Difficulties setting up SSO #364

New Issue

Closed

opened 2026-02-04 18:45:58 +03:00 by OVERLORD · 28 comments

OVERLORD commented 2026-02-04 18:45:58 +03:00

Owner

Copy Link

Originally created by @SangeloDev on GitHub (Oct 16, 2023).

Hello there, I have difficulties setting up OIDC SSO with Authentik for Planka, I've tried following the example in the docs, but it's a bit hard for me to understand what I should do exactly.
Here's my current docker compose as a reference, with some infos redacted out:

version: '3'

services:
  planka:
    image: ghcr.io/plankanban/planka:latest
    command: >
      bash -c
        "for i in `seq 1 30`; do
          ./start.sh &&
          s=$$? && break || s=$$?;
          echo \"Tried $$i times. Waiting 5 seconds...\";
          sleep 5;
        done; (exit $$s)"
    restart: unless-stopped
    volumes:
      - user-avatars:/app/public/user-avatars
      - project-background-images:/app/public/project-background-images
      - attachments:/app/private/attachments
    ports:
      - 3000:1337
    environment:
      - BASE_URL=https://planka.example.com
      - TRUST_PROXY=0
      - DATABASE_URL=postgresql://postgres@postgres/planka
      - SECRET_KEY=<secret>

      - OIDC_ISSUER=https://auth.example.com/application/o/planka/
      - OIDC_AUDIENCE=<client_id>
      - OIDC_CLIENT_ID=<client_id>
      - OIDC_ROLES_ATTRIBUTE=groups
      - OIDC_ADMIN_ROLES=authentik-admins
      - OIDC_REDIRECT_URI=http://planka.example.com/OidcLogin
      - OIDC_JWKS_URI=https://auth.example.com/application/o/planka/jwks/
      - OIDC_SKIP_USER_INFO=false
      - OIDC_SCOPES=openid profile email

      # related: https://github.com/knex/knex/issues/2354
      # As knex does not pass query parameters from the connection string we
      # have to use environment variables in order to pass the desired values, e.g.
      # - PGSSLMODE=<value>

      # Configure knex to accept SSL certificates
      # - KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false
    depends_on:
      - postgres

  postgres:
    image: postgres:14-alpine
    restart: unless-stopped
    volumes:
      - db-data:/var/lib/postgresql/data
    environment:
      - POSTGRES_DB=planka
      - POSTGRES_HOST_AUTH_METHOD=trust

volumes:
  user-avatars:
  project-background-images:
  attachments:
  db-data:

What I am seeing on the login page:

• Nothing, upon a container restart with docker-compose down && docker-compose up -d, normal login page
• No relevant logs

What exactly should be happening? Have I configured something wrong?
Thanks for the help in advance, cheers!

Originally created by @SangeloDev on GitHub (Oct 16, 2023). Hello there, I have difficulties setting up OIDC SSO with Authentik for Planka, I've tried following the example in the docs, but it's a bit hard for me to understand what I should do exactly. Here's my current docker compose as a reference, with some infos redacted out: ```yaml version: '3' services: planka: image: ghcr.io/plankanban/planka:latest command: > bash -c "for i in `seq 1 30`; do ./start.sh && s=$$? && break || s=$$?; echo \"Tried $$i times. Waiting 5 seconds...\"; sleep 5; done; (exit $$s)" restart: unless-stopped volumes: - user-avatars:/app/public/user-avatars - project-background-images:/app/public/project-background-images - attachments:/app/private/attachments ports: - 3000:1337 environment: - BASE_URL=https://planka.example.com - TRUST_PROXY=0 - DATABASE_URL=postgresql://postgres@postgres/planka - SECRET_KEY=<secret> - OIDC_ISSUER=https://auth.example.com/application/o/planka/ - OIDC_AUDIENCE=<client_id> - OIDC_CLIENT_ID=<client_id> - OIDC_ROLES_ATTRIBUTE=groups - OIDC_ADMIN_ROLES=authentik-admins - OIDC_REDIRECT_URI=http://planka.example.com/OidcLogin - OIDC_JWKS_URI=https://auth.example.com/application/o/planka/jwks/ - OIDC_SKIP_USER_INFO=false - OIDC_SCOPES=openid profile email # related: https://github.com/knex/knex/issues/2354 # As knex does not pass query parameters from the connection string we # have to use environment variables in order to pass the desired values, e.g. # - PGSSLMODE=<value> # Configure knex to accept SSL certificates # - KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false depends_on: - postgres postgres: image: postgres:14-alpine restart: unless-stopped volumes: - db-data:/var/lib/postgresql/data environment: - POSTGRES_DB=planka - POSTGRES_HOST_AUTH_METHOD=trust volumes: user-avatars: project-background-images: attachments: db-data: ``` What I am seeing on the login page: - Nothing, upon a container restart with docker-compose down && docker-compose up -d, normal login page - No relevant logs What exactly should be happening? Have I configured something wrong? Thanks for the help in advance, cheers!

