Update OIDC.md
HannesOberreiter authored Apr 4, 2024
1 parent fca4a1c commit f0f788f
Showing 1 changed file with 23 additions and 4 deletions.
27 changes: 23 additions & 4 deletions docs/Configuration/OIDC.md
@@ -1,14 +1,14 @@
# OIDC
#### Single Sign on with OIDC
## Single Sign on with OIDC

Planka can be configured to use an OIDC provider for logging in. If a user doesn't exist it will be automatically created. If a user exists and the email claim matches the email stored in Planka the accounts will be linked.

#### Required Configuration Values
### Required Configuration Values
* **OIDC_ISSUER**: URL pointing to the identity provider. This is used to pull the `.well-known/openid-configuration` endpoint that is used to identify the necessary endpoints.
* **OIDC_CLIENT_ID**: The OAUTH client id you created in the identity provider.
* **OIDC_CLIENT_SECRET**: The OAUTH client secret you created in the identity provider.

#### Optional Configuration Values
### Optional Configuration Values
* **OIDC_SCOPES**: Scopes to request from the identity provider. This controls what values the OAuth client has access to. Planka needs the email and name claims. By default it requests `openid profile email`.
* **OIDC_ADMIN_ROLES**: Looks in the claim declared by `OIDC_ROLES_ATTRIBUTE` to see if the user is an admin. By default the `admin` role is used.
* **OIDC_EMAIL_ATTRIBUTE**: The claim containing the email. By default `email` is used.
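Review bot: the heading demotion in this hunk is fine, but while touching these lines the unchanged context could get the same consistency pass: "Single Sign on" reads better as "Single Sign-On", and the two required-value bullets write "OAUTH client id"/"OAUTH client secret" while the optional-values bullet below writes "OAuth"; suggest "The OAuth client ID you created in the identity provider." and the matching form for the secret.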
@@ -19,7 +19,8 @@ Planka can be configured to use an OIDC provider for logging in. If a user doesn
* **OIDC_IGNORE_ROLES**: If set to `true` the `OIDC_ADMIN_ROLES` and `OIDC_ROLES_ATTRIBUTE` will be ignored. This is useful if you want to use OIDC for authentication but not for authorization. Like that the user roles will be managed by Planka. By default they're not ignored.
* **OIDC_ENFORCED**: If set to `true` all built-in authentication/authorization will be deactivated. By default it's not enforced.

#### Example configuration
## Examples
### Authentik
This is an example of the environment variables used to configure Planka to use [Authentik](https://goauthentik.io/ "Homepage for authentik"). It will work with any OIDC provider.

```
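Review bot: "## Examples" is now a sibling of "## Single Sign on with OIDC" while "### Required Configuration Values" and "### Optional Configuration Values" are nested under it, so the examples fall outside the section they illustrate; either use "### Examples" with "#### Authentik" (and "#### Google" below) or confirm the flat layout is intended. The sentence "It will work with any OIDC provider." also sits under the new provider-specific "### Authentik" heading now that a second provider section exists; suggest "The same variables work with any OIDC provider." so it is not read as a claim about Authentik only. A blank line between "## Examples" and "### Authentik", and before the "This is an example" paragraph, would match the spacing used elsewhere in the file.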
@@ -42,3 +43,21 @@ At least these values will need to be modified:
* `sxxaAIAxVXlCxTmc1YLHBbQr8NL8MqLI2DUbt42d` is the client id generated by authentik.
* `om4RTMRVHRszU7bqxB7RZNkHIzA8e4sGYWxeCwIMYQXPwEBWe4SY5a0wwCe9ltB3zrq5f0dnFnp34cEHD7QSMHsKvV9AiV5Z7eqDraMnv0I8IFivmuV5wovAECAYreSI` is the client secret generated by authentik.
* `planka-admin` is the group in authentik, this is used to create admin accounts (or alternatively you can set `OIDC_IGNORE_ROLES` to `true`)

### Google

* Go to [console.cloud.google.com/apis/credentials](https://console.cloud.google.com/apis/credentials)
* Select a existing project at the top or create a new one
* Select “create credentials”
* Pick oAuth Client ID
* Application type: Web application
* Name: Planka
* Add Redirect URI: `https://your-domain.com/oidc-callback`
* Set the displayed ClientID and Client Secret as environment variables

```
OIDC_ISSUER=https://accounts.google.com
OIDC_CLIENT_ID=xxx-xxx.apps.googleusercontent.com
OIDC_CLIENT_SECRET=xxxx-xxxx-xx
OIDC_SCOPES=openid profile email
```
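Review bot: the Google section says nothing about how an admin account is obtained, whereas the Authentik section just above explains that the `planka-admin` group is what creates admin accounts, or alternatively that `OIDC_IGNORE_ROLES` can be set to `true`. The Google environment block sets neither `OIDC_ADMIN_ROLES`/`OIDC_ROLES_ATTRIBUTE` nor `OIDC_IGNORE_ROLES`, so with the documented defaults a reader will not know whether any Google-authenticated user can become admin or how roles are meant to be managed; suggest adding a line stating which applies, for example `OIDC_IGNORE_ROLES=true` with a sentence that roles are then managed in Planka, or the roles claim to configure if Google is expected to supply one. The `OIDC_SCOPES=openid profile email` line repeats the documented default and can be dropped or labelled as such. Minor wording in the new bullets: "Select a existing project" should be "Select an existing project", and "Pick oAuth Client ID" should be "Pick OAuth Client ID" to match the casing used in the rest of the file.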
