[Bug]: OIDC Group Claim validation prevents using standard ZITADEL role claim #3035

Open
opened 2026-04-25 00:13:09 +02:00 by adam · 7 comments

Originally created by @bannert1337 on GitHub (Oct 12, 2025).

What happened?

When configuring OpenID Connect (OIDC) with ZITADEL as the identity provider, I am unable to use the standard claim for user roles. ZITADEL provides user roles within a claim named urn:zitadel:iam:org:project:roles.

When I enter this claim name into the "Group Claim" field in the Audiobookshelf OIDC settings, the UI immediately flags it as an error with the message: Group Claim: Invalid claim name.

This prevents me from mapping ZITADEL roles to Audiobookshelf user groups, which is a critical part of the OIDC integration. The validation appears to be too strict, likely disallowing colons (:) in the claim name.

What did you expect to happen?

I expected the "Group Claim" field to accept urn:zitadel:iam:org:project:roles as a valid OIDC claim name. Namespaced claims using URNs (which include colons) are a standard practice in OIDC and should be supported.

The setting should be saved without a validation error, allowing Audiobookshelf to correctly parse the roles from the ID token during the login flow.

Steps to reproduce the issue

  1. Set up an OpenID Connect provider (like ZITADEL) that issues a namespaced claim containing colons for user roles/groups (e.g., urn:zitadel:iam:org:project:roles).
  2. In Audiobookshelf, navigate to Settings > Users > Authentication.
  3. Enable OpenID Connect as the authentication provider and fill in the required details (Issuer URL, Client ID, Client Secret).
  4. Scroll down to the "Group Claim" setting.
  5. Enter the value urn:zitadel:iam:org:project:roles into the input field.
  6. Observe the validation error Group Claim: Invalid claim name appear immediately.

Audiobookshelf version

v2.30.0

How are you running audiobookshelf?

Docker

What OS is your Audiobookshelf server hosted from?

Linux

If the issue is being seen in the UI, what browsers are you seeing the problem on?

None

Logs

No relevant server-side logs are generated, as this appears to be a client-side/UI validation error that occurs before the settings are saved.

Additional Notes

This issue effectively blocks integration with OIDC providers that use standard namespaced claims. A temporary workaround is to use ZITADEL's "Actions" feature to create a custom, non-namespaced claim (e.g., groups) and map the roles to it, but this adds unnecessary complexity. The ideal solution would be for Audiobookshelf to relax the validation on this field to support the full character set allowed in OIDC claim names.

Additionally, it is worth noting that the value of the urn:zitadel:iam:org:project:roles claim is a JSON object, not a flat array of strings. It would be helpful if the documentation could clarify how Audiobookshelf expects to parse group/role claims (e.g., as a flat array of strings, or if it can handle nested objects).

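The check the report describes, as an added example that is not Audiobookshelf's own code: a constructed strict pattern that rejects colons (a stand-in for the behaviour observed in the Group Claim field, not a copy of the project's regex) beside a relaxed one that accepts URN-style and URL-style namespaced claim names. JWT claim names are arbitrary JSON strings, so the relaxed pattern only rejects whitespace and control characters, which can only arrive through a paste error or misconfiguration, and bounds the length. The function names and sample inputs are constructed for this example.

```javascript
// Added example (not Audiobookshelf's own code). The strict pattern is a
// constructed stand-in for the validation the issue reports, not the project's regex.

// Constructed stand-in: letters, digits, underscore and hyphen only, so ':' is rejected.
const STRICT_CLAIM_NAME = /^[A-Za-z0-9_-]+$/;

// Relaxed pattern: any printable character except whitespace, bounded in length.
// Namespaced names such as urn:zitadel:iam:org:project:roles or
// https://example.com/claims/groups pass; "bad claim" and "" do not.
const RELAXED_CLAIM_NAME = /^[^\s\x00-\x1f\x7f]{1,256}$/;

function validateClaimName(name, pattern = RELAXED_CLAIM_NAME) {
  if (typeof name !== 'string') {
    return { ok: false, error: 'Invalid claim name' };
  }
  return pattern.test(name) ? { ok: true } : { ok: false, error: 'Invalid claim name' };
}

// Constructed sample claim names covering the cases discussed in the issue.
const CLAIM_NAME_CASES = [
  'groups',
  'urn:zitadel:iam:org:project:roles',
  'https://example.com/claims/groups',
  'bad claim',
  '',
];

// Evaluate every sample under both patterns so the difference is visible side by side.
function runClaimNameCases() {
  return CLAIM_NAME_CASES.map((name) => ({
    name,
    strict: validateClaimName(name, STRICT_CLAIM_NAME).ok,
    relaxed: validateClaimName(name).ok,
  }));
}

for (const row of runClaimNameCases()) {
  console.log(`${JSON.stringify(row.name)}: strict=${row.strict} relaxed=${row.relaxed}`);
}
```

Relaxing the name check does not change what is trusted: the claim is still read only from an ID token whose signature, issuer and audience have already been verified, so a permissive name pattern on the settings page adds no exposure.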
adam added the bug label 2026-04-25 00:13:09 +02:00

@Sapd commented on GitHub (Oct 17, 2025):

The regex here https://github.com/advplyr/audiobookshelf/blob/a87ea327151fcb7ec67ce981bb6a44878a9ab343/client/pages/config/authentication.vue#L308-L313
must be made less strict and include : then


@Vito0912 commented on GitHub (Oct 17, 2025):

If it's just the frontend, you could create your own request until this maybe gets fixed


@Maxklos commented on GitHub (Feb 12, 2026):

I have the same problem. Can you please provide the workaround Zitadel Action to remap the claims from urn:zitadel:iam:org:project:roles (JSON) to groups (list)? The PR works great but still struggles with the JSON translation

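The translation asked about above and in the issue's Additional Notes, as an added example that is not Audiobookshelf's or ZITADEL's code: a server-side normaliser that turns whatever shape the configured group claim has (a single string, a flat array, or the keyed JSON object the issue reports for urn:zitadel:iam:org:project:roles) into a flat list of group names, then maps that list onto an application group with a fail-closed default. The sample ID-token payload, the object layout and the group mapping are constructed for this example.

```javascript
// Added example (not Audiobookshelf's own code). Token payload, claim layout
// and mapping table are constructed to mirror the shapes described in the issue.

const SAMPLE_ID_TOKEN_CLAIMS = {
  sub: '123456789',
  email: 'reader@example.com',
  // Keyed-object shape reported in the issue: role name -> per-organisation details.
  'urn:zitadel:iam:org:project:roles': {
    admin: { '9876543210': 'example.zitadel.cloud' },
    user: { '9876543210': 'example.zitadel.cloud' },
  },
  // Flat-array shape a custom "groups" claim would carry (with a duplicate entry).
  groups: ['user', 'admin', 'user'],
};

// Constructed mapping [application group, claim group name], most privileged
// first; the first match wins so a user holding several roles gets the highest.
const GROUP_MAPPING = [
  ['admin', 'admin'],
  ['user', 'user'],
  ['guest', 'guest'],
];

// Reduce any supported claim value to a de-duplicated array of strings.
function normalizeGroupClaim(value) {
  if (value == null) return [];
  if (typeof value === 'string') return [value];
  if (Array.isArray(value)) {
    return [...new Set(value.filter((v) => typeof v === 'string'))];
  }
  if (typeof value === 'object') {
    // Keyed object: the role names are the keys; the per-org values are ignored.
    return Object.keys(value);
  }
  return [];
}

// Literal key lookup: namespaced names contain ':' and '.', so a dotted-path
// lookup would silently return nothing for exactly the claims this issue is about.
function groupsFromClaims(claims, claimName) {
  if (!Object.prototype.hasOwnProperty.call(claims, claimName)) return [];
  return normalizeGroupClaim(claims[claimName]);
}

// Pick the application group; null means "no mapped group" and the login
// should be refused rather than falling back to a default group.
function resolveApplicationGroup(groups, mapping = GROUP_MAPPING) {
  const present = new Set(groups);
  for (const [appGroup, claimGroup] of mapping) {
    if (present.has(claimGroup)) return appGroup;
  }
  return null;
}

for (const claimName of ['urn:zitadel:iam:org:project:roles', 'groups', 'missing']) {
  const groups = groupsFromClaims(SAMPLE_ID_TOKEN_CLAIMS, claimName);
  console.log(claimName, '->', groups, '=>', resolveApplicationGroup(groups));
}
```

Keeping the object-to-keys step on the application side means the provider needs no custom claim at all, and the fail-closed return keeps a token with no recognised role from landing in a default group.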

@Sapd commented on GitHub (Feb 12, 2026):

@Maxklos can you please give me a full example of the response (additional docs links are also helpful)

Edit: did you test my PR already? Please comment under it for further support with that PR


@Maxklos commented on GitHub (Feb 12, 2026):

I commented on the PR with the log output: https://github.com/advplyr/audiobookshelf/pull/5031#issuecomment-3889777188. @bannert1337 mentioned "A temporary workaround is to use ZITADEL's "Actions" feature to create a custom, non-namespaced claim (e.g., groups) and map the roles to it, but this adds unnecessary complexity." I wanted to test the JS code for the action to further test Zitadel in combination with ABS. I intended to split the conversation into the topic of the JSON bug (comment below your PR) and the Zitadel Action (comment here).


@tfmm commented on GitHub (Feb 19, 2026):

Sorry for the mild hijack, feel free to delete if this is not ok.

@Maxklos I'm trying to setup ABS in Zitadel, and was wondering if you could share your Zitadel-side config. The settings I've tried don't appreciate mixing http(s) and audiobookshelf protocols. Thanks!


@Maxklos commented on GitHub (Feb 21, 2026):

With this PR (https://github.com/advplyr/audiobookshelf/pull/5031) it's simple. On Zitadel side: Application Type: Web & Response Types: Code. Set everything up in the ABS SSO settings and you are basically good to go. If you want different users to have different ABS roles, you have to set "Roles" in the Project settings and give every user the "Authorizations" level you want. Zitadel & Audiobookshelf ONLY work together if you use the PR linked. But with the fantastic work of Sapd it's a breeze. Oh and I serve ABS via Pangolin/Newt; with that as a reverse proxy HTTPS is not an issue. Where exactly do you have troubles? You are welcome to e-mail me if you still struggle.
Reference: starred/audiobookshelf#3035