OVERLORD added the help wanted label 2026-02-04 18:45:58 +03:00

OVERLORD closed this issue 2026-02-04 18:46:04 +03:00

OVERLORD commented 2026-02-04 18:46:07 +03:00

Author

Owner

Copy Link

@meltyshev commented on GitHub (Oct 16, 2023):

Hi! We still haven't released a version with OIDC, meaning it's only available in ghcr.io/plankanban/planka:dev.
I'm working on pre-release fixes right now, hopefully I'll be able to finalize it soon. You can also use the dev version, but after the full release you'll likely need to make some changes to the database.

@meltyshev commented on GitHub (Oct 16, 2023): Hi! We still haven't released a version with OIDC, meaning it's only available in [ghcr.io/plankanban/planka:dev](https://github.com/plankanban/planka/pkgs/container/planka/132984043?tag=dev). I'm working on pre-release fixes right now, hopefully I'll be able to finalize it soon. You can also use the dev version, but after the full release you'll likely need to make some changes to the database.

OVERLORD commented 2026-02-04 18:46:09 +03:00

Author

Owner

Copy Link

@SangeloDev commented on GitHub (Oct 16, 2023):

Hi there! Thanks for the quick response. I'll probably wait it out then, better safe than sorry
Do you have a rough estimate as to when the release with OIDC support can release? If it's ways away, I might also just install the dev version

@SangeloDev commented on GitHub (Oct 16, 2023): Hi there! Thanks for the quick response. I'll probably wait it out then, better safe than sorry Do you have a rough estimate as to when the release with OIDC support can release? If it's ways away, I might also just install the dev version

OVERLORD commented 2026-02-04 18:46:12 +03:00

Author

Owner

Copy Link

@meltyshev commented on GitHub (Oct 16, 2023):

I really want to do this right today 🙂 But it should definitely be ready this week if something goes wrong today.

@meltyshev commented on GitHub (Oct 16, 2023): I really want to do this right today 🙂 But it should definitely be ready this week if something goes wrong today.

OVERLORD commented 2026-02-04 18:46:22 +03:00

Author

Owner

Copy Link

@SangeloDev commented on GitHub (Oct 16, 2023):

Oh! That's amazing! I'll wait for the next release then :D
Thanks so much!

@SangeloDev commented on GitHub (Oct 16, 2023): Oh! That's amazing! I'll wait for the next release then :D Thanks so much!

OVERLORD commented 2026-02-04 18:46:24 +03:00

Author

Owner

Copy Link

@meltyshev commented on GitHub (Oct 17, 2023):

Just made a release with OIDC: https://github.com/plankanban/planka/releases/tag/v1.13.0.

@meltyshev commented on GitHub (Oct 17, 2023): Just made a release with OIDC: https://github.com/plankanban/planka/releases/tag/v1.13.0.

OVERLORD commented 2026-02-04 18:46:28 +03:00

Author

Owner

Copy Link

@SangeloDev commented on GitHub (Oct 23, 2023):

Hello, thanks a lot for the quick development!
I am having issues still with configuring Authentik to be an OIDC provider. When trying to log in, I get the following message in my browser console (along with an error above the login box stating that there is an unknown error):

XHRPOST
https://plank.example.com/api/access-tokens/exchange-using-oidc
[HTTP/2 422 Unprocessable Entity 391ms]

