What happened?
Hello, I've managed, with some hiccups, to make authentication work together with Keycloak, including assignment of guest/user/admin privileges and password validation in LDAP (shared with Booksonic and several other LDAP-only apps). Maybe I'll write a guide for that later.
The only major problem I have with the setup right now is that when I log in as a valid user that has no relevant role, I get just an "Unauthorized" error message on the login page (that would be OK), but only with the button to go to the authenticator again, which redirects me directly back to the Audiobookshelf login page (as I'm already logged in) and there is no way out of this loop (except session timeout or admin session termination in authentication provider).
What did you expect to happen?
Maybe a bit more specific message and a button like "log out and try as another user" would be much more intuitive for the non-IT-admin crowd.
Steps to reproduce the issue
1. Create a user in the OID system that has none of the supported roles.
2. Log in as this user - you won't be able (as an ordinary user) to log out (OID redirects you directly back to the "unauthorized" login page).
Audiobookshelf version
2.17.2
How are you running audiobookshelf?
Docker
What OS is your Audiobookshelf server hosted from?
Linux
If the issue is being seen in the UI, what browsers are you seeing the problem on?
Firefox
Logs
Logs aren't relevant here.
Additional Notes
To get out I have to kill the session from Keycloak admin or clear session cookies.
and there is no way out of this loop (except session timeout or admin session termination in authentication provider)
Why couldn't the user just open up Keycloak and click on logout there?
Maybe a bit more specific message
It's a bit of a trade-off: the OIDC errors are generally not exposed, as almost all of them are a configuration error on the admin side rather than a user error, and exposing them could reveal internal details of the user provided by the provider.
In that case I'm also not sure whether this is a configuration error. Actually, if the user is not allowed to access Audiobookshelf, Keycloak itself should not have allowed that. (For example, if the Keycloak user does not have the roles absadmin, absuser, absguest, Keycloak should also be configured so that the user does not have access to it.)
The check in ABS for whether one of those groups exists is also just a sanity check against configuration errors (otherwise we could have assigned the user group as default).
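The fail-closed role check and generic error described in the comment above, combined with the "log out and try as another user" link the report asks for, as an added example that is not Audiobookshelf's code. The role names are the ones from the comment; the `groups` claim name, the function names and the example.test URLs are assumptions, and the logout link uses the OpenID Connect RP-Initiated Logout parameters `id_token_hint` and `post_logout_redirect_uri`.

```javascript
// Added example, not Audiobookshelf code. Role names are taken from the comment
// above; the claim name "groups" and every URL below are assumptions.
const ROLE_PRIORITY = ['absadmin', 'absuser', 'absguest'] // highest privilege first

// Fail closed: return the highest matching role, or null when the claim is
// missing, not an array, or contains none of the supported roles.
function resolveRole(claims, claimName = 'groups') {
  const raw = claims ? claims[claimName] : undefined
  if (!Array.isArray(raw)) return null
  const present = new Set(raw.filter((g) => typeof g === 'string').map((g) => g.toLowerCase()))
  return ROLE_PRIORITY.find((r) => present.has(r)) || null
}

// OpenID Connect RP-Initiated Logout: send the browser to the provider's
// end_session_endpoint so the SSO session ends and another account can sign in.
function buildLogoutUrl(endSessionEndpoint, idToken, postLogoutRedirectUri) {
  const url = new URL(endSessionEndpoint)
  if (url.protocol !== 'https:') throw new Error('end_session_endpoint must be https')
  url.searchParams.set('id_token_hint', idToken)
  url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri)
  return url.toString()
}

// Decide what the login page gets after the callback. The browser only sees a
// generic message plus a logout link; the detailed reason stays in the server log.
function handleCallback(claims, idToken, cfg) {
  const role = resolveRole(claims, cfg.groupClaim)
  if (role) return { ok: true, role }
  return {
    ok: false,
    userMessage: 'Unauthorized',
    logDetail: `sub=${claims && claims.sub}: no supported role in claim "${cfg.groupClaim}"`,
    logoutUrl: buildLogoutUrl(cfg.endSessionEndpoint, idToken, cfg.postLogoutRedirectUri)
  }
}

// Constructed sample configuration and claims (not real endpoints or tokens).
const cfg = {
  groupClaim: 'groups',
  endSessionEndpoint: 'https://idp.example.test/realms/demo/protocol/openid-connect/logout',
  postLogoutRedirectUri: 'https://abs.example.test/login'
}
const noRoleClaims = { sub: 'user-123', groups: ['staff'] }
const denied = handleCallback(noRoleClaims, 'constructed.id.token', cfg)
console.log(denied.userMessage, denied.logoutUrl)
```

The `post_logout_redirect_uri` must also be registered for the client at the provider, otherwise the provider will not redirect back after logout.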