
Update OIDC.md #12

Merged
merged 1 commit into from
Apr 4, 2024
27 changes: 23 additions & 4 deletions docs/Configuration/OIDC.md
@@ -1,14 +1,14 @@
# OIDC
#### Single Sign on with OIDC
## Single Sign on with OIDC

Planka can be configured to use an OIDC provider for logging in. If a user doesn't exist it will be automatically created. If a user exists and the email claim matches the email stored in Planka the accounts will be linked.

#### Required Configuration Values
### Required Configuration Values
* **OIDC_ISSUER**: URL pointing to the identity provider. This is used to pull the `.well-known/openid-configuration` endpoint that is used to identify the necessary endpoints.
* **OIDC_CLIENT_ID**: The OAUTH client id you created in the identity provider.
* **OIDC_CLIENT_SECRET**: The OAUTH client secret you created in the identity provider.

#### Optional Configuration Values
### Optional Configuration Values
* **OIDC_SCOPES**: Scopes to request from the identity provider. This controls what values the OAuth client has access to. Planka needs the email and name claims. By default it requests `openid profile email`.
* **OIDC_ADMIN_ROLES**: Looks in the claim declared by `OIDC_ROLES_ATTRIBUTE` to see if the user is an admin. By default the `admin` role is used.
* **OIDC_EMAIL_ATTRIBUTE**: The claim containing the email. By default `email` is used.
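Review bot: the `OIDC_CLIENT_ID` and `OIDC_CLIENT_SECRET` entries spell it `OAUTH` while the `OIDC_SCOPES` entry in the same list writes `OAuth`; use `OAuth` in all three (e.g. `The OAuth client id you created in the identity provider.`). The heading promotion itself reads correctly: `# OIDC`, `## Single Sign on with OIDC` and `### Required Configuration Values` now nest as H1 > H2 > H3 instead of jumping from H1 to H4.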
Expand All @@ -19,7 +19,8 @@ Planka can be configured to use an OIDC provider for logging in. If a user doesn
* **OIDC_IGNORE_ROLES**: If set to `true` the `OIDC_ADMIN_ROLES` and `OIDC_ROLES_ATTRIBUTE` will be ignored. This is useful if you want to use OIDC for authentication but not for authorization. Like that the user roles will be managed by Planka. By default they're not ignored.
* **OIDC_ENFORCED**: If set to `true` all built-in authentication/authorization will be deactivated. By default it's not enforced.

#### Example configuration
## Examples
### Authentik
This is an example of the environment variables used to configure Planka to use [Authentik](https://goauthentik.io/ "Homepage for authentik"). It will work with any OIDC provider.

```
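Review bot: the new `### Authentik` intro says the example "will work with any OIDC provider", which overstates it, since the values in the block are Authentik-specific (issuer URL, client id and secret, the `planka-admin` group); suggest "The same variables apply to any OIDC provider; only the values differ." That keeps the claim accurate for readers of the other provider sections under the new `## Examples` heading.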
Expand All @@ -42,3 +43,21 @@ At least these values will need to be modified:
* `sxxaAIAxVXlCxTmc1YLHBbQr8NL8MqLI2DUbt42d` is the client id generated by authentik.
* `om4RTMRVHRszU7bqxB7RZNkHIzA8e4sGYWxeCwIMYQXPwEBWe4SY5a0wwCe9ltB3zrq5f0dnFnp34cEHD7QSMHsKvV9AiV5Z7eqDraMnv0I8IFivmuV5wovAECAYreSI` is the client secret generated by authentik.
* `planka-admin` is the group in authentik, this is used to create admin accounts (or alternatively you can set `OIDC_IGNORE_ROLES` to `true`)

### Google

* Go to [console.cloud.google.com/apis/credentials](https://console.cloud.google.com/apis/credentials)
* Select a existing project at the top or create a new one
* Select “create credentials”
* Pick oAuth Client ID
* Application type: Web application
* Name: Planka
* Add Redirect URI: `https://your-domain.com/oidc-callback`
* Set the displayed ClientID and Client Secret as environment variables

```
OIDC_ISSUER=https://accounts.google.com
OIDC_CLIENT_ID=xxx-xxx.apps.googleusercontent.com
OIDC_CLIENT_SECRET=xxxx-xxxx-xx
OIDC_SCOPES=openid profile email
```
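Review bot: the Google steps never say how admin accounts are determined, whereas the Authentik section ties admins to the `planka-admin` group or points to `OIDC_IGNORE_ROLES=true`; add the same guidance here so a reader following only this section knows which claim (via `OIDC_ROLES_ATTRIBUTE` / `OIDC_ADMIN_ROLES`) is consulted or that roles should be left to Planka. Two wording fixes in the list: "Select a existing project" should read "Select an existing project", and "Pick oAuth Client ID" should read "Pick OAuth Client ID". The `OIDC_SCOPES=openid profile email` line in the env block restates the documented default from the Optional Configuration Values list, so it can be dropped or marked as optional to avoid implying Google needs a different scope set.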