	
POST
	https://plank.example.com/api/access-tokens/exchange-using-oidc
Status
422
Unprocessable Entity
VersionHTTP/2
Transferred423 B (94 B size)
Referrer Policystrict-origin-when-cross-origin

    	
    alt-svc
    	h3=":443"; ma=2592000
    content-length
    	94
    content-type
    	application/json; charset=utf-8
    date
    	Mon, 23 Oct 2023 13:09:16 GMT
    etag
    	W/"5e-DFl1XIlfWNyVD/aVct4fB0dbggI"
    server
    	Caddy
    vary
    	Accept-Encoding
    x-exit
    	missingValues
    X-Firefox-Spdy
    	h2
    x-powered-by
    	Sails <sailsjs.com>
    	
    Accept
    	*/*
    Accept-Encoding
    	gzip, deflate, br
    Accept-Language
    	en-US,en;q=0.5
    Connection
    	keep-alive
    Content-Length
    	328
    Content-Type
    	multipart/form-data; boundary=---------------------------425647258595031226138208945
    Host
    	plank.example.com
    Origin
    	https://plank.example.com
    Referer
    	https://plank.example.com/login
    Sec-Fetch-Dest
    	empty
    Sec-Fetch-Mode
    	cors
    Sec-Fetch-Site
    	same-origin
    TE
    	trailers
    User-Agent
    	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0

I tried updating my original configuration (see above) using the example provided in the docs as a template. My current config looks like this:

      - OIDC_ISSUER=https://auth.example.com/application/o/planka/
      - OIDC_CLIENT_ID=<client_id>
      - OIDC_CLIENT_SECRET=<client_secret>
      - OIDC_ADMIN_ROLES=authentik-admins
      - OIDC_SCOPES=openid profile email

Am I configuring something wrong? Thanks again for your help thus far!

@SangeloDev commented on GitHub (Oct 23, 2023): Hello, thanks a lot for the quick development! I am having issues still with configuring Authentik to be an OIDC provider. When trying to log in, I get the following message in my browser console (along with an error above the login box stating that there is an unknown error): ``` XHRPOST https://plank.example.com/api/access-tokens/exchange-using-oidc [HTTP/2 422 Unprocessable Entity 391ms] POST https://plank.example.com/api/access-tokens/exchange-using-oidc Status 422 Unprocessable Entity VersionHTTP/2 Transferred423 B (94 B size) Referrer Policystrict-origin-when-cross-origin alt-svc h3=":443"; ma=2592000 content-length 94 content-type application/json; charset=utf-8 date Mon, 23 Oct 2023 13:09:16 GMT etag W/"5e-DFl1XIlfWNyVD/aVct4fB0dbggI" server Caddy vary Accept-Encoding x-exit missingValues X-Firefox-Spdy h2 x-powered-by Sails <sailsjs.com> Accept */* Accept-Encoding gzip, deflate, br Accept-Language en-US,en;q=0.5 Connection keep-alive Content-Length 328 Content-Type multipart/form-data; boundary=---------------------------425647258595031226138208945 Host plank.example.com Origin https://plank.example.com Referer https://plank.example.com/login Sec-Fetch-Dest empty Sec-Fetch-Mode cors Sec-Fetch-Site same-origin TE trailers User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0 ``` I tried updating my original configuration (see above) using the example provided in the docs as a template. My current config looks like this: ```yaml - OIDC_ISSUER=https://auth.example.com/application/o/planka/ - OIDC_CLIENT_ID=<client_id> - OIDC_CLIENT_SECRET=<client_secret> - OIDC_ADMIN_ROLES=authentik-admins - OIDC_SCOPES=openid profile email ``` Am I configuring something wrong? Thanks again for your help thus far!

OVERLORD commented 2026-02-04 18:46:31 +03:00

Author

Owner

Copy Link

@meltyshev commented on GitHub (Oct 23, 2023):

Hi! If you are getting this error, it's likely that your IDP doesn't support the email or profile scopes.

Please check that they are selected in the provider settings in Authentik:
Providers -> Edit -> Advanced protocol settings -> Scopes

Make sure they're specified in the scopes_supported when requesting https://auth.example.com/application/o/planka/.well-known/openid-configuration.

