Describe the feature you'd like
The users from Identity Server could log in using OAuth.
IdentityServer is a little different from the other providers we are currently using, since it is not a hosted service.
Is there an app which includes IdentityServer and is easy to set up/build and we can use for testing?
I also would like to use my Keycloak as an IdP for Bookstack.
Keycloak is easy to set up with Docker & Docker Compose.
IdentityServer looks like a pure OpenID server - Keycloak also supports OpenID and OAuth2 (which is a subset of OpenID).
Maybe Generic Oauth2 Login would be a good start.
Generic Oauth2 Login +1
2nd that. A generic OAuth Provider would be very helpful in integrating BookStack with Keycloak or Nextcloud.
3rd that.
While I'm using Keycloak with LDAP, I'd rather switch it to OAuth, which I use with almost every other service.
As BookStack uses Laravel Socialite for managing OAuth and OAuth providers, I think the best solution is to check there https://github.com/SocialiteProviders/Providers if the provider exists and add it if wanted (seems a few lines if the OAuth API is known), then it can be easily added to BookStack.
Keycloak is not in the official repo, but I found this one:
https://github.com/avdevs/keycloak
I haven't tested it though.
Just as a note to the above, I am becoming more strict about what OAuth providers are added to BookStack & instead looking to support more generic protocols instead. Have recently had a dig into SAML & OpenID but found it difficult to fully understand the core processes used by most systems in addition to the variance that would need to be supported.
For me too: we use Keycloak with OAuth on every system.
It would be great if this feature were available. +1
I implemented an MVP for SAML support in #1576
I've updated the title to make this less about "Identity Server" and more about adding generic OIDC/OAuth support since that has wider benefits and is more likely something I'd look to implement.
+1
We use Keycloak and would like to be able to use it here.
Also use Keycloak, and would very much appreciate support here.
Keycloak should be usable via the SAML2 client available with 0.28.0!
I can confirm that it's possible to use Keycloak via the SAML integration, we have that set up for our BookStack instance.
@Xiphoseer could you please share your configuration settings, both on the Keycloak and BookStack side? That would be really helpful, currently working on setting this up!
@col-panic I'm not on the team that set this up, but I have sent a link to your question to someone who is.
Thanks a lot @Xiphoseer - I've already come quite far. It seems however, that migrating away from LDAP my existing users won't be accepted. I can log in, but it simply throws me back to the login page ...
@col-panic that sounds like the key (external auth id) that Bookstack uses to match users is set to a different field.
You could check whether one of them uses a numeric UID while the other had a username and change the SAML config to match the LDAP one. As long as Keycloak exposes the attribute, you can set which one to use in the BookStack config iirc.
Here is the configuration I used to enable Keycloak SAML with BookStack:
AUTH_METHOD: saml2
SAML2_NAME: keycloak
SAML2_EMAIL_ATTRIBUTE: urn:oid:1.2.840.113549.1.9.1
SAML2_EXTERNAL_ID_ATTRIBUTE: sub # not sure if this correct, keycloak may be overriding with force name id format set to ON
SAML2_DISPLAY_NAME_ATTRIBUTES: urn:oid:2.5.4.42|urn:oid:2.5.4.4
SAML2_IDP_ENTITYID: <keycloak host>/auth/realms/<keycloak realm>/protocol/saml/descriptor
SAML2_AUTOLOAD_METADATA: true
I found the attribute ids by using SAML2_DUMP_USER_DETAILS=true in the env in case you would like to verify your settings are correct.
As for my Keycloak client, here is my configuration (I'm new to SAML clients so there may be options that are not required as I'm basing the configuration off of several guides):
* client id: <bookstack_app_url>/saml2/metadata
* Include AuthnStatement: on
* include OneTimeUse condition: off
* sign documents: on
* optimize redirect signing key lookup: off
* sign assertions: on
* signature algorithm: RSA_SHA256
* saml signature key name: CERT_SUBJECT
* canonicalization method: EXCLUSIVE
* encrypt assertions: off
* client signature required: off
* force post binding: off
* front channel logout: off
* force name id format: on
* name id format: username
* root url: <app_url>/saml2/acs
* valid redirect url: <app_url>/saml2/acs
* base url: empty
* master saml processing url: empty
* idp initiated sso url name: bookstack
* idp initiated sso relay state: <app_url>/saml2/acs
fine grain saml endpoint configuration
* assertion consumer service post binding url: empty
* assertion consumer service redirect binding url: <app_url>/saml2/acs
* logout service post binding url: empty
* logout service redirect binding url: empty
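The attribute mapping in the configuration above, and the "thrown back to the login page" symptom discussed earlier in the thread, can be checked offline. The following is an added example written for this thread, not BookStack's own code: it parses a constructed SAML assertion with the attribute names (`urn:oid:...`) from the posted configuration, applies the `SAML2_EMAIL_ATTRIBUTE`, `SAML2_EXTERNAL_ID_ATTRIBUTE` and `|`-separated `SAML2_DISPLAY_NAME_ATTRIBUTES` settings the way the thread describes them, and then compares the resulting external id against a stored user record whose external id came from LDAP. The fallback to the SAML `NameID` when the configured external-id attribute is absent, and the `users` records, are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real Keycloak); the
# attribute names are the OIDs from the configuration posted above.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.2.840.113549.1.9.1">
      <saml:AttributeValue>jdoe@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Mirrors the env keys from the thread; the values are the ones posted there.
CONFIG = {
    "SAML2_EMAIL_ATTRIBUTE": "urn:oid:1.2.840.113549.1.9.1",
    "SAML2_EXTERNAL_ID_ATTRIBUTE": "sub",
    "SAML2_DISPLAY_NAME_ATTRIBUTES": "urn:oid:2.5.4.42|urn:oid:2.5.4.4",
}

# Constructed user table: the external id was set by the earlier LDAP
# integration to a numeric uid, as one reply in the thread suspects.
EXISTING_USERS = [
    {"email": "jdoe@example.org", "external_id": "10042"},
]


def parse_assertion(xml_text):
    """Return (NameID, {attribute name: [values]}) from an assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return name_id, attrs


def map_user(config, name_id, attrs):
    """Apply the thread's attribute settings to the parsed assertion."""
    email = attrs.get(config["SAML2_EMAIL_ATTRIBUTE"], [None])[0]
    # Assumption for this example: if the configured external-id attribute
    # is not in the assertion, fall back to the NameID (the thread notes that
    # Keycloak's "force name id format" may be what actually supplies it).
    external_id = attrs.get(config["SAML2_EXTERNAL_ID_ATTRIBUTE"], [None])[0] or name_id
    # Display name attributes are '|'-separated and joined in order.
    parts = config["SAML2_DISPLAY_NAME_ATTRIBUTES"].split("|")
    display_name = " ".join(attrs.get(a, [""])[0] for a in parts).strip()
    return {"email": email, "external_id": external_id, "display_name": display_name}


def diagnose_login(users, profile):
    """Explain why a SAML login would or would not match a stored user.

    Returns 'ok' when the external id matches, 'external_id_mismatch' when the
    e-mail is known but the stored external id differs (the LDAP-to-SAML
    migration problem discussed above), or 'unknown_user' otherwise.
    """
    for user in users:
        if user["external_id"] == profile["external_id"]:
            return "ok"
    for user in users:
        if user["email"] == profile["email"]:
            return "external_id_mismatch"
    return "unknown_user"


if __name__ == "__main__":
    profile = map_user(CONFIG, *parse_assertion(SAMPLE_ASSERTION))
    print(profile)
    print(diagnose_login(EXISTING_USERS, profile))
```

Running this on the constructed assertion yields the external id `jdoe` (from the NameID, since no `sub` attribute was sent) against a stored `10042`, which is exactly the situation where a login succeeds at the IdP but no local account is matched. Turning on `SAML2_DUMP_USER_DETAILS=true`, as suggested above, shows the real attribute names and values so the same comparison can be made against a live response.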
@hugocortes @Xiphoseer thank you very much guys!!!
My inclusion of the client configuration can be seen here https://github.com/elexis/elexis-environment/blob/master/docker/ee-util/assets/stage_ee_start_setup/keycloak/bookstack-saml.json with the clientId set as shown above!
+1 for generic oauth here - we host our own oauth and would like to use it for bookstack.