[Bug]: OpenID authentication loop when logged in as a user without privileges #2559

Open
opened 2026-02-20 02:19:16 -05:00 by deekerman · 1 comment

Originally created by @jelinj8 on GitHub (Nov 26, 2024).

What happened?

Hello, I've managed with some hiccups to make authentication work together with Keycloak, including assigning of guest/user/admin privileges and password validation in LDAP (shared with Booksonic and several other LDAP-only apps). Maybe I'll write some guide for that later.

The only major problem I have with the setup right now is that when I log in as a valid user that has no relevant role I get just an "Unauthorized" error message on the login page (that would be OK), but only with the button to go to the authenticator again, which redirects me directly back to the Audiobookshelf login page (as I'm already logged in) and there is no way out of this loop (except session timeout or admin session termination in the authentication provider).

![obrazek](https://github.com/user-attachments/assets/1daddf00-eb7e-4d9e-b454-57be2a478bee)

What did you expect to happen?

Maybe a bit more specific message and a button like "logout and try as another user" would be much more intuitive for the non-IT-admin crowd.

Steps to reproduce the issue

  1. Create a user in the OID system that has none of the supported roles.
  2. Log in as this user. You won't be able (as an ordinary user) to log out (OID redirects you directly back to the "unauthorized" login page).

Audiobookshelf version

2.17.2

How are you running audiobookshelf?

Docker

What OS is your Audiobookshelf server hosted from?

Linux

If the issue is being seen in the UI, what browsers are you seeing the problem on?

Firefox

Logs

Logs aren't relevant here.

Additional Notes

To get out I have to kill the session from Keycloak admin or clear session cookies.


@Sapd commented on GitHub (Dec 7, 2024):

> and there is no way out of this loop (except session timeout or admin session termination in authentication provider)

Why couldn't the user just open up keycloak and click on logout there?

> Maybe a bit more specific message

It's a bit of a trade-off: the OIDC errors are generally not exposed, as almost all of them are a configuration error on the admin side rather than a user error, and exposing them could reveal internal details of the user provided by the provider.

In that case I'm also not sure if this is not a configuration error. Actually, if the user is not allowed to access audiobookshelf, keycloak itself should not have allowed that (for example, if the keycloak user does not have the roles absadmin, absuser, absguest, keycloak should also be configured so that the user does not have access to it).
The check in ABS whether one of those groups exists is also just a sanity check against configuration errors (otherwise we could have assigned the user group as default).

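The following is an added example, not Audiobookshelf's own code, written to illustrate the two points raised in this thread: the "sanity check" that maps the provider's group claim to an application role and refuses a user who carries none of the expected groups, and a way out of the loop for such a user, namely an OpenID Connect RP-initiated logout URL (the provider's end_session_endpoint with id_token_hint and post_logout_redirect_uri) instead of a plain link back to the authenticator. The group names absadmin/absuser/absguest are the ones named in the comment above; the claim name "groups", the endpoint URL, the redirect URI and the token value are assumptions chosen for illustration.

```javascript
// Added example (not Audiobookshelf's own code): claims-to-role mapping with a
// deny-by-default sanity check, plus an RP-initiated logout URL for rejected users.
// Group names absadmin/absuser/absguest come from the thread; the claim name
// "groups", endpoint and redirect URI are assumed for illustration.

const ROLE_BY_GROUP = { absadmin: 'admin', absuser: 'user', absguest: 'guest' };
// If a user carries several mapped groups, the most privileged role wins.
const ROLE_PRECEDENCE = ['admin', 'user', 'guest'];

// Returns the application role for a set of ID-token/userinfo claims, or null
// when none of the mapped groups is present (the user must not be let in).
function resolveRole(claims, groupClaim = 'groups') {
  const raw = claims[groupClaim];
  // Providers may send a single string instead of an array; anything else is "no groups".
  const groups = Array.isArray(raw) ? raw : typeof raw === 'string' ? [raw] : [];
  const roles = new Set(groups.map((g) => ROLE_BY_GROUP[g]).filter(Boolean));
  return ROLE_PRECEDENCE.find((r) => roles.has(r)) ?? null;
}

// Builds the provider's logout URL so the browser ends the IdP session instead
// of being bounced straight back to the application's login page.
function buildLogoutUrl(endSessionEndpoint, idToken, postLogoutRedirectUri) {
  const url = new URL(endSessionEndpoint);
  url.searchParams.set('id_token_hint', idToken);
  url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  return url.toString();
}

// What the callback handler decides after the token exchange. The message is
// deliberately generic and omits provider-side details, as the comment above argues.
function handleCallback(claims, idToken, cfg) {
  const role = resolveRole(claims, cfg.groupClaim);
  if (role) return { ok: true, role };
  return {
    ok: false,
    message: 'Unauthorized: your account has no Audiobookshelf role assigned.',
    logoutUrl: buildLogoutUrl(cfg.endSessionEndpoint, idToken, cfg.postLogoutRedirectUri),
  };
}

// Constructed sample configuration and claims (hypothetical values).
const cfg = {
  groupClaim: 'groups',
  endSessionEndpoint: 'https://idp.example/realms/demo/protocol/openid-connect/logout',
  postLogoutRedirectUri: 'https://abs.example/login',
};
const unprivilegedClaims = { sub: 'u-123', groups: ['employees'] };
const adminClaims = { sub: 'u-456', groups: ['absguest', 'absadmin'] };

console.log(handleCallback(adminClaims, 'id-token-placeholder', cfg));
console.log(handleCallback(unprivilegedClaims, 'id-token-placeholder', cfg));
```

With this shape the rejected user is shown a generic message and a logout link that terminates the Keycloak session before returning to the login page, so a second attempt with another account is possible without an admin clearing the session.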