[Bug]: Azure OIDC sign in #902

Open
opened 2026-02-04 21:35:14 +03:00 by OVERLORD · 7 comments

Originally created by @kasperB2004 on GitHub (Jan 25, 2026).

### Where is the problem occurring?

I encountered the problem while using the application (Frontend)

### What browsers are you seeing the problem on?

Microsoft Edge

### Current behavior

When logging into Planka with SSO I get an error "Unkown error please try again later"

### Desired behavior

To be able to sign in

### Steps to reproduce

I currently set up Planka with the following OIDC configuration:

```env
# OIDC configuration for Planka
- OIDC_ISSUER=https://login.microsoftonline.com/<TENANT_ID>/v2.0
- OIDC_CLIENT_ID=<CLIENT_ID>
- OIDC_CLIENT_SECRET=<CLIENT_SECRET>  # Optional: can be stored in a secret file
# - OIDC_CLIENT_SECRET__FILE=/run/secrets/oidc_client_secret
# - OIDC_USE_OAUTH_CALLBACK=true
# - OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG=
# - OIDC_USERINFO_SIGNED_RESPONSE_ALG=
- OIDC_SCOPES=openid email profile
# - OIDC_RESPONSE_MODE=fragment
# - OIDC_USE_DEFAULT_RESPONSE_MODE=true
# - OIDC_ADMIN_ROLES=admin
# - OIDC_PROJECT_OWNER_ROLES=project_owner
# - OIDC_BOARD_USER_ROLES=board_user
- OIDC_CLAIMS_SOURCE=id_token
# - OIDC_EMAIL_ATTRIBUTE=email
# - OIDC_NAME_ATTRIBUTE=name
# - OIDC_USERNAME_ATTRIBUTE=preferred_username
# - OIDC_ROLES_ATTRIBUTE=groups
# - OIDC_IGNORE_USERNAME=true
- OIDC_IGNORE_ROLES=true
- OIDC_ENFORCED=true
```

When signing in, I get a 422 Unprocessable Entity error on the following endpoint:

`https://planka.xxx.be/api/access-tokens/exchange-with-oidc?withHttpOnlyToken=true`

With the response:

```json
{
    "code": "E_UNPROCESSABLE_ENTITY",
    "message": "Unable to retrieve required values (email, name)"
}
```

I saw that setting OIDC_CLAIMS_SOURCE to id_token could fix this issue, with no luck.

My Azure API exposes the needed permissions as well.

[Image]

### Other information

No response


@meltyshev commented on GitHub (Jan 25, 2026):

Hi! The error you're seeing means that one (or even both) of the required fields are missing from the `userinfo` response or the `id_token`. We're planning to add more logging to help debug the entire OIDC process, since it's currently difficult to troubleshoot - we're aware of that.

I also found a discussion about Azure that mentions the same error, it might be helpful: https://github.com/plankanban/planka/discussions/591#discussioncomment-9119995.

Additionally, we just merged a PR with an example configuration for Microsoft Entra ID, which may also help: https://docs.planka.cloud/docs/configuration/oidc#microsoft-entra-id.

If none of this helps, we can try to find a way to debug it - just please let us know which installation method you're using.


@kasperB2004 commented on GitHub (Jan 25, 2026):

Hi, I installed it using Docker and then followed along with said example configuration. I tried the solution listed in #591 by adding the email address in contact information, but then I get a 500 instead of the 422. Looking at the logs, it is because of the following error:

```
2026-01-25 20:50:41 [E] Sending 500 ("Server Error") response:
 Invalid new record.
Details:
  Could not use specified `username`.  Violated one or more validation rules:
  • Value was -10 characters longer than the configured maximum length (16)
  • Value ('name@xxx.be') did not match the configured regular expression (/^[a-zA-Z0-9]+((_|\.)?[a-zA-Z0-9])*$/)
```

Changing it to OIDC_USERNAME_ATTRIBUTE=oid, as listed in the documentation under the group part of the Entra SSO documentation, gave me the following error:

```
2026-01-25 20:54:09 [E] Sending 500 ("Server Error") response:
 Invalid new record.
Details:
  Could not use specified `username`.  Violated one or more validation rules:
  • Value was -20 characters longer than the configured maximum length (16)
  • Value ('083473db-aba4-45b0-bed7-f979eac20a10') did not match the configured regular expression (/^[a-zA-Z0-9]+((_|\.)?[a-zA-Z0-9])*$/)
```

@meltyshev commented on GitHub (Jan 26, 2026):

Ah, thanks for the logs! There are two ways to fix this:

- Use the `nightly` version until we release the final v2. In the current `rc.4` the username length is limited to 16 characters, but we've already fixed that and made it less strict. Just keep in mind - it's better to switch back to the `latest` tag after the final release, since relying on `nightly` long-term isn't recommended (we're planning to release the final version very very soon).
- Or set `OIDC_IGNORE_USERNAME=true`, so no username will be synced from the OIDC provider. You can then set or configure it directly inside PLANKA.

@kasperB2004 commented on GitHub (Jan 26, 2026):

Hey, thanks for the quick response!

I got the nightly build working, but now I’m running into a 403 error: “Admin login required to initialize instance.”

I suspect I need to create a non-OIDC user first to set it up. However, it seems logical that using Azure groups and an admin group should achieve the same effect.


@meltyshev commented on GitHub (Jan 26, 2026):

It should have the same effect via OIDC. It looks like the role mapping isn't working properly because the required claim isn't coming from the provider, or a different value is being used - as a result, a simple `boardUser` was created. Maybe I can try building a command to run the container with a modified OIDC controller that just logs the incoming data...
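
The following Node.js script is an added example, not Planka's source and not posted by anyone in this thread. It models the three decisions the thread walks through: the 422 when the email/name claims are absent from the token, the 500 from the rc.4 username rules (16-character maximum and the regular expression quoted in the logs), and the role mapping that falls back to a plain boardUser when the configured admin group id does not match what the provider sends. The attribute mapping and role mapping are assumptions modelled on the OIDC_*_ATTRIBUTE, OIDC_IGNORE_USERNAME, OIDC_ROLES_ATTRIBUTE and OIDC_ADMIN_ROLES keys from the report; the claim values, group ids and the token are constructed. The JWT decoding only inspects the payload and does not check the signature.

```javascript
// Added example, not Planka's code. Attribute mapping, username rules and role
// mapping are ASSUMPTIONS modelled on the env keys and log messages in the
// thread; the token and claim values below are constructed.

const USERNAME_MAX_LENGTH = 16;                               // rc.4 limit quoted in the logs
const USERNAME_REGEX = /^[a-zA-Z0-9]+((_|\.)?[a-zA-Z0-9])*$/; // regex quoted in the logs

// Defaults taken from the commented-out OIDC_*_ATTRIBUTE lines in the report.
const DEFAULT_CONFIG = {
  emailAttribute: 'email',                 // OIDC_EMAIL_ATTRIBUTE
  nameAttribute: 'name',                   // OIDC_NAME_ATTRIBUTE
  usernameAttribute: 'preferred_username', // OIDC_USERNAME_ATTRIBUTE
  rolesAttribute: 'groups',                // OIDC_ROLES_ATTRIBUTE
  adminRoles: [],                          // OIDC_ADMIN_ROLES (comma-separated in env)
  ignoreUsername: false,                   // OIDC_IGNORE_USERNAME
  ignoreRoles: false,                      // OIDC_IGNORE_ROLES
};

// Decode the payload segment of a compact JWT for claim inspection only.
// No signature check happens here: the result shows what the provider sent,
// not whether the token can be trusted.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Reproduces the two username rules behind the 500 in the logs.
function validateUsername(value) {
  if (typeof value !== 'string') return ['Value is not a string'];
  const problems = [];
  if (value.length > USERNAME_MAX_LENGTH) {
    problems.push(`Value was ${value.length - USERNAME_MAX_LENGTH} characters longer than the configured maximum length (${USERNAME_MAX_LENGTH})`);
  }
  if (!USERNAME_REGEX.test(value)) {
    problems.push(`Value ('${value}') did not match the configured regular expression (${USERNAME_REGEX})`);
  }
  return problems;
}

// Assumed role mapping: a group id listed in OIDC_ADMIN_ROLES makes the user
// an admin; anything else becomes a plain boardUser, the outcome described in
// the thread when the group id was mis-copied.
function mapRole(claims, config) {
  if (config.ignoreRoles) return 'boardUser';
  const roles = [].concat(claims[config.rolesAttribute] ?? []);
  return roles.some((r) => config.adminRoles.includes(r)) ? 'admin' : 'boardUser';
}

// Same order of decisions as the thread: required claims (422), then the
// username rules (500), then the role mapping.
function provisionFromClaims(claims, config) {
  const email = claims[config.emailAttribute];
  const name = claims[config.nameAttribute];
  const missing = [];
  if (!email) missing.push('email');
  if (!name) missing.push('name');
  if (missing.length) {
    return { status: 422, code: 'E_UNPROCESSABLE_ENTITY',
             message: `Unable to retrieve required values (${missing.join(', ')})` };
  }
  const user = { email, name, role: mapRole(claims, config) };
  if (!config.ignoreUsername) {
    const username = claims[config.usernameAttribute];
    const problems = validateUsername(username);
    if (problems.length) return { status: 500, code: 'E_INVALID_NEW_RECORD', problems };
    user.username = username;
  }
  return { status: 200, user };
}

// --- constructed sample data (not real tenant, user or group values) ---
const ADMIN_GROUP_ID = '00000000-0000-4000-8000-0000000000aa';
const SAMPLE_CLAIMS = {
  iss: 'https://login.microsoftonline.com/<TENANT_ID>/v2.0',
  oid: '00000000-0000-4000-8000-000000000000', // 36 chars, like the oid in the logs
  preferred_username: 'jane.doe@example.com',  // an address, as Entra usually sends
  name: 'Jane Doe',
  email: 'jane.doe@example.com',
  groups: [ADMIN_GROUP_ID],
};
const b64url = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
const SAMPLE_TOKEN = `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url(SAMPLE_CLAIMS)}.placeholder-signature`;

// Runs each situation from the thread against the model and returns the outcomes.
function runScenarios() {
  const claims = decodeJwtPayload(SAMPLE_TOKEN);
  const { email, name, ...withoutEmailAndName } = claims;
  return {
    missingClaims: provisionFromClaims(withoutEmailAndName, DEFAULT_CONFIG),                 // 422
    emailAsUsername: provisionFromClaims(claims, DEFAULT_CONFIG),                            // 500
    oidAsUsername: provisionFromClaims(claims, { ...DEFAULT_CONFIG, usernameAttribute: 'oid' }), // 500
    ignoreUsernameAdmin: provisionFromClaims(claims, { ...DEFAULT_CONFIG, ignoreUsername: true, adminRoles: [ADMIN_GROUP_ID] }), // 200, admin
    wrongGroupId: provisionFromClaims(claims, { ...DEFAULT_CONFIG, ignoreUsername: true, adminRoles: ['00000000-0000-4000-8000-0000000000bb'] }), // 200, boardUser
  };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

The overshoot is reported here as a positive count (36 minus 16 is 20 for the oid); the thread's log prints the same number with a leading minus sign. The `wrongGroupId` scenario is the quiet failure from the last comments: provisioning succeeds, but with a boardUser role, so a mismatch between OIDC_ADMIN_ROLES and the group id in the groups claim shows up as the 403 "Admin login required" rather than as an error from the OIDC exchange.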


@kasperB2004 commented on GitHub (Jan 26, 2026):

Got it working. Seems I must have mis-copied the group id. Thanks for the help!


@meltyshev commented on GitHub (Jan 26, 2026):

You're welcome! Glad to hear it's working!

Reference: starred/planka#902