[Bug]: Can't Access the HTTP API when using OIDC #784

Closed
opened 2026-02-04 21:19:53 +03:00 by OVERLORD · 2 comments

Originally created by @Lappun0 on GitHub (Aug 12, 2025).

Where is the problem occurring?

I encountered the problem while interacting with the server (Backend)

What browsers are you seeing the problem on?

Chrome

Current behavior

API requests like https://planka.example.com/api/projects and so on return the following message even when requested with valid access tokens from the frontend:

{"code":"E_UNAUTHORIZED","message":"Access token is missing, invalid or expired"}

Desired behavior

API requests return proper data when supplied with a working token from an OIDC authenticated browser

Steps to reproduce

- Have a PLANKA instance with OIDC set up (authentik in my case)
- Log into PLANKA using OIDC and monitor requests
- Take the valid token from the response of https://planka.example.com/api/access-tokens/exchange-with-oidc?withHttpOnlyToken=true
- Try to use it in a request. I used cURL with the following command:

curl -X GET https://planka.example.com/api/projects \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <my access token>"

Other information

I'm on Docker running version 2.0.0-rc.3 of PLANKA. I'm not sure if I'm missing something, maybe related to PLANKA 2.0, or if this is an actual bug; any help is appreciated.
@meltyshev commented on GitHub (Aug 13, 2025):

Hey! The error occurs because we use two tokens in browsers for extra security: an accessToken, which you send in the Authorization header, and an httpOnlyToken, which is set as an httpOnly cookie. This combination helps prevent CSRF attacks, since you must set the Authorization header manually, and if your accessToken is stolen (for example, via an XSS attack) it can't be used to authorize requests without the httpOnlyToken.

As a temporary workaround, if possible, try using another non-SSO user and log in via the API without the withHttpOnlyToken=true parameter. This way, you'll receive an accessToken that can be used alone to access the API. Alternatively, you could try reading the httpOnlyToken from cookies and sending it along as well.

There's already a pull request (https://github.com/plankanban/planka/pull/1254) to implement per-user API keys, so in the future you won't need to use the accessToken at all.
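The following Python is an added illustration, not PLANKA's code and not the maintainer's: it models the check the comment above describes, so the cases discussed in this thread can be exercised offline. An accessToken issued with withHttpOnlyToken=true is only honoured together with its paired httpOnly cookie; one issued without the flag (the first workaround) is accepted on its own. The in-memory session store, the cookie name httpOnlyToken, the token generation and the run_scenarios helper are assumptions made for this example; the real backend's token format and storage are not shown on this page.

```python
"""Model of the accessToken + httpOnlyToken pairing described in the thread.

Added example (hypothetical): PLANKA's real implementation is not on this page.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Hypothetical in-memory session store: accessToken -> paired httpOnlyToken,
# or None when the token was issued without withHttpOnlyToken=true.
_SESSIONS: Dict[str, Optional[str]] = {}

# Cookie name is an assumption for the example.
COOKIE_NAME = "httpOnlyToken"


def issue_tokens(with_http_only_token: bool) -> Tuple[str, Optional[str]]:
    """Model of a login / exchange-with-oidc call.

    With the flag, the browser gets an accessToken (returned in the body, kept
    by the frontend) and an httpOnlyToken (set as an httpOnly cookie that
    JavaScript cannot read). Without it, the accessToken stands alone.
    """
    access = secrets.token_urlsafe(32)
    http_only = secrets.token_urlsafe(32) if with_http_only_token else None
    _SESSIONS[access] = http_only
    return access, http_only


def parse_cookie(header: Optional[str]) -> Dict[str, str]:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies: Dict[str, str] = {}
    if not header:
        return cookies
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def authorize(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a request is authenticated; returns (ok, reason/code)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "E_UNAUTHORIZED"  # CSRF case: no header, even if cookie present
    access = auth[len("Bearer "):].strip()
    required_cookie = _SESSIONS.get(access)
    if access not in _SESSIONS:
        return False, "E_UNAUTHORIZED"  # unknown / expired token
    if required_cookie is None:
        return True, "ok (standalone token)"
    presented = parse_cookie(headers.get("Cookie")).get(COOKIE_NAME)
    # Constant-time comparison; both values are ASCII (urlsafe base64).
    if presented is None or not hmac.compare_digest(presented, required_cookie):
        return False, "E_UNAUTHORIZED"  # the reporter's curl: header only, no cookie
    return True, "ok (token pair)"


def run_scenarios() -> Dict[str, bool]:
    """Exercise the cases discussed in the thread; returns scenario -> authorized."""
    # Browser OIDC login with withHttpOnlyToken=true issues a pair.
    access, http_only = issue_tokens(with_http_only_token=True)
    # Non-SSO API login without the flag issues a standalone token (workaround 1).
    standalone, _ = issue_tokens(with_http_only_token=False)
    return {
        # Frontend request (JS sets the header, browser attaches the cookie);
        # also workaround 2, where curl sends the cookie value by hand.
        "pair_present": authorize({"Authorization": f"Bearer {access}",
                                   "Cookie": f"{COOKIE_NAME}={http_only}"})[0],
        # The reporter's curl: copied accessToken, no cookie (same as XSS theft).
        "curl_access_only": authorize({"Authorization": f"Bearer {access}"})[0],
        # Cross-site request: cookie attached automatically, header absent.
        "csrf_cookie_only": authorize({"Cookie": f"{COOKIE_NAME}={http_only}"})[0],
        # Real access token with a forged cookie value.
        "mismatched_pair": authorize({"Authorization": f"Bearer {access}",
                                      "Cookie": f"{COOKIE_NAME}=forged"})[0],
        # Workaround 1: token issued without withHttpOnlyToken works alone.
        "standalone_token": authorize({"Authorization": f"Bearer {standalone}"})[0],
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:18} -> {'authorized' if ok else 'E_UNAUTHORIZED'}")
```

The curl_access_only case is the reporter's request: the token itself is valid, but the cookie the browser would have attached is missing, so the server answers E_UNAUTHORIZED. The csrf_cookie_only case is what the pairing buys: a cross-site form post carries the cookie but cannot add the Authorization header. For the second workaround with curl, the cookie value would be passed as an extra header, for example `-H "Cookie: httpOnlyToken=<value>"` (cookie name assumed as above).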
@Lappun0 commented on GitHub (Aug 16, 2025):

Ah okay I understand. I tried your suggested workaround and it works perfectly fine for reading some data from my boards. Since there is already a pull request in the works for this to be reworked, I'm going to close this issue for now.
Reference: starred/planka#784