And also make sure the name and email fields exist in the preview:
Providers -> Select provider -> Preview

@meltyshev commented on GitHub (Oct 23, 2023): Hi! If you are getting this error, it's likely that your IDP doesn't support the `email` or `profile` scopes. Please check that they are selected in the provider settings in Authentik: Providers -> Edit -> Advanced protocol settings -> Scopes Make sure they're specified in the `scopes_supported` when requesting https://auth.example.com/application/o/planka/.well-known/openid-configuration. And also make sure the `name` and `email` fields exist in the preview: Providers -> Select provider -> Preview

OVERLORD commented 2026-02-04 18:46:41 +03:00

Author

Owner

Copy Link

@SangeloDev commented on GitHub (Oct 23, 2023):

Yes, the scopes are present and active

@SangeloDev commented on GitHub (Oct 23, 2023):    Yes, the scopes are present and active

OVERLORD commented 2026-02-04 18:46:45 +03:00

Author

Owner

Copy Link

@meltyshev commented on GitHub (Oct 23, 2023):

Hm... Then that's very strange. Can you show the response of the request to https://plank.example.com/api/access-tokens/exchange-using-oidc, is there Unable to retrieve required values (email, name)? You can check this by opening the Browser console (F12) -> Network.

@meltyshev commented on GitHub (Oct 23, 2023): Hm... Then that's very strange. Can you show the response of the request to https://plank.example.com/api/access-tokens/exchange-using-oidc, is there `Unable to retrieve required values (email, name)`? You can check this by opening the Browser console (F12) -> Network.

OVERLORD commented 2026-02-04 18:46:49 +03:00

Author

Owner

Copy Link

@SangeloDev commented on GitHub (Oct 24, 2023):

The network tab seems to look fine on this page, except for a 404 code for logo192.png, which seems irrelevant.
The console also only reports this 404 error for the logo. Everything else seems ok.

The page looks like this when I visit it:

I believe/hope this is normal behaviour for this page

@SangeloDev commented on GitHub (Oct 24, 2023): The network tab seems to look fine on this page, except for a 404 code for logo192.png, which seems irrelevant. The console also only reports this 404 error for the logo. Everything else seems ok. <img width="791" alt="Network tab looks fine" src="https://github.com/plankanban/planka/assets/47925793/68bdb0c0-8fbc-40e2-a131-9a4257090682"> The page looks like this when I visit it: <img width="715" alt="image" src="https://github.com/plankanban/planka/assets/47925793/f9e2ad8e-d525-428f-9954-4e5b77548187"> I believe/hope this is normal behaviour for this page

OVERLORD commented 2026-02-04 18:46:55 +03:00

Author

Owner

Copy Link

@meltyshev commented on GitHub (Oct 24, 2023):

Sorry, I didn't clarify well how it has to be done. Please open Network and click "Login in with SSO" button. When the error is displayed, click the POST exchange-using-oidc line in Network. There should be a preview of the result somewhere (probably "Preview" button) and the error text will be there.

@meltyshev commented on GitHub (Oct 24, 2023): Sorry, I didn't clarify well how it has to be done. Please open Network and click "Login in with SSO" button. When the error is displayed, click the `POST exchange-using-oidc` line in Network. There should be a preview of the result somewhere (probably "Preview" button) and the error text will be there.

OVERLORD commented 2026-02-04 18:47:07 +03:00

Author

Owner

Copy Link

@SangeloDev commented on GitHub (Oct 24, 2023):

No problem, thanks for clarifying! Yes, I do get this response:

@SangeloDev commented on GitHub (Oct 24, 2023): No problem, thanks for clarifying! Yes, I do get this response: 

OVERLORD commented 2026-02-04 18:47:13 +03:00

Author

Owner

Copy Link

@meltyshev commented on GitHub (Oct 24, 2023):

I don't understand why name or email can be missing if everything is configured correctly...

Could you please provide authorizationUrl which is located in the GET config line in Network (you can erase all parts you don't want to show). Or just make sure that the scope= parameter contains openid email profile.

@meltyshev commented on GitHub (Oct 24, 2023): I don't understand why `name` or `email` can be missing if everything is configured correctly... Could you please provide `authorizationUrl` which is located in the `GET config` line in Network (you can erase all parts you don't want to show). Or just make sure that the `scope=` parameter contains `openid email profile`.

