[Enhancement]: OIDC: Add possibility to spcecify names of group claims #2083

Author

Owner

@advplyr commented on GitHub (Apr 24, 2024):

You should be able to use whatever group names you want and just add a custom property mapping. I haven't used Authelia but I used Authentik to successfully map some groups I setup with different names.
I followed @Sapd's guide in this PR https://github.com/advplyr/audiobookshelf/pull/2769

@advplyr commented on GitHub (Apr 24, 2024): You should be able to use whatever group names you want and just add a custom property mapping. I haven't used Authelia but I used Authentik to successfully map some groups I setup with different names. I followed @Sapd's guide in this PR https://github.com/advplyr/audiobookshelf/pull/2769

deekerman commented

Author

Owner

@Sapd commented on GitHub (Apr 24, 2024):

It was in the original concept (see https://github.com/advplyr/audiobookshelf/issues/2523 ) but left out because identity providers usually provide the ability of attribute mappings. Not sure about Authelia, but KeyCloak and Authentik can do that.

@Sapd commented on GitHub (Apr 24, 2024): It was in the original concept (see https://github.com/advplyr/audiobookshelf/issues/2523 ) but left out because identity providers usually provide the ability of attribute mappings. Not sure about Authelia, but KeyCloak and Authentik can do that.

deekerman commented

Author

Owner

@v3DJG6GL commented on GitHub (Apr 24, 2024):

hmh, would it be something like this?
https://github.com/authelia/authelia/issues/2868

That's not (yet) implemented in Authelia.

All other OIDC-claim capable apps I use have the possibility to specify the names for group claims so I wasn't even aware that there's an option to map custom properties.
But yeah, it doesn't seem to be supported by Authelia...

@v3DJG6GL commented on GitHub (Apr 24, 2024): hmh, would it be something like this? https://github.com/authelia/authelia/issues/2868 That's not (yet) implemented in Authelia. All other OIDC-claim capable apps I use have the possibility to specify the names for group claims so I wasn't even aware that there's an option to map custom properties. But yeah, it doesn't seem to be supported by Authelia...

deekerman commented

Author

Owner

@Sapd commented on GitHub (Apr 24, 2024):

hmh, would it be something like this? authelia/authelia#2868

Yeah in fact that would be it.
I also just remembered another (severe) limitation of Authelia, it does not support restricting access for OpenID Connect: https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#why-doesnt-the-access-control-configuration-work-with-openid-connect-10 which makes the combination with this issue a bit worse

@Sapd commented on GitHub (Apr 24, 2024): > hmh, would it be something like this? [authelia/authelia#2868](https://github.com/authelia/authelia/issues/2868) Yeah in fact that would be it. I also just remembered another (severe) limitation of Authelia, it does not support restricting access for OpenID Connect: https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#why-doesnt-the-access-control-configuration-work-with-openid-connect-10 which makes the combination with this issue a bit worse

deekerman commented

Author

Owner

@advplyr commented on GitHub (Apr 24, 2024):

@v3DJG6GL What are some other self-hosted apps that support OIDC have that feature? I'd like to see how they implemented it.

I'm not sure if it is worth adding more complexity to our OIDC implementation if 2 out of 3 major providers support this already.

@advplyr commented on GitHub (Apr 24, 2024): @v3DJG6GL What are some other self-hosted apps that support OIDC have that feature? I'd like to see how they implemented it. I'm not sure if it is worth adding more complexity to our OIDC implementation if 2 out of 3 major providers support this already.

deekerman commented

Author

Owner

@advplyr commented on GitHub (Apr 24, 2024):

From your OP I can guess nextcloud and the jellyfin SSO plugin.

@advplyr commented on GitHub (Apr 24, 2024): From your OP I can guess nextcloud and the jellyfin SSO plugin.

deekerman commented

Author

Owner

@v3DJG6GL commented on GitHub (Apr 24, 2024):

@v3DJG6GL What are some other self-hosted apps supported OIDC that have that feature? I'd like to see how they implemented it.

