Comments (28)
Okay! That worked! Thanks a bunch! 🎉
I currently don't have a mail server set up, which is why I didn't think of that. This is all on me, thanks again for helping and being quick to answer!
Just one more thing, after logging in, I can't seem to create any boards and projects. Where can I configure user permissions if I need to?
Just made a release with OIDC: https://github.com/plankanban/planka/releases/tag/v1.13.0.
Hi! If you are getting this error, it's likely that your IDP doesn't support the email or profile scopes.
Please check that they are selected in the provider settings in Authentik:
Providers -> Edit -> Advanced protocol settings -> Scopes
Make sure they're specified in the scopes_supported when requesting https://auth.example.com/application/o/planka/.well-known/openid-configuration.
And also make sure the name and email fields exist in the preview:
Providers -> Select provider -> Preview
No problem, thanks for clarifying! Yes, I do get this response:
I've checked in the code that the exchange with Authentik is correct, otherwise there will be an Invalid code or nonce error.
The error occurs in this place:
if (!userInfo.email || !userInfo.name) {
  throw 'missingValues';
}
So Authentik responded correctly, but for some reason there is no email or name in the response...
Let's try to check what is in the response by adding logging.
You need to change the docker-compose.yml
and replace:
command: >
bash -c
"for i in `seq 1 30`; do
./start.sh &&
s=$$? && break || s=$$?;
echo \"Tried $$i times. Waiting 5 seconds...\";
sleep 5;
done; (exit $$s)"
to this:
command: sleep 999999999
Then start the container and connect to it (planka-planka-1 is its name):
docker-compose up -d
docker exec -ti planka-planka-1 /bin/bash
Then add logging and start the server:
sed -i "/throw 'missingValues';/c\sails.log.warn\(JSON.stringify\(userInfo\)\); throw 'missingValues';" /app/api/helpers/users/get-or-create-one-using-oidc.js
./start.sh
The console will display a response coming from Authentik when an error occurs. We can figure out what's missing from it.
They have to be administrators just to create a project. So, any user can be assigned as a project manager (in the project settings) and then this user can create boards in it. We have plans to add the ability to create projects for non-admin users (if they are allowed to do so in the settings). Unfortunately there is no way to completely remove the creation of local users yet, but it's a good idea to add that.
Should I create a separate issue with a feature suggestion for that, then?
I have created a new issue here: #532
Thanks a ton for your help and kindness, I greatly appreciate it!
Hi! We still haven't released a version with OIDC, meaning it's only available in ghcr.io/plankanban/planka:dev.
I'm working on pre-release fixes right now, hopefully I'll be able to finalize it soon. You can also use the dev version, but after the full release you'll likely need to make some changes to the database.
Hi there! Thanks for the quick response. I'll probably wait it out then, better safe than sorry.
Do you have a rough estimate as to when the release with OIDC support can release? If it's a ways away, I might also just install the dev version.
I really want to do this right today 🙂 But it should definitely be ready this week if something goes wrong today.
Oh! That's amazing! I'll wait for the next release then :D
Thanks so much!
Hello, thanks a lot for the quick development!
I am having issues still with configuring Authentik to be an OIDC provider. When trying to log in, I get the following message in my browser console (along with an error above the login box stating that there is an unknown error):
XHR POST https://plank.example.com/api/access-tokens/exchange-using-oidc
[HTTP/2 422 Unprocessable Entity 391ms]

POST https://plank.example.com/api/access-tokens/exchange-using-oidc
Status: 422 Unprocessable Entity
Version: HTTP/2
Transferred: 423 B (94 B size)
Referrer Policy: strict-origin-when-cross-origin

Response headers:
alt-svc: h3=":443"; ma=2592000
content-length: 94
content-type: application/json; charset=utf-8
date: Mon, 23 Oct 2023 13:09:16 GMT
etag: W/"5e-DFl1XIlfWNyVD/aVct4fB0dbggI"
server: Caddy
vary: Accept-Encoding
x-exit: missingValues
X-Firefox-Spdy: h2
x-powered-by: Sails <sailsjs.com>

Request headers:
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Content-Length: 328
Content-Type: multipart/form-data; boundary=---------------------------425647258595031226138208945
Host: plank.example.com
Origin: https://plank.example.com
Referer: https://plank.example.com/login
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
TE: trailers
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0
I tried updating my original configuration (see above) using the example provided in the docs as a template. My current config looks like this:
- OIDC_ISSUER=https://auth.example.com/application/o/planka/
- OIDC_CLIENT_ID=<client_id>
- OIDC_CLIENT_SECRET=<client_secret>
- OIDC_ADMIN_ROLES=authentik-admins
- OIDC_SCOPES=openid profile email
Am I configuring something wrong? Thanks again for your help thus far!
Yes, the scopes are present and active
Hm... Then that's very strange. Can you show the response of the request to https://plank.example.com/api/access-tokens/exchange-using-oidc, is there Unable to retrieve required values (email, name)? You can check this by opening the Browser console (F12) -> Network.
The network tab seems to look fine on this page, except for a 404 code for logo192.png, which seems irrelevant.
The console also only reports this 404 error for the logo. Everything else seems ok.
The page looks like this when I visit it:
I believe/hope this is normal behaviour for this page
Sorry, I didn't clarify well how it has to be done. Please open Network and click "Login in with SSO" button. When the error is displayed, click the POST exchange-using-oidc line in Network. There should be a preview of the result somewhere (probably "Preview" button) and the error text will be there.
I don't understand why name or email can be missing if everything is configured correctly...
Could you please provide authorizationUrl which is located in the GET config line in Network (you can erase all parts you don't want to show). Or just make sure that the scope= parameter contains openid email profile.
authorizationUrl: "https://auth.example.com/application/o/authorize/?client_id=<client_id>&scope=openid%20profile%20email&response_type=code&redirect_uri=https%3A%2F%2Fplank.example.com%2Foidc-callback&response_mode=fragment"
They seem to be included, yes
I can't understand what could be the problem 🙈 Everything seems to be configured correctly. I've tested OIDC through Authentik many times and never had a problem, also checked the code many times and it's definitely because Authentik doesn't return a name or email when requesting userinfo. Maybe there is something wrong with Authentik itself or just some setting missing. I'll try to google a similar problem...
Could it be a more underlying problem? Anything I might've misconfigured at e.g. the reverse proxy level? Or possibly deeper?
The line after debug: is what I get when logging in with Authentik.
2023-10-24 18:43:59 [W] [object Object]
Sorry, my bad 🙈 Please execute:
exit
docker-compose down
Then repeat the whole process (I fixed one command in the previous comment).
Aha! This time there's more:
2023-10-24 19:16:36 [W] {"email":"","email_verified":true,"name":"Sangelo","given_name":"Sangelo","preferred_username":"sangelo","nickname":"sangelo","groups":["authentik-private","authentik-users"],"sub":"<idk if I should censor or not, but there's a long string here>"}
It seems like Planka gets all the required info? Tell me if you need anything else
Hm, for some reason email is blank, but it's required to create an account in Planka. Is it filled out in Authentik?
That's great!
If you are using OIDC, you need to specify the correct admin group in OIDC_ADMIN_ROLES. I see that you have 2 roles ["authentik-private", "authentik-users"], so most likely you need to make OIDC_ADMIN_ROLES=authentik-private.
You can also create an administrator account without using OIDC, you can do this via DEFAULT_ADMIN_* variables.
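Added example, not Planka's code: it reproduces the required-claims check from the debugging comment above (the `!userInfo.email || !userInfo.name` test, which also fires on the empty `"email":""` Authentik returned), reports which claim is missing, logs a redacted summary instead of the raw userinfo JSON, and shows the group-to-admin mapping behind OIDC_ADMIN_ROLES. The separator accepted for OIDC_ADMIN_ROLES and the sample userinfo values are assumptions.

```javascript
// Added example (not Planka's code). Checks an OIDC userinfo response the way
// Planka needs it, but names the missing claim and never logs claim values.
const REQUIRED_CLAIMS = ['email', 'name'];

// A claim is missing when absent, null, or an empty/whitespace string.
// "" is falsy in JS, which is why Planka's `!userInfo.email` check fired on
// the blank email seen in the thread.
function missingClaims(userInfo, required = REQUIRED_CLAIMS) {
  return required.filter((claim) => {
    const value = userInfo[claim];
    return value === undefined || value === null || String(value).trim() === '';
  });
}

// Maps the `groups` claim to an admin decision. OIDC_ADMIN_ROLES is assumed to
// be comma- or whitespace-separated here; that separator is an assumption.
function isAdminByGroups(userInfo, adminRolesEnv) {
  const adminRoles = new Set(String(adminRolesEnv || '').split(/[,\s]+/).filter(Boolean));
  const groups = Array.isArray(userInfo.groups) ? userInfo.groups : [];
  return groups.some((group) => adminRoles.has(group));
}

// Log-safe summary: presence/emptiness per claim, never the values themselves.
function redactedSummary(userInfo) {
  const summary = {};
  for (const [key, value] of Object.entries(userInfo)) {
    if (Array.isArray(value)) summary[key] = `array(${value.length})`;
    else if (value === null || value === undefined) summary[key] = 'absent';
    else if (String(value).trim() === '') summary[key] = 'empty';
    else summary[key] = 'set';
  }
  return summary;
}

// Constructed sample shaped like the userinfo pasted in the thread (values are placeholders).
const SAMPLE_USERINFO = {
  email: '', email_verified: true, name: 'Jane Example', given_name: 'Jane',
  preferred_username: 'jane', nickname: 'jane',
  groups: ['authentik-private', 'authentik-users'], sub: '<placeholder-sub>',
};

const missing = missingClaims(SAMPLE_USERINFO);
if (missing.length > 0) {
  // Equivalent of the sails.log.warn line, without dumping the full response.
  console.warn('OIDC userinfo missing required claims:', missing, redactedSummary(SAMPLE_USERINFO));
}
console.log('admin via OIDC_ADMIN_ROLES=authentik-private:', isAdminByGroups(SAMPLE_USERINFO, 'authentik-private'));
```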
Ah, so all users who need to be able to create boards need to be admins if I understand correctly?
I just don't want any users who may get access to Planka to create any users that are not authenticated using Authentik, aka local users.
Yeah, that's a good idea, I'll add the Enhancement label to it.