SSO Failure, Keycloak #361

Closed
opened 2026-02-04 18:43:19 +03:00 by OVERLORD · 8 comments

Originally created by @daanbreur on GitHub (Sep 28, 2023).

> If it is a black screen after being redirected to /OidcLogin then it's a configuration issue, and you should have an error in the browser console if you open the dev tools. Usually it's the redirect URL in either Keycloak or the environment variable.
>
> It is definitely working; I tested it with 3 and a half IdPs: Authelia, Authentik and Keycloak. I also did Logto but stopped when it used an opaque token.
> Since this PR is already merged and we're resurrecting a completed PR, if you would like to create an issue or discussion then I will see if I can help out further.

_Originally posted by @jeffreytyler in https://github.com/plankanban/planka/issues/491#issuecomment-1738283877_


@daanbreur commented on GitHub (Sep 28, 2023):

The browser console is definitely empty. Also, the redirect shouldn't be to `/OidcLogin` but to `/oidclogin`, because that's how the path is defined inside the source code. However, I'm getting the same black page with no browser or server error logs with both paths.


@meltyshev commented on GitHub (Sep 29, 2023):

We need to try to reproduce this. Could you show the settings of your Keycloak (of course without private data)?


@daanbreur commented on GitHub (Sep 29, 2023):

![image](https://github.com/plankanban/planka/assets/32175349/d893c1be-da25-42de-903f-5c50d20ca206)
![image](https://github.com/plankanban/planka/assets/32175349/c09526c0-f714-4dda-822c-fdb62d409649)
![image](https://github.com/plankanban/planka/assets/32175349/ba33d1fd-21e4-4d46-8b84-4982751851a7)
![image](https://github.com/plankanban/planka/assets/32175349/bbb47a92-c842-410b-98a8-418831b22d1d)
![image](https://github.com/plankanban/planka/assets/32175349/e350aeda-81c1-47c8-b573-89cc3eecb9a7)
![image](https://github.com/plankanban/planka/assets/32175349/fb14773f-9b5f-4fe3-a01f-bb43c06dd244)

@daanbreur commented on GitHub (Sep 30, 2023):

After digging deep in the network logs, I found

```json
{
    "error": "unauthorized_client",
    "error_description": "Invalid client or Invalid client credentials"
}
```

as the response coming from a request made to Keycloak.
Are you maybe able to share your Keycloak configuration so we can compare?


@gorrilla10101 commented on GitHub (Sep 30, 2023):

On the client in Keycloak, turn client authentication off. Planka uses the authorization code flow with PKCE and logs in from the React app in the browser, so it doesn't use a client secret, and that is what the error you're getting is about.

I believe, will confirm in just a moment, that you need one more mapper to add the audience.

I am working on getting it set back up so I can send you the configuration over as well in just a moment.


@gorrilla10101 commented on GitHub (Sep 30, 2023):

Confirmed working with keycloak.

1. Create a public client by turning off client authentication.
2. Create a scope and mapper that adds an audience.
3. Make sure username, email and name are filled out in Keycloak.
4. Make sure Web Origins is set on the client in Keycloak. This configures CORS.

```sh
OIDC_ISSUER="http://localhost:8080/realms/master"
OIDC_AUDIENCE="planka"
OIDC_CLIENT_ID="planka"
OIDC_ROLES_ATTRIBUTE='groups'
OIDC_ADMIN_ROLES="planka-admin"
OIDC_REDIRECT_URI="http://localhost:3000/OidcLogin"
OIDC_JWKS_URI="http://localhost:8080/realms/master/protocol/openid-connect/certs"
OIDC_SKIP_USER_INFO='false'
OIDC_SCOPES='openid profile email'
```
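An added example (not Planka's or Keycloak's code) that illustrates both the PKCE explanation in the earlier comment and the four-step procedure above: the public-client token request, which carries a `code_verifier` in place of a `client_secret` (the mismatch behind the `unauthorized_client` error), and the issuer/audience/profile claim checks that make the audience mapper and the filled-in user fields necessary. Values come from the working configuration in the thread; the claim names Planka reads are assumed to be Keycloak's defaults (`preferred_username`, `email`, `name`), and the token used for inspection is constructed, not captured.

```python
import base64
import hashlib
import json
import secrets

# Values from the thread's working configuration
ISSUER = "http://localhost:8080/realms/master"    # OIDC_ISSUER
CLIENT_ID = "planka"                              # OIDC_CLIENT_ID
AUDIENCE = "planka"                               # OIDC_AUDIENCE
REDIRECT_URI = "http://localhost:3000/OidcLogin"  # OIDC_REDIRECT_URI

def b64url(raw: bytes) -> str:
    # base64url without padding, as JWTs and PKCE use it
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def new_verifier() -> str:
    # random 43-character PKCE code_verifier (RFC 7636)
    return b64url(secrets.token_bytes(32))

def pkce_challenge(verifier: str) -> str:
    # S256: code_challenge = BASE64URL(SHA-256(code_verifier))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def token_request(code: str, verifier: str) -> dict:
    # Body a public client sends to the token endpoint: the code_verifier
    # takes the place of a client_secret. A Keycloak client with client
    # authentication ON expects a secret here and answers unauthorized_client.
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "code": code, "redirect_uri": REDIRECT_URI, "code_verifier": verifier}

def payload_of(jwt: str) -> dict:
    # Decode the claims segment of a token captured in the network tab
    # (inspection only; the relying party still verifies the signature).
    seg = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def check_claims(claims: dict) -> list:
    # Relying-party checks matching steps 2 and 3 of the procedure. Claim
    # names are Keycloak's defaults; which ones Planka reads is an assumption.
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("issuer mismatch")
    aud = claims.get("aud", [])
    if AUDIENCE not in ([aud] if isinstance(aud, str) else aud):
        problems.append("audience missing: add an audience mapper")
    for field in ("preferred_username", "email", "name"):
        if not claims.get(field):
            problems.append(f"{field} empty: fill it in on the Keycloak user")
    return problems
```

Without the audience mapper a default realm puts only Keycloak's built-in `account` client in `aud`, which `check_claims` reports even though the token itself is valid.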

@daanbreur commented on GitHub (Sep 30, 2023):

Ah, of course. Thank you, I completely forgot client authorization isn't required; on most of my services I enabled that.


@daanbreur commented on GitHub (Sep 30, 2023):

I might make some additional documentation to add this stuff, because more people might forget like I did.

Reference: starred/planka#361