Jellyfin (via SSO plugin) (https://github.com/9p4/jellyfin-plugin-sso)
Nextcloud (via Nextcloud OIDC plugin) (https://github.com/pulsejet/nextcloud-oidc-login)
MinIO (https://github.com/minio/minio)

@v3DJG6GL commented on GitHub (Apr 24, 2024): > @v3DJG6GL What are some other self-hosted apps supported OIDC that have that feature? I'd like to see how they implemented it. - Jellyfin (via SSO plugin) (https://github.com/9p4/jellyfin-plugin-sso) - Nextcloud (via Nextcloud OIDC plugin) (https://github.com/pulsejet/nextcloud-oidc-login) - MinIO (https://github.com/minio/minio)

deekerman commented

Author

Owner

@CEbbinghaus commented on GitHub (Nov 2, 2024):

Just wanted to add my support for this. kanidm/kanidm does not allow custom group names and instead provides the group names either as their unique guid or as their unique specifier group_name@host.tld which makes it completely incompatible with audiobookshelf.

Ideally there would be a UI to map group names provided as strings to the groups within audiobookshelf so the user could specify the groups.

I had a little stab at implementing it myself but I'm not overly fond nor adept at vuejs frontend dev. Will see if I can get it looking halfway decent though and submit a patch.

@CEbbinghaus commented on GitHub (Nov 2, 2024): Just wanted to add my support for this. [kanidm/kanidm](https://github.com/kanidm/kanidm) does not allow custom group names and instead provides the group names either as their unique guid or as their unique specifier `group_name@host.tld` which makes it completely incompatible with audiobookshelf. Ideally there would be a UI to map group names provided as strings to the groups within audiobookshelf so the user could specify the groups. I had a little stab at implementing it myself but I'm not overly fond nor adept at vuejs frontend dev. Will see if I can get it looking halfway decent though and submit a patch.

deekerman commented

Author

Owner

@igbjnI05bF commented on GitHub (Nov 19, 2024):

I have no idea if my issue is related to this or not, if it isn't just let me know and maybe I'll make a new issue for it.

I'm unable to get the group claim to work at all with keycloak. I've done this successfully with other apps such as Nextcloud, Jellyfin, and Grafana, but cannot get it to work with Audiobookshelf.

In my Audiobookshelf client in Keycloak I went to client scopes, audiobookshelf-dedicated, and added a client roles scope. I named the token claim name "absroles". I then went to the roles tab of audiobookshelf and created "admin", "guest", and "user" roles. I added my user to the audiobookshelf/admin role.

I cannot sign into Audiobookshelf, it says "Error in callback". The webtools show "Invalid scopes: openid profile email absroles". I don't really get it, openid, profile, and email are global realm scopes. absroles isn't (and shouldn't) be a realm scope, it's a client scope.

Am I missing something here? How do I get Audiobookshelf to see this client scope I made and respect the client roles my users are in?

@igbjnI05bF commented on GitHub (Nov 19, 2024): I have no idea if my issue is related to this or not, if it isn't just let me know and maybe I'll make a new issue for it. I'm unable to get the group claim to work at all with keycloak. I've done this successfully with other apps such as Nextcloud, Jellyfin, and Grafana, but cannot get it to work with Audiobookshelf. In my Audiobookshelf client in Keycloak I went to client scopes, audiobookshelf-dedicated, and added a client roles scope. I named the token claim name "absroles". I then went to the roles tab of audiobookshelf and created "admin", "guest", and "user" roles. I added my user to the audiobookshelf/admin role. I cannot sign into Audiobookshelf, it says "Error in callback". The webtools show "Invalid scopes: openid profile email absroles". I don't really get it, openid, profile, and email are global realm scopes. absroles isn't (and shouldn't) be a realm scope, it's a client scope. Am I missing something here? How do I get Audiobookshelf to see this client scope I made and respect the client roles my users are in?

deekerman commented

Author

Owner

@Sapd commented on GitHub (Nov 23, 2024):

@igbjnI05bF It would be better if you create a new discussion for that.

