[Bug]: OIDC fails with LastLogin.io/Obligator #1820

opened 2026-04-24 23:59:08 +02:00 by adam · 10 comments

Originally created by @deanishe on GitHub (Mar 17, 2024).

Describe the issue

SSO doesn't work with LastLogin.io (https://lastlogin.io/), a public instance of Obligator (https://github.com/lastlogin-io/obligator).

Login fails with the log messages:

DEBUG [Auth] OIDC redirect_uri=https://audiobookshelf.mydomain.tld/auth/openid/callback
DEBUG [Auth] openid callback userinfo= [object Object]
ERROR [Auth] No data in openid callback - Unauthorized

I've tried both lastlogin.io and my self-hosted Obligator. I also verified both of those are working correctly with the OpenID Connect Playground (https://openidconnect.net/).

Steps to reproduce the issue

  1. Configure an Obligator instance as the OIDC provider (e.g. https://lastlogin.io/.well-known/openid-configuration)
  2. Try to log in using OIDC
  3. Experience failure :(

Audiobookshelf version

v2.8.1

How are you running audiobookshelf?

Docker

adam added the bug label 2026-04-24 23:59:08 +02:00
adam closed this issue 2026-04-24 23:59:08 +02:00

@Sapd commented on GitHub (Mar 17, 2024):

I quickly tested it with Lastlogin and it works for me.

Did you use your domain as client ID, as their docs say? For example http://example.com

Otherwise, can you add a line here
https://github.com/advplyr/audiobookshelf/blob/166454ef43e3cdb42c644cdccdacddd3a880cd89/server/Auth.js#L101

      Logger.debug(`[Auth] userinfo stringified=`, JSON.stringify(userinfo, null, 2))

@Sapd commented on GitHub (Mar 29, 2024):

Another follow-up question:
How do you match users? Do you create them beforehand? If yes, can you also try with auto-register on?


@deanishe commented on GitHub (Apr 1, 2024):

> Did you use your domain as client ID, as their docs say?

Yes. Obligator immediately throws an error if the client ID is not okay. It won't redirect back to ABS in that case.

> Otherwise, can you add a line here

I'm afraid I can't. It's running on a managed server.


@Sapd commented on GitHub (Apr 1, 2024):

> I'm afraid I can't. It's running on a managed server.

Can you simply swap the Docker image with ghcr.io/advplyr/audiobookshelf:edge? It should include better error messages (and it also might directly work because of some changes).


@deanishe commented on GitHub (Apr 1, 2024):

> Can you swap the docker image

No, I'm afraid not. As I said, it's a managed server. There's an "Update" button I can hit to update the Docker image when a newer release is available, but that's basically all I can do.


@Sapd commented on GitHub (Apr 3, 2024):

> > Can you swap the docker image
>
> No, I'm afraid not. As I said, it's a managed server. There's an "Update" button I can hit to update the Docker image when a newer release is available, but that's basically all I can do.

I see, you would have to wait until the next release then, which includes the changes.


@TheJenious0917 commented on GitHub (Apr 14, 2024):

@Sapd - I am experiencing the same issue here. I'm using Microsoft Entra (Azure AD) for OIDC in my case. I switched to the edge release like you suggested.

In the logs I now see my name details returned, but I do not see email fields/claims and the user is "not found" in abs. I have abs set to match based on email, and I do not have Allow Registration enabled simply because I was trying to test out matching up this Entra account with the local one I had created. In the Entra app I added some access/ID token claims to include email and profile information as a troubleshooting step, which did not help.

Here's the log:

[2024-04-13 23:59:19.454] DEBUG: [Auth] OIDC redirect_uri=https://abs.mydomain.com/auth/openid/callback (Auth.js:450)
[2024-04-13 23:59:20.236] DEBUG: [Auth] openid callback userinfo= {
  "sub": "some guid? not sure if this is secret or not",
  "name": "My full name",
  "family_name": "MyLastName",
  "given_name": "MyFirstName",
  "picture": "https://graph.microsoft.com/v1.0/me/photo/$value"
} (Auth.js:102)
[2024-04-13 23:59:20.242] WARN: [Auth] openid: User not found and no email in userinfo (Auth.js:163)
[2024-04-13 23:59:20.243] ERROR: [Auth] openid callback error: User not active or not found
Error: User not active or not found
    at OpenIDConnectStrategy._verify (/server/Auth.js:115:17) (Auth.js:126)
[2024-04-13 23:59:20.244] ERROR: "[Auth] No data in openid callback - Unauthorized" (Auth.js:563)

Let me know if you need any additional server config info or logs or anything. Was happy to see you guys have SSO support added! Though once we get this issue figured out, I'd love to see if you have any documentation on configuring oidc via environment variables in my compose file...


@TheJenious0917 commented on GitHub (Apr 14, 2024):

Oh, I should add -

I set user matching to "Do not match" and then enabled user registration, and my user account was created. Email address or username from the provider are not included in the created user details in ABS that I can tell. Here are the logs for that event.

[2024-04-14 00:12:23.372] DEBUG: [Auth] OIDC redirect_uri=https://abs.mydomain.com/auth/openid/callback (Auth.js:450)
[2024-04-14 00:12:24.629] DEBUG: [Auth] openid callback userinfo= {
  "sub": "that same string again",
  "name": "My full name",
  "family_name": "MyLastName",
  "given_name": "MyFirstName",
  "picture": "https://graph.microsoft.com/v1.0/me/photo/$value"
} (Auth.js:102)
[2024-04-14 00:12:24.633] INFO: [Auth] openid: Auto-registering user with sub "that same string again" {
  sub: 'that same string again',
  name: 'My full name',
  family_name: 'MyLastName',
  given_name: 'MyFirstName',
  picture: 'https://graph.microsoft.com/v1.0/me/photo/$value'
}
[2024-04-14 00:12:24.649] DEBUG: [ApiCacheManager] user.afterCreate: Clearing cache (ApiCacheManager.js:21)

@TheJenious0917 commented on GitHub (Apr 14, 2024):

Uh, sorry. Another update. I figured out that even though my email address is part of my Microsoft account, the actual identity property of "email" in my contact info was blank and was therefore sending nothing back in the claim. As soon as I filled that in, in my Entra user contact info, it worked with user match based on email. So this is solved for me now.
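The log lines in this thread ("User not found and no email in userinfo", "Auto-registering user with sub ...") describe one decision: match the userinfo claims against a local account, or register a new one if the admin allowed it. The following is an added example that models that decision; it is not audiobookshelf's Auth.js, and the setting names, user fields, `requireVerifiedEmail` flag and the Entra-style sample userinfo (with a placeholder `sub`) are constructed.

```javascript
// Added example, not audiobookshelf's Auth.js: models the match-or-register
// decision the thread's log lines show. Setting names and user fields are assumed.
const MATCH = { EMAIL: 'email', USERNAME: 'username', NONE: 'none' }

// Constructed from the Entra userinfo in the thread: profile claims, but no email.
const ENTRA_USERINFO = {
  sub: 'PLACEHOLDER-SUB', // constructed; the real value is the provider's opaque id
  name: 'My full name',
  family_name: 'MyLastName',
  given_name: 'MyFirstName',
  picture: 'https://graph.microsoft.com/v1.0/me/photo/$value'
}

// Constructed local accounts; openIdSub records a sub already linked on a prior login.
const LOCAL_USERS = [{ username: 'jen', email: 'Jen@Example.com', openIdSub: null, isActive: true }]

function resolveOpenIdUser(userinfo, settings, users) {
  // sub is the only claim OIDC requires; an account already linked to it wins outright
  const linked = users.find((u) => u.openIdSub === userinfo.sub)
  if (linked) {
    return linked.isActive ? { action: 'login', user: linked.username } : { action: 'reject', reason: 'User not active or not found' }
  }

  if (settings.matchBy === MATCH.EMAIL) {
    // the Entra case in the thread: no email claim, so matching by email cannot succeed
    if (!userinfo.email) return { action: 'reject', reason: 'User not found and no email in userinfo' }
    // optional hardening (assumed flag): only trust an email the provider asserts as verified
    if (settings.requireVerifiedEmail && userinfo.email_verified !== true) {
      return { action: 'reject', reason: 'Email claim not verified by provider' }
    }
    const byEmail = users.find((u) => u.email && u.email.toLowerCase() === userinfo.email.toLowerCase())
    if (byEmail) return { action: 'match', user: byEmail.username }
  } else if (settings.matchBy === MATCH.USERNAME) {
    if (!userinfo.preferred_username) return { action: 'reject', reason: 'User not found and no username in userinfo' }
    const byName = users.find((u) => u.username === userinfo.preferred_username)
    if (byName) return { action: 'match', user: byName.username }
  }

  // nothing matched (or matching is off): create an account only if the admin allowed it
  if (settings.autoRegister) {
    return { action: 'register', user: userinfo.preferred_username || userinfo.email || userinfo.sub }
  }
  return { action: 'reject', reason: 'User not active or not found' }
}

// The three situations from the thread: email match with no email claim, "Do not match"
// plus registration, and email match once the provider actually sends the claim.
console.log(resolveOpenIdUser(ENTRA_USERINFO, { matchBy: MATCH.EMAIL, autoRegister: false }, LOCAL_USERS))
console.log(resolveOpenIdUser(ENTRA_USERINFO, { matchBy: MATCH.NONE, autoRegister: true }, LOCAL_USERS))
console.log(resolveOpenIdUser({ ...ENTRA_USERINFO, email: 'jen@example.com' }, { matchBy: MATCH.EMAIL, autoRegister: false }, LOCAL_USERS))
```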


@Sapd commented on GitHub (Apr 22, 2024):

@deanishe You can try again with the latest version.

Reference: starred/audiobookshelf#1820