[Enhancement]: OpenID Connect add setting for requested scopes #2185

Open
opened 2026-02-20 02:13:09 -05:00 by deekerman · 5 comments

Originally created by @exu-g on GitHub (May 24, 2024).

Type of Enhancement

Server Backend

Describe the Feature/Enhancement

Please add a setting to request specific scopes in addition to the 3 basic ones.

Something similar to this, as offered by the OpenID Connect addon for Nextcloud.

image

Why would this be helpful?

In practice, it's possible to have different names for the scope and its contained claim.
I usually use the application name for the scope and have a different name for the actual claim for consistency on the application side.

Scope:
image

Claim:
image

With the current settings this does not work, either I set the correct claim and the scope won't be sent at all, or I use the working scope, but can't find any groups within.

Future Implementation (Screenshot)

A simple field titled "additional scopes" would be fine.

Audiobookshelf Server Version

v2.9.0

Current Implementation (Screenshot)

Settings > Authentication > OpenID Connect Authentication
image


@advplyr commented on GitHub (May 24, 2024):

Is this a duplicate of https://github.com/advplyr/audiobookshelf/issues/2878?

With Authentik and KeyCloak you can name the groups however you want and set up a mapping. Maybe you are using Authelia?


@exu-g commented on GitHub (May 24, 2024):

No, this is about having different scope and claim names. I am using Authentik with a custom mapping to change my group names into the ones specified by Audiobookshelf.

From my understanding, scopes are some kind of container for one or multiple claims.
Something like this
image

Simplified, I have this mapping.
image

I can change the mapping to this and it works. Here both the scope and claim are called "audiobookshelf" and I set the same value in the Audiobookshelf OIDC settings "Group Claim" field.
image

But scopes can also contain multiple claims. As an example, the openid scope contains these claims:

```json
{
  "iss": "http://my-domain.auth0.com",
  "sub": "auth0|123456",
  "aud": "my_client_id",
  "exp": 1311281970,
  "iat": 1311280970,
  "name": "Jane Doe",
  "given_name": "Jane",
  "family_name": "Doe",
  "gender": "female",
  "birthdate": "0000-10-31",
  "email": "janedoe@example.com",
  "picture": "http://example.com/janedoe/me.jpg"
}
```

from https://auth0.com/docs/secure/tokens/id-tokens/id-token-structure

This can also be done for custom mappings like this. Here I'm setting the Group Claim and Advanced Permission Claim within the same scope.
image

Visually represented something like this
image

With the current implementation I have to name one claim the same as the scope.
If we could specify the scope separately, the previous graphic would work.


After typing all this out, this is a very tiny issue most users won't ever encounter.
But it does feel more correct to separate scopes and claims.

I guess adding a note that claim == scope name in the documentation would suffice, so others don't have to spend time wondering why the heck stuff doesn't work.


@Sapd commented on GitHub (May 27, 2024):

> I guess adding a note that claim == scope name in the documentation would suffice, so others don't have to spend time wondering why the heck stuff doesn't work.

Yeah, I thought (when I developed that feature) of showing the claims as a greyed-out box which would update with the name of the group claims etc., which would make claim == scope clear.

But you also have a point that it makes sense to add a box to allow adding claims, to allow configurations like the one you showed. There then just has to be a warning to the user that he also has to put the name of the scope which contains the claim explicitly into the additional claims field.

PS: I know you just made example pictures, but to save you a debugging session, keep in mind that in "abspermissions" in Authentik you have to write the booleans as true Python booleans like this. Otherwise they won't be provided as JSON boolean types:

```python
abspermissions = {
  "abspermissions": {
    "canDownload": False,  # Upper case without "
    "canUpload": True,
    # ...
  }
}
```

@igbjnI05bF commented on GitHub (Nov 16, 2024):

I'm very confused here, most of this is above my head. I'm unable to get the group claim to work at all with keycloak. I've done this successfully with other apps such as Nextcloud, Jellyfin, and Grafana, but cannot get it to work with Audiobookshelf.

In my Audiobookshelf client in Keycloak I went to client scopes, audiobookshelf-dedicated, and added a client roles scope. I named the token claim name "absroles". I then went to the roles tab of audiobookshelf and created "admin", "guest", and "user" roles. I added my user to the audiobookshelf/admin role.

I cannot sign into Audiobookshelf, it says "Error in callback". The webtools show "Invalid scopes: openid profile email absroles". I don't really get it, openid, profile, and email are global realm scopes. absroles isn't (and shouldn't) be a realm scope, it's a client scope.

Am I missing something here? How do I get Audiobookshelf to see this client scope I made and respect the client roles my users are in?


@megheaiulian commented on GitHub (Mar 18, 2025):

I think the issue is at https://github.com/advplyr/audiobookshelf/blob/master/server/Auth.js#L514.
It adds the authOpenIDGroupClaim as a scope value but I think it shouldn't as that is just the property to make groups from.

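As an added example (this is not Audiobookshelf's code, nor Authentik's or Keycloak's), here is a small JavaScript model of the scope/claim separation discussed in this thread. `buildScopesCurrent` mirrors the behaviour exu-g and megheaiulian describe (the configured claim names are pushed into the `scope` parameter), `buildScopesProposed` models the requested "additional scopes" field, a stand-in IdP rejects unknown scopes the way Keycloak did for igbjnI05bF, and the claim reader enforces real JSON booleans as Sapd's note requires. `authOpenIDGroupClaim` is the setting named in the thread; the setting names `authOpenIDAdvancedPermsClaim` and `authOpenIDAdditionalScopes`, the claim names `absgroups`/`abspermissions`, the scope name `audiobookshelf` and all sample data are assumptions made for this example.

```javascript
// Added example, not Audiobookshelf's own code. It models the scope/claim
// split discussed in this issue: scopes are what the client *requests*,
// claims are the fields the IdP *returns* inside a granted scope.
// `authOpenIDGroupClaim` is the setting named in the thread; the other
// setting names below are hypothetical.

const BASE_SCOPES = ['openid', 'profile', 'email'];

// Current behaviour as described in the thread: the configured *claim* names
// are appended to the scope parameter, so the IdP must know them as scopes.
function buildScopesCurrent(settings) {
  const scopes = [...BASE_SCOPES];
  if (settings.authOpenIDGroupClaim) scopes.push(settings.authOpenIDGroupClaim);
  if (settings.authOpenIDAdvancedPermsClaim) scopes.push(settings.authOpenIDAdvancedPermsClaim);
  return scopes.join(' ');
}

// Proposed behaviour: claim names never leak into the request; the admin
// lists the extra scopes explicitly (space- or comma-separated).
function buildScopesProposed(settings) {
  const extra = String(settings.authOpenIDAdditionalScopes || '')
    .split(/[\s,]+/)
    .filter(Boolean);
  return [...new Set([...BASE_SCOPES, ...extra])].join(' ');
}

// Minimal stand-in for the IdP's authorization endpoint: a scope the IdP
// does not know is rejected outright (Keycloak reports "Invalid scopes").
// Each granted scope contributes its claims to the ID token payload.
function idpAuthorize(scopeParam, scopeDefinitions, user) {
  const requested = scopeParam.split(' ');
  const unknown = requested.filter(
    (s) => !Object.prototype.hasOwnProperty.call(scopeDefinitions, s)
  );
  if (unknown.length) return { ok: false, invalidScopes: unknown };
  const claims = {};
  for (const s of requested) Object.assign(claims, scopeDefinitions[s](user));
  return { ok: true, claims };
}

// Read groups and permissions from an (already signature-verified) payload.
// The strict type checks catch the failure Sapd warns about: a mapping that
// emits the string "False" instead of a JSON boolean.
function readAuthorizationClaims(claims, settings) {
  const groups = claims[settings.authOpenIDGroupClaim];
  if (!Array.isArray(groups) || !groups.every((g) => typeof g === 'string')) {
    throw new Error(`claim "${settings.authOpenIDGroupClaim}" missing or not a string array`);
  }
  const perms = claims[settings.authOpenIDAdvancedPermsClaim];
  if (perms !== undefined) {
    if (typeof perms !== 'object' || perms === null || Array.isArray(perms)) {
      throw new Error(`claim "${settings.authOpenIDAdvancedPermsClaim}" is not an object`);
    }
    for (const [k, v] of Object.entries(perms)) {
      if (typeof v !== 'boolean') {
        throw new Error(`permission "${k}" is ${JSON.stringify(v)}, expected a JSON boolean`);
      }
    }
  }
  return { groups, permissions: perms || {} };
}

// --- constructed sample data, not taken from any real IdP ---
const SAMPLE_USER = { sub: 'user-1', email: 'jane@example.com', groups: ['admin'] };

// The "audiobookshelf" scope carries two claims whose names differ from the scope.
const SAMPLE_SCOPE_DEFINITIONS = {
  openid: (u) => ({ sub: u.sub }),
  profile: () => ({ name: 'Jane Doe' }),
  email: (u) => ({ email: u.email }),
  audiobookshelf: (u) => ({
    absgroups: u.groups,
    abspermissions: { canDownload: false, canUpload: true },
  }),
};

const SAMPLE_SETTINGS = {
  authOpenIDGroupClaim: 'absgroups',            // claim name != scope name
  authOpenIDAdvancedPermsClaim: 'abspermissions',
  authOpenIDAdditionalScopes: 'audiobookshelf', // hypothetical new setting
};

// Runs both flows end to end and returns the outcomes for inspection.
function demo(settings = SAMPLE_SETTINGS, defs = SAMPLE_SCOPE_DEFINITIONS) {
  const current = idpAuthorize(buildScopesCurrent(settings), defs, SAMPLE_USER);
  const proposed = idpAuthorize(buildScopesProposed(settings), defs, SAMPLE_USER);
  return {
    current,
    proposed: proposed.ok ? readAuthorizationClaims(proposed.claims, settings) : proposed,
  };
}
```

With the sample settings, `demo().current` is rejected with `invalidScopes: ['absgroups', 'abspermissions']`, which is the same shape of failure as the "Invalid scopes: openid profile email absroles" message quoted above, while `demo().proposed` yields `groups: ['admin']` and the two boolean permissions. Feeding the reader a payload whose `canDownload` is the string `"False"` makes it throw instead of silently treating a non-empty string as truthy.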
Reference
starred/audiobookshelf#2185