OAuth Configuration
Calibre-Web Automated supports advanced OAuth 2.0 and OpenID Connect (OIDC) authentication, allowing users to log in using external identity providers like Keycloak, Authentik, Google, Microsoft Azure AD, and many others. This guide covers everything you need to know about configuring and using OAuth authentication in CWA.
β Fixed in v3.2+: OAuth users now automatically inherit all default configuration settings configured in CWA's Basic Configuration, ensuring parity with manually created users.
Default Settings Applied to New OAuth Users:
- π Default Role: Configured role permissions (unless admin group override applies)
- π Sidebar View: Default sidebar visibility settings (books, series, authors, etc.)
- π Locale: Default interface language (English, German, French, etc.)
- π Default Language: Default book language filter
- π·οΈ Tag Restrictions: Default allowed/denied tags
- π Content Restrictions: Default allowed/denied column values (categories, publishers, etc.)
- π¨ Theme: Default CWA theme setting
- π± Kobo Sync: Default Kobo integration settings
How it Works: When a new user logs in via OAuth for the first time, CWA automatically applies all default configuration settings from Admin Panel β Basic Configuration β Feature Configuration. This ensures OAuth users get the same default permissions and interface settings as users created manually by administrators.
Default User Permissions: Default permissions are configured in Admin Panel β Edit UI Configuration
Admin Group Override: If the OAuth user is a member of the configured admin group (set in OAuth configuration), they receive admin role permissions instead of the default role, but all other default settings still apply.
CWA's OAuth implementation provides enterprise-grade authentication with the following features:
- β Auto-Discovery: Automatic endpoint configuration via OIDC metadata URLs
- β Manual Override: Full manual control over OAuth endpoints when needed
- β Field Mapping: Configurable JWT field extraction for usernames and emails
- β Custom Scopes: Flexible OAuth scope configuration
- β Admin Groups: Automatic admin role assignment based on OAuth groups
- β Group-Based Roles: Users with configured groups automatically get admin privileges
- β Built-in Providers: GitHub, Google, and one configurable Generic provider
- β Generic Provider: Support for any OAuth 2.0/OIDC compliant provider
- β Testing Tools: Built-in connection testing and validation
- βοΈ Custom Branding: Configurable login button text (admin panel only, login page shows "Log in with SSO")
graph LR
A[User] -->|1. Click Login| B[CWA]
B -->|2. Redirect| C[OAuth Provider]
C -->|3. User Login| C
C -->|4. Authorization Code| B
B -->|5. Exchange Code| C
C -->|6. Access Token| B
B -->|7. Get User Info| C
C -->|8. User Profile| B
B -->|9. Create/Login User| A
CWA uses a smart priority system for OAuth configuration:
-
π₯ Metadata URL (Highest Priority)
- If provided, CWA fetches all endpoints automatically
- Overrides all manual configuration
-
π₯ Manual Endpoints (Medium Priority)
- Individual endpoint URLs when metadata URL is not used
- Gives full control over each OAuth endpoint
-
π₯ Base URL Auto-Discovery (Fallback)
- Uses base URL +
/.well-known/openid-configuration - Standard OIDC discovery fallback
- Uses base URL +
- Log in as an Admin user
- Navigate to Admin Panel β Basic Configuration
- Scroll down to the OAuth Settings section
For most OAuth providers, this is the easiest method:
-
Get Metadata URL from your OAuth provider:
-
Keycloak:
https://your-keycloak.com/realms/your-realm/.well-known/openid-configuration -
Authentik:
https://your-authentik.com/application/o/your-app/.well-known/openid-configuration -
Google:
https://accounts.google.com/.well-known/openid-configuration -
Microsoft:
https://login.microsoftonline.com/your-tenant/.well-known/openid-configuration
-
Keycloak:
-
Enter Configuration:
Metadata URL: [paste your metadata URL here] OAuth Client ID: [your client ID] OAuth Client Secret: [your client secret] -
Test Connection: Click the "Test Metadata" button to verify the configuration
-
Save: Click Submit to apply the configuration
For custom setups or when auto-discovery isn't available:
-
Check "Use Manual Endpoint URLs" checkbox
-
Configure Individual Endpoints:
OAuth Base URL: https://your-provider.com Authorization Endpoint: https://your-provider.com/auth Token Endpoint: https://your-provider.com/token UserInfo Endpoint: https://your-provider.com/userinfo -
Test Connection: Use the "Test Connection" button with your base URL
-
Save Configuration
Configure how CWA extracts user information from JWT tokens:
| Field | Purpose | Default Value | Examples |
|---|---|---|---|
| Username Field | JWT claim for username | preferred_username |
sub, username, email
|
| Email Field | JWT claim for email | email |
mail, emailAddress, user_email
|
| OAuth Scopes | Requested permissions | openid profile email |
Add groups for admin functionality |
CWA supports automatic role assignment based on OAuth provider groups:
-
Group Detection: CWA checks the
groupsclaim in JWT tokens from your OAuth provider - Admin Assignment: Users belonging to the configured admin group automatically get admin privileges
- Default Role: Users without the admin group get standard user privileges
- Automatic Updates: Role assignment happens during every login (when group management is enabled)
-
Enable Group-Based Management (Admin > Basic Configuration > Security Settings):
β Enable OAuth Group-Based Admin Role ManagementWhen enabled, admin privileges are automatically granted/revoked based on OAuth group membership. When disabled, you can manually manage admin roles in the user management panel.
