OIDC username validation failure #442

Closed
opened 2025-10-09 18:48:35 +03:00 by OVERLORD · 11 comments
Owner

Originally created by @agent-squirrel on GitHub.

Hi

I've just started using Planka for a project and it's really great, thank you for your hard work.

Our team has one issue when logging in with OIDC. We use authentik as the IDP and currently usernames have no constraints so some team members used a name and others used an email.

The users with email usernames fail to login to Planka because of a maximum username length constraint violation. Is this a configurable option or do you have any idea how to mitigate this?

I've redacted the proper email address.

```
lanka-planka-1    |   Could not use specified `username`.  Violated one or more validation rules:
planka-planka-1    |   • Value was -2 characters longer than the configured maximum length (16)
planka-planka-1    |   • Value ('emailaddress01@gmail.com') did not match the configured regular expression (/^[a-zA-Z0-9]+((_|\.)?[a-zA-Z0-9])*$/)
```
OVERLORD added the enhancement label 2025-10-09 18:48:35 +03:00

@AlGoCo commented on GitHub:

Hi,
I have the same problem with Zitadel as OIDC... just a bit more intense because Zitadel uses as default the email as username...
Can I change the username regex and length rule somewhere manually or disable username for OIDC auth at all?

```
> 2024-01-05 14:17:10 [E] Sending 500 ("Server Error") response:
> Cannot perform update with the provided values.
> Details:
>  Could not use specified `username`.  Violated one or more validation rules:
>   • Value was -2 characters longer than the configured maximum length (16)
>   • Value ('xxxx@xxxxxxxxx.xx') did not match the configured regular expression (/^[a-zA-Z0-9]+((_|\.)?[a-zA-Z0-9])*$/)
```

Just if you know directly where I can change it, otherwise I will look myself.

lg


@meltyshev commented on GitHub:

Hi! We recently added OIDC and there are still some issues that need to be solved. I was thinking of adding environment variables through which you can set which OIDC fields to use to create an account. For example, in this case you can skip setting a username at all, as it's optional in Planka.


@IndiGP commented on GitHub:

Hi,
little bit offtopic, but I configured OIDC, but where can I login? I only get the normal Userform for login, but no button for Authentik authentication. Running in docker. Trying to login with credentials from Authentik will end up in "Invalid email or username: ".
Thank you!


@agent-squirrel commented on GitHub:

Sounds good. For now we will just work around the issue but good to hear things are on the roadmap. Thanks.


@meltyshev commented on GitHub:

> Hi, I have the same problem with Zitadel as OIDC... just a bit more intense because Zitadel uses as default the email as username... Can I change the username regex and length rule somewhere manually or disable username for OIDC auth at all?
>
> ```
> > 2024-01-05 14:17:10 [E] Sending 500 ("Server Error") response:
> > Cannot perform update with the provided values.
> > Details:
> >  Could not use specified `username`.  Violated one or more validation rules:
> >   • Value was -2 characters longer than the configured maximum length (16)
> >   • Value ('xxxx@xxxxxxxxx.xx') did not match the configured regular expression (/^[a-zA-Z0-9]+((_|\.)?[a-zA-Z0-9])*$/)
> ```
>
> Just if you know directly where I can change it, otherwise I will look myself.
>
> lg

Hi! Sorry for the late reply.
To not use username during OIDC auth you need to comment line 62 in `server/api/helpers/users/get-or-create-one-using-oidc.js`:

```
const values = {
  isAdmin,
  email: userInfo.email,
  isSso: true,
  name: userInfo.name,
  // username: userInfo.preferred_username,
  subscribeToOwnCards: false,
};
```

We are planning to add the ability to specify which fields to use, so you can easily change this without changing the code.
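
A per-login alternative to commenting the line out, as an added example that is not Planka's code: it keeps `preferred_username` only when it passes the two rules quoted in the error log and otherwise omits the optional username. `usernameProblems` and `buildOidcUserValues` are hypothetical names, and the sample claims are constructed.

```javascript
// Added example, not Planka's code. The two limits are copied from the
// validation errors quoted in this thread.
const USERNAME_MAX_LENGTH = 16;
const USERNAME_REGEX = /^[a-zA-Z0-9]+((_|\.)?[a-zA-Z0-9])*$/;

// Hypothetical helper: returns a list of reason codes, empty if the claim
// can be stored as a username. Length is checked first so the regex only
// ever runs on short, bounded input coming from the IdP.
function usernameProblems(claim) {
  if (typeof claim !== 'string' || claim.length === 0) return ['missing'];
  if (claim.length > USERNAME_MAX_LENGTH) return ['length'];
  if (!USERNAME_REGEX.test(claim)) return ['pattern'];
  return [];
}

// Hypothetical helper: builds the record for account creation from OIDC
// userinfo claims. Field names follow the `values` object in the thread.
// An unusable preferred_username is dropped, never truncated or rewritten,
// because a derived name could collide with another account's username.
function buildOidcUserValues(userInfo, isAdmin) {
  const values = {
    isAdmin: Boolean(isAdmin),
    email: userInfo.email,
    isSso: true,
    name: userInfo.name,
    subscribeToOwnCards: false,
  };
  if (usernameProblems(userInfo.preferred_username).length === 0) {
    values.username = userInfo.preferred_username;
  }
  return values;
}

// Constructed sample claims modelled on the cases reported above.
const sampleClaims = [
  { email: 'a@example.com', name: 'Alice', preferred_username: 'alice.admin' },
  { email: 'emailaddress01@gmail.com', name: 'Bob', preferred_username: 'emailaddress01@gmail.com' },
  { email: 'c@example.com', name: 'Carol', preferred_username: 'john__doe' },
  { email: 'd@example.com', name: 'Dan' }, // IdP sent no preferred_username
];
for (const claims of sampleClaims) {
  const problems = usernameProblems(claims.preferred_username);
  const { username } = buildOidcUserValues(claims, false);
  console.log(
    JSON.stringify(claims.preferred_username),
    '->',
    username ?? `omitted (${problems.join(',')})`,
  );
}
```

Logging the reason code when a username is omitted makes it visible which IdP accounts end up without one.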


@IndiGP commented on GitHub:

> > > > Hi, little bit offtopic, but I configured OIDC, but where can I login? I only get the normal Userform for login, but no button for Authentik authentication. Running in docker. Trying to login with credentials from Authentik will end up in "Invalid email or username: ". Thank you!
> > >
> > > Hi! The `Login with SSO` button should appear as soon as you specify the `OIDC_*` environment variables and restart the server. It seems like you changed variables in the wrong place or forgot to restart the server. We need more information about your way of running Planka to help find the problem.
> >
> > Hi, thank you for reply! Server is running in docker container with docker compose file and postgres. Restarting it via docker compose down and up.
> > Currently OIDC in compose file looks like this:
> >
> > ```
> > - OIDC_ISSUER=auth.domain.de/application/o/planka
> > - OIDC_CLIENT_ID= #short key
> > - OIDC_CLIENT_SECRET= #long key
> > - OIDC_SCOPES=openid email profile
> > - OIDC_ADMIN_ROLES=docker
> > - OIDC_ROLES_ATTRIBUTE=groups
> > # - OIDC_IGNORE_ROLES=true
> > ```
> >
> > If you need different information, please mention :)
>
> Hmm, it looks just as it should... Are you sure you are using the latest Planka image (where OIDC was added)? Please try to check `/api/config` endpoint (for example: https://planka.url/api/config where https://planka.url is your BASE_URL). The response should be something like this:
>
> ```
> {
>   "item": {
>     "oidc": {
>       "authorizationUrl": "...",
>       "endSessionUrl": "..."
>     }
>   }
> }
> ```

I am getting a JSON response like:

```
{
"item": {
OIDC: 0
}
}
```

..


@meltyshev commented on GitHub:

It looks like Planka doesn't see your environment variables with OIDC settings and that's weird. Please try to connect to the container and print the `OIDC_ISSUER` variable via `docker exec -t planka-planka-1 sh -c 'echo "$OIDC_ISSUER"'` (the container name may be different). You can also try deleting the container completely and creating it again (don't forget to save all the data before doing it).


@IndiGP commented on GitHub:

> > Hi, little bit offtopic, but I configured OIDC, but where can I login? I only get the normal Userform for login, but no button for Authentik authentication. Running in docker. Trying to login with credentials from Authentik will end up in "Invalid email or username: ". Thank you!
>
> Hi! The `Login with SSO` button should appear as soon as you specify the `OIDC_*` environment variables and restart the server. It seems like you changed variables in the wrong place or forgot to restart the server. We need more information about your way of running Planka to help find the problem.

Hi, thank you for reply!
Server is running in docker container with docker compose file and postgres. Restarting it via docker compose down and up.

Currently OIDC in compose file looks like this:

```
- OIDC_ISSUER=https://auth.domain.de/application/o/planka/
- OIDC_CLIENT_ID= #short key
- OIDC_CLIENT_SECRET= #long key
- OIDC_SCOPES=openid email profile
- OIDC_ADMIN_ROLES=docker
- OIDC_ROLES_ATTRIBUTE=groups
# - OIDC_IGNORE_ROLES=true
```

If you need different information, please mention :)


@meltyshev commented on GitHub:

> > > Hi, little bit offtopic, but I configured OIDC, but where can I login? I only get the normal Userform for login, but no button for Authentik authentication. Running in docker. Trying to login with credentials from Authentik will end up in "Invalid email or username: ". Thank you!
> >
> > Hi! The `Login with SSO` button should appear as soon as you specify the `OIDC_*` environment variables and restart the server. It seems like you changed variables in the wrong place or forgot to restart the server. We need more information about your way of running Planka to help find the problem.
>
> Hi, thank you for reply! Server is running in docker container with docker compose file and postgres. Restarting it via docker compose down and up.
>
> Currently OIDC in compose file looks like this:
>
> ```
> - OIDC_ISSUER=auth.domain.de/application/o/planka
> - OIDC_CLIENT_ID= #short key
> - OIDC_CLIENT_SECRET= #long key
> - OIDC_SCOPES=openid email profile
> - OIDC_ADMIN_ROLES=docker
> - OIDC_ROLES_ATTRIBUTE=groups
> # - OIDC_IGNORE_ROLES=true
> ```
>
> If you need different information, please mention :)

Hmm, it looks just as it should...
Are you sure you are using the latest Planka image (where OIDC was added)?
Please try to check `/api/config` endpoint (for example: https://planka.url/api/config where https://planka.url is your BASE_URL). The response should be something like this:

```
{
  "item": {
    "oidc": {
      "authorizationUrl": "...",
      "endSessionUrl": "..."
    }
  }
}
```

@meltyshev commented on GitHub:

> Hi, little bit offtopic, but I configured OIDC, but where can I login? I only get the normal Userform for login, but no button for Authentik authentication. Running in docker. Trying to login with credentials from Authentik will end up in "Invalid email or username: ". Thank you!

Hi! The `Login with SSO` button should appear as soon as you specify the `OIDC_*` environment variables and restart the server. It seems like you changed variables in the wrong place or forgot to restart the server. We need more information about your way of running Planka to help find the problem.


@IndiGP commented on GitHub:

> It looks like Planka doesn't see your environment variables with OIDC settings and that's weird. Please try to connect to the container and print the `OIDC_ISSUER` variable via `docker exec -t planka-planka-1 sh -c 'echo "$OIDC_ISSUER"'` (the container name may be different). You can also try deleting the container completely and creating it again (don't forget to save all the data before doing it).

Oh my gosh... you are totally right, there was a space too much in the docker yaml, which is why the variables were not read.. Thank you for helping so fast!

Reference: starred/planka#442