Feature Request: Header or env variable based authentication #161

Open
opened 2026-02-04 17:35:17 +03:00 by OVERLORD · 9 comments

Originally created by @Forceu on GitHub (Jan 21, 2022).

It would be amazing if Planka supported either headers or env variables for authentication.

The use case would be SSO software running on the reverse proxy, in my case Authelia with Nginx. I can configure Nginx to set a header or env variable containing the username and one containing the user role. So if Planka checks the header and a user with that username exists, a new session is created.

It would be even better if a new user would automatically be created if the username cannot be found, but that use case would not be super important for me. I already looked through the code, unfortunately I was not able to implement the feature myself.

Thanks!

OVERLORD added the enhancement label 2026-02-04 17:35:17 +03:00

@lorenz commented on GitHub (Feb 16, 2022):

I have started working on OIDC integration in https://github.com/plankanban/planka/pull/203, would this also work for you?


@max-tet commented on GitHub (Feb 20, 2022):

I also would love to have a proxy auth feature and OIDC would not work for me.

I am running Planka behind a Traefik reverse proxy which handles all my authentication needs and can set headers on the requests it passes on. The perfect proxy auth feature for me would work like this:

  1. Start Planka with additional environment variables:
     • containing the name of the initial admin user (e.g. admin=admin_user)
     • enabling proxy auth (e.g. proxy_auth=true)
     • setting the key of the HTTP header that contains the username (e.g. auth_header=X-Authenticated-User)
  2. Configure the reverse proxy to authenticate incoming requests in any way you like.
  3. Let the reverse proxy set X-Authenticated-User to the authenticated username on every request.
  4. Planka treats the requests as if they belong to the appropriate user session.
  5. Bonus: if Planka does not know the username, it creates a new user with that name.

That way, user management could be mostly delegated to the reverse proxy which is extremely helpful if you have multiple apps behind the same proxy and want to take care of user management only once.

Edit: BTW, I am using Planka for this product (https://getportal.org/). Since this is a single-user platform, users really should see no login screen at all, not even for SSO.

Thanks a lot!
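
One way the header check proposed in the comment above could be gated, as an added example (not Planka's code and not from the commenter): the header is honoured only when the connection comes from the reverse proxy. The `trustedProxies` setting, the username pattern and the sample addresses are assumptions made for the illustration.

```javascript
// Added example, not Planka code. Field names mirror the env variables proposed
// above; trustedProxies and the username pattern are assumptions.
const config = {
  proxyAuth: true,                          // proxy_auth=true
  authHeader: 'x-authenticated-user',       // auth_header (Node lower-cases names)
  admin: 'admin_user',                      // admin=admin_user
  trustedProxies: new Set(['172.18.0.2']),  // constructed address of the proxy
};
const USERNAME_RE = /^[a-z0-9][a-z0-9_.-]{1,31}$/i;

// Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d
function peerAddress(req) {
  return (req.socket.remoteAddress || '').replace(/^::ffff:/i, '');
}

function deny(status, reason) {
  return { ok: false, status, reason };
}

// Decide whether a request may be treated as the user named in the header.
function resolveProxyUser(req, users, cfg = config) {
  if (!cfg.proxyAuth) return deny(401, 'proxy auth disabled');
  // The header is only meaningful when the TCP peer is the proxy itself.
  if (!cfg.trustedProxies.has(peerAddress(req))) return deny(403, 'untrusted peer');
  const raw = req.headers[cfg.authHeader];
  // Node joins a repeated header into "a, b"; the pattern rejects that form.
  if (typeof raw !== 'string' || !USERNAME_RE.test(raw)) {
    return deny(401, 'missing or malformed header');
  }
  const username = raw.toLowerCase();
  let user = users.get(username);
  if (!user) { // the "bonus" step: create unknown users on first sight
    user = { username, isAdmin: username === cfg.admin.toLowerCase() };
    users.set(username, user);
  }
  return { ok: true, status: 200, user };
}

// Constructed requests: via the proxy, direct to the app, repeated header.
function demo() {
  const users = new Map();
  const req = (addr, value) =>
    ({ socket: { remoteAddress: addr }, headers: { 'x-authenticated-user': value } });
  return [
    resolveProxyUser(req('::ffff:172.18.0.2', 'alice'), users).status,
    resolveProxyUser(req('203.0.113.9', 'admin_user'), users).status,
    resolveProxyUser(req('172.18.0.2', 'alice, admin_user'), users).status,
  ];
}
console.log(demo());
```

The reverse proxy also has to overwrite or strip any client-supplied X-Authenticated-User before setting its own value.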


@Forceu commented on GitHub (Feb 20, 2022):

Yes, I have a similar setup and although OIDC would already make it easier, header authentication would be even better! If I can help in any way let me know!


@prologic commented on GitHub (Jul 22, 2023):

I'd also like proxy auth via HTTP trusted header/proxies as well. I'd love to put Authelia in front of this 👌


@saadqaz1 commented on GitHub (Feb 27, 2024):

> I'd also like proxy auth via HTTP trusted header/proxies as well. I'd love to put Authelia in front of this 👌

I'm using Traefik and Authelia as an OIDC provider for Planka and SSO works great but for some reason the 'OIDC_ROLES_ATTRIBUTE' config doesn't seem to work for me when I try setting it to '=admin' then creating a LLDAP group called 'admin' and adding the user.

The user just has read only access so I have to add that user to each project/board via the default admin.


@oomenit commented on GitHub (May 24, 2024):

> > I'd also like proxy auth via HTTP trusted header/proxies as well. I'd love to put Authelia in front of this 👌
>
> I'm using Traefik and Authelia as an OIDC provider for Planka and SSO works great but for some reason the 'OIDC_ROLES_ATTRIBUTE' config doesn't seem to work for me when I try setting it to '=admin' then creating a LLDAP group called 'admin' and adding the user.
>
> The user just has read only access so I have to add that user to each project/board via the default admin.

Could you comment how you got Authelia working? I have followed the OIDC guide but Planka keeps giving me an 'unknown' error with no logging at all when trying to login with SSO.

My Authelia config:

    - client_id: authelia-planka
      client_name: Planka
      client_secret: {KEY}
      authorization_policy: two_factor
      public: false
      consent_mode: implicit
      audience: []
      scopes:
        - openid
        - profile
        - email
      userinfo_signed_response_alg: none
      redirect_uris:
        - https://DOMAIN/oidc-callback

and my docker-compose for Planka:

  - OIDC_ISSUER=URL AUTHEILIA
  - OIDC_CLIENT_ID=authelia-planka
  - OIDC_CLIENT_SECRET={KEY}
  - OIDC_SCOPES=openid email profile
  - OIDC_EMAIL_ATTRIBUTE=email
  - OIDC_NAME_ATTRIBUTE=name
  - OIDC_USERNAME_ATTRIBUTE=preferred_username
  - OIDC_ROLES_ATTRIBUTE=groups
  - OIDC_ENFORCED=false

But I keep getting:

[image: https://github.com/plankanban/planka/assets/51238122/1b3b94e3-d325-4742-bd1b-933d0ea3d406]


@saadqaz1 commented on GitHub (Jul 7, 2024):

> > > I'd also like proxy auth via HTTP trusted header/proxies as well. I'd love to put Authelia in front of this 👌
> >
> > I'm using Traefik and Authelia as an OIDC provider for Planka and SSO works great but for some reason the 'OIDC_ROLES_ATTRIBUTE' config doesn't seem to work for me when I try setting it to '=admin' then creating a LLDAP group called 'admin' and adding the user.
> >
> > The user just has read only access so I have to add that user to each project/board via the default admin.
>
> Could you comment how you got Authelia working? I have followed the OIDC guide but Planka keeps giving me an 'unknown' error with no logging at all when trying to login with SSO.
>
> My Authelia config:
>
>     - client_id: authelia-planka
>       client_name: Planka
>       client_secret: {KEY}
>       authorization_policy: two_factor
>       public: false
>       consent_mode: implicit
>       audience: []
>       scopes:
>         - openid
>         - profile
>         - email
>       userinfo_signed_response_alg: none
>       redirect_uris:
>         - https://DOMAIN/oidc-callback
>
> and my docker-compose for Planka:
>
>     - OIDC_ISSUER=URL AUTHEILIA
>     - OIDC_CLIENT_ID=authelia-planka
>     - OIDC_CLIENT_SECRET={KEY}
>     - OIDC_SCOPES=openid email profile
>     - OIDC_EMAIL_ATTRIBUTE=email
>     - OIDC_NAME_ATTRIBUTE=name
>     - OIDC_USERNAME_ATTRIBUTE=preferred_username
>     - OIDC_ROLES_ATTRIBUTE=groups
>     - OIDC_ENFORCED=false
>
> But I keep getting:
>
> [image: https://github.com/plankanban/planka/assets/51238122/1b3b94e3-d325-4742-bd1b-933d0ea3d406]

This is my authelia config:

    clients:
      - id: planka
        description: Planka
        secret: my_secret
        #sector_identifier: ''
        #public: false
        authorization_policy: one_factor
        pre_configured_consent_duration: 1w
        #audience: []
        #scopes:
        #  - uid
        #  - groups
        #  - email
        #  - profile
        redirect_uris:
          - https://planka.local/oidc-callback

And my planka config:

    - OIDC_ISSUER=https://authelia.local
    - OIDC_CLIENT_ID=planka
    - OIDC_CLIENT_SECRET=my_secret
    - OIDC_SCOPES=openid email profile
    - OIDC_ADMIN_ROLES=admin
    # - OIDC_EMAIL_ATTRIBUTE=email
    # - OIDC_NAME_ATTRIBUTE=name
    # - OIDC_USERNAME_ATTRIBUTE=preferred_username
    - OIDC_ROLES_ATTRIBUTE=groups
    # - OIDC_IGNORE_USERNAME=true
    - OIDC_IGNORE_ROLES=true
    # - OIDC_ENFORCED=true


@rcosta-uk commented on GitHub (Nov 22, 2024):

Old post but hey, here it is:
Hi, I got the same error myself. After looking into the Authelia logs I found that it was necessary to specify the response type config on the Authelia side:
https://www.authelia.com/configuration/identity-providers/openid-connect/clients/#response_types

        response_modes:
          - 'fragment'

Worked after that!

Regards


@dakky commented on GitHub (Aug 5, 2025):

> > I'd also like proxy auth via HTTP trusted header/proxies as well. I'd love to put Authelia in front of this 👌
>
> I'm using Traefik and Authelia as an OIDC provider for Planka and SSO works great but for some reason the 'OIDC_ROLES_ATTRIBUTE' config doesn't seem to work for me when I try setting it to '=admin' then creating a LLDAP group called 'admin' and adding the user.
>
> The user just has read only access so I have to add that user to each project/board via the default admin.

Did you manage to fix this issue? Login works but the user still only has read permissions.

Authelia database:

    users:
      XXX: ## Username
        displayname: 'XXX'
        password: 'XXX'
        email: 'XXX'
        preferred_username: 'XXX'
        groups:
          - 'admin'

Authelia OIDC client config:

        scopes:
          - openid
          - profile
          - email
          - groups

and in Planka:

    OIDC_ADMIN_ROLES=admin

Reference: starred/planka#161