-
Enable Groups in OAuth Scopes:
OAuth Scopes: openid profile email groupsNote: The
groupsscope is required for group-based role assignment -
Set Admin Group Name:
OAuth group for Admin: adminThis should match the exact group name from your OAuth provider
If you prefer to manually manage admin roles, you have two options:
Option 1: Use the Global Setting (Recommended)
- Go to Admin > Basic Configuration > Security Settings
- Uncheck "Enable OAuth Group-Based Admin Role Management"
- Manually assign admin roles in Admin > User Management
Option 2: Clear the Admin Group Field (Legacy)
- Go to Admin > Admin > Edit OAuth/OIDC Provider
- Clear the "OAuth group for Admin" field (leave it empty)
- Save the configuration
Both methods prevent OAuth logins from automatically revoking admin privileges when users aren't in the configured group. The global setting is recommended because it's more explicit and provides better logging.
When a user logs in, CWA looks for groups in the JWT token:
{
"sub": "user123",
"preferred_username": "john.doe",
"email": "[email protected]",
"groups": ["admin", "users", "editors"]
}In this example, if OAuth group for Admin is set to admin, this user will get admin privileges.
| Provider | Group Claim | Configuration Notes |
|---|---|---|
| Keycloak | groups |
Configure group mappings in client scopes |
| Authelia | groups |
Configure group mappings in client scopes |
| Authentik |
ak_proxy.user.groups or groups
|
Depends on configuration |
| Azure AD | groups |
Requires group claims configuration |
groups |
Requires Google Workspace with group API |
-
Users not getting admin role:
- Verify "Enable OAuth Group-Based Admin Role Management" is checked in Security Settings
- Verify
groupsis in OAuth scopes and group name matches exactly (case-insensitive) - Check provider configuration for group claims
-
Admin role being revoked unexpectedly:
- If your OAuth provider doesn't return a
groupsclaim, disable "Enable OAuth Group-Based Admin Role Management" in Security Settings - Manually assign admin roles in User Management panel
- If your OAuth provider doesn't return a
- Group claim missing: Check provider configuration for group claims
- Wrong group format: Some providers use arrays, others use strings (CWA handles both)
-
Create Client in your Keycloak realm:
Client Type: OpenID Connect Client ID: calibre-web-automated Valid Redirect URIs: https://your-cwa-domain.com/login/generic/authorizedβ οΈ Important: Replaceyour-cwa-domain.comwith your actual CWA domain and include the port if non-standard (e.g.,:8083) -
Get Metadata URL:
https://your-keycloak.com/realms/your-realm/.well-known/openid-configuration -
CWA Configuration:
OAuth Redirect Host: https://your-cwa-domain.com Metadata URL: [metadata URL from step 2] Client ID: calibre-web-automated Client Secret: [from Keycloak client credentials] OAuth Scopes: openid profile email groups Username Field: preferred_username Email Field: email Admin Group: admin
-
Create Client in your Authelia config:
identity_providers: oidc: clients: ## Calibre-Web-Automated OIDC client - client_id: calibre client_name: Calibre-Web-Automated client_secret: "your-cwa-client-secret" public: false authorization_policy: two_factor require_pkce: false pkce_challenge_method: '' redirect_uris: - "https://your-cwa-domain.com/login/generic/authorized" scopes: - openid - profile - email - groups response_types: - code grant_types: - authorization_code access_token_signed_response_alg: none userinfo_signed_response_alg: none token_endpoint_auth_method: client_secret_basicβ οΈ Important: Replaceyour-cwa-domain.comwith your actual CWA domain and include the port if non-standard (e.g.,:8083) -
CWA Configuration:
Metadata URL: https://[auth-domain]/.well-known/openid-configuration OAuth scopes: openid profile email groups Client ID: calibre Client Secret: [from Authelia client credentials] Username Field: preferred_username Email Field: email Admin Group: admins # Make sure this is correct or else you may be locked out Login Button Text: Authelia