OVERLORD commented 2026-02-04 18:47:20 +03:00

Author

Owner

Copy Link

@SangeloDev commented on GitHub (Oct 24, 2023):

authorizationUrl:  "https://auth.example.com/application/o/authorize/?client_id=<client_id>&scope=openid%20profile%20email&response_type=code&redirect_uri=https%3A%2F%2Fplank.example.com%2Foidc-callback&response_mode=fragment"

They seem to be included, yes

@SangeloDev commented on GitHub (Oct 24, 2023): ``` authorizationUrl: "https://auth.example.com/application/o/authorize/?client_id=<client_id>&scope=openid%20profile%20email&response_type=code&redirect_uri=https%3A%2F%2Fplank.example.com%2Foidc-callback&response_mode=fragment" ``` They seem to be included, yes

OVERLORD commented 2026-02-04 18:47:22 +03:00

Author

Owner

Copy Link

@meltyshev commented on GitHub (Oct 24, 2023):

I can't understand what could be the problem 🙈 Everything seems to be configured correctly. I've tested OIDC through Authentik many times and never had a problem, also checked the code many times and it's definitely because Authentik doesn't return a name or email when requesting userinfo. Maybe there is something wrong with Authentik itself or just some setting missing. I'll try to google a similar problem...

@meltyshev commented on GitHub (Oct 24, 2023): I can't understand what could be the problem 🙈 Everything seems to be configured correctly. I've tested OIDC through Authentik many times and never had a problem, also checked the code many times and it's definitely because Authentik doesn't return a name or email when requesting userinfo. Maybe there is something wrong with Authentik itself or just some setting missing. I'll try to google a similar problem...

OVERLORD commented 2026-02-04 18:47:28 +03:00

Author

Owner

Copy Link

@SangeloDev commented on GitHub (Oct 24, 2023):

Could it be a more underlying problem? Anything I might've misconfigured at e.g. the reverse proxy level? Or possibly deeper?

@SangeloDev commented on GitHub (Oct 24, 2023): Could it be a more underlying problem? Anything I might've misconfigured at e.g. the reverse proxy level? Or possibly deeper?

OVERLORD commented 2026-02-04 18:47:35 +03:00

Author

Owner

Copy Link

@meltyshev commented on GitHub (Oct 24, 2023):

I've checked in the code that the exchange with Authentik is correct, otherwise there will be an Invalid code or nonce error.

The error occurs in this place:

if (!userInfo.email || !userInfo.name) {
  throw 'missingValues';
}

So Authentik responded correctly, but for some reason there is no email or name in the response...

Let's try to check what is in the response by adding logging.

You need to change the docker-compose.yml and replace:

command: >
  bash -c
    "for i in `seq 1 30`; do
      ./start.sh &&
      s=$$? && break || s=$$?;
      echo \"Tried $$i times. Waiting 5 seconds...\";
      sleep 5;
    done; (exit $$s)"

to this:

command: sleep 999999999

Then start the container and connect to it (planka-planka-1 is its name):

docker-compose up -d
docker exec -ti planka-planka-1 /bin/bash

Then add logging and start the server:

sed -i "/throw 'missingValues';/c\sails.log.warn\(JSON.stringify\(userInfo\)\); throw 'missingValues';" /app/api/helpers/users/get-or-create-one-using-oidc.js
./start.sh

The console will display a response coming from Authentik when an error occurs. We can figure out what's missing from it.

@meltyshev commented on GitHub (Oct 24, 2023): I've checked in the code that the exchange with Authentik is correct, otherwise there will be an `Invalid code or nonce` error. The error occurs in this place: ``` if (!userInfo.email || !userInfo.name) { throw 'missingValues'; } ``` So Authentik responded correctly, but for some reason there is no `email` or `name` in the response... Let's try to check what is in the response by adding logging. You need to change the `docker-compose.yml` and replace: ``` command: > bash -c "for i in `seq 1 30`; do ./start.sh && s=$$? && break || s=$$?; echo \"Tried $$i times. Waiting 5 seconds...\"; sleep 5; done; (exit $$s)" ``` to this: ``` command: sleep 999999999 ``` Then start the container and connect to it (`planka-planka-1` is its name): ``` docker-compose up -d docker exec -ti planka-planka-1 /bin/bash ``` Then add logging and start the server: ``` sed -i "/throw 'missingValues';/c\sails.log.warn\(JSON.stringify\(userInfo\)\); throw 'missingValues';" /app/api/helpers/users/get-or-create-one-using-oidc.js ./start.sh ``` The console will display a response coming from Authentik when an error occurs. We can figure out what's missing from it.