Edit I missed that you want to use the dedicated scope. Indeed that currently does not work. Because one cannot specify which scopes to request. It will always request a scope with the same name as the claim currently.

I quickly tested it however and it works and there seems to be multiple ways

First make sure you set ABS logs to "Debug" this way you can see in the logs the userinfo field which is returned.
Your goal is that userinfo should look like this:

[Auth] openid callback userinfo= { "sub": "357d8d63-6072-49fd-a4fc-c0b79e4ad5cd", "email_verified": true, "preferred_username": "youruser", "given_name": "", "family_name": "", 
"absgroups": [ "admin" ] }

Basically there must be a scope with a mapper which is for example named absgroups. It must be multi-value (so it will be an array)

In this case I did an attribute mapper. It is important to check that it will be included in user-info, the name must the for example absgroups, "token claim name" must also be the same. Also ofc the client needs to add that scope.
Then I added to my testuser the attribute "absgroups" and the value "admin".

I also tested to match roles, which also work. Note that you will need one of the latest major versions of keycloak for that to work. As there was a bug where he would not rename roles in userinfo.

For that also simply create a Client Scope and assign it in the Client. Add a "absadmin" role IN the client. Assign your user to it.
Then create those two mappings in client scopes:

@Sapd commented on GitHub (Nov 23, 2024): @igbjnI05bF It would be better if you create a new discussion for that. **Edit** I missed that you want to use the dedicated scope. Indeed that currently does not work. Because one cannot specify which scopes to request. It will always request a scope with the same name as the claim currently. I quickly tested it however and it works and there seems to be multiple ways First make sure you set ABS logs to "Debug" this way you can see in the logs the userinfo field which is returned. Your goal is that userinfo should look like this: ``` [Auth] openid callback userinfo= { "sub": "357d8d63-6072-49fd-a4fc-c0b79e4ad5cd", "email_verified": true, "preferred_username": "youruser", "given_name": "", "family_name": "", "absgroups": [ "admin" ] } ``` Basically there must be a scope with a mapper which is for example named absgroups. It must be multi-value (so it will be an array) <img width="1014" alt="image" src="https://github.com/user-attachments/assets/6d3bb2d3-c79a-4df3-ae9a-90994460dc4c"> In this case I did an attribute mapper. It is important to check that it will be included in user-info, the name must the for example absgroups, "token claim name" must also be the same. Also ofc the client needs to add that scope. Then I added to my testuser the attribute "absgroups" and the value "admin". I also tested to match roles, which also work. Note that you will need one of the latest major versions of keycloak for that to work. As there was a bug where he would not rename roles in userinfo. For that also simply create a Client Scope and assign it in the Client. Add a "absadmin" role IN the client. Assign your user to it. Then create those two mappings in client scopes: <img width="861" alt="image" src="https://github.com/user-attachments/assets/5f96df10-b55a-482d-8b86-d96bef61e135"> <img width="1398" alt="image" src="https://github.com/user-attachments/assets/f77dd2d6-8e11-4502-96ec-86cad0e0954d"> <img width="932" alt="image" src="https://github.com/user-attachments/assets/59eb0ba3-8413-4045-a9a1-c8053349b444">

deekerman commented

Author

Owner

@igbjnI05bF commented on GitHub (Nov 25, 2024):

@Sapd
I appreciate your response. I hope that we can use the dedicated scope in the future as it just seems the cleanest way to implement per-client roles and not make your keycloak realm messy. I will play with your solution later today and try to implement it that way for now. Thanks!

