OIDC : Configuration for Keycloak #393

Closed
opened 2026-02-04 18:59:22 +03:00 by OVERLORD · 4 comments

Originally created by @pca-homsi on GitHub (Dec 8, 2023).

I have configured Planka with Keycloak as the OIDC provider, but it gives an error when calling
/api/access-tokens/exchange-using-oidc : {"code":"E_UNAUTHORIZED","message":"Invalid code or nonce"}

Is there any specific Keycloak config needed to make it work correctly?

I'm using a docker based installation of planka 1.15.0 and keycloak 23.0.1
with the following configuration

  - OIDC_ISSUER=https://<dns>/realms/<realm>
  - OIDC_CLIENT_ID=planka
  - OIDC_CLIENT_SECRET=ZWqn*********W8wan1olLq
  - OIDC_SCOPES=openid email profile
  # - OIDC_ADMIN_ROLES=admin
  # - OIDC_ROLES_ATTRIBUTE=groups
  # - OIDC_IGNORE_ROLES=true

In the container log I get the following:

[W] Error while exchanging OIDC code: RPError: iss missing from the response
[W] Invalid code or nonce! (IP: 172.30.0.2)

Help please!

OVERLORD added the help wanted label 2026-02-04 18:59:22 +03:00

@webzit commented on GitHub (Dec 8, 2023):

+1

@meltyshev commented on GitHub (Dec 9, 2023):

Hi! Thanks for reporting this. I'll try to test OIDC with Keycloak this weekend.

@pca-homsi commented on GitHub (Dec 9, 2023):

I just made it work by patching the file \server\api\helpers\usersget-or-create-one-using-oidc.js

const tokenSet = await client.callback(
  sails.config.custom.oidcRedirectUri,
  {
    code: inputs.code,
    iss: sails.config.custom.oidcIssuer // Added this
  },
  { nonce: inputs.nonce },
);
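
The "iss missing from the response" error in the log is the relying-party side of RFC 9207 (the `iss` authorization response parameter, advertised by the provider as `authorization_response_iss_parameter_supported`). The following is an added example, not Planka's or openid-client's code: it reproduces that check on constructed data to show the difference between forwarding `iss` from the redirect and omitting it. The host names, the helpers `parseCallback` and `checkResponseIssuer`, and all values are assumptions made for the illustration.

```javascript
// Added example: RFC 9207 issuer check on an authorization response.
// All values are constructed; *.example.test hosts are placeholders.

// Subset of a provider discovery document (constructed sample).
const metadata = {
  issuer: 'https://idp.example.test/realms/demo',
  authorization_response_iss_parameter_supported: true,
};

// Parse the query string of the redirect the browser was sent back with.
function parseCallback(redirectUrl) {
  return Object.fromEntries(new URL(redirectUrl).searchParams);
}

// Returns { ok, reason }. When the provider advertises iss support, a code
// response without iss is rejected, and an iss that is present must equal
// the discovered issuer exactly (plain string comparison).
function checkResponseIssuer(meta, params) {
  if ('iss' in params) {
    return params.iss === meta.issuer
      ? { ok: true, reason: 'iss matches issuer' }
      : { ok: false, reason: 'iss mismatch' };
  }
  if (meta.authorization_response_iss_parameter_supported && !('id_token' in params)) {
    return { ok: false, reason: 'iss missing from the response' };
  }
  return { ok: true, reason: 'iss not required by this provider' };
}

// Constructed redirect as the provider would issue it, including iss.
const full = parseCallback(
  'https://app.example.test/callback?code=abc123&state=s1' +
  '&iss=https%3A%2F%2Fidp.example.test%2Frealms%2Fdemo',
);

// Case 1: the client forwards only the code (the situation in the report).
const codeOnly = checkResponseIssuer(metadata, { code: full.code });

// Case 2: the client forwards iss exactly as received from the redirect.
const forwarded = checkResponseIssuer(metadata, { code: full.code, iss: full.iss });

// Case 3: a response naming a different issuer is rejected. This only works
// when iss comes from the redirect; filling it from local configuration
// makes the comparison always succeed.
const foreign = checkResponseIssuer(metadata, {
  code: full.code,
  iss: 'https://other.example.test/realms/demo',
});

console.log({ codeOnly, forwarded, foreign });
```

Forwarding the `iss` value the browser actually received keeps the mix-up check meaningful, whereas a value copied from configuration can never mismatch.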

@meltyshev commented on GitHub (Dec 9, 2023):

Thanks for the information about the fix! I'll add this parameter to Planka's code.

Reference: starred/planka#393