Comments (28)

SangeloDev avatar SangeloDev commented on May 28, 2024 2

Okay! That worked! Thanks a bunch! 🎉
I currently don't have a mail server set up, which is why I didn't think of that. This is all on me, thanks again for helping and being quick to answer!
Just one more thing, after logging in, I can't seem to create any boards and projects. Where can I configure user permissions if I need to?

(screenshot)

from planka.

meltyshev avatar meltyshev commented on May 28, 2024 1

Just made a release with OIDC: https://github.com/plankanban/planka/releases/tag/v1.13.0.


meltyshev avatar meltyshev commented on May 28, 2024 1

Hi! If you are getting this error, it's likely that your IDP doesn't support the email or profile scopes.

Please check that they are selected in the provider settings in Authentik:
Providers -> Edit -> Advanced protocol settings -> Scopes

Make sure they're specified in the scopes_supported when requesting https://auth.example.com/application/o/planka/.well-known/openid-configuration.

And also make sure the name and email fields exist in the preview:
Providers -> Select provider -> Preview


SangeloDev avatar SangeloDev commented on May 28, 2024 1

No problem, thanks for clarifying! Yes, I do get this response:
(screenshot)


meltyshev avatar meltyshev commented on May 28, 2024 1

I've checked in the code that the exchange with Authentik is correct, otherwise there will be an Invalid code or nonce error.

The error occurs in this place:

if (!userInfo.email || !userInfo.name) {
  throw 'missingValues';
}

So Authentik responded correctly, but for some reason there is no email or name in the response...

Let's try to check what is in the response by adding logging.

You need to change the docker-compose.yml and replace:

command: >
  bash -c
    "for i in `seq 1 30`; do
      ./start.sh &&
      s=$$? && break || s=$$?;
      echo \"Tried $$i times. Waiting 5 seconds...\";
      sleep 5;
    done; (exit $$s)"

to this:

command: sleep 999999999

Then start the container and connect to it (planka-planka-1 is its name):

docker-compose up -d
docker exec -ti planka-planka-1 /bin/bash

Then add logging and start the server:

sed -i "/throw 'missingValues';/c\sails.log.warn\(JSON.stringify\(userInfo\)\); throw 'missingValues';" /app/api/helpers/users/get-or-create-one-using-oidc.js
./start.sh

The console will display a response coming from Authentik when an error occurs. We can figure out what's missing from it.


meltyshev avatar meltyshev commented on May 28, 2024 1

They have to be administrators just to create a project. So, any user can be assigned as a project manager (in the project settings) and then this user can create boards in it. We have plans to add the ability to create projects for non-admin users (if they are allowed to do so in the settings). Unfortunately there is no way to completely remove the creation of local users yet, but it's a good idea to add that.


SangeloDev avatar SangeloDev commented on May 28, 2024 1

Should I create a separate issue with a feature suggestion for that, then?


SangeloDev avatar SangeloDev commented on May 28, 2024 1

I have created a new issue here:
#532

Thanks a ton for your help and kindness, I greatly appreciate it!


meltyshev avatar meltyshev commented on May 28, 2024

Hi! We still haven't released a version with OIDC, meaning it's only available in ghcr.io/plankanban/planka:dev.
I'm working on pre-release fixes right now, hopefully I'll be able to finalize it soon. You can also use the dev version, but after the full release you'll likely need to make some changes to the database.


SangeloDev avatar SangeloDev commented on May 28, 2024

Hi there! Thanks for the quick response. I'll probably wait it out then, better safe than sorry.
Do you have a rough estimate as to when the release with OIDC support can release? If it's a ways away, I might also just install the dev version.


meltyshev avatar meltyshev commented on May 28, 2024

I really want to do this right today 🙂 But it should definitely be ready this week if something goes wrong today.


SangeloDev avatar SangeloDev commented on May 28, 2024

Oh! That's amazing! I'll wait for the next release then :D
Thanks so much!


SangeloDev avatar SangeloDev commented on May 28, 2024

Hello, thanks a lot for the quick development!
I am having issues still with configuring Authentik to be an OIDC provider. When trying to log in, I get the following message in my browser console (along with an error above the login box stating that there is an unknown error):

XHR POST https://plank.example.com/api/access-tokens/exchange-using-oidc
[HTTP/2 422 Unprocessable Entity 391ms]

Request:  POST https://plank.example.com/api/access-tokens/exchange-using-oidc
Status:   422 Unprocessable Entity
Version:  HTTP/2
Transferred: 423 B (94 B size)
Referrer Policy: strict-origin-when-cross-origin

Response headers:
    alt-svc: h3=":443"; ma=2592000
    content-length: 94
    content-type: application/json; charset=utf-8
    date: Mon, 23 Oct 2023 13:09:16 GMT
    etag: W/"5e-DFl1XIlfWNyVD/aVct4fB0dbggI"
    server: Caddy
    vary: Accept-Encoding
    x-exit: missingValues
    X-Firefox-Spdy: h2
    x-powered-by: Sails <sailsjs.com>

Request headers:
    Accept: */*
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.5
    Connection: keep-alive
    Content-Length: 328
    Content-Type: multipart/form-data; boundary=---------------------------425647258595031226138208945
    Host: plank.example.com
    Origin: https://plank.example.com
    Referer: https://plank.example.com/login
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    TE: trailers
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0

I tried updating my original configuration (see above) using the example provided in the docs as a template. My current config looks like this:

      - OIDC_ISSUER=https://auth.example.com/application/o/planka/
      - OIDC_CLIENT_ID=<client_id>
      - OIDC_CLIENT_SECRET=<client_secret>
      - OIDC_ADMIN_ROLES=authentik-admins
      - OIDC_SCOPES=openid profile email

Am I configuring something wrong? Thanks again for your help thus far!


SangeloDev avatar SangeloDev commented on May 28, 2024

(screenshots)
Yes, the scopes are present and active


meltyshev avatar meltyshev commented on May 28, 2024

Hm... Then that's very strange. Can you show the response of the request to https://plank.example.com/api/access-tokens/exchange-using-oidc, is there Unable to retrieve required values (email, name)? You can check this by opening the Browser console (F12) -> Network.


SangeloDev avatar SangeloDev commented on May 28, 2024

The network tab seems to look fine on this page, except for a 404 code for logo192.png, which seems irrelevant.
The console also only reports this 404 error for the logo. Everything else seems ok.

Network tab looks fine

The page looks like this when I visit it:
(screenshot)
I believe/hope this is normal behaviour for this page


meltyshev avatar meltyshev commented on May 28, 2024

Sorry, I didn't clarify well how it has to be done. Please open Network and click "Login in with SSO" button. When the error is displayed, click the POST exchange-using-oidc line in Network. There should be a preview of the result somewhere (probably "Preview" button) and the error text will be there.


meltyshev avatar meltyshev commented on May 28, 2024

I don't understand why name or email can be missing if everything is configured correctly...

Could you please provide authorizationUrl which is located in the GET config line in Network (you can erase all parts you don't want to show). Or just make sure that the scope= parameter contains openid email profile.


SangeloDev avatar SangeloDev commented on May 28, 2024

authorizationUrl: "https://auth.example.com/application/o/authorize/?client_id=<client_id>&scope=openid%20profile%20email&response_type=code&redirect_uri=https%3A%2F%2Fplank.example.com%2Foidc-callback&response_mode=fragment"

They seem to be included, yes


meltyshev avatar meltyshev commented on May 28, 2024

I can't understand what could be the problem 🙈 Everything seems to be configured correctly. I've tested OIDC through Authentik many times and never had a problem, also checked the code many times and it's definitely because Authentik doesn't return a name or email when requesting userinfo. Maybe there is something wrong with Authentik itself or just some setting missing. I'll try to google a similar problem...


SangeloDev avatar SangeloDev commented on May 28, 2024

Could it be a more underlying problem? Anything I might've misconfigured at e.g. the reverse proxy level? Or possibly deeper?


SangeloDev avatar SangeloDev commented on May 28, 2024

(screenshot)
The line after debug: is what I get when logging in with Authentik.

2023-10-24 18:43:59 [W] [object Object]


meltyshev avatar meltyshev commented on May 28, 2024

Sorry, my bad 🙈 Please execute:

exit
docker-compose down

Then repeat the whole process (I fixed one command in the previous comment).


SangeloDev avatar SangeloDev commented on May 28, 2024

Aha! This time there's more:

2023-10-24 19:16:36 [W] {"email":"","email_verified":true,"name":"Sangelo","given_name":"Sangelo","preferred_username":"sangelo","nickname":"sangelo","groups":["authentik-private","authentik-users"],"sub":"<idk if I should censor or not, but there's a long string here>"}

It seems like Planka gets all the required info? Tell me if you need anything else


meltyshev avatar meltyshev commented on May 28, 2024

Hm, for some reason email is blank, but it's required to create an account in Planka. Is it filled out in Authentik?

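The thread's root cause is an email claim that is present but empty (`"email":""`), which the `!userInfo.email || !userInfo.name` check in Planka treats exactly like a missing claim, and the first debugging attempt logged only `[object Object]`. The following is an added example, not Planka's code, of a log-safe claim check that tells "absent", "empty" and "wrong type" apart without writing claim values or the `sub` identifier to the log; the sample userinfo object is constructed to mirror the shape posted above, with a placeholder subject.

```javascript
// Added example (not Planka's code): classify the claims Planka requires
// from the OIDC userinfo response, so a log line says *why* the check
// `if (!userInfo.email || !userInfo.name) throw 'missingValues'` fired.
// The truthiness test treats a present-but-empty claim ("email": "")
// exactly like an absent one; this helper tells the two cases apart and
// never logs the raw claim values or the `sub` identifier.

const REQUIRED_CLAIMS = ['email', 'name'];

function classifyClaim(userInfo, claim) {
  if (!Object.prototype.hasOwnProperty.call(userInfo, claim)) return 'absent';
  const value = userInfo[claim];
  if (typeof value !== 'string') return 'wrong-type';
  if (value.trim() === '') return 'empty';
  return 'ok';
}

// Returns { ok, problems }, where problems maps each failing claim to its state.
function checkRequiredClaims(userInfo) {
  const problems = {};
  for (const claim of REQUIRED_CLAIMS) {
    const state = classifyClaim(userInfo, claim);
    if (state !== 'ok') problems[claim] = state;
  }
  return { ok: Object.keys(problems).length === 0, problems };
}

// Log-safe summary: claim names and states only, never the values.
function describeUserInfo(userInfo) {
  const { ok, problems } = checkRequiredClaims(userInfo);
  return { ok, returnedClaims: Object.keys(userInfo).sort(), problems };
}

// Constructed sample mirroring the userinfo shape posted in the thread:
// the IdP returned an email claim, but its value is an empty string.
const sampleUserInfo = {
  email: '',
  email_verified: true,
  name: 'Sangelo',
  preferred_username: 'sangelo',
  groups: ['authentik-private', 'authentik-users'],
  sub: 'SUBJECT-PLACEHOLDER',
};

console.log(JSON.stringify(describeUserInfo(sampleUserInfo)));
```

Running it prints `{"ok":false,"returnedClaims":[...],"problems":{"email":"empty"}}`, which points straight at the unfilled email attribute in the IdP rather than at the scope configuration.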

meltyshev avatar meltyshev commented on May 28, 2024

That's great!

If you are using OIDC, you need to specify the correct admin group in OIDC_ADMIN_ROLES. I see that you have 2 roles ["authentik-private", "authentik-users"], so most likely you need to make OIDC_ADMIN_ROLES=authentik-private.
You can also create an administrator account without using OIDC, you can do this via DEFAULT_ADMIN_* variables.


SangeloDev avatar SangeloDev commented on May 28, 2024

Ah, so all users who need to be able to create boards need to be admins if I understand correctly?
I just don't want any users who may get access to Planka to create any users that are not authenticated using Authentik, aka local users.


meltyshev avatar meltyshev commented on May 28, 2024

Yeah, that's a good idea, I'll add the Enhancement label to it.