@igbjnI05bF commented on GitHub (Nov 25, 2024): @Sapd I appreciate your response. I hope that we can use the dedicated scope in the future as it just seems the cleanest way to implement per-client roles and not make your keycloak realm messy. I will play with your solution later today and try to implement it that way for now. Thanks!

deekerman commented

Author

Owner

@cyclingwithelephants commented on GitHub (Apr 21, 2025):

Given it looks like this isn't going to be implemented client side, is it possible to provide an example for how to implement this with Authelia? Happy to update documentation accordingly

@cyclingwithelephants commented on GitHub (Apr 21, 2025): Given it looks like this isn't going to be implemented client side, is it possible to provide an example for how to implement this with Authelia? Happy to update documentation accordingly

deekerman commented

Author

Owner

@yourfate commented on GitHub (Apr 29, 2025):

I want this as well, with my setup (lldap + pocket ID) its kind of annoying to scope the gropus to audiobookshelf.

@yourfate commented on GitHub (Apr 29, 2025): I want this as well, with my setup (lldap + pocket ID) its kind of annoying to scope the gropus to audiobookshelf.

deekerman commented

Author

Owner

@cyclingwithelephants commented on GitHub (Apr 29, 2025):

I ended up taking the hit and lost much of a day to this, but I got it working with Authelia. I even hit a bug in the Authelia helm chart because this feature was brand new. I hope this is helpful to people.

It would be much nicer from an end user perspective to allow this mapping from Audiobookshelf's side, I do appreciate it's work though. Something as simple as being able to say "groups X,Y,Z map to admin, groups A,B,C map to user, groups D,E,F map to guest" would have made a big difference.

If somebody lets me know where to put the documentation, I'm happy to write this up for audiobookshelf, or would you rather this existed in Authelia's docs?

# -- this is a snip from the Authelia helm chart, where we configure Authelia's configmap --
configmap:
  # define a custom user attribute for Audiobookshelf role mapping
  definitions:
    user_attributes:
      audiobookshelf_roles:
        expression: '( "admins-all" in groups || "admins-audiobookshelf" in groups ) ? ["admin"]: ( "user-audiobookshelf" in groups ? ["user"]: ["guest"])'

  identity_providers:
      claims_policies:
        audiobookshelf_policy:
          # Remap the "groups" claim to your computed attribute
          custom_claims:
            custom_groups:
              attribute: audiobookshelf_roles

      # Define a new scope (custom_groups) that only returns that remapped claim
      scopes:
        custom_groups:
          claims:
            - custom_groups

      clients:
        - client_id: <redacted>
          client_name: 'audiobookshelf'
          client_secret: <redacted>
          public: false
          authorization_policy: 'two_factor'
          require_pkce: true
          pkce_challenge_method: 'S256'
          redirect_uris: <redacted>
          scopes:
            - 'openid'
            - 'profile'
            - 'custom_groups'         # instead of "groups"
            - 'email'
          claims_policy: audiobookshelf_policy  # apply the custom claims policy to this client

@cyclingwithelephants commented on GitHub (Apr 29, 2025): I ended up taking the hit and lost much of a day to this, but I got it working with Authelia. I even hit a bug in the Authelia helm chart because this feature was brand new. I hope this is helpful to people. It would be much nicer from an end user perspective to allow this mapping from Audiobookshelf's side, I do appreciate it's work though. Something as simple as being able to say "groups X,Y,Z map to admin, groups A,B,C map to user, groups D,E,F map to guest" would have made a big difference. If somebody lets me know where to put the documentation, I'm happy to write this up for audiobookshelf, or would you rather this existed in Authelia's docs? ```yaml # -- this is a snip from the Authelia helm chart, where we configure Authelia's configmap -- configmap: # define a custom user attribute for Audiobookshelf role mapping definitions: user_attributes: audiobookshelf_roles: expression: '( "admins-all" in groups || "admins-audiobookshelf" in groups ) ? ["admin"]: ( "user-audiobookshelf" in groups ? ["user"]: ["guest"])' identity_providers: claims_policies: audiobookshelf_policy: # Remap the "groups" claim to your computed attribute custom_claims: custom_groups: attribute: audiobookshelf_roles # Define a new scope (custom_groups) that only returns that remapped claim scopes: custom_groups: claims: - custom_groups clients: - client_id: <redacted> client_name: 'audiobookshelf' client_secret: <redacted> public: false authorization_policy: 'two_factor' require_pkce: true pkce_challenge_method: 'S256' redirect_uris: <redacted> scopes: - 'openid' - 'profile' - 'custom_groups' # instead of "groups" - 'email' claims_policy: audiobookshelf_policy # apply the custom claims policy to this client ```

deekerman commented

Author

Owner

@zodac-personal commented on GitHub (Aug 10, 2025):

