OIDC User roles #453

Open
opened 2026-02-04 19:39:29 +03:00 by OVERLORD · 7 comments

Originally created by @mostdcoa on GitHub (Mar 31, 2024).

I have OIDC working as in I can log in with a user.

      - OIDC_ISSUER=https://accounts.google.com
      - OIDC_CLIENT_ID=REDACTED
      - OIDC_CLIENT_SECRET=REDACTED
      - OIDC_SCOPES=openid email profile
      # - OIDC_ADMIN_ROLES=Planka_Admin
      # - OIDC_EMAIL_ATTRIBUTE=email
      # - OIDC_NAME_ATTRIBUTE=name
      # - OIDC_USERNAME_ATTRIBUTE=preferred_username
      # - OIDC_ROLES_ATTRIBUTE=ignored
      # - OIDC_IGNORE_USERNAME=true
      # - OIDC_IGNORE_ROLES=true
      - OIDC_ENFORCED=false

However, when a user logs in, they can't do anything. How can I just make all users that log in an admin?

I am using Google Workspace as the OIDC provider. I have tried creating planka_admin (as can be seen in the above code) roles etc. but can't figure out how to pass that to planka to recognize who is an admin from google workspace?

OVERLORD added the enhancement label 2026-02-04 19:39:29 +03:00

@mostdcoa commented on GitHub (Apr 2, 2024):

This actually looks like I am having an issue with OIDC_IGNORE_ROLES, as reading through some of these issues that's what I want. I want any user to be able to log in with SSO and have the admin ability (add boards).

  - OIDC_ISSUER=https://accounts.google.com
  - OIDC_CLIENT_ID=redacted
  - OIDC_CLIENT_SECRET=redacted
  - OIDC_SCOPES=openid email profile
  - OIDC_ADMIN_ROLES="Test Developers"

  - OIDC_EMAIL_ATTRIBUTE=email
  - OIDC_NAME_ATTRIBUTE=name
  - OIDC_USERNAME_ATTRIBUTE=preferred_username
  - OIDC_ROLES_ATTRIBUTE=groups
  - OIDC_IGNORE_USERNAME=true
  - OIDC_IGNORE_ROLES=true
  - OIDC_ENFORCED=false

@meltyshev commented on GitHub (Apr 2, 2024):

Hi! Yep, you can use ignore roles to be able to switch `isAdmin` in the users modal. The only problem is that a new user won't be an admin by default, so you always need to switch it. Probably we need to add one more env variable to set the default role 🤔
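
The behaviour described in this comment, as an added example that is not part of the original thread and not Planka's source: a simplified model of how the admin flag comes out for the configurations posted above. `resolveIsAdmin`, the sample claims, exact-match comparison and the comma-separated role list are assumptions made for illustration.

```javascript
// Added illustration, not Planka's source. resolveIsAdmin and all sample
// inputs below are hypothetical.
const isTrue = (v) => String(v).toLowerCase() === 'true';

// Assumption: OIDC_ADMIN_ROLES is a comma-separated list of exact role names.
const parseRoles = (v) => (v || '').split(',').map((s) => s.trim()).filter(Boolean);

// existingUser is null on first login, otherwise the locally stored record.
function resolveIsAdmin(env, claims, existingUser) {
  if (isTrue(env.OIDC_IGNORE_ROLES)) {
    // Claims are not consulted: a new user starts as non-admin, an existing
    // user keeps the locally set flag (users modal or the is_admin column).
    return existingUser ? existingUser.isAdmin : false;
  }
  // Assumption: otherwise the roles claim is matched against OIDC_ADMIN_ROLES.
  const raw = claims[env.OIDC_ROLES_ATTRIBUTE];
  const roles = Array.isArray(raw) ? raw : typeof raw === 'string' ? [raw] : [];
  const adminRoles = parseRoles(env.OIDC_ADMIN_ROLES);
  return roles.some((r) => adminRoles.includes(r));
}

// Constructed sample claims (not captured from any provider).
const claimsWithoutGroups = { sub: '1001', email: 'a@example.com', name: 'A' };
const claimsWithGroups = { ...claimsWithoutGroups, groups: ['Test Developers'] };

const mapped = {
  OIDC_ADMIN_ROLES: 'Test Developers',
  OIDC_ROLES_ATTRIBUTE: 'groups',
  OIDC_IGNORE_ROLES: 'false',
};
const ignored = { ...mapped, OIDC_IGNORE_ROLES: 'true' };
// The same value if the surrounding quotes reach the process literally.
const quoted = { ...mapped, OIDC_ADMIN_ROLES: '"Test Developers"' };

function demo() {
  return {
    noGroupsClaim: resolveIsAdmin(mapped, claimsWithoutGroups, null),
    groupsClaim: resolveIsAdmin(mapped, claimsWithGroups, null),
    ignoredFirstLogin: resolveIsAdmin(ignored, claimsWithGroups, null),
    ignoredAfterToggle: resolveIsAdmin(ignored, claimsWithGroups, { isAdmin: true }),
    literalQuotes: resolveIsAdmin(quoted, claimsWithGroups, null),
  };
}

console.log(demo());
```

In this model a token without the configured roles attribute never yields an admin, and with roles ignored the only way to admin is a local change after the first login.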


@mostdcoa commented on GitHub (Apr 2, 2024):

@meltyshev

Ah, this makes much more sense, I had assumed `- OIDC_IGNORE_ROLES` had meant that the inherited role of OIDC was ignored and was given Admin. I was also wondering why I could enable that account as Admin (Ignore Roles was False when I tested this).

I think this would be a useful flag to have `- OIDC_DEFAULT_ROLE=admin or user` if the ignore role was true.


@ag-gaphp commented on GitHub (Aug 22, 2024):

I'm having this issue. How do you force the first user you sign in as to be an admin? Right now, I don't even have the ability to set myself as the admin. I can login and then nothing is available to me.

I have both `OIDC_IGNORE_ROLES` and `OIDC_ENFORCED` set to `true`, so I have no local users at all.


@ag-gaphp commented on GitHub (Aug 22, 2024):

I had to go into the postgres database and set the `is_admin` column for my user in `user_account` to `true`


@Aeyk commented on GitHub (May 20, 2025):

Being able to set the other roles via environment variable in the same way as OIDC_ADMIN_ROLES would be very useful to me.

edit: of course I missed them: OIDC_PROJECT_OWNER_ROLES, OIDC_BOARD_USER_ROLES. Added to extraEnv as I am using helm chart.


@DaMa-IT commented on GitHub (Jul 1, 2025):

I'm having the same issue. Have you been able to fix yours?

Reference: starred/planka#453