SSO fails with DSM sso server #371

Closed
opened 2026-02-04 18:49:52 +03:00 by OVERLORD · 7 comments

Originally created by @halfu on GitHub (Oct 23, 2023).

Thanks for the new release with OIDC support.
I set up a Synology DSM SSO server, which has an openid-configuration as below:

```json
{
  "authorization_endpoint": "https://nasip:port/webman/sso/SSOOauth.cgi",
  "claims_supported": [ "aud", "email", "exp", "groups", "iat", "iss", "sub", "username" ],
  "code_challenge_methods_supported": [ "S256", "plain" ],
  "grant_types_supported": [ "authorization_code", "implicit" ],
  "id_token_signing_alg_values_supported": [ "RS256" ],
  "issuer": "https://nasip:port/webman/sso",
  "jwks_uri": "https://nasip:port/webman/sso/openid-jwks.json",
  "response_types_supported": [ "code", "code id_token", "id_token", "id_token token" ],
  "scopes_supported": [ "email", "groups", "openid" ],
  "subject_types_supported": [ "public" ],
  "token_endpoint": "https://nasip:port/webman/sso/SSOAccessToken.cgi",
  "token_endpoint_auth_methods_supported": [ "client_secret_basic", "client_secret_post" ],
  "userinfo_endpoint": "https://nasip:port/webman/sso/SSOUserInfo.cgi"
}
```

As you can see, there is no "name" in the scopes_supported section.

But Planka needs these scopes:

```
- OIDC_SCOPES=openid email profile
```

So, I got this error when using SSO on my Planka instance.

```
Request URL: https://myplankaserver:port/api/access-tokens/exchange-using-oidc
Request Method: POST
Status Code: 422 Unprocessable Content
```

and the error detail is as below:

```json
{ "code": "E_UNPROCESSABLE_ENTITY", "message": "Unable to retrieve required values (email, name)" }
```

I am wondering if it is possible to drop the "profile" requirement.

I am quite new to OIDC, correct me if I am wrong.


@meltyshev commented on GitHub (Oct 23, 2023):

Hi! You are right, the problem is that your IDP doesn't support the profile scope, but Planka needs it to create an account (this scope contains a user name, which cannot be empty). Unfortunately we can't change anything on our side to solve this. I think there should be some way to add this scope to your IDP.


@halfu commented on GitHub (Oct 24, 2023):

Thanks for your quick reply, I will dig into dsm synology system to get a solution then.
I will report back if I succeed.


@daniel-hiller commented on GitHub (Nov 1, 2023):

Hi,
as a dirty quickfix you can do this:
in `server/api/helpers/users/get-or-create-one-using-oidc.js`

change the following lines

Line 36:
from `if (!userInfo.email || !userInfo.name) {`
to `if (!userInfo.email || !userInfo.username) {`

Line 56:
from `name: userInfo.name,`
to `name: userInfo.username,`

This change will set the username as name too, because Synology does not support friendly names for users.
At the moment it's not possible to change the name in Planka when OIDC is in use.

We will post an update with more options to configure OIDC and make the name changeable, if your sso provider does not support them.
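
As an added illustration (not code from Planka or from anyone in this thread): the mismatch reported above can be detected from the discovery document before any login is attempted, and the `name`/`username` fallback from the quickfix can be written as an ordered claim lookup. `checkProvider`, `pickClaim`, `mapUser` and the `nameClaims` list are hypothetical names, and the sample document is a trimmed copy of the one posted in this issue.

```javascript
// Constructed sample: trimmed copy of the DSM discovery document posted in this issue.
const dsmDiscovery = {
  issuer: 'https://nasip:port/webman/sso',
  claims_supported: ['aud', 'email', 'exp', 'groups', 'iat', 'iss', 'sub', 'username'],
  scopes_supported: ['email', 'groups', 'openid'],
};

// Report requested scopes the provider does not advertise and required claims
// it does not list, so the mismatch surfaces before the first login attempt.
function checkProvider(discovery, requestedScopes, requiredClaims) {
  const scopes = new Set(discovery.scopes_supported || []);
  const claims = new Set(discovery.claims_supported || []);
  return {
    unsupportedScopes: requestedScopes.filter((s) => !scopes.has(s)),
    missingClaims: requiredClaims.filter((c) => !claims.has(c)),
  };
}

// Return the first candidate claim that is a non-empty string, or null.
// Non-string values are rejected so an object or array is never stored as a name.
function pickClaim(userInfo, candidates) {
  for (const key of candidates) {
    const value = userInfo[key];
    if (typeof value === 'string' && value.trim() !== '') return value.trim();
  }
  return null;
}

// Map a userinfo response to the fields needed to create an account.
// nameClaims is a hypothetical ordered fallback list, not a Planka option.
function mapUser(userInfo, nameClaims = ['name', 'username']) {
  const email = pickClaim(userInfo, ['email']);
  const name = pickClaim(userInfo, nameClaims);
  const missing = [];
  if (!email) missing.push('email');
  if (!name) missing.push(nameClaims.join('|'));
  if (missing.length > 0) {
    throw new Error(`Unable to retrieve required values (${missing.join(', ')})`);
  }
  return { email, name };
}
```

Both `scopes_supported` and `claims_supported` are optional in discovery metadata and may be incomplete, so an empty result means no advertised mismatch, not a guarantee that login will succeed.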


@halfu commented on GitHub (Nov 1, 2023):

Thanks a lot for your help. I have switched my SSO server to authentik, and everything works great.
And I agree that giving more options to configure OIDC on the Planka side is a good idea.


@halfu commented on GitHub (Nov 1, 2023):

Since my problem is solved, I closed this issue.


@john8329 commented on GitHub (Jan 18, 2024):

Hi, I'm having the same issue with DSM, and I'd like for simplicity to use it instead of other solutions. Would it be possible to let the app tolerate the absence of the profile claim and just use username if it's missing?

Thanks a lot


@ngthwi commented on GitHub (Dec 8, 2025):

I can't get Planka to work with Synology SSO, even with `OIDC_USERNAME_ATTRIBUTE=username`.

I get an `Unknown error. Retry later`.
There's no error log in the docker console...

Is it still the missing `profile`?
Here are my env variables:

```yaml
- NODE_ENV=production
- OIDC_ISSUER=https://oidc.provider/webman/sso
- OIDC_CLIENT_ID=client_ID
- OIDC_CLIENT_SECRET=secret
- OIDC_USERNAME_ATTRIBUTE=username
- SHOW_DETAILED_AUTH_ERRORS=true
- OIDC_SCOPES=openid email groups
- LOG_LEVEL=debug
```

Reference: starred/planka#371