OIDC with FortiAuthenticator #467

Closed
opened 2026-02-04 19:45:24 +03:00 by OVERLORD · 9 comments

Originally created by @nicedevil007 on GitHub (Apr 8, 2024).

Hey guys, I'm trying to get OIDC working with our FortiAuthenticator.
Unfortunately I can't get anything up and running.

My planka systemd service stops with the following message:

Apr 08 12:00:56 planka npm[2627]: > start
Apr 08 12:00:56 planka npm[2627]: > nodemon
Apr 08 12:00:56 planka npm[2639]: [nodemon] 3.0.1
Apr 08 12:00:56 planka npm[2639]: [nodemon] to restart at any time, enter `rs`
Apr 08 12:00:56 planka npm[2639]: [nodemon] watching path(s): *.*
Apr 08 12:00:56 planka npm[2639]: [nodemon] watching extensions: js,mjs,cjs,json
Apr 08 12:00:56 planka npm[2639]: [nodemon] starting `node app.js`
Apr 08 12:00:57 planka npm[2652]: 2024-04-08 12:00:57 [E] A hook (`oidc`) failed to load!
Apr 08 12:00:57 planka npm[2652]: 2024-04-08 12:00:57 [E] Failed to lift app: expected 200 OK, got: 301 Moved Permanently
Apr 08 12:00:57 planka npm[2639]: [nodemon] clean exit - waiting for changes before restart

Here is my config:

## Required

BASE_URL=https://planka.mydomain.org
DATABASE_URL=postgresql://planka:<SECRET>@localhost/planka
SECRET_KEY=<SECRET>

## Optional

TRUST_PROXY=1
#TOKEN_EXPIRES_IN=14 # In days

# related: https://github.com/knex/knex/issues/2354
# As knex does not pass query parameters from the connection string we
# have to use environment variables in order to pass the desired values, e.g.
# PGSSLMODE=<value>

# Configure knex to accept SSL certificates
# KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false

#DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted
#DEFAULT_ADMIN_PASSWORD=demo
#DEFAULT_ADMIN_NAME=Demo Demo
#DEFAULT_ADMIN_USERNAME=demo

# Email Notifications (https://nodemailer.com/smtp/)
SMTP_HOST=my.mydomain.org
SMTP_PORT=465
SMTP_SECURE=true
#SMTP_USER=
#SMTP_PASSWORD=
SMTP_FROM="Planka" <noreply@email.server>

OIDC_ISSUER=https://auth.mydomain.org/api/v1/oauth
OIDC_CLIENT_ID=<SECRET>
OIDC_CLIENT_SECRET=<SECRET>
OIDC_SCOPES=openid email profile
# OIDC_ADMIN_ROLES=admin
#OIDC_EMAIL_ATTRIBUTE=email
#OIDC_NAME_ATTRIBUTE=name
#OIDC_USERNAME_ATTRIBUTE=preferred_username
#OIDC_ROLES_ATTRIBUTE=groups
# OIDC_IGNORE_USERNAME=true
# OIDC_IGNORE_ROLES=true
# OIDC_ENFORCED=true

## Do not edit this

TZ=UTC

So here is a quick overview of the network all this is in:

Network A: planka is hosted on a separate Ubuntu VM (it is installed with the manual install method)
Network B: Nginx Proxy Manager that forwards traffic going to https://planka.email.server to the Network A VM with Planka running on it
Network C: FortiAuthenticator

Ofc: All firewall rules to reach the one or other Network are up and running and nothing is blocked so far (at least this is what my logs tell me ;D)

If I disable all OIDC env variables it is working with local logins.

OVERLORD added the help wanted label 2026-02-04 19:45:24 +03:00

@meltyshev commented on GitHub (Apr 8, 2024):

Hi! It looks like openid-client can't discover the issuer by the provided URL:

const issuer = await openidClient.Issuer.discover(sails.config.custom.oidcIssuer);

Please try to navigate to the address of your issuer https://auth.mydomain.org/api/v1/oauth in a browser and see where you will be redirected to and specify the final address. It's also possible that you need to put a slash at the end of https://auth.mydomain.org/api/v1/oauth/ (but it's just a guess why redirection is done).


@nicedevil007 commented on GitHub (Apr 9, 2024):

Ok I tested this with / and without.
Not working at all.

This is what I have available as URL on my FortiAuthenticator.

{
    "issuer": "https://auth.mydomain.org/api/v1/oauth",
    "authorization_endpoint": "https://auth.mydomain.org/api/v1/oauth/authorize/",
    "token_endpoint": "https://auth.mydomain.org/api/v1/oauth/token/",
    "userinfo_endpoint": "https://auth.mydomain.org/api/v1/oauth/userinfo/",
    "jwks_uri": "https://auth.mydomain.org/api/v1/oauth/.well-known/keys/",
    "response_types_supported": [
        "code",
        "token",
        "id_token",
        "id_token token",
        "code token",
        "code id_token",
        "code id_token token"
    ],
    "subject_types_supported": [
        "public"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "token_endpoint_auth_methods_supported": [
        "client_secret_post",
        "client_secret_basic"
    ]
}

So what should I take from these ones?


@meltyshev commented on GitHub (Apr 10, 2024):

The response looks correct. It's very hard to say why this might be happening. We'll try to test with FortiAuthenticator sometime or maybe someone has already encountered this and can tell us how to solve it.


@nicedevil007 commented on GitHub (Jun 10, 2024):

Ok got a bit further but without successful login. I just changed the OIDC_ISSUER URL to this here:

OIDC_ISSUER=https://auth.mydomain.org/api/v1/oauth/.well-known/openid-configuration

Now our fortiauthenticator tells me (after successful login to the FAC)
(screenshot: https://github.com/plankanban/planka/assets/17103076/971e184d-dee5-43e2-a3b8-5ec13c8054ac)

Is it even possible to not use the auto config method but use the method where we have to add all URIs by ourselves?


@nicedevil007 commented on GitHub (Jun 24, 2024):

Got a bit further, now Planka tells me that an unknown error appeared, where can I find those logs to get a bit more information about the error?

(screenshot: https://github.com/plankanban/planka/assets/17103076/d0cc0df1-7955-4044-8e11-0f980c9136b1)


@nicedevil007 commented on GitHub (Jun 24, 2024):

Found this in the docker logs:

2024-06-24 19:03:45 [W] Error while exchanging OIDC code: RPError: iss mismatch, expected https://auth.*******.org/api/v1/oauth, got: https://auth.*******.org/api/v1/oauth/.well-known/openid-configuration/
2024-06-24 19:03:45 [W] Invalid code or nonce! (IP: *******)
2024-06-24 19:04:08 [W] Error while exchanging OIDC code: RPError: iss mismatch, expected https://auth.*******.org/api/v1/oauth, got: https://auth.*******.org/api/v1/oauth/.well-known/openid-configuration/
2024-06-24 19:04:08 [W] Invalid code or nonce! (IP: *******)

@nicedevil007 commented on GitHub (Jun 24, 2024):

> Found this in the docker logs:
>
> 2024-06-24 19:03:45 [W] Error while exchanging OIDC code: RPError: iss mismatch, expected https://auth.*******.org/api/v1/oauth, got: https://auth.*******.org/api/v1/oauth/.well-known/openid-configuration/
> 2024-06-24 19:03:45 [W] Invalid code or nonce! (IP: *******)
> 2024-06-24 19:04:08 [W] Error while exchanging OIDC code: RPError: iss mismatch, expected https://auth.*******.org/api/v1/oauth, got: https://auth.*******.org/api/v1/oauth/.well-known/openid-configuration/
> 2024-06-24 19:04:08 [W] Invalid code or nonce! (IP: *******)

If I do what the error message is telling me (removing /.well-known/openid-configuration/ from the expected URI) it leads to this error in the docker logs:

2024-06-24 20:10:30 [E] A hook (`oidc`) failed to load!
2024-06-24 20:10:30 [E] Failed to lift app: expected 200 OK, got: 301 Moved Permanently

Now I would assume this is an error because planka is behind a reverse proxy?

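As an added example (not Planka's or openid-client's code), here is the relying-party side of what this thread keeps hitting: how the configured issuer is turned into the discovery URL, why a 301 on discovery is fatal, and the exact-string issuer comparisons behind the `iss mismatch` warning. The function names, the `https://auth.example.test` provider and the response objects are constructed for the example; the checks follow OIDC Discovery 4.1/4.3 and OIDC Core 3.1.3.7 rather than any particular library.

```javascript
const WELL_KNOWN = '/.well-known/openid-configuration';

// Reduce whatever the operator put in OIDC_ISSUER to the bare issuer
// identifier: drop trailing slashes and, if pasted, the well-known path.
function issuerFromConfig(value) {
  let v = value.replace(/\/+$/, '');
  if (v.endsWith(WELL_KNOWN)) v = v.slice(0, -WELL_KNOWN.length);
  return v.replace(/\/+$/, '');
}

// OIDC Discovery 4.1: the discovery document lives at issuer + well-known path.
function discoveryUrl(value) {
  return issuerFromConfig(value) + WELL_KNOWN;
}

// Validate a discovery response. `res` is a plain object shaped like
// { status, headers: { location }, body } (constructed, not a real fetch).
// Discovery clients do not follow redirects, so any 3xx is a hard failure; the
// Location header is surfaced so the operator can see what the provider wanted.
function validateDiscovery(configured, res) {
  if (res.status !== 200) {
    const location = (res.headers && res.headers.location) || null;
    return { ok: false, reason: `expected 200 OK, got: ${res.status}`, redirectTo: location };
  }
  const meta = JSON.parse(res.body);
  const expected = issuerFromConfig(configured);
  // OIDC Discovery 4.3: the issuer in the metadata MUST equal the one used to
  // locate it, compared as exact strings (no slash normalisation).
  if (meta.issuer !== expected) {
    return { ok: false, reason: `issuer mismatch, expected ${expected}, got: ${meta.issuer}` };
  }
  return { ok: true, metadata: meta };
}

// OIDC Core 3.1.3.7: the ID token's iss claim MUST exactly equal the
// discovered issuer. `claims` is an already-decoded payload; signature
// verification against jwks_uri is assumed to have happened before this.
function validateIdTokenIssuer(metadata, claims) {
  if (claims.iss !== metadata.issuer) {
    return { ok: false, reason: `iss mismatch, expected ${metadata.issuer}, got: ${claims.iss}` };
  }
  return { ok: true };
}

// Constructed sample provider, modelled on the metadata shape in this thread.
const ISSUER = 'https://auth.example.test/api/v1/oauth';
const SAMPLE_METADATA = JSON.stringify({ issuer: ISSUER, jwks_uri: ISSUER + '/.well-known/keys/' });
const REDIRECT_RESPONSE = { status: 301, headers: { location: ISSUER + '/' }, body: '' };
const GOOD_RESPONSE = { status: 200, headers: {}, body: SAMPLE_METADATA };
```

Running `validateDiscovery(ISSUER, REDIRECT_RESPONSE)` reproduces the "expected 200 OK, got: 301" failure from the startup log, while an ID token whose `iss` carries the well-known path and a trailing slash reproduces the later "iss mismatch" warning.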

@nicedevil007 commented on GitHub (Sep 9, 2024):

Is there anything new here?


@meltyshev commented on GitHub (Aug 9, 2025):

This issue may have been resolved by https://github.com/plankanban/planka/pull/1290. Please feel free to reopen if it's still not fixed or if anyone else encounters it.


Reference: starred/planka#467