OVERLORD commented 2026-02-04 18:47:43 +03:00

Author

Owner

Copy Link

@SangeloDev commented on GitHub (Oct 24, 2023):

The line after debug: is what I get when logging in with Authentik.

2023-10-24 18:43:59 [W] [object Object]

@SangeloDev commented on GitHub (Oct 24, 2023):  The line after `debug:` is what I get when logging in with Authentik. ``` 2023-10-24 18:43:59 [W] [object Object] ```

OVERLORD commented 2026-02-04 18:47:49 +03:00

Author

Owner

Copy Link

@meltyshev commented on GitHub (Oct 24, 2023):

Sorry, my bad 🙈 Please execute:

exit
docker-compose down

Then repeat the whole process (I fixed one command in the previous comment).

@meltyshev commented on GitHub (Oct 24, 2023): Sorry, my bad 🙈 Please execute: ``` exit docker-compose down ``` Then repeat the whole process (I fixed one command in the previous comment).

OVERLORD commented 2026-02-04 18:47:58 +03:00

Author

Owner

Copy Link

@SangeloDev commented on GitHub (Oct 24, 2023):

Aha! This time there's more:

2023-10-24 19:16:36 [W] {"email":"","email_verified":true,"name":"Sangelo","given_name":"Sangelo","preferred_username":"sangelo","nickname":"sangelo","groups":["authentik-private","authentik-users"],"sub":"<idk if I should censor or not, but there's a long string here>"}

It seems like Planka gets all the required info? Tell me if you need anything else

@SangeloDev commented on GitHub (Oct 24, 2023): Aha! This time there's more: ``` 2023-10-24 19:16:36 [W] {"email":"","email_verified":true,"name":"Sangelo","given_name":"Sangelo","preferred_username":"sangelo","nickname":"sangelo","groups":["authentik-private","authentik-users"],"sub":"<idk if I should censor or not, but there's a long string here>"} ``` It seems like Planka gets all the required info? Tell me if you need anything else

OVERLORD commented 2026-02-04 18:48:04 +03:00

Author

Owner

Copy Link

@meltyshev commented on GitHub (Oct 24, 2023):

Hm, for some reason email is blank, but it's required to create an account in Planka. Is it filled out in Authentik?

@meltyshev commented on GitHub (Oct 24, 2023): Hm, for some reason `email` is blank, but it's required to create an account in Planka. Is it filled out in Authentik?

OVERLORD commented 2026-02-04 18:48:09 +03:00

Author

Owner

Copy Link

@SangeloDev commented on GitHub (Oct 24, 2023):

Okay! That worked! Thanks a bunch! 🎉
I currently don't have a mail server set up, which is why I didn't think of that. This is all on me, thanks again for helping and being quick to answer!
Just one more thing, after logging in, I can't seem to create any boards and projects. Where can I configure user permissions if I need to?

@SangeloDev commented on GitHub (Oct 24, 2023): Okay! That worked! Thanks a bunch! 🎉 I currently don't have a mail server set up, which is why I didn't think of that. This is all on me, thanks again for helping and being quick to answer! Just one more thing, after logging in, I can't seem to create any boards and projects. Where can I configure user permissions if I need to? 

OVERLORD commented 2026-02-04 18:48:15 +03:00

Author

Owner

Copy Link

@meltyshev commented on GitHub (Oct 24, 2023):

That's great!

If you are using OIDC, you need to specify the correct admin group in OIDC_ADMIN_ROLES. I see that you have 2 roles ["authentik-private", "authentik-users"], so most likely you need to make OIDC_ADMIN_ROLES=authentik-private.
You can also create an administrator account without using OIDC, you can do this via DEFAULT_ADMIN_* variables.

@meltyshev commented on GitHub (Oct 24, 2023): That's great! If you are using OIDC, you need to specify the correct admin group in `OIDC_ADMIN_ROLES`. I see that you have 2 roles `["authentik-private", "authentik-users"]`, so most likely you need to make `OIDC_ADMIN_ROLES=authentik-private`. You can also create an administrator account without using OIDC, you can do this via `DEFAULT_ADMIN_*` variables.

