Description
Attempted Debugging
- I have read the debugging page
Searched GitHub Issues
- I have searched GitHub for the issue.
Describe the Scenario
Hi there,
I'm not sure whether this should be a support request, a bug, or a feature request. I went with my best judgement and selected a support request - apologies if it's the wrong one.
We have a BookStack v24.02 instance with Entra ID/Azure AD authentication via OIDC and Group Sync enabled which is working well; however, when a user is in a lot of groups, Entra ID will send a 'groups overage claim' so the original token size doesn't exceed HTTP header size limits. It appears that BookStack doesn't know how to handle this and therefore doesn't pull the group membership through for the user.
This behaviour is documented at the bottom of this table: https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference#payload-claims, and here: https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference#groups-overage-claim
As an example, this is what we see with OIDC_DUMP_USER_DETAILS=true for a working user (all GUIDs, secrets, etc. have been replaced):
```json
{
  "aud": "4a62be64-3fc8-47b0-b85e-ad03ded848bc",
  "iss": "https://login.microsoftonline.com/61d1546f-3fd1-427d-9348-74846252706a/v2.0",
  "iat": 1709818789,
  "nbf": 1709818789,
  "exp": 1709822012,
  "email": "jane.doe@domain.com",
  "groups": [
    "f01bd248-79e4-4d5c-adc2-f703adab9a8a",
    "3fc3c463-cf9c-47d7-a2ee-0e86dae00ab8",
    "e69e1171-e2ef-4752-af9c-46882a0c82c9",
    "7fade49e-c072-4986-a9c0-6800ac12768e"
  ],
  "name": "Jane Doe",
  "oid": "835a59a6-18a8-4cdf-9ab0-e497b334495c",
  "preferred_username": "jdoe2@domain.com",
  "rh": "0.1y4qRc6H8ipUIN_vdg3FIbVWT4mhcBjnistNCO2RrU5wDGaJKPH.",
  "sub": "pvUyn6XK5TcF_4g3jEQHGx9hDwtskzilWBdMSmAL2b7",
  "tid": "61d1546f-3fd1-427d-9348-74846252706a",
  "uti": "4RQkWgbnNi05m8vhc2K73d",
  "ver": "2.0"
}
```
And for a user in a lot of groups:
```json
{
  "aud": "4a62be64-3fc8-47b0-b85e-ad03ded848bc",
  "iss": "https://login.microsoftonline.com/61d1546f-3fd1-427d-9348-74846252706a/v2.0",
  "iat": 1709818123,
  "nbf": 1709818123,
  "exp": 1709822456,
  "_claim_names": {
    "groups": "src1"
  },
  "_claim_sources": {
    "src1": {
      "endpoint": "https://graph.windows.net/61d1546f-3fd1-427d-9348-74846252706a/users/cd679ee7-b975-4824-b0c6-2600f0f8bb9b/getMemberObjects"
    }
  },
  "email": "john.doe@domain.com",
  "name": "John Doe",
  "oid": "cd679ee7-b975-4824-b0c6-2600f0f8bb9b",
  "preferred_username": "jdoe1@domain.com",
  "rh": "0.1y4qRc6H8ipUIN_r7LWGbhOxVXAsfKETZmQzejJlFvt0wnCoWdk.",
  "sub": "p13BdumI_y2qKZ4wjbS9UgGtN8kCOTLFa7WcsWPfJox",
  "tid": "61d1546f-3fd1-427d-9348-74846252706a",
  "uti": "QKWR_PTnF3md2DqoO4S5Vs",
  "ver": "2.0"
}
```
Is this something that's configurable, or is this a bug and/or a feature request?
Thanks for taking the time to look at my query, and for any advice given.
Exact BookStack Version
v24.02
Log Content
No response
Hosting Environment
Distro: Oracle Linux 9.3
PHP: 8.3.3
MySQL: 8.0.32
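The two token dumps above show the shape of the overage case: the `groups` claim disappears and is replaced by `_claim_names` (which claim was moved out) and `_claim_sources` (where to fetch it). The following is an added illustration, not BookStack's own code, of how a group-sync consumer can tell the three cases apart (inline groups, overage, no group data) and why the overage case should fail closed rather than be read as "user has no groups", since silently treating it as an empty list would strip roles from precisely the users who are in the most groups. It assumes the ID token has already been signature-verified, and `fetch_member_objects` is a hypothetical callable injected so the example runs offline; the sample payloads and `TRUSTED_GRAPH_HOSTS` allowlist are constructed for the example.

```python
"""Detect and resolve an Entra ID 'groups overage claim' in an ID token payload.

Added example, not BookStack's code. Assumes the token payload was already
signature-verified by the OIDC library before it reaches these functions.
"""
from typing import Callable, Iterable, Optional
from urllib.parse import urlparse

# Hosts an overage endpoint may point at before we are willing to call it
# (assumption for this example; graph.windows.net matches the issue's dump).
TRUSTED_GRAPH_HOSTS = {"graph.windows.net", "graph.microsoft.com"}


def groups_claim_state(claims: dict):
    """Classify how a verified ID token payload carries group membership.

    Returns (state, groups, endpoint) where state is one of:
      "inline"  - 'groups' is present; groups holds its values
      "overage" - the IdP moved 'groups' out of the token; endpoint is the
                  URL named in _claim_sources for the _claim_names entry
      "absent"  - the token carries no group information at all
    """
    if "groups" in claims:
        return "inline", list(claims["groups"]), None
    source_key = (claims.get("_claim_names") or {}).get("groups")
    if source_key is not None:
        source = (claims.get("_claim_sources") or {}).get(source_key) or {}
        endpoint = source.get("endpoint")
        if endpoint:
            return "overage", None, endpoint
    return "absent", [], None


def resolve_groups(claims: dict,
                   fetch_member_objects: Callable[[str], Optional[Iterable[str]]],
                   trusted_hosts=TRUSTED_GRAPH_HOSTS) -> list:
    """Return the user's group ids, resolving an overage claim via the fetcher.

    Raises ValueError instead of returning [] when the overage endpoint cannot
    be used, so a failed lookup is never mistaken for 'member of no groups'.
    """
    state, groups, endpoint = groups_claim_state(claims)
    if state == "inline":
        return groups
    if state == "absent":
        return []
    parsed = urlparse(endpoint)
    if parsed.scheme != "https" or parsed.hostname not in trusted_hosts:
        raise ValueError(f"refusing to resolve groups from endpoint {endpoint!r}")
    fetched = fetch_member_objects(endpoint)
    if fetched is None:
        raise ValueError("group lookup failed; not treating the user as having no groups")
    return list(fetched)


# Constructed sample payloads modelled on the two dumps in the issue (placeholder ids).
INLINE_TOKEN = {
    "aud": "APP-ID-PLACEHOLDER",
    "oid": "user-1",
    "groups": ["group-a", "group-b"],
}
OVERAGE_TOKEN = {
    "aud": "APP-ID-PLACEHOLDER",
    "oid": "user-2",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {
        "src1": {"endpoint": "https://graph.windows.net/TENANT-ID/users/USER-ID/getMemberObjects"}
    },
}


def fake_fetch(endpoint: str):
    """Stand-in for the Graph call (constructed data); a real implementation
    would call the endpoint with the user's access token and return the ids."""
    return ["group-a", "group-c", "group-d"]


if __name__ == "__main__":
    for label, token in (("inline", INLINE_TOKEN), ("overage", OVERAGE_TOKEN)):
        print(label, groups_claim_state(token)[0], resolve_groups(token, fake_fetch))
```

The host allowlist is a belt-and-braces check: the endpoint comes from a signed token, but validating the signature is the OIDC library's job, and a consumer that later grows a less strict code path should still not make outbound requests to arbitrary URLs found in a claim.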