[PR #203] [CLOSED] RFC: OIDC #953

New Issue

Closed

opened 2026-02-04 21:40:29 +03:00 by OVERLORD · 0 comments

OVERLORD commented 2026-02-04 21:40:29 +03:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/plankanban/planka/pull/203
Author: @lorenz
Created: 2/5/2022
Status: ❌ Closed

Base: master ← Head: oidc

---

📝 Commits (1)

• 71e7349 OIDC token exchange

📊 Changes

7 files changed (+154 additions, -9040 deletions)

View changed files

➕ server/api/controllers/access-tokens/exchange.js (+64 -0)
➕ server/api/hooks/oidc/index.js (+35 -0)
📝 server/config/custom.js (+6 -0)
📝 server/config/policies.js (+1 -0)
📝 server/config/routes.js (+1 -0)
📝 server/package-lock.json (+46 -9040)
📝 server/package.json (+1 -0)

📄 Description

This is a start at implementing a OIDC RP for Planka. It implements just the server side by exposing a token exchange endpoint where a client can exchange an OAuth2/OIDC code for a Planka access token. It auto-manages user attributes based on user info received from an OIDC-compliant IDP.

I have a client implementation working for me but it's extremely hacky so not included here.

There are a bunch of open questions left, that's why I'm posting this as a RFC:

• How does the frontend figure out if OIDC is enabled and what the config is? Probably needs another API to ask for login configuration. Theoretically oidcIssuer and oidcClientId is all it needs, but we could just pass it a full authorization URL.
• Is it a better idea to overload the POST /access-token call or keep the separate POST /access-token/exchange?
• Is making password nullable better than storing '$sso$' in there?
• username has a bunch of constraints on it which cannot be kept if we're going to store the OIDC subject (sub) in there. Alternative would be to have a dedicated field.
• For a proper implementation this should lock managed user attributes from manual editing.

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/plankanban/planka/pull/203 **Author:** [@lorenz](https://github.com/lorenz) **Created:** 2/5/2022 **Status:** ❌ Closed **Base:** `master` ← **Head:** `oidc` --- ### 📝 Commits (1) - [`71e7349`](https://github.com/plankanban/planka/commit/71e73494a55541bcbfac376452eec9de00d2e2fc) OIDC token exchange ### 📊 Changes **7 files changed** (+154 additions, -9040 deletions) <details> <summary>View changed files</summary> ➕ `server/api/controllers/access-tokens/exchange.js` (+64 -0) ➕ `server/api/hooks/oidc/index.js` (+35 -0) 📝 `server/config/custom.js` (+6 -0) 📝 `server/config/policies.js` (+1 -0) 📝 `server/config/routes.js` (+1 -0) 📝 `server/package-lock.json` (+46 -9040) 📝 `server/package.json` (+1 -0) </details> ### 📄 Description This is a start at implementing a OIDC RP for Planka. It implements just the server side by exposing a token exchange endpoint where a client can exchange an OAuth2/OIDC code for a Planka access token. It auto-manages user attributes based on user info received from an OIDC-compliant IDP. I have a client implementation working for me but it's extremely hacky so not included here. There are a bunch of open questions left, that's why I'm posting this as a RFC: * How does the frontend figure out if OIDC is enabled and what the config is? Probably needs another API to ask for login configuration. Theoretically `oidcIssuer` and `oidcClientId` is all it needs, but we could just pass it a full authorization URL. * Is it a better idea to overload the `POST /access-token` call or keep the separate `POST /access-token/exchange`? * Is making password nullable better than storing '$sso$' in there? * username has a bunch of constraints on it which cannot be kept if we're going to store the OIDC subject (sub) in there. Alternative would be to have a dedicated field. * For a proper implementation this should lock managed user attributes from manual editing. --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

OVERLORD added the pull-request label 2026-02-04 21:40:29 +03:00

OVERLORD closed this issue 2026-02-04 21:40:30 +03:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

gh-pages

dependabot/npm_and_yarn/multi-795903f3f3

dependabot/npm_and_yarn/server/multi-60f2582fdd

dependabot/npm_and_yarn/client/qs-6.14.2

dependabot/npm_and_yarn/client/markdown-it-14.1.1

v2.0.2

planka-2.0.2

v2.0.1

planka-2.0.1

v2.0.0

planka-2.0.0

planka-1.1.2

planka-1.1.1

planka-1.1.0

planka-1.0.5

planka-1.0.4

v2.0.0-rc.4

v1.26.3

planka-0.2.26

planka-1.0.3

planka-1.0.2

v2.0.0-rc.3

planka-1.0.1

planka-1.0.0

v2.0.0-rc.2

planka-0.2.25

v1.26.2

v1.26.1

planka-0.2.24

v1.26.0

planka-0.2.23

v1.25.1

planka-0.2.22

v1.25.0

planka-0.2.21

v1.24.4

planka-0.2.20

v1.24.3

planka-0.2.19

planka-0.2.18

v1.24.2

planka-0.2.17

planka-0.2.16

v1.24.1

planka-0.2.15

v1.24.0

planka-0.2.14

v1.23.5

v1.23.4

planka-0.2.13

planka-0.2.12

v1.23.3

planka-0.2.11

v1.23.2

planka-0.2.10

v1.23.1

planka-0.2.9

v1.23.0

v1.22.0

planka-0.2.8

Labels

Clear labels

bug

bug

documentation

documentation

duplicate

enhancement

good first issue

help wanted

pull-request

Mirrored from GitHub Pull Request

question

wontfix

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/planka#953