OpenID authentication from BookStack

Odeeno 2025-11-22 16:49:09 UTC #1

I have a local BookStack installation with a FDN and I’m attempting to activate authentication via eGroupware’s OpenID server, using documentation guidance https://www.bookstackapp.com/docs/admin/idic-auth/#bookstack-configuration

Auto-discovery mode via <issuer>/.well-known/openid-configuration does not work and I get a timeout error.

I have therefore set the following parameters:
OIDC_ISSUER_DISCOVER=false
OIDC_PUBLIC_KEY=https://example.com/egroupware/openid/endpoint.php/jwks
OIDC_AUTH_ENDPOINT=https://example.com/egroupware/openid/endpoint.php/authorize
OIDC_TOKEN_ENDPOINT=https://example.com/egroupware/openid/endpoint.php/access_token
OIDC_USERINFO_ENDPOINT=https://example.com/egroupware/openid/endpoint.php/userinfo

BookStack activates the connection, eGroupware asks for permission to log in, but then I get an error “ID token validation failed with error: Failed to read signing key with error: Unexpected type of the key value provided”

Do you understand what append? Thank you.

Odeeno 2025-11-24 17:11:01 UTC #2

Perhaps the address of the public key is incorrect? It should be a .pem file
I have set:
OIDC_PUBLIC_KEY=https://example.com/egroupware/openid/endpoint.php/jwks

Odeeno 2025-11-24 17:37:44 UTC #3

I open the jwks egroupware/openid/endpoint.php/jwks, then convert the key with this https://www.authgear.com/tools/jwk-generator and saved as local file on server, but now the error is different:
"ID token validation failed with error: Missin or non-matching token issuer value"
Maybe this is not the problem.

RalfBecker 2025-11-24 18:06:14 UTC #4

This looks like a miss-configuration of your server.

You can try e.g. with curl or any web-browser what you get under the discovery URL, and compare it e.g. with our support-center: https://my.egroupware.org/.well-known/openid-configuration
Or the JWK-URL: https://my.egroupware.org/egw/openid/endpoint.php/jwks

Ralf

Odeeno 2025-11-24 18:36:36 UTC #5

I can reach the discovery URL, BookStack reaches the OpenID server, but in this case the egw’s login screen does not appear and I get this error:
“OICD Discovery Error: Unexpected issuer value found on discovery response”

This is the discovery response, seems ok. Maybe is a configuration of BookStack?

{
“issuer”: “https://example.com”,
“authorization_endpoint”: “https://example.com/egroupware/openid/endpoint.php/authorize”,
“token_endpoint”: “https://example.com/egroupware/openid/endpoint.php/access_token”,
“jwks_uri”: “https://example.com/egroupware/openid/endpoint.php/jwks”,
“response_types_supported”: [
“code”,
“code id_token”,
“id_token”,
“token id_token”
],
“subject_types_supported”: [
“public”,
“pairwise”
],
“id_token_signing_alg_values_supported”: [
“RS256”,
“ES256”,
“HS256”
],
“userinfo_endpoint”: “https://example.com/egroupware/openid/endpoint.php/userinfo”,
“claims_supported”: [
“sub”,
“iss”,
“name”,
“given_name”,
“family_name”,
“nickname”,
“profile”,
“picture”,
“website”,
“email”,
“email_verified”,
“locale”,
“zoneinfo”,
“roles”,
“groups”
],
“scopes_supported”: [
“openid”,
“basic”,
“email”,
“phone”,
“address”,
“profile”,
“roles”,
“videoconference”,
“groups”,
“email_aliases”
],
“response_modes_supported”: [
“query”
],
“grant_types_supported”: [
“authorization_code”,
“implicit”,
“refresh_token”,
“client_credentials”,
“password_credentials”
],
“token_endpoint_auth_methods_supported”: [
“client_secret_basic”
],
“display_values_supported”: [
“page”,
“popup”
],
“claim_types_supported”: [
“normal”
],
“service_documentation”: “https://github.com/EGroupware/openid”,
“request_uri_parameter_supported”: true,
“require_request_uri_registration”: true,
“end_session_endpoint”: “https://example.com/egroupware/logout.php”
}

Odeeno 2025-11-24 18:43:04 UTC #6

The timeout error is already resolved: was a DNS problem.

Odeeno 2025-11-27 09:26:44 UTC #7

Maybe it will be usefull for someone: I can authenticate in BookStack by the OpenID server integrated in eGroupware with this BookStack’s parameter :

OIDC_ISSUER_DISCOVER=true # activeted the autodiscovery
OIDC_ISSUER=https://example.com

and this active:
OIDC_PUBLIC_KEY=https://example.com/egroupware/openid/endpoint.php/jwks
OIDC_AUTH_ENDPOINT=https://example.com/egroupware/openid/endpoint.php/authorize
OIDC_TOKEN_ENDPOINT=https://example.com/egroupware/openid/endpoint.php/access_token
OIDC_USERINFO_ENDPOINT=https://example.com/egroupware/openid/endpoint.php/userinfo

RalfBecker 2025-12-01 09:25:41 UTC #8

That is NOT a solution but a workaround

Why would you need to enable discovery and then add all config values it should discover manually!

Either your app sends the discovery request to a different / wrong URL or some other error happens.

I would appreciate and it would probably help other users more, if you run one more diagnosis step:

remove all config, but the issuer/discovery-domain and to use discovery
tail the log of the webserver on the host and start the app (to authenticate)

The expectation would be to see a GET request against https:///.well-known/openid-configuration with a 200 HTTP status.
It you see that request, the problem must be something in the content of the discovery page Bookstack does not understand or expects and EGroupware does not supply.
If you see a .well-known request to a different url, it would be interesting which URL and ultimately obviously why Bookstack send it to that - in my understanding wrong - URL.

Ralf