I ended up taking the hit and lost much of a day to this, but I got it working with Authelia. I even hit a bug in the Authelia helm chart because this feature was brand new. I hope this is helpful to people.

It would be much nicer from an end user perspective to allow this mapping from Audiobookshelf's side, I do appreciate it's work though. Something as simple as being able to say "groups X,Y,Z map to admin, groups A,B,C map to user, groups D,E,F map to guest" would have made a big difference.

If somebody lets me know where to put the documentation, I'm happy to write this up for audiobookshelf, or would you rather this existed in Authelia's docs?

-- this is a snip from the Authelia helm chart, where we configure Authelia's configmap --

configmap:

define a custom user attribute for Audiobookshelf role mapping

definitions:
user_attributes:
audiobookshelf_roles:
expression: '( "admins-all" in groups || "admins-audiobookshelf" in groups ) ? ["admin"]: ( "user-audiobookshelf" in groups ? ["user"]: ["guest"])'

identity_providers:
claims_policies:
audiobookshelf_policy:
# Remap the "groups" claim to your computed attribute
custom_claims:
custom_groups:
attribute: audiobookshelf_roles
  # Define a new scope (custom_groups) that only returns that remapped claim
  scopes:
    custom_groups:
      claims:
        - custom_groups

  clients:
    - client_id: <redacted>
      client_name: 'audiobookshelf'
      client_secret: <redacted>
      public: false
      authorization_policy: 'two_factor'
      require_pkce: true
      pkce_challenge_method: 'S256'
      redirect_uris: <redacted>
      scopes:
        - 'openid'
        - 'profile'
        - 'custom_groups'         # instead of "groups"
        - 'email'
      claims_policy: audiobookshelf_policy  # apply the custom claims policy to this client

I gave this a try with the latest Authelia (4.39.5), but wasn't able to get it to work. I might come back to it again, but it would be much more straightforward if we could customise the groups that ABS is looking for.

@zodac-personal commented on GitHub (Aug 10, 2025): > I ended up taking the hit and lost much of a day to this, but I got it working with Authelia. I even hit a bug in the Authelia helm chart because this feature was brand new. I hope this is helpful to people. > > It would be much nicer from an end user perspective to allow this mapping from Audiobookshelf's side, I do appreciate it's work though. Something as simple as being able to say "groups X,Y,Z map to admin, groups A,B,C map to user, groups D,E,F map to guest" would have made a big difference. > > If somebody lets me know where to put the documentation, I'm happy to write this up for audiobookshelf, or would you rather this existed in Authelia's docs? > > # -- this is a snip from the Authelia helm chart, where we configure Authelia's configmap -- > configmap: > # define a custom user attribute for Audiobookshelf role mapping > definitions: > user_attributes: > audiobookshelf_roles: > expression: '( "admins-all" in groups || "admins-audiobookshelf" in groups ) ? ["admin"]: ( "user-audiobookshelf" in groups ? ["user"]: ["guest"])' > > identity_providers: > claims_policies: > audiobookshelf_policy: > # Remap the "groups" claim to your computed attribute > custom_claims: > custom_groups: > attribute: audiobookshelf_roles > > # Define a new scope (custom_groups) that only returns that remapped claim > scopes: > custom_groups: > claims: > - custom_groups > > clients: > - client_id: <redacted> > client_name: 'audiobookshelf' > client_secret: <redacted> > public: false > authorization_policy: 'two_factor' > require_pkce: true > pkce_challenge_method: 'S256' > redirect_uris: <redacted> > scopes: > - 'openid' > - 'profile' > - 'custom_groups' # instead of "groups" > - 'email' > claims_policy: audiobookshelf_policy # apply the custom claims policy to this client I gave this a try with the latest Authelia (4.39.5), but wasn't able to get it to work. I might come back to it again, but it would be much more straightforward if we could customise the groups that ABS is looking for.