-
Create Application:
Name: Calibre-Web Automated Slug: calibre-web-automated Provider: OAuth2/OpenID Provider -
Create Provider:
Authorization flow: default-authorization-flow Client type: Confidential Redirect URIs: https://your-cwa-domain.com/login/generic/authorized Scopes: openid profile email ak_proxyβ οΈ Important: Replaceyour-cwa-domain.comwith your actual CWA domain and include the port if non-standard (e.g.,:8083) -
CWA Configuration:
OAuth Redirect Host: https://your-cwa-domain.com (your CWA instance URL) Metadata URL: https://your-authentik.com/application/o/calibre-web-automated/.well-known/openid-configuration Client ID: [from Authentik application] Client Secret: [from Authentik application] Username Field: preferred_username Email Field: emailβ οΈ Note:OAuth Redirect Hostshould be your CWA URL, not your Authentik URL!
-
Google Cloud Console:
- Create OAuth 2.0 credentials
- Add redirect URI:
https://your-cwa-domain.com/login/generic/authorized
β οΈ Important: Replaceyour-cwa-domain.comwith your actual CWA domain and include the port if non-standard (e.g.,:8083) -
CWA Configuration:
OAuth Redirect Host: https://your-cwa-domain.com Metadata URL: https://accounts.google.com/.well-known/openid-configuration Client ID: [your-client-id].apps.googleusercontent.com Client Secret: [your-client-secret] Username Field: email Email Field: email
-
Azure Portal:
- Register new application
- Add redirect URI:
https://your-cwa-domain.com/login/generic/authorized - Generate client secret
β οΈ Important: Replaceyour-cwa-domain.comwith your actual CWA domain and include the port if non-standard (e.g.,:8083) -
CWA Configuration:
OAuth Redirect Host: https://your-cwa-domain.com Metadata URL: https://login.microsoftonline.com/[tenant-id]/.well-known/openid-configuration Client ID: [application-id] Client Secret: [client-secret] Username Field: preferred_username Email Field: email
If you have an existing CWA account (username/password) and want to use OAuth login, you must link your account to the OAuth provider. This is especially critical if you plan to Disable Standard Login, as you will be locked out if your account is not linked!
- Log in to CWA using your standard username and password.
- Click on your Profile icon in the top right corner.
- In the Profile page, look for the "Link to [Provider Name]" button (e.g., "Link to Google", "Link to Generic OAuth").
- Click the button to initiate the OAuth flow.
- Authenticate with your provider.
- Once successful, your account is linked. You can now log in using the OAuth button on the login page.
DO NOT disable "Standard Login" until you have verified that your admin account is successfully linked to an OAuth provider.
If you disable standard login without linking your account:
- You will not be able to log in with your username/password.
- You will not be able to log in with OAuth (because it's not linked).
- You will be locked out of your instance.
Recovery from Lockout: If you accidentally lock yourself out, you will need to manually re-enable standard login by editing the database directly.
CRITICAL: All OAuth providers require you to configure the exact callback URI that CWA will use. The callback URI format depends on which OAuth provider you're configuring:
| Provider Type | Callback URI Format | Example |
|---|---|---|
| Generic OAuth | https://your-cwa-domain.com/login/generic/authorized |
https://library.example.com/login/generic/authorized |
| GitHub | https://your-cwa-domain.com/login/github/authorized |
https://library.example.com/login/github/authorized |
https://your-cwa-domain.com/login/google/authorized |
https://library.example.com/login/google/authorized |
NEW: CWA now includes an OAuth Redirect Host setting to prevent "invalid redirect URI" errors that can occur when accessing CWA through different hostnames or after extended periods of inactivity.
