Planka + Keycloak #436

Closed
opened 2026-02-04 19:30:09 +03:00 by OVERLORD · 8 comments

Originally created by @DeAlexPesh on GitHub (Mar 18, 2024).

Can you write fresh instructions for Keycloak SSO with admin groups?

OVERLORD added the help wanted label 2026-02-04 19:30:09 +03:00

@meltyshev commented on GitHub (Mar 19, 2024):

Hi! I'll label this as "help wanted" and hopefully someone can explain the configuration method. It's a bit complicated for me as I haven't used it.


@DeAlexPesh commented on GitHub (Mar 19, 2024):

How does this issue work? (https://github.com/plankanban/planka/issues/515#issuecomment-1741591184)


@meltyshev commented on GitHub (Mar 19, 2024):

> How does this issue work? (https://github.com/plankanban/planka/issues/515#issuecomment-1741591184)

This is a slightly older version of the configuration. All available environment variables are listed in the documentation: https://docs.planka.cloud/docs/Configuration/OIDC.


@mattboll commented on GitHub (Apr 4, 2024):

@DeAlexPesh what kind of information do you need?
The doc seems to be fine, you just have to configure:
For planka:
OIDC_ROLES_ATTRIBUTE=groups
OIDC_IGNORE_ROLES=false

For keycloak (my version is 24):
In Client scopes, click roles to go to Client scope details. In Mappers, add a mapper; I chose "from configuration", selected "User Realm Role", set "groups" in "Token Claim Name" and checked that "Add to userinfo" is on.

It should be ok after that


@serega404 commented on GitHub (Sep 25, 2024):

@mattboll It didn't work for me, do you have any other ideas?

I use keycloak 22 (upgrading to version 24 did not help)


@mattboll commented on GitHub (Sep 26, 2024):

@serega404 what is not working? Do you have the "Log in with SSO" button? Are you redirected to keycloak? Are you then redirected to planka? Any error or something?

edit: sorry, I read too fast; is it just the roles not working?


@serega404 commented on GitHub (Sep 26, 2024):

Yes, the roles do not work

> @serega404 what is not working? Do you have the "Log in with SSO" button? Are you redirected to keycloak? Are you then redirected to planka? Any error or something?
>
> edit: sorry, I read too fast; is it just the roles not working?


@YUNoMakeGoodMap commented on GitHub (Dec 12, 2024):

Okay, I know I am a nobody, but I got this working recently and I wanted to help you guys out :)

I use "planka_admin" for my admin role, and "groups" for the claim name in OpenID.
Here are my OIDC settings in my .env file:

OIDC_ISSUER=https://keycloak-domain/realms/<yourrealmnamehere>
OIDC_CLIENT_ID=planka
OIDC_CLIENT_SECRET=**redacted**
# OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG=
# OIDC_USERINFO_SIGNED_RESPONSE_ALG=
OIDC_SCOPES=openid email profile
# OIDC_RESPONSE_MODE=fragment
# OIDC_USE_DEFAULT_RESPONSE_MODE=true
OIDC_ADMIN_ROLES=planka_admin
OIDC_CLAIMS_SOURCE=userinfo
OIDC_EMAIL_ATTRIBUTE=email
OIDC_NAME_ATTRIBUTE=name
OIDC_USERNAME_ATTRIBUTE=preferred_username
OIDC_ROLES_ATTRIBUTE=groups
# OIDC_IGNORE_USERNAME=true
# OIDC_IGNORE_ROLES=true
OIDC_ENFORCED=true

In Keycloak, do the following:

  1. Open your desired realm
  2. Click on Clients in the left-hand menu.
  3. Open your Planka client app
  4. Ensure the following are enabled: authentication -> Standard Flow (nothing else is needed for http redirect auth)
  5. Click on Client Scopes (horizontal row of menu buttons at top of client details page)
  6. Click on $application_name-dedicated
  7. Add a mapper, by configuration, of type Group Membership
  8. Use the options below

(screenshot of the mapper options: https://github.com/user-attachments/assets/c152c332-a17c-429e-81a5-72587db1d9b8)

  9. Success!
  10. Go to your Planka URL and click "Login with SSO". You'll be redirected to Keycloak, sign in, and you'll be redirected back to Planka, and any user with planka_admin in their group claim in their access token will be allowed to administer the planka stack. Normal users, after login, will show up in board membership menus and you can add them to boards as you wish.
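The checks below are an added example, not Planka's or Keycloak's own code. They re-implement, as an assumption about Planka's logic, the role lookup the thread describes (the claim named by OIDC_ROLES_ATTRIBUTE is compared against the comma-separated OIDC_ADMIN_ROLES) and run it over a constructed userinfo payload, so you can see why a "Full group path" Group Membership mapper ("/planka_admin") never matches "planka_admin" before debugging a live login.

```python
import json

# Constructed sample .env fragment using the variable names from this thread.
SAMPLE_ENV = """
OIDC_ADMIN_ROLES=planka_admin
OIDC_ROLES_ATTRIBUTE=groups
OIDC_IGNORE_ROLES=false
"""

# Constructed userinfo payload shaped like Keycloak's Group Membership mapper
# output when its "Full group path" option is left on (note the leading "/").
SAMPLE_USERINFO = json.dumps({"preferred_username": "alice",
                              "groups": ["/planka_admin", "/staff"]})


def parse_env(text):
    """Parse KEY=VALUE lines of a .env file, skipping blanks and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def check_admin(env, userinfo_json):
    """Return (is_admin, problems). Assumed Planka logic: the claim named by
    OIDC_ROLES_ATTRIBUTE is a list and the user is admin when any entry equals
    one of the comma-separated names in OIDC_ADMIN_ROLES."""
    claims = json.loads(userinfo_json)
    attr = env.get("OIDC_ROLES_ATTRIBUTE", "groups")
    admin_roles = {r.strip() for r in env.get("OIDC_ADMIN_ROLES", "").split(",") if r.strip()}
    problems = []
    if env.get("OIDC_IGNORE_ROLES", "false").lower() == "true":
        problems.append("OIDC_IGNORE_ROLES=true: roles in the token are not applied")
    roles = claims.get(attr)
    if roles is None:
        problems.append(f"claim '{attr}' is absent: check the mapper and 'Add to userinfo'")
        roles = []
    elif isinstance(roles, str):
        roles = [roles]
    is_admin = bool(admin_roles & set(roles))
    # Keycloak emits "/planka_admin" with "Full group path" on; exact match then fails.
    if not is_admin and admin_roles & {r.lstrip("/") for r in roles}:
        problems.append("admin group matches only without the leading '/': disable "
                        "'Full group path' on the mapper or use the full path in OIDC_ADMIN_ROLES")
    return is_admin, problems
```

Paste the real JSON from your provider's userinfo endpoint in place of SAMPLE_USERINFO to check your own mapper output.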
Reference: starred/planka#436