From f0f788f786ff6ebada6926c8ea913a27880c4f07 Mon Sep 17 00:00:00 2001 From: HannesOberreiter Date: Thu, 4 Apr 2024 09:10:08 +0200 Subject: [PATCH] Update OIDC.md --- docs/Configuration/OIDC.md | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/docs/Configuration/OIDC.md b/docs/Configuration/OIDC.md index bed89a3..be11e33 100644 --- a/docs/Configuration/OIDC.md +++ b/docs/Configuration/OIDC.md @@ -1,14 +1,14 @@ # OIDC -#### Single Sign on with OIDC +## Single Sign on with OIDC Planka can be configured to use an OIDC provider for logging in. If a user doesn't exist it will be automatically created. If a user exists and the email claim matches the email stored in Planka the accounts will be linked. -#### Required Configuration Values +### Required Configuration Values * **OIDC_ISSUER**: URL pointing to the identity provider. This is used to pull the `.well-known/openid-configuration` endpoint that is used to identify the necessary endpoints. * **OIDC_CLIENT_ID**: The OAUTH client id you created in the identity provider. * **OIDC_CLIENT_SECRET**: The OAUTH client secret you created in the identity provider. -#### Optional Configuration Values +### Optional Configuration Values * **OIDC_SCOPES**: Scopes to request from the identity provider. This controls what values the OAuth client has access to. Planka needs the email and name claims. By default it requests `openid profile email`. * **OIDC_ADMIN_ROLES**: Looks in the claim declared by `OIDC_ROLES_ATTRIBUTE` to see if the user is an admin. By default the `admin` role is used. * **OIDC_EMAIL_ATTRIBUTE**: The claim containing the email. By default `email` is used. 
@@ -19,7 +19,8 @@ Planka can be configured to use an OIDC provider for logging in. If a user doesn * **OIDC_IGNORE_ROLES**: If set to `true` the `OIDC_ADMIN_ROLES` and `OIDC_ROLES_ATTRIBUTE` will be ignored. This is useful if you want to use OIDC for authentication but not for authorization. Like that the user roles will be managed by Planka. By default they're not ignored. * **OIDC_ENFORCED**: If set to `true` all built-in authentication/authorization will be deactivated. By default it's not enforced. -#### Example configuration +## Examples +### Authentik This is an example of the environment variables used to configure Planka to use [Authentik](https://goauthentik.io/ "Homepage for authentik"). It will work with any OIDC provider. ``` @@ -42,3 +43,21 @@ At least these values will need to be modified: * `sxxaAIAxVXlCxTmc1YLHBbQr8NL8MqLI2DUbt42d` is the client id generated by authentik. * `om4RTMRVHRszU7bqxB7RZNkHIzA8e4sGYWxeCwIMYQXPwEBWe4SY5a0wwCe9ltB3zrq5f0dnFnp34cEHD7QSMHsKvV9AiV5Z7eqDraMnv0I8IFivmuV5wovAECAYreSI` is the client secret generated by authentik. * `planka-admin` is the group in authentik, this is used to create admin accounts (or alternatively you can set `OIDC_IGNORE_ROLES` to `true`) + +### Google + +* Go to [console.cloud.google.com/apis/credentials](https://console.cloud.google.com/apis/credentials) +* Select a existing project at the top or create a new one +* Select “create credentials” +* Pick oAuth Client ID +* Application type: Web application +* Name: Planka +* Add Redirect URI: `https://your-domain.com/oidc-callback` +* Set the displayed ClientID and Client Secret as environment variables + +``` +OIDC_ISSUER=https://accounts.google.com +OIDC_CLIENT_ID=xxx-xxx.apps.googleusercontent.com +OIDC_CLIENT_SECRET=xxxx-xxxx-xx +OIDC_SCOPES=openid profile email +```
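Review bot: In the first hunk (`@@ -1,14 +1,14 @@`) the heading promotion is fine, but the unchanged context line `If a user exists and the email claim matches the email stored in Planka the accounts will be linked` documents account linking without stating its precondition: linking on an email match is only safe when the identity provider verifies that email and does not let users self-assert it, otherwise anyone who can register an existing Planka user's address at the IdP gets that Planka account. Suggest adding a sentence after that line saying the claim named by `OIDC_EMAIL_ATTRIBUTE` must be a provider-verified email. Minor style point in the same hunk: `OAUTH client id` / `OAUTH client secret` should read `OAuth`, matching `OAuth client` in the `OIDC_SCOPES` bullet.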
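Review bot: In the second hunk (`@@ -19,7 +19,8 @@`), now that `#### Example configuration` is split into `## Examples` and `### Authentik`, the sentence `It will work with any OIDC provider.` sits under the Authentik heading while referring to the whole configuration scheme; suggest moving it up under `## Examples` and qualifying it, since the variable names are provider-independent but the values shown (the `planka-admin` group passed through `OIDC_ADMIN_ROLES`) are not.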
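Review bot: In the third hunk (`@@ -42,3 +43,21 @@`) the new Google section leaves admin handling undefined: the Authentik example above it relies on the `planka-admin` group via `OIDC_ADMIN_ROLES`, but the Google env block sets neither a roles mapping nor `OIDC_IGNORE_ROLES`, and Google's standard ID token carries no group or role claim, so a reader following these steps gets no admin users and no hint why. Suggest adding `OIDC_IGNORE_ROLES=true` to the block or a sentence pointing to that option. The redirect URI `https://your-domain.com/oidc-callback` should be called out as an exact-match value using the scheme and host Planka is actually served from, since Google rejects redirect URIs that do not match the registered one character for character. `OIDC_SCOPES=openid profile email` repeats the documented default and can be dropped. Typos: `Select a existing project` should be `an existing project`, `Pick oAuth Client ID` should be `OAuth client ID`, and `ClientID` should be `Client ID` to match the preceding line.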