[Bug]: Error: "[OidcAuth] openid callback error: Invalid userinfo or already linked Error: Invalid userinfo or already linked at OidcAuthStrategy.verifyCallback (/app/server/auth/OidcAuthStrategy.js:129:15)" when attempting to add/match new user #3069

Closed
opened 2026-04-25 00:13:24 +02:00 by adam · 7 comments

Originally created by @ZLoth on GitHub (Nov 3, 2025).

What happened?

I'm running into an issue with creating two users on my ABS instance using Authentik as my provider. Logins work fine.

Troubleshooting steps that I have tried:

  • I created the user in Authentik and then, in incognito mode, impersonated that user to create the ABS account. This got the Unauthorized message. This worked in the past.
  • I then created the user in ABS, then, incognito mode, impersonated that user to match up the account. This also got the Unauthorized message.
  • I temporarily enabled passwords in ABS and logged into the ABS account with a temporary password to validate the account. I then tried logging in using impersonation mode, but got the unauthorized message.
  • I impersonated another user with a working account, and was able to login.
  • I refreshed the auto-populated data for the ABS OpenID Connect Authentication and restarted the server, still unauthorized for those two accounts.

I should note that I was able to successfully create accounts and login to Kavita for these two users.

The configuration is as follows:

  • Authentik version 2025.10.0
  • Audiobookshelf version 2.30

I am running this on a TrueNAS 25.10 server which is running on Debian Linux.

Configuration for ABS:

  • OpenID Connect Authentication: https://auth.mydomain.tld/application/o/audiobookshelf/ and autopopulated (I did this once or twice)
  • Authorize URL: https://auth.mydomain.tld/application/o/authorize/
  • Token URL: https://auth.mydomain.tld/application/o/token/
  • Userinfo URL: https://auth.mydomain.tld/application/o/userinfo/
  • JWKS URL: https://auth.mydomain.tld/application/o/audiobookshelf/jwks/
  • Logout URL: https://auth.mydomain.tld/application/o/audiobookshelf/end-session/
  • Client ID and Client secret are populated with the information from Authentik
  • Signing Algorithm: RS256
  • Match existing users by: Match by email
  • Auto-launch: Disabled
  • Auto-Register: Enabled

From Authentik:
Redirect URIs:

  • strict: https://abs.mydomain.tld/audiobookshelf/auth/openid/callback
  • strict: https://abs.mydomain.tld/audiobookshelf/auth/openid/mobile-redirect

What did you expect to happen?

User that was created in the Authentik application should have been created in ABS. Failing that, user should have been matched.

Steps to reproduce the issue

  1. Create user in Authentik
  2. Impersonate the user in Authentik
  3. Log into ABS instance.
  4. Click on the login button.

WHAT SHOULD HAPPEN: User is created or authenticated.
WHAT REALLY HAPPENS: Error message "Unauthorized"

Audiobookshelf version

2.30

How are you running audiobookshelf?

Docker

What OS is your Audiobookshelf server hosted from?

Linux

If the issue is being seen in the UI, what browsers are you seeing the problem on?

Chrome

Logs

Both log excerpts are from Audiobookshelf.

First User:

```text
2025-11-02 13:49:00.391 - DEBUG - [OidcAuth] openid callback userinfo= { "sub": "0c4a638f33a46df28d6c406d118c33d916cd5834cd5150d5f2192b3ba747f21b", "email": "bXXXXXXXXXXXX@gmail.com", "email_verified": false, "name": "Bxxxxxx Pxxxxx", "given_name": "Bxxxxxx Pxxxxx", "preferred_username": "Bxxxxxx Pxxxxx", "nickname": "Bxxxxxx Pxxxxx", "groups": [] }
2025-11-02 13:49:00.393 - WARN - [User] openid: User not found and email "bXXXXXXXXXXXX@gmail.com" is not verified
2025-11-02 13:49:00.393 - ERROR - [OidcAuth] openid callback error: Invalid userinfo or already linked Error: Invalid userinfo or already linked at OidcAuthStrategy.verifyCallback (/app/server/auth/OidcAuthStrategy.js:129:15)
2025-11-02 13:49:00.393 - ERROR - "[Auth] No data in openid callback - Unauthorized"
```

Second User:

```text
2025-11-02 13:57:15.909 - DEBUG - [OidcAuth] openid callback userinfo= { "sub": "9ac6dcc5a72662283d95f6bebc752e14402c0ffc567046fb3317134c33250160", "email": "mXXXXXXXXX3@verizon.net", "email_verified": false, "name": "Mxxxxx Pxxxxx", "given_name": "Mxxxxx Pxxxxx", "preferred_username": "Mxxxxx Pxxxxx", "nickname": "Mxxxxx Pxxxxx", "groups": [] }
2025-11-02 13:57:15.912 - WARN - [User] openid: User not found and email "mXXXXXXXXX3@verizon.net" is not verified
2025-11-02 13:57:15.912 - ERROR - [OidcAuth] openid callback error: Invalid userinfo or already linked Error: Invalid userinfo or already linked at OidcAuthStrategy.verifyCallback (/app/server/auth/OidcAuthStrategy.js:129:15)
2025-11-02 13:57:15.912 - ERROR - "[Auth] No data in openid callback - Unauthorized"
```

Additional Notes

  • Currently created users are able to log in.
  • I have been previously able to create users and login as those users through Authentik, although the last creation date for a user was on October 22nd, 2025.
  • Unsure if this is an Authentik issue or a ABS issue.
adam added the bug label 2026-04-25 00:13:24 +02:00
adam closed this issue 2026-04-25 00:13:24 +02:00

@ZLoth commented on GitHub (Nov 4, 2025):

Authentik upgraded to 2025.10.1 today, but issue is still occurring.


@Vito0912 commented on GitHub (Nov 4, 2025):

This very likely is related to https://github.com/goauthentik/authentik/pull/16206/ and is in general (even if not) unlikely to be an ABS bug, since the data is received from the OIDC provider.


@ZLoth commented on GitHub (Nov 4, 2025):

Okay.... so I looked quickly at the JWT payload and saw the following:

```json
{
    "iss": "https://auth.mydomain.tld/application/o/audiobookshelf/",
    "sub": "138c759015d343f2f00cd27b5de6c0aa168b75703e85a82345995d3eb3f22f64",
    "aud": "fyajmWAv4KZZdxXXxJTTLSygdrbVpHpCjMevD0fk",
    "exp": 1762284953,
    "iat": 1762283153,
    "auth_time": 1762283153,
    "acr": "goauthentik.io/providers/oauth2/default",
    "email": "bXXXXXXXXXXXX@gmail.com",
    "email_verified": false,
    "name": "Bxxxxxx Pxxxxx",
    "given_name": "Bxxxxxx Pxxxxx",
    "preferred_username": "Bxxxxxx Pxxxxx",
    "nickname": "Bxxxxxx Pxxxxx",
    "groups": []
}
```

The "email_verified": false is causing a failure in Audiobookshelf. When I go into Authentik → Customization → Property Mappings → authentik default OAuth Mapping: OpenID 'email', I see the following in Expression:

```python
return {
    "email": request.user.email,
    "email_verified": False
}
```

Because it is hard-coded to be False instead of being mapped to a variable, it is causing issues. Creating a new scope and setting "email_verified": True fixed the issue.

This issue has been documented in the release notes as https://docs.goauthentik.io/releases/2025.10#default-oauth-scope-mappings as part of the release on October 21st.


@ZLoth commented on GitHub (Nov 4, 2025):

This may need to be integrated to https://www.audiobookshelf.org/guides/oidc_authentication .

Steps to fix this "email_verified": false for Audiobookshelf:

  1. Log into your Authentik instance and go into the administrative instance.
  2. Go to Customization → Property Mappings.
  3. Click on Create.
  4. Select Scope Mapping and click on Next.
  5. Insert the following values (Scope Name and Expression are case sensitive!):

Name: OAuth Mapping: OpenID 'email' with "email_verified": True
Scope Name: email
Description: Email address
Expression:

```python
return {
    "email": request.user.email,
    "email_verified": True
}
```

  6. Click on Finish.
  7. Go to Applications → Providers.
  8. Click on Provider for Audiobookshelf.
  9. In the Overview tab, click on the Edit button.
  10. Expand the Advanced Protocol Settings.
  11. In the Scope → Selected Scopes section, select authentik default OAuth Mapping: OpenID 'email' and click on the left arrow to remove it from the Selected Scopes list.
  12. In the Scope → Available Scopes section, select OAuth Mapping: OpenID 'email' with "email_verified": True and click on the right arrow to add it to the Selected Scopes list.
  13. Ensure that authentik default OAuth Mapping: OpenID 'openid' and authentik default OAuth Mapping: OpenID 'profile' are still in the Selected Scopes list.
  14. Click on the Update button.
  15. Click on the Preview tab to test it with one of your users. "email_verified": true should now be returned.

@MRobi1 commented on GitHub (Nov 6, 2025):

This didn't quite fix it for me.
I've been using Authentik for quite some time as an OIDC provider for audiobookshelf. I tried to login this morning and was met with the "Unauthorized". I've also disabled password login so navigating to https://abs.yoursite.com/login/?autoLaunch=0 only gives me the option to login via OIDC.

I was getting the same error above. Followed these steps. Now getting this error

```text
audiobookshelf  | 2025-11-06T17:57:12.385518000Z [2025-11-06 17:57:12.385] INFO: [User] openid: User not found, checking existing with email "email@myemail.com"
audiobookshelf  | 2025-11-06T17:57:12.386364000Z [2025-11-06 17:57:12.385] WARN: [User] openid: User found with email "email@myemail.com" but is already matched with sub "c6d58cbc45f6f8072086331cfee5144d05c8485ac02c83bea16670ef954e8999"
audiobookshelf  | 2025-11-06T17:57:12.412517000Z [2025-11-06 17:57:12.385] ERROR: [OidcAuth] openid callback error: Invalid userinfo or already linked
audiobookshelf  | 2025-11-06T17:57:12.412576000Z Error: Invalid userinfo or already linked
```

So it appears as if my e-mail is now being passed through, but I still cannot log in because that e-mail is already linked to an existing user.

I appear to be fully locked out


@Vito0912 commented on GitHub (Nov 6, 2025):

@MRobi1 If you link your account with an OIDC provider, it sets a unique ID for the user linked to your ABS account (provided by your OIDC provider).
As you can see from the message (you already have linked that account), there are a few possible reasons why this can happen:

A) You reset your Authentik instance, which will then generate a new sub
B) You change the way the sub is generated (e.g. changing the subject mode in Authentik)
C) Possibly something I don't know. Anyway, this also doesn't seem to be an ABS issue but an issue caused by the sub changing.

To recover your account you either have to fix the sub or, if you changed something on your Authentik instance irreversibly, you need to unlink the account.

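The two failures in this thread (the original report, where the email claim arrives with "email_verified": false, and MRobi1's case, where the email matches a user already bound to a different sub) both fall out of one decision in the OIDC callback. The JavaScript below is an added example, not audiobookshelf's own code: it models that decision with rules reconstructed from the log messages quoted in the comments above, and the function name, user records and sub values are constructed for the example. The same model shows why the hard-coded "email_verified": True scope mapping from ZLoth's fix unblocks login: to the relying party it is indistinguishable from an address the provider actually confirmed, so it is only appropriate where the administrator trusts every email recorded in Authentik.

```javascript
// Added example, not audiobookshelf's own code: a model of the OIDC
// user-matching decision visible in this thread's log lines. The rules are
// reconstructed from those messages, not taken from the ABS source:
//   1. A user already linked to the token's `sub` logs in.
//   2. Otherwise the email claim is only usable when email_verified === true.
//   3. With "match by email" on, the user with that email is linked to the sub,
//      unless it is already linked to a *different* sub.
//   4. With auto-register on and no matching user, a new user is created.
// Every other path ends in the thread's "Invalid userinfo or already linked".

const REJECT = 'Invalid userinfo or already linked';

class OidcMatchError extends Error {
  constructor(log) { super(REJECT); this.log = log; }
}

function modelVerifyCallback(userinfo, users, { matchByEmail = true, autoRegister = true } = {}) {
  const log = [];
  const reject = (msg) => { log.push(`WARN  ${msg}`); throw new OidcMatchError(log); };

  // 1. The provider-issued `sub` is the stable identity; it always wins.
  const bySub = users.find((u) => u.oidcSub === userinfo.sub);
  if (bySub) {
    log.push(`INFO  user "${bySub.username}" found by sub`);
    return { user: bySub, action: 'login', log };
  }

  // 2. Only a boolean true counts. false, a missing claim, or the string
  //    "true" must not let an email match or a registration through. This is
  //    the check that Authentik 2025.10's default "email" scope mapping
  //    (email_verified hard-coded to False) failed.
  if (userinfo.email_verified !== true) {
    reject(`User not found and email "${userinfo.email}" is not verified`);
  }

  // 3. Match by email, but never re-link an account bound to another sub.
  if (matchByEmail) {
    log.push(`INFO  User not found, checking existing with email "${userinfo.email}"`);
    const byEmail = users.find((u) => u.email === userinfo.email);
    if (byEmail) {
      if (byEmail.oidcSub && byEmail.oidcSub !== userinfo.sub) {
        reject(`User found with email "${userinfo.email}" but is already matched with sub "${byEmail.oidcSub}"`);
      }
      byEmail.oidcSub = userinfo.sub; // first successful match links the account
      log.push(`INFO  linked "${byEmail.username}" to sub "${userinfo.sub}"`);
      return { user: byEmail, action: 'link', log };
    }
  }

  // 4. Auto-register a brand-new user.
  if (autoRegister) {
    const user = { username: userinfo.preferred_username, email: userinfo.email, oidcSub: userinfo.sub };
    users.push(user);
    log.push(`INFO  auto-registered "${user.username}"`);
    return { user, action: 'register', log };
  }

  reject(`no user for sub "${userinfo.sub}" and auto-register is disabled`);
}

// Constructed ABS user table for the scenarios below (emails redacted as in
// the thread; the subs are made up for the example).
function sampleUsers() {
  return [
    { username: 'mrobi1', email: 'email@myemail.com',       oidcSub: 'sub-mrobi1-original' },
    { username: 'bp',     email: 'bXXXXXXXXXXXX@gmail.com', oidcSub: null },
  ];
}

// Runs the situations described in the thread and returns each outcome.
function runScenarios() {
  const claims = (sub, email, email_verified) =>
    ({ sub, email, email_verified, preferred_username: email.split('@')[0], groups: [] });
  const results = {};
  const attempt = (name, userinfo) => {
    try { results[name] = modelVerifyCallback(userinfo, sampleUsers()).action; }
    catch (e) { if (!(e instanceof OidcMatchError)) throw e; results[name] = 'rejected'; }
  };
  attempt('unverified',    claims('sub-bp', 'bXXXXXXXXXXXX@gmail.com', false));   // the original report
  attempt('verified-link', claims('sub-bp', 'bXXXXXXXXXXXX@gmail.com', true));    // after the scope-mapping fix
  attempt('sub-changed',   claims('sub-mrobi1-new', 'email@myemail.com', true)); // MRobi1: email matches, sub differs
  attempt('new-user',      claims('sub-new', 'new@example.invalid', true));      // auto-register
  attempt('string-true',   claims('sub-new', 'new@example.invalid', 'true'));    // not a boolean: rejected
  return results;
}

console.log(runScenarios());
```

Run it with `node` and it prints one outcome per scenario. The `sub-changed` case is the one to keep in mind before changing anything on the provider side: once an account is linked, a new sub for the same email is refused rather than silently re-linked, which is the safe default (otherwise anyone who could get the provider to issue a token with a victim's email would take over the account), but it also means that with password login disabled there is no in-band way back in, as the next comment shows.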

@MRobi1 commented on GitHub (Nov 7, 2025):

OK I'm back in business. Since I had disabled password login, I was fully locked out. Had to manually edit the database (https://github.com/advplyr/audiobookshelf/issues/4139#issuecomment-3499960020) to remove all OIDC settings. Then I could log in with my password again. Had to reconfigure OIDC which got me to the same error, but since I was now able to login normally I could unlink OIDC through settings.

Not sure what changed. I hadn't touched the config on either side in around 1yr+

Reference: starred/audiobookshelf#3069