deekerman commented

Author

Owner

@Lasithih commented on GitHub (Sep 2, 2025):

I am using Keycloak and OIDC in general works when I don't use the groups claim. But when I turn it on, "Error in callback" error message is shown.

This is what my groups mapper looks like.

I know this works because I use the same config for syncing groups to Proxmox.

This is the error I see in the browser.

error: invalid_scope
error_description: Invalid scopes: openid profile email groups

Any idea what I am doing wrong here?

Thanks!

@Lasithih commented on GitHub (Sep 2, 2025): I am using Keycloak and OIDC in general works when I don't use the groups claim. But when I turn it on, "Error in callback" error message is shown. <img width="310" height="311" alt="Image" src="https://github.com/user-attachments/assets/c8e064bb-cc3a-4888-9636-8ff24ef080dc" /> --- This is what my groups mapper looks like. <img width="1386" height="1224" alt="Image" src="https://github.com/user-attachments/assets/093f839d-3016-46ae-a05d-8aa4781f8dc5" /> I know this works because I use the same config for syncing groups to Proxmox. This is the error I see in the browser. ``` error: invalid_scope error_description: Invalid scopes: openid profile email groups ``` Any idea what I am doing wrong here? Thanks!

deekerman commented

Author

Owner

@Sapd commented on GitHub (Sep 2, 2025):

@Lasithih See my explanation above, it handles that exact case: https://github.com/advplyr/audiobookshelf/issues/2878#issuecomment-2495505329

I will overwrite some things towards end of this year which should also fix that issue entirely.

@Sapd commented on GitHub (Sep 2, 2025): @Lasithih See my explanation above, it handles that exact case: https://github.com/advplyr/audiobookshelf/issues/2878#issuecomment-2495505329 I will overwrite some things towards end of this year which should also fix that issue entirely.

deekerman commented

Author

Owner

@Lasithih commented on GitHub (Sep 5, 2025):

@Sapd I tried both User Attribute and Role Name Mapper. But for some reason I'm stuck with the same error.

@Lasithih commented on GitHub (Sep 5, 2025): @Sapd I tried both User Attribute and Role Name Mapper. But for some reason I'm stuck with the same error.

deekerman commented

Author

Owner

@languagegame commented on GitHub (Oct 15, 2025):

pocket

I also would like to see this mapping in audiobookshelf for pocket ID. Not all OIDC providers (yet) providing mapping capabilities, so helpful to have this in audiobookshelf itself. In other words, the user sets the group claim and then is allowed to determine which group name maps to admin, user and guest in audiobookshelf

@languagegame commented on GitHub (Oct 15, 2025): > pocket I also would like to see this mapping in audiobookshelf for pocket ID. Not all OIDC providers (yet) providing mapping capabilities, so helpful to have this in audiobookshelf itself. In other words, the user sets the group claim and then is allowed to determine which group name maps to admin, user and guest in audiobookshelf

deekerman commented

Author

Owner

@MadManChLP commented on GitHub (Oct 30, 2025):

anything new to this becaws i want to use authentik but cant get it to work because i cant ise the group naming admin, user and guest for some security reasons

@MadManChLP commented on GitHub (Oct 30, 2025): anything new to this becaws i want to use authentik but cant get it to work because i cant ise the group naming admin, user and guest for some security reasons

deekerman commented

Author

Owner

@Sapd commented on GitHub (Oct 30, 2025):

anything new to this becaws i want to use authentik but cant get it to work because i cant ise the group naming admin, user and guest for some security reasons

On Authentik its a none issue because you can user mappers.

