data, and therefore would default to calling the userinfo endpoint upon an empty group list in an attempt to gain more information.

I'm not sure why the userinfo call was failing for you though; I did double-check this against a live OIDC system to ensure the userinfo part works as expected, which it does from my test.

Otherwise, I've addressed the providing of empty groups in commit 767699a, so the userinfo won't be called if a valid empty group list is provided, and this will be part of the next patch release.
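The missing-versus-empty distinction described in the commit message and in this comment, as an added illustration that is not BookStack's own PHP code: constructed ID-token claims mirroring the report (a valid but empty "roles" array), the pre-fix check beside the post-fix one, and a dotted-path claim lookup that is an assumption of this example rather than a description of BookStack's real claim handling.

```python
"""Missing-vs-empty groups claim, the logic behind BookStack issue #5101.

Constructed example, not BookStack's code: the decision is reduced to the
single check the fix changed (should we call userinfo for more details?).
"""
from typing import Any, Optional

# Constructed ID-token claims mirroring the report: the provider sends a
# valid but empty "roles" array for a user who belongs to no groups.
ID_TOKEN_CLAIMS = {
    "sub": "user-1",
    "name": "Example User",
    "email": "user@example.com",
    "email_verified": True,
    "roles": [],
}


def lookup_claim(claims: dict, path: str) -> Optional[Any]:
    """Return the claim at a dotted path (e.g. 'a.b'), or None when absent.

    Dotted-path support is an assumption of this example. None is returned
    only when the claim is not provided; an empty list is a present value
    and is returned as-is so callers can tell the two cases apart.
    """
    node: Any = claims
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def needs_userinfo_buggy(claims: dict, groups_claim: str) -> bool:
    """Pre-fix behaviour: any falsy value (None *or* []) counts as missing,
    so a valid empty list still triggers a userinfo request."""
    return not lookup_claim(claims, groups_claim)


def needs_userinfo_fixed(claims: dict, groups_claim: str) -> bool:
    """Post-fix behaviour: only an absent claim (None) counts as missing;
    a valid empty list is accepted as the user's (empty) group membership."""
    return lookup_claim(claims, groups_claim) is None


def resolve_groups(claims: dict, groups_claim: str) -> list:
    """Group names to sync for the user; [] when the claim is absent or empty."""
    value = lookup_claim(claims, groups_claim)
    return [str(g) for g in value] if isinstance(value, list) else []
```

With OIDC_REMOVE_FROM_GROUPS=true, as in the reporter's .env, an empty list is itself a meaningful answer (the user should be in no synced groups), so falling back to userinfo on an empty claim discards a valid value rather than filling a gap.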