When to use OAuth Redirect Host:
- π Accessing CWA via multiple hostnames or subdomains
- π Behind reverse proxies (nginx, Apache, Caddy, etc.)
- π Using dynamic DNS or changing IP addresses
- β Experiencing "invalid redirect URI" errors that resolve on retry
How to configure:
- Navigate to Admin Panel β Basic Configuration β OAuth Settings
- Find the OAuth Redirect Host field
- Enter your Calibre-Web Automated instance URL including protocol:
https://your-cwa-domain.com - Save and restart CWA
What this setting does:
- Forces CWA to use a consistent callback URL when redirecting from OAuth providers
- The callback URL format becomes:
{OAuth Redirect Host}/login/{provider}/authorized - Example: If you set
https://library.example.com, the callback becomeshttps://library.example.com/login/generic/authorized - This callback URL is what you configure in your OAuth provider's settings
Example configurations:
β
Correct: https://cwa.example.com (your CWA instance)
β
Correct: https://cwa.mydomain.org:8083 (your CWA instance)
β
Correct: https://192.168.1.100:8083 (your CWA instance)
β Wrong: https://auth.mydomain.com (OAuth provider domain)
β Wrong: https://keycloak.example.com (OAuth provider domain)
β Wrong: cwa.example.com (missing protocol)
β Wrong: http://cwa.example.com/path (includes path)
β οΈ HTTPS Required: Most OAuth providers require HTTPS for production deploymentsβ οΈ Exact Match: The callback URI must match exactly (including trailing slashes, if any)β οΈ Domain: Replaceyour-cwa-domain.comwith your actual CWA domainβ οΈ Port: Include port numbers if not using standard ports (e.g.,:8083)- π§ Auto-Configuration: Leave OAuth Redirect Host empty to use automatic detection
- Keycloak: Add to "Valid Redirect URIs" in client configuration
- Authentik: Add to "Redirect URIs" in provider configuration
- Google: Add to "Authorized redirect URIs" in Google Cloud Console
- Azure AD: Add to "Redirect URIs" in app registration
CWA provides two testing methods:
-
Metadata URL Test:
- Validates metadata URL accessibility
- Checks endpoint discovery
- Shows available endpoints
-
OIDC Connection Test:
- Tests base URL connectivity
- Validates
.well-known/openid-configurationendpoint - Verifies endpoint discovery
Cause: Metadata URL is incorrect or inaccessible Solution:
- Verify the metadata URL in a browser - it should return JSON
- Check network connectivity from CWA to the OAuth provider
- Ensure SSL certificates are valid
- Try the Metadata URL Test button in the admin panel
Cause: Required JWT fields are missing from the OAuth provider response Solution:
- Check Username Field and Email Field mappings match your provider's JWT claims
- Verify OAuth scopes include required claims (e.g.,
profile,email) - Use your provider's token inspector or logs to see available fields
- Common field names:
preferred_username,sub,username,email,mail
Cause: The callback URI configured in CWA doesn't match what's configured in your OAuth provider, or inconsistent redirect URIs due to changing request context Solution:
-
Check OAuth Provider Configuration: Ensure redirect URI is:
https://your-cwa-domain.com/login/generic/authorized - Verify URL Format: Check for trailing slashes and HTTP vs HTTPS
-
Include Port Numbers: Use non-standard ports (e.g.,
:8083) if applicable -
Set OAuth Redirect Host: Configure the OAuth Redirect Host setting in Admin β Basic Configuration β OAuth:
- Use your public CWA URL:
https://your-domain.com - Required for reverse proxy setups or multiple hostname access
- Prevents redirect URI changes between sessions
- Use your public CWA URL:
- Restart CWA: Changes to OAuth Redirect Host require application restart
- Update Provider: The URI must match exactly in both CWA and your OAuth provider
Why this happens: Flask-Dance generates redirect URIs dynamically based on request context. When accessing CWA through different hostnames or after extended periods, the context can change, causing redirect URI mismatches. The OAuth Redirect Host setting forces consistent URI generation.
