Using Authentik as OIDC authentication for BookStack

These are my notes for using Authentik as the OIDC authentication for BookStack. This was a bit of a task for me to figure out even following the documentation from BookStack and from Authentik.

I’m not going to include a step-by-step guide since those pages do a pretty good job, but here are the bullet points from my experience.

  • In the Authentik provider for BookStack, set a Signing Key (otherwise Authentik signs the ID token with HS256 and BookStack rejects it with “Only RS256 signature validation is allowed. Token reports using HS256”) and leave the Encryption Key unset (otherwise the token is delivered encrypted as a JWE, which BookStack cannot decode, giving “Could not parse out valid payload within the provided token”).
  • With strict redirect URI matching in the Authentik provider, enter BookStack’s redirect URI exactly as BookStack sends it, without a trailing slash (BookStack’s callback path is /oidc/callback).
  • If you’re adding Authentik to an existing BookStack instance, edit each user and set the External Authentication ID to the sub claim of the matching Authentik user. (You can find this in the Authentik provider’s Preview tab.)
  • If you enable Group Sync in BookStack, you’ll need to edit each BookStack role’s External Authentication IDs. BookStack normalizes the group name to all lowercase with spaces replaced by dashes before matching, so an Authentik group named BookStack Admins must be entered as bookstack-admins.
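The four pitfalls above can all be checked before a login attempt. The script below is an added example, not code from BookStack or Authentik: it inspects an ID token the way BookStack reacts to it (5 segments means the provider still has an Encryption Key; a header alg other than RS256 means no Signing Key), derives the External Authentication ID for a role from an Authentik group name, and strips the trailing slash from a redirect URI. The token it builds is a constructed, unsigned sample for illustration only; the claim values are made up.

```python
"""Pre-flight checks for the BookStack/Authentik OIDC pitfalls in the notes.

Added example, not BookStack's or Authentik's code. Builds a constructed,
unsigned sample token so it runs offline; on a real setup you would paste the
token from the Authentik provider's Preview tab or a captured login instead.
Signature verification is deliberately out of scope here.
"""
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def inspect_token(token: str) -> dict:
    """Classify a token the way BookStack's OIDC login would react to it.

    A 5-segment token is a JWE, i.e. the provider's Encryption Key is set.
    A 3-segment JWS whose header alg is not RS256 means no Signing Key is set
    (Authentik then falls back to HS256), which BookStack refuses.
    """
    parts = token.split(".")
    if len(parts) == 5:
        return {"ok": False, "reason": "token is a JWE (5 segments): unset the provider's Encryption Key"}
    if len(parts) != 3:
        return {"ok": False, "reason": f"not a JWT: expected 3 segments, got {len(parts)}"}
    header = json.loads(_b64url_decode(parts[0]))
    alg = header.get("alg")
    if alg != "RS256":
        return {"ok": False, "reason": f"alg is {alg}: set a Signing Key on the provider so Authentik uses RS256"}
    payload = json.loads(_b64url_decode(parts[1]))
    # sub is what goes into a user's External Authentication ID;
    # groups is what OIDC_GROUPS_CLAIM=groups makes BookStack read.
    return {"ok": True, "alg": alg, "sub": payload.get("sub"), "groups": payload.get("groups", [])}


def bookstack_role_external_id(group_name: str) -> str:
    """Normalize an Authentik group name the way BookStack matches it against a
    role's External Authentication IDs: lowercase, spaces replaced by dashes."""
    return group_name.strip().lower().replace(" ", "-")


def normalize_redirect_uri(uri: str) -> str:
    """Strict redirect URI matching in Authentik compares the URI exactly, so
    the entry must not carry a trailing slash BookStack does not send."""
    return uri.rstrip("/")


def make_sample_token(alg: str, claims: dict) -> str:
    """Build an UNSIGNED sample JWT (constructed input for this example only;
    the signature segment is a placeholder, never trust tokens built like this)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.placeholder-signature"


# Constructed sample claims, shaped like the Authentik provider's Preview output.
SAMPLE_CLAIMS = {"sub": "sample-authentik-sub-id", "name": "Jane Doe",
                 "groups": ["BookStack Admins", "Editors"]}


if __name__ == "__main__":
    good = make_sample_token("RS256", SAMPLE_CLAIMS)   # Signing Key set
    bad = make_sample_token("HS256", SAMPLE_CLAIMS)    # no Signing Key
    jwe = "header.key.iv.ciphertext.tag"              # Encryption Key set
    for token in (good, bad, jwe):
        print(inspect_token(token))
    print([bookstack_role_external_id(g) for g in SAMPLE_CLAIMS["groups"]])
    print(normalize_redirect_uri("https://bookstack.example.com/oidc/callback/"))
```

Run it against a real token by replacing the sample in `inspect_token`; the group list it prints is exactly what you need to type into each role's External Authentication IDs field.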

This is what my environment variables look like for OIDC settings:

  • OIDC_END_SESSION_ENDPOINT: true
  • AUTH_AUTO_INITIATE: true
  • OIDC_ISSUER_DISCOVER: true
  • OIDC_DISPLAY_NAME_CLAIMS: name
  • OIDC_USER_TO_GROUPS: true
  • OIDC_GROUPS_CLAIM: groups
  • OIDC_REMOVE_FROM_GROUPS: true