OVERLORD commented 2026-02-04 18:48:26 +03:00

Author

Owner

Copy Link

@SangeloDev commented on GitHub (Oct 24, 2023):

Ah, so all users who need to be able to create boards need to be admins if I understand correctly?
I just don't want any users who may get access to Planka to create any users that are not authenticated using Authentik, aka local users.

@SangeloDev commented on GitHub (Oct 24, 2023): Ah, so all users who need to be able to create boards need to be admins if I understand correctly? I just don't want any users who may get access to Planka to create any users that are not authenticated using Authentik, aka local users.

OVERLORD commented 2026-02-04 18:48:31 +03:00

Author

Owner

Copy Link

@meltyshev commented on GitHub (Oct 25, 2023):

They have to be administrators just to create a project. So, any user can be assigned as a project manager (in the project settings) and then this user can create boards in it. We have plans to add the ability to create projects for non-admin users (if they are allowed to do so in the settings). Unfortunately there is no way to completely remove the creation of local users yet, but it's a good idea to add that.

@meltyshev commented on GitHub (Oct 25, 2023): They have to be administrators just to create a project. So, any user can be assigned as a project manager (in the project settings) and then this user can create boards in it. We have plans to add the ability to create projects for non-admin users (if they are allowed to do so in the settings). Unfortunately there is no way to completely remove the creation of local users yet, but it's a good idea to add that.

OVERLORD commented 2026-02-04 18:48:38 +03:00

Author

Owner

Copy Link

@SangeloDev commented on GitHub (Oct 25, 2023):

Should I create a separate issue with a feature suggestion for that, then?

@SangeloDev commented on GitHub (Oct 25, 2023): Should I create a separate issue with a feature suggestion for that, then?

OVERLORD commented 2026-02-04 18:48:43 +03:00

Author

Owner

Copy Link

@meltyshev commented on GitHub (Oct 25, 2023):

Yeah, that's a good idea, I'll add the Enhancement label to it.

@meltyshev commented on GitHub (Oct 25, 2023): Yeah, that's a good idea, I'll add the Enhancement label to it.

OVERLORD commented 2026-02-04 18:48:48 +03:00

Author

Owner

Copy Link

@SangeloDev commented on GitHub (Oct 25, 2023):

I have created a new issue here:
https://github.com/plankanban/planka/issues/532

Thanks a ton for your help and kindness, I greatly appreciate it!

@SangeloDev commented on GitHub (Oct 25, 2023): I have created a new issue here: https://github.com/plankanban/planka/issues/532 Thanks a ton for your help and kindness, I greatly appreciate it!

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

dependabot/npm_and_yarn/client/multi-5543462fab

gh-pages

dependabot/npm_and_yarn/multi-795903f3f3

dependabot/npm_and_yarn/server/multi-60f2582fdd

dependabot/npm_and_yarn/client/qs-6.14.2

dependabot/npm_and_yarn/client/markdown-it-14.1.1

v2.0.2

planka-2.0.2

v2.0.1

planka-2.0.1

v2.0.0

planka-2.0.0

planka-1.1.2

planka-1.1.1

planka-1.1.0

planka-1.0.5

planka-1.0.4

v2.0.0-rc.4

v1.26.3

planka-0.2.26

planka-1.0.3

planka-1.0.2

v2.0.0-rc.3

planka-1.0.1

planka-1.0.0

v2.0.0-rc.2

planka-0.2.25

v1.26.2

v1.26.1

planka-0.2.24

v1.26.0

planka-0.2.23

v1.25.1

planka-0.2.22

v1.25.0

planka-0.2.21

v1.24.4

planka-0.2.20

v1.24.3

planka-0.2.19

planka-0.2.18

v1.24.2

planka-0.2.17

planka-0.2.16

v1.24.1

planka-0.2.15

v1.24.0

planka-0.2.14

v1.23.5

v1.23.4

planka-0.2.13

planka-0.2.12

v1.23.3

planka-0.2.11

v1.23.2

planka-0.2.10

v1.23.1

planka-0.2.9

v1.23.0

v1.22.0

planka-0.2.8

Labels

Clear labels

bug

bug

documentation

documentation

duplicate

enhancement

good first issue

help wanted

pull-request

Mirrored from GitHub Pull Request

question

wontfix

No Label help wanted

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/planka#364