SSO #63

New Issue

OVERLORD · 2026-02-04T16:56:08+03:00

OVERLORD commented

2026-02-04 16:56:08 +03:00

Originally created by @pkrolkgp on GitHub (Jan 12, 2021).

It would be nice if we can login to planka with sso for nextcloud/owncloud or any other app.
Also it would be nice to have groups in planka to assign instead of only users.

Originally created by @pkrolkgp on GitHub (Jan 12, 2021). It would be nice if we can login to planka with sso for nextcloud/owncloud or any other app. Also it would be nice to have groups in planka to assign instead of only users.

OVERLORD closed this issue

2026-02-04 16:56:09 +03:00

OVERLORD commented

2026-02-04 16:56:17 +03:00

@nickbe commented on GitHub (Jan 12, 2021):

PLANKA is currently getting a complete user role overhaul. External auth systems are also on the list, but other more pressing basic changes are of a higher priority right now.

@nickbe commented on GitHub (Jan 12, 2021): PLANKA is currently getting a complete user role overhaul. External auth systems are also on the list, but other more pressing basic changes are of a higher priority right now.

OVERLORD commented

2026-02-04 16:56:21 +03:00

@NeodymiumPhish commented on GitHub (Mar 6, 2021):

I use Hedgedoc for some personal note-taking and collaboration with co-workers/friends, and I'm planning on doing similar with this. I'd love to be able to connect them both to the same auth0 application so the users are synced!!

Can't wait!

@NeodymiumPhish commented on GitHub (Mar 6, 2021): I use [Hedgedoc ](https://github.com/hedgedoc/hedgedoc)for some personal note-taking and collaboration with co-workers/friends, and I'm planning on doing similar with this. I'd love to be able to connect them both to the same auth0 application so the users are synced!! Can't wait!

OVERLORD commented

2026-02-04 16:56:33 +03:00

@terribleplan commented on GitHub (Jun 30, 2021):

Just my 2 cents here: it'd be great if whenever SSO happens it is done in a generic enough way so as to support whatever OIDC-compatible server you want (like Keycloak, WSO2, Auth0, etc)

@terribleplan commented on GitHub (Jun 30, 2021): Just my 2 cents here: it'd be great if whenever SSO happens it is done in a generic enough way so as to support whatever OIDC-compatible server you want (like Keycloak, WSO2, Auth0, etc)

OVERLORD commented

2026-02-04 16:56:42 +03:00

@matbgn commented on GitHub (Aug 24, 2022):

Any news on this topic? Still a must to have as a user ans sysadmin ;-)

@matbgn commented on GitHub (Aug 24, 2022): Any news on this topic? Still a must to have as a user ans sysadmin ;-)

OVERLORD commented

2026-02-04 16:56:53 +03:00

@GlitchWitch commented on GitHub (May 5, 2023):

Would love to know about this too!

@GlitchWitch commented on GitHub (May 5, 2023): Would love to know about this too!

OVERLORD commented

2026-02-04 16:57:03 +03:00

@prologic commented on GitHub (Jul 23, 2023):

In order to solve for SSO, can we please prioritise #200 over OIDC support (#203) 🙏 The rationale here is that there are many Web servers and Authentication proxies that support this out-of-the-box, such as Authelia and supporting Proxy / HTTP Header Auth is far more trivial to do.

We should get this out first 👌

@prologic commented on GitHub (Jul 23, 2023): In order to solve for SSO, can we please prioritise #200 over OIDC support (#203) 🙏 The rationale here is that there are many Web servers and Authentication proxies that support this out-of-the-box, such as [Authelia](https://www.authelia.com/) and supporting Proxy / HTTP Header Auth is **far more trivial** to do. We should get this out first 👌

OVERLORD commented

2026-02-04 16:57:06 +03:00

@lorenz commented on GitHub (Jul 23, 2023):

supporting Proxy / HTTP Header Auth is far more trivial to do.

If you're building an application from scratch, I totally agree with you. In that case you can forego session management, login screens and such. It's also safer if your application does not need any unauthenticated access.

But generally once an application has an existing (usually password-based) login method, adding OIDC is easier as it more closely mimicks conventional password login (you start a session with an OIDC code instead of a password). Also it can be done mostly client-side. Another advantage is that mobile apps and native clients can easily implement OIDC (even with shared session support), whereas authenticating proxies are generally very hard as they lack a token format or anything the native client can manage and pass to the backend.