Cause: Group mapping issues or missing group claims Solution:
- Add
groupsto OAuth scopes:openid profile email groups - Verify Admin Group field matches provider group name exactly (case-sensitive)
- Check JWT token contains groups claim using your provider's token inspector
- Ensure users belong to the configured admin group in your OAuth provider
Cause: OAuth user exists but isn't linked to a CWA user account Solution:
- This typically happens when public registration is disabled
- For existing users: Log in with standard auth, go to Profile, and click "Link to [Provider]" (see Linking Existing Accounts)
- For new users: Admin users need to manually create accounts for OAuth users first, or enable public registration temporarily
- Emergency: If you are locked out, you may need to re-enable standard login or public registration via database edits
Cause: General OAuth authentication failure Solution:
- Check CWA logs for detailed error messages
- Verify OAuth provider is accessible from CWA
- Test OAuth configuration using the built-in test tools
- Ensure OAuth client is properly configured in your provider
Cause: OAuth users don't have passwords set in CWA Solution:
- This is expected behavior - OAuth users authenticate via OAuth only
- If switching to standard authentication, admin must set passwords manually
- See Authentication Mode Switching section
Enable debug logging to troubleshoot OAuth issues:
- Set log level to Debug in CWA admin panel
- Check container logs for detailed OAuth flow information
- Look for JWT token contents and endpoint responses
- Always use HTTPS for production OAuth deployments
- OAuth providers typically require HTTPS redirect URIs
- Self-signed certificates may cause issues with some providers
- Store client secrets securely
- Rotate credentials regularly
- Use different credentials for development/production
- Request only necessary OAuth scopes
- Be cautious with administrative scopes
- Review provider documentation for available scopes
- Restrict OAuth provider access to necessary networks
- Use firewall rules to control access
- Monitor OAuth-related logs for suspicious activity
- Check Logs: Enable debug logging and check container logs
- Test Configuration: Use built-in test tools to validate setup
- Community Support: Join our Discord for help
- GitHub Issues: Report bugs or request features on GitHub
- Keycloak Documentation
- Authentik Documentation
- Google OAuth Documentation
- Microsoft Azure AD Documentation
Before switching from OAuth to standard authentication:
- Identify OAuth-only users: Users created through OAuth will not have passwords
- Set passwords for OAuth users: Admin users must manually set passwords for these accounts
- Notify affected users: Inform users about the authentication method change
As an admin, you can set passwords for OAuth-created users:
- Navigate to Admin Panel β Edit/Add Users
- Select the OAuth-created user
- Set a new password in the password field
- Save the changes
This transition is generally smoother:
- Existing users with passwords can still use them (if not OAuth-only mode)
- Users can link their OAuth accounts to existing accounts
- No password data is lost
- Plan transitions carefully: Switching authentication methods affects all users
- Communicate changes: Inform users before making authentication changes
- Test with a small group: Test OAuth configuration with admin users first
-
Backup user data: Always backup the
app.dbbefore making major configuration changes - Document process: Keep records of which users were created via which authentication method
- β OAuth Redirect Host Setting: Prevents "invalid redirect URI" errors by ensuring consistent callback URLs across sessions and deployment scenarios
- β OAuth Default Permissions: OAuth users now inherit all default configuration settings (sidebar visibility, locale, language, tags, restrictions) same as manually created users
- β Auto-Discovery: OIDC metadata URL support for automatic configuration
- β Manual Override: Checkbox toggle for manual endpoint configuration
- β Field Mapping: Configurable JWT field extraction
- β Enhanced Testing: Improved connection testing with detailed feedback
- β Better UX: Organized UI with collapsible sections
- β Custom Scopes: Full OAuth scope customization
- β Group-based Admin Assignment: Automatic admin role based on OAuth groups
- β Login Branding: Configurable login button text
- π Multiple Providers: Support for configuring multiple OAuth providers simultaneously
- π Dynamic Login Branding: Login page integration for custom button text
- π Advanced Group Mapping: Multiple role assignments beyond admin/user (e.g., editor, viewer roles)
- π Session Management: Enhanced session timeout and refresh token handling
- π Audit Logging: Detailed OAuth authentication logging
This documentation covers CWA's enhanced OAuth implementation. For additional help, please visit our Discord community or check the GitHub repository.