[Bug]: OIDC via Keycloak not working #2525

Closed
opened 2026-04-25 00:08:02 +02:00 by adam · 5 comments

Originally created by @blknight88 on GitHub (Jan 26, 2025).

What happened?

I tried to set up OIDC with Keycloak and I cannot get it to work.

Following the provided guide, I added my Issuer URL and auto populated the values in Audiobookshelf in the Authentication section and provided the Client ID/Secret from Keycloak.

In Keycloak I set it to use a Confidential client access type and set the Redirect urls as described in the documentation.

https://www.audiobookshelf.org/guides/oidc_authentication

However, when I try to log in I get "Error in callback", and looking at the logs section in Audiobookshelf, I see the following error:

[Auth] Error in openid callback - SyntaxError: Unexpected token 'e', \"eyJhbGciOi\"... is not valid JSON

Looking at the "Configuring your OIDC provider" of the guide, the only area that looks to be an issue is, "UserInfo Signing Algorithm: Must be set to none/unsigned" as I am running Keycloak 26.0.8 and there is no option to set this to "none."

I already tried asking for help in Discord and after months of no responses I figured I would try here.

I also tried ChatGPT's suggestions to get around the "UserInfo Signing Algorithm: Must be set to none/unsigned" by setting Mappers on this client in Keycloak; however, that gives me a new error:

"[Auth] No data in openid callback - OPError: unknown_error (For more on this error consult the server log.)"

What did you expect to happen?

I expected the login to work via Keycloak.

Steps to reproduce the issue

  1. Use the latest version of Keycloak and set up OIDC per the documentation.
  2. Try to log in

Audiobookshelf version

2.17.7

How are you running audiobookshelf?

Debian/PPA

What OS is your Audiobookshelf server hosted from?

Linux

If the issue is being seen in the UI, what browsers are you seeing the problem on?

Firefox

Logs


Additional Notes

No response

adam added the bug label 2026-04-25 00:08:02 +02:00
adam closed this issue 2026-04-25 00:08:02 +02:00
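The logged text `eyJhbGciOi` is the base64url encoding of `{"alg":`, the start of a JWT header, which is what a JSON parser sees when a UserInfo response arrives as a signed JWT instead of plain JSON. The following added example (not part of the thread and not Audiobookshelf code; function names and sample values are constructed, and it assumes the failing body was the UserInfo response) reproduces the parse failure and classifies the response so the setting to fix is obvious:

```javascript
// Added example, not Audiobookshelf code. Names and sample values are constructed.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Constructed signed-UserInfo body: header.payload.signature (signature is a dummy).
const SAMPLE_JWT = [
  b64url({ alg: 'RS256', typ: 'JWT' }),
  b64url({ sub: 'constructed-user', email: 'user@example.org' }),
  'ZHVtbXktc2lnbmF0dXJl',
].join('.');
const SAMPLE_JSON = JSON.stringify({ sub: 'constructed-user', email: 'user@example.org' });

// What a client that assumes plain JSON effectively does with the body.
function naiveParse(body) {
  try {
    return { ok: true, claims: JSON.parse(body) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Classify a UserInfo response so the misconfiguration is named explicitly.
function classifyUserInfo(contentType, body) {
  const type = (contentType || '').split(';')[0].trim().toLowerCase();
  const parts = body.trim().split('.');
  const jwtShaped = parts.length === 3 && parts.every((p) => /^[A-Za-z0-9_-]+$/.test(p));
  if (type === 'application/jwt' || jwtShaped) {
    try {
      // Header is decoded for diagnosis only; nothing here verifies the signature,
      // so the payload claims are deliberately not returned.
      const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
      return { kind: 'signed-jwt', alg: header.alg };
    } catch {
      return { kind: 'invalid', reason: 'JWT-shaped body with undecodable header' };
    }
  }
  const parsed = naiveParse(body);
  return parsed.ok ? { kind: 'json', sub: parsed.claims.sub } : { kind: 'invalid', reason: parsed.error };
}

console.log(SAMPLE_JWT.slice(0, 10), naiveParse(SAMPLE_JWT));
console.log(classifyUserInfo('application/jwt', SAMPLE_JWT));
console.log(classifyUserInfo('application/json', SAMPLE_JSON));
```

A `signed-jwt` result means the provider is signing UserInfo and the client has to either verify that JWT against the provider's keys or the provider has to return unsigned JSON, as the guide requires.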

@HansenRene commented on GitHub (Feb 1, 2025):

I was initially worried about getting my ABS playing with keycloak after reading this Issue. However, it worked on my first attempt, which says a lot as I'm a novice at IDP.

steps I took in keycloak:
created new client

General settings:

  • enter id, name

Access settings:

  • enter valid root, home, redirect, logout URI's (basically https://myaudiobookshelf.mydomain.org/*)

Under Capability config:

  • enabled Client authentication
  • enabled authorization

and copied the client secret of course, and that was all for the keycloak side

in audiobookshelf I enabled OpenID Connect, entered the issuer url from keycloak and hit the auto populate button.
(something like https://myidp.mydomain.org/realms/myrealm/.well-known/openid-configuration)

  • entered client id, secret
  • set the 'subfolder for redirects' to none as I don't use that
  • match existing users by mail.

As mentioned, I only just started playing with IdPs, but ABS implementation of oidc looked a lot like the one for mealie, so I basically made the config identical to that one.
hope it helps

@blknight88 commented on GitHub (Feb 2, 2025):

hey @PorreKaj,

Thank you for sharing your experience on how you got yours working.
After deleting my Client from Keycloak to start over, I was able to get it working by following your instructions!

A suggestion for you, using "*" is great for troubleshooting, but is a security risk and thankfully by using the suggested values from the audiobookshelf guide, I was able to get that working by using the following for my "Valid redirect URIs" in Keycloak:

https://www.audiobookshelf.org/guides/oidc_authentication/

  • /auth/openid/callback
  • /auth/openid/mobile-redirect

Also I did not need to enable "authorization" either so not sure that is needed.

I think the issue for me was changing "Match existing users by" to "email" instead of "username," even though with this change logging in via username via Keycloak still works. Also Disabling "Auto Register" which I had enabled previously.

The only issue I have now is I can't figure out what the "Valid post logout redirect URIs" is supposed to be. It works if it is set to "https://myaudiobookshelf.mydomain.org/*" however this would be a security risk.


@advplyr commented on GitHub (Feb 2, 2025):

Is there a bug with Abs?


@blknight88 commented on GitHub (Feb 2, 2025):

@advplyr this is not a bug, I thought it might be, but not anymore, I will close this after this comment.

For anyone else watching this, I did figure out the "Valid post logout redirect URIs" setting, this probably should be added to the documentation, but if you want to set it up without using the insecure wildcard "*" you just need to use "/audiobookshelf/login"


@ovizii commented on GitHub (Sep 15, 2025):

> For anyone else watching this, I did figure out the "Valid post logout redirect URIs" setting, this probably should be added to the documentation, but if you want to set it up without using the insecure wildcard "*" you just need to use "/audiobookshelf/login"

This really needs to go into the documentation. I just googled for an hour trying to fix this weird behaviour until I found this thread.
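The difference between the wildcard entry and the exact entries discussed in this thread can be checked with a small allow-list model. This is an added example, not part of the thread and not Keycloak or Audiobookshelf code; it assumes a simplified matching rule (trailing `*` is a prefix match, everything else is exact, relative entries resolve against the client's root URL), and the candidate URLs are constructed:

```javascript
// Added example, not Keycloak or Audiobookshelf code: a simplified matching model.
// Assumption: a trailing "*" means prefix match, anything else must match exactly,
// and entries starting with "/" are resolved against the client's root URL.
const ROOT = 'https://myaudiobookshelf.mydomain.org'; // placeholder host from the thread

const WILDCARD = ['https://myaudiobookshelf.mydomain.org/*'];
const EXACT = ['/auth/openid/callback', '/auth/openid/mobile-redirect'];
const POST_LOGOUT_EXACT = ['/audiobookshelf/login'];

function resolvePattern(rootUrl, pattern) {
  return pattern.startsWith('/') ? rootUrl.replace(/\/+$/, '') + pattern : pattern;
}

function isAllowed(rootUrl, patterns, candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return false; // not an absolute URL
  }
  const target = url.origin + url.pathname; // query and fragment are ignored here
  return patterns.some((p) => {
    const full = resolvePattern(rootUrl, p);
    return full.endsWith('*') ? target.startsWith(full.slice(0, -1)) : target === full;
  });
}

// Return the entries an administrator should review: every wildcard pattern.
function findWildcards(patterns) {
  return patterns.filter((p) => p.includes('*'));
}

// Constructed candidate redirect targets for comparing the two configurations.
const CANDIDATES = [
  ROOT + '/auth/openid/callback?code=constructed',
  ROOT + '/auth/openid/mobile-redirect',
  ROOT + '/some/unrelated/page',
  'https://other.example/auth/openid/callback',
];

const accepted = (patterns) => CANDIDATES.filter((c) => isAllowed(ROOT, patterns, c));
console.log('wildcard accepts', accepted(WILDCARD).length, 'exact accepts', accepted(EXACT).length);
console.log('to review:', findWildcards(WILDCARD));
```

With the exact entries only the two callback paths pass, while the wildcard also admits any other path on the same host, which is why the exact values are the safer setting for both the redirect and post-logout lists.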

Reference: starred/audiobookshelf#2525