Also OIDC IDPs are more common than authenticating proxies and there is still no standardized way to pass information from the authenticating proxy to a backend application.

I'm not against doing authenticating proxy-style auth (and my IDP can do that as well), but I'm just presenting some arguments why authenticating proxy-style auth is not necessarily easier and/or better .

@lorenz commented on GitHub (Jul 23, 2023): > supporting Proxy / HTTP Header Auth is **far more trivial** to do. If you're building an application from scratch, I totally agree with you. In that case you can forego session management, login screens and such. It's also safer if your application does not need any unauthenticated access. But generally once an application has an existing (usually password-based) login method, adding OIDC is easier as it more closely mimicks conventional password login (you start a session with an OIDC code instead of a password). Also it can be done mostly client-side. Another advantage is that mobile apps and native clients can easily implement OIDC (even with shared session support), whereas authenticating proxies are generally very hard as they lack a token format or anything the native client can manage and pass to the backend. Also OIDC IDPs are more common than authenticating proxies and there is still no standardized way to pass information from the authenticating proxy to a backend application. I'm not against doing authenticating proxy-style auth (and my IDP can do that as well), but I'm just presenting some arguments why authenticating proxy-style auth is not necessarily easier and/or better .

OVERLORD commented

2026-02-04 16:57:10 +03:00

@prologic commented on GitHub (Jul 23, 2023):

I'm not against doing authenticating proxy-style auth (and my IDP can do that as well), but I'm just presenting some arguments why authenticating proxy-style auth is not necessarily easier and/or better

I'm also not arguing that OIDC is better, but Proxy Auth is far easier to get going both operationally and code-wide (if you have the right interfaces in place)

Obviously I think OIDC/OAuth should continue to go ahead, I'm just saying, for the sake of "low hanging fruit with big impact", getting Proxy Auth going would solve SSO for me 👌

@prologic commented on GitHub (Jul 23, 2023): > I'm not against doing authenticating proxy-style auth (and my IDP can do that as well), but I'm just presenting some arguments why authenticating proxy-style auth is not necessarily easier and/or better I'm also not arguing that OIDC is better, but Proxy Auth is far easier to get going both operationally and code-wide (_if you have the right interfaces in place_) Obviously I think OIDC/OAuth should continue to go ahead, I'm just saying, for the sake of "low hanging fruit with big impact", getting Proxy Auth going would solve SSO for me 👌

OVERLORD commented

2026-02-04 16:57:17 +03:00

@jimz011 commented on GitHub (Sep 7, 2023):

I have been holding back on using planka for this very reason, I use Authentik to secure my applications, but I don't want to do a double auth (and I don't want to use the login provider provided by the application as those lack the security features that I want).

I honestly wouldn't really care how that it was done OIDC, oauth2, SAML, proxy header auth. Or even disable the password login entirely on the application would be a great start (since I would be the only user anyways). If this is already possible now I hope somebody can tell me how.

I think Planka is great otherwise and is probably the best KanBan board that I have tried over the past few years. It's just the user management that I really would love to see in one form or another (as mentioned above).

Personally I'd prefer SAML over proxy header auth (as headers can be intercepted), but hey at this point any form would do!
Thank you for this amazing project

@jimz011 commented on GitHub (Sep 7, 2023): I have been holding back on using planka for this very reason, I use Authentik to secure my applications, but I don't want to do a double auth (and I don't want to use the login provider provided by the application as those lack the security features that I want). I honestly wouldn't really care how that it was done OIDC, oauth2, SAML, proxy header auth. Or even disable the password login entirely on the application would be a great start (since I would be the only user anyways). If this is already possible now I hope somebody can tell me how. I think Planka is great otherwise and is probably the best KanBan board that I have tried over the past few years. It's just the user management that I really would love to see in one form or another (as mentioned above). Personally I'd prefer SAML over proxy header auth (as headers can be intercepted), but hey at this point any form would do! Thank you for this amazing project

OVERLORD commented

2026-02-04 16:57:28 +03:00

@meltyshev commented on GitHub (Oct 17, 2023):

Released: v1.13.0 (release)

@meltyshev commented on GitHub (Oct 17, 2023): Released: [v1.13.0 (release)](https://github.com/plankanban/planka/releases/tag/v1.13.0)

OVERLORD referenced this issue

2026-02-04 21:38:28 +03:00

[PR #63] [CLOSED] Bump ini from 1.3.5 to 1.3.7 in /server #924

Sign in to join this conversation.