After enabling OIDC and authenticating via Authentik I lost admin ability #627

Closed
opened 2026-02-04 20:36:36 +03:00 by OVERLORD · 5 comments

Originally created by @the-bort-the on GitHub (Jan 9, 2025).

Before enabling OIDC and integrating Authentik, I used the demo user to create a new admin user. I then disabled the demo user and had been using the basic auth for this new admin user.

After configuring OIDC I am able to log into Planka, but after doing so, I noticed my admin user was overwritten by my Authentik user. While this isn't the end of the world, I did notice I lost my admin capabilities. Looking to the database I tried to update the column `is_admin` to `t` within the `user_account` table.

This worked until I restarted the container. Is there something else needed to permanently provide myself admin? It also seems since I enabled OIDC, I cannot comment out the OIDC variables within docker-compose.yml. It says I need to use SSO. I wonder if I'm locked into SSO now?

  #- OIDC_ISSUER=https://auth.example.com/application/o/planka/
  #- OIDC_CLIENT_ID=$client_id
  #- OIDC_CLIENT_SECRET=$client_secret

@the-bort-the commented on GitHub (Jan 10, 2025):

Even a logout / login will change that boolean flag back to false for `is_admin`


@meltyshev commented on GitHub (Jan 17, 2025):

Hi!

To ensure you always have admin privileges, you need to either uncomment `OIDC_IGNORE_ROLES=true` and modify the role directly in the database, or configure OIDC groups and set `OIDC_ADMIN_ROLES=admin` with `OIDC_ROLES_ATTRIBUTE=groups`.

Regarding SSO locking, it can't currently be modified through the UI. However, you can update the `is_sso` field for a specific user directly in the database.


@the-bort-the commented on GitHub (Jan 20, 2025):

If I uncomment `OIDC_IGNORE_ROLES=true` and alter the table in the database, I see the `is_admin` stay enabled. However, when I comment `OIDC_ADMIN_ROLES=admin` with `OIDC_ROLES_ATTRIBUTE=groups` I am still seeing the behavior in my original comments.

I would like to clarify when using `OIDC_ADMIN_ROLES=admin` with `OIDC_ROLES_ATTRIBUTE=groups` am I also supposed to use an account within Authentik with both a name and username of "admin"? I see in the `user_account` table, there are two columns; one for name and another for username. The values for those are currently `authentik Default Admin` and `akadmin` respectively.


@meltyshev commented on GitHub (Jan 20, 2025):

> I would like to clarify when using `OIDC_ADMIN_ROLES=admin` with `OIDC_ROLES_ATTRIBUTE=groups` am I also supposed to use an account within Authentik with both a name and username of "admin"? I see in the `user_account` table, there are two columns; one for name and another for username. The values for those are currently `authentik Default Admin` and `akadmin` respectively.

I just checked on my test Authentik instance, and the default admin group name is `authentik Admins` (Directory -> Users -> Groups). If I set `OIDC_ADMIN_ROLES=authentik Admins`, the user will become an admin upon logging in. Alternatively, you can create a new group under Directory -> Groups, assign it to a user, and then specify it in `OIDC_ADMIN_ROLES`.


@the-bort-the commented on GitHub (Jan 20, 2025):

That was the fix, thank you! I set `OIDC_ADMIN_ROLES=authentik Admins` and it persisted the admin role when logging in.
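
The behaviour worked out across this thread, as an added example that is not part of the original issue and is not Planka's own code: a simplified model of how `is_admin` is recomputed from the OIDC claims at each login, and a payload decoder for checking which group names the IdP actually sends. The function names, the `preferred_username` claim, the sample token, the comma-separated parsing of `OIDC_ADMIN_ROLES` and the exact-match comparison are assumptions made for illustration.

```javascript
// Simplified model of login-time role sync (not Planka's source code).
// Assumed: roles come from the claim named by OIDC_ROLES_ATTRIBUTE, and
// OIDC_ADMIN_ROLES is a comma-separated list compared by exact match.

// Decode a JWT payload for inspection only; the signature is NOT verified.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Value is_admin would hold after a login, given the stored DB value.
function resolveIsAdmin(claims, env, storedIsAdmin) {
  if (env.OIDC_IGNORE_ROLES === 'true') return storedIsAdmin; // DB edit survives
  const adminRoles = (env.OIDC_ADMIN_ROLES || '')
    .split(',').map((r) => r.trim()).filter(Boolean);
  const raw = claims[env.OIDC_ROLES_ATTRIBUTE];
  const roles = Array.isArray(raw) ? raw : raw ? [String(raw)] : [];
  return roles.some((r) => adminRoles.includes(r)); // recomputed every login
}

// Constructed sample token shaped like the account in the thread.
function makeSampleToken() {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const payload = { preferred_username: 'akadmin', groups: ['authentik Admins'] };
  return `${enc({ alg: 'none' })}.${enc(payload)}.`;
}

function runScenarios() {
  const claims = decodeJwtPayload(makeSampleToken());
  const base = { OIDC_ROLES_ATTRIBUTE: 'groups' };
  return {
    groups: claims.groups,
    // Group name mismatch: a manual is_admin = t is reset at login.
    wrongName: resolveIsAdmin(claims, { ...base, OIDC_ADMIN_ROLES: 'admin' }, true),
    // Roles ignored: the value set in the database is kept.
    ignoreRoles: resolveIsAdmin(
      claims, { ...base, OIDC_ADMIN_ROLES: 'admin', OIDC_IGNORE_ROLES: 'true' }, true),
    // Name matches the IdP group: admin is granted from the claim.
    matchingName: resolveIsAdmin(
      claims, { ...base, OIDC_ADMIN_ROLES: 'authentik Admins' }, false),
  };
}

console.log(runScenarios());
```

Under this model every member of a group listed in `OIDC_ADMIN_ROLES` becomes an admin at login, so membership of that group in the IdP is what needs reviewing.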