@Sapd commented on GitHub (Oct 30, 2025): > anything new to this becaws i want to use authentik but cant get it to work because i cant ise the group naming admin, user and guest for some security reasons On Authentik its a none issue because you can user mappers.

deekerman commented

Author

Owner

@MadManChLP commented on GitHub (Oct 31, 2025):

im quite new to authentik so how do i ned to configure it could you please tell me more

@MadManChLP commented on GitHub (Oct 31, 2025): im quite new to authentik so how do i ned to configure it could you please tell me more

deekerman commented

Author

Owner

@Sapd commented on GitHub (Oct 31, 2025):

im quite new to authentik so how do i ned to configure it could you please tell me more

See here: https://github.com/advplyr/audiobookshelf/pull/2769

@Sapd commented on GitHub (Oct 31, 2025): > im quite new to authentik so how do i ned to configure it could you please tell me more See here: https://github.com/advplyr/audiobookshelf/pull/2769

deekerman commented

Author

Owner

@MadManChLP commented on GitHub (Oct 31, 2025):

thanks

@MadManChLP commented on GitHub (Oct 31, 2025): thanks

deekerman commented

Author

Owner

@staticdev commented on GitHub (Feb 3, 2026):

@Lasithih See my explanation above, it handles that exact case: #2878 (comment)

I will overwrite some things towards end of this year which should also fix that issue entirely.

@Sapd I am available to collaborate with that also. Using Keycloak here, and I am also contributing to Jellyfin SSO and Nextcloud OIDC plugin. Abs native OIDC is the best self-hosting experience I had so far, only the groups handling is missing this last step to be 100% smooth. ;)

@staticdev commented on GitHub (Feb 3, 2026): > [@Lasithih](https://github.com/Lasithih) See my explanation above, it handles that exact case: [#2878 (comment)](https://github.com/advplyr/audiobookshelf/issues/2878#issuecomment-2495505329) > > I will overwrite some things towards end of this year which should also fix that issue entirely. @Sapd I am available to collaborate with that also. Using Keycloak here, and I am also contributing to Jellyfin SSO and Nextcloud OIDC plugin. Abs native OIDC is the best self-hosting experience I had so far, only the groups handling is missing this last step to be 100% smooth. ;)

deekerman commented

Author

Owner

@Sapd commented on GitHub (Feb 5, 2026):

@Lasithih See my explanation above, it handles that exact case: #2878 (comment)
I will overwrite some things towards end of this year which should also fix that issue entirely.

@Sapd I am available to collaborate with that also. Using Keycloak here, and I am also contributing to Jellyfin SSO and Nextcloud OIDC plugin. Abs native OIDC is the best self-hosting experience I had so far, only the groups handling is missing this last step to be 100% smooth. ;)

Yeah I will probably try to make some time for a sweep. Also there are other points open like removing the passport layer.

@Sapd commented on GitHub (Feb 5, 2026): > > [@Lasithih](https://github.com/Lasithih) See my explanation above, it handles that exact case: [#2878 (comment)](https://github.com/advplyr/audiobookshelf/issues/2878#issuecomment-2495505329) > > I will overwrite some things towards end of this year which should also fix that issue entirely. > > [@Sapd](https://github.com/Sapd) I am available to collaborate with that also. Using Keycloak here, and I am also contributing to Jellyfin SSO and Nextcloud OIDC plugin. Abs native OIDC is the best self-hosting experience I had so far, only the groups handling is missing this last step to be 100% smooth. ;) Yeah I will probably try to make some time for a sweep. Also there are other points open like removing the passport layer.

deekerman commented

Author

Owner

@Sapd commented on GitHub (Feb 5, 2026):

@staticdev If you have time you can test that please: https://github.com/advplyr/audiobookshelf/pull/5031

@Sapd commented on GitHub (Feb 5, 2026): @staticdev If you have time you can test that please: https://github.com/advplyr/audiobookshelf/pull/5031

deekerman commented