
Getting Keycloak roles to bookstack #5447

Open
ZimneJonas opened this issue Jan 26, 2025 · 3 comments
Comments

@ZimneJonas

Describe the Bug

  1. Bookstack can use keycloak to log in.
  2. [email protected] is logged in but has no roles.

```shell
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=password" -d "client_id=bookstack" -d "client_secret=<secret>" -d "[email protected]" -d "password=<pw>" "https://idm.dev.space/realms/udp-stg/protocol/openid-connect/token"
```

returns token with

```json
...
"resource_access": {
    "bookstack": {
      "roles": [
        "Admin"
      ]
    },
  "scope": "email profile",
  "sid": "ca67a776-44f1-4df9-94eb-bfccfe310ddd",
...
```

Configuring .env works as described at https://www.bookstackapp.com/docs/admin/oidc-auth/
But adding:

```
  OIDC_USER_TO_GROUPS: true,
  OIDC_GROUPS_CLAIM: resource_access.bookstack.roles,
  OIDC_ADDITIONAL_SCOPES: roles,
  OIDC_REMOVE_FROM_GROUPS: true,
```

does nothing.
It still returns no groups/roles:

```json
{"exp":1737830794,"iat":1737830494,"auth_time":1737830494,"jti":"887fbd78-a8b7-402b-91b3-529e34d9367a","iss":"https:\/\/idm.dev.space\/realms\/udp-stg","aud":"bookstack","sub":"9123ec2b-0199-478b-8367-97232df74cff","typ":"ID","azp":"bookstack","session_state":"d45784ad-1c99-4bc2-9f19-afc1aee69852","at_hash":"w3-00ytCTFzJJgzUdMnqVg","acr":"1","sid":"d45784ad-1c99-4bc2-9f19-afc1aee69852","email_verified":true,"name":"Admin Admin","preferred_username":"[email protected]","given_name":"Admin","family_name":"Admin","email":"[email protected]"}
```

Probably user error by me, but I am lost, and thankful for any help.

Steps to Reproduce

  1. Configure Keycloak login: https://www.bookstackapp.com/docs/admin/oidc-auth/
  2. Add nested roles/groups in keycloak (checked with request)
  3. Add OIDC groups to .env

Expected Behaviour

Seeing the roles given in the token, or at least an error.

Screenshots or Additional Context

```
OIDC_GROUPS_CLAIM: roles/groups
OIDC_ADDITIONAL_SCOPES: roles/groups
```

also didn't work

Browser Details

No response

Exact BookStack Version

24.10.3 & 21.12.4

@ssddanbrown
Member

Hi @ZimneJonas,

  • What output do you see with the OIDC_DUMP_USER_DETAILS=true option set for BookStack?
  • How are you setting those env options for BookStack? I don't often see that format (comma terminated lines).

@ZimneJonas
Author

ZimneJonas commented Jan 27, 2025

Thank you for the quick response,

This part from the post is the return of the OIDC_DUMP_USER_DETAILS:

```json
{"exp":1737830794,"iat":1737830494,"auth_time":1737830494,"jti":"887fbd78-a8b7-402b-91b3-529e34d9367a","iss":"https:\/\/idm.dev.space\/realms\/udp-stg","aud":"bookstack","sub":"9123ec2b-0199-478b-8367-97232df74cff","typ":"ID","azp":"bookstack","session_state":"d45784ad-1c99-4bc2-9f19-afc1aee69852","at_hash":"w3-00ytCTFzJJgzUdMnqVg","acr":"1","sid":"d45784ad-1c99-4bc2-9f19-afc1aee69852","email_verified":true,"name":"Admin Admin","preferred_username":"[email protected]","given_name":"Admin","family_name":"Admin","email":"[email protected]"}
```

Sorry for the confusing format, .env looks like this:

```shell
$ cat /config/www/.env
...
OIDC_END_SESSION_ENDPOINT=false
OIDC_ISSUER_DISCOVER=true

OIDC_DUMP_USER_DETAILS=true
OIDC_USER_TO_GROUPS=true
OIDC_ADDITIONAL_SCOPES=roles
OIDC_GROUPS_CLAIM=realm_access.roles
OIDC_REMOVE_FROM_GROUPS=true
```

It looks like that because I originally used a helm template to create it. But I tested by configuring the k8s pod. Changing other options like OIDC_DISPLAY_NAME_CLAIMS works well.

@ssddanbrown
Member

Thanks @ZimneJonas,

So ultimately Keycloak is not providing role/group data for BookStack to use.
That curl request test may not be representative, since I think there'd be scope differences compared to the actual request (where openid would be part of the scope).

I'd advise reviewing the settings on Keycloak, to ensure there are no missed settings allowing this data to be part of OIDC responses.
I can't remember Keycloak options well enough to advise what might be relevant.
There may be some clues you can pick up from this thread though: #5192
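The thread turns on whether the claim named in OIDC_GROUPS_CLAIM exists at all in the ID token BookStack receives: the OIDC_DUMP_USER_DETAILS output above has no resource_access or realm_access key, while the password-grant access token does. The following is an added example, not BookStack's or Keycloak's code: it resolves a dotted claim path against both payloads (constructed from the tokens quoted in the thread) and reports where the path stops resolving, so a missing Keycloak mapper or scope shows up as a missing key rather than as silently empty groups. It assumes BookStack's OIDC_GROUPS_CLAIM uses the same dot notation for nested claims.

```python
import json

# Constructed from the OIDC_DUMP_USER_DETAILS output posted in the issue (ID-token
# claims trimmed to the relevant keys). Note: no resource_access or realm_access key.
ID_TOKEN_CLAIMS = {
    "iss": "https://idm.dev.space/realms/udp-stg",
    "aud": "bookstack",
    "typ": "ID",
    "email_verified": True,
    "name": "Admin Admin",
}

# Constructed to mirror the shape of the password-grant access token quoted in the issue.
ACCESS_TOKEN_CLAIMS = {
    "resource_access": {"bookstack": {"roles": ["Admin"]}},
    "scope": "email profile",
}


def lookup_claim(claims: dict, path: str):
    """Resolve a dot-separated claim path such as resource_access.bookstack.roles.
    Assumption: BookStack's OIDC_GROUPS_CLAIM uses this dot notation for nesting."""
    node = claims
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def groups_from_claims(claims: dict, path: str) -> list:
    """Group/role names found at `path`; [] when the claim is absent (what BookStack saw)."""
    value = lookup_claim(claims, path)
    if isinstance(value, str):
        return [value]
    if isinstance(value, list):
        return [str(v) for v in value]
    return []


def diagnose(claims: dict, path: str) -> str:
    """Report where a dotted path stops resolving and which keys exist at that level."""
    node, walked = claims, []
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            where = ".".join(walked) or "<top level>"
            keys = sorted(node) if isinstance(node, dict) else "non-object"
            return f"claim path '{path}' stops at {where}; keys present: {keys}"
        walked.append(key)
        node = node[key]
    return f"claim path '{path}' resolves to {json.dumps(node)}"
```

Calling `diagnose(ID_TOKEN_CLAIMS, "resource_access.bookstack.roles")` lists only the identity claims Keycloak actually put in the ID token, which is the check to run before changing any BookStack setting.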
