Enabling OIDC login post-implementation

[harryburr]

Hi there,

I run a not-for-profit who has implemented Planka through Docker - however, we are now at the scale that we require login authentication through Azure AD, and I was happy to see that Planka supports this. However, I'm quite confused as to the process of implementing this OIDC? Will we need to add environment variables, and if so, where? How would we modify the Docker container after we have implemented the container?

Very conscious of breaking something so any help would be much appreciated!

Thank you!

[meltyshev]

Hi!

After adding an application to Azure AD, you'll have Issuer, Client ID, Client Secret which you need to add to Planka environment variables. If you are using docker-compose.yml to run the container, you need to uncomment these environment variables (by removing # ):

- OIDC_ISSUER=
- OIDC_CLIENT_ID=
- OIDC_CLIENT_SECRET=

Then fill them with the values you have after adding the application in Azure AD. It should be something like:

- OIDC_ISSUER=https://login.microsoftonline.com/{tenant}/v2.0
- OIDC_CLIENT_ID=client-id-value
- OIDC_CLIENT_SECRET=client-secret-value

After that you need to restart the container which can be done by: docker-compose restart planka (has to be executed in the folder with docker-compose.yml). It shouldn't affect your data, but we still recommend doing a data dump before any changes.

If more details are needed or you aren't using docker-compose.yml, please don't hesitate to ask.

[harryburr]

We have colleagues who would probably make the mistake of entering their Microsoft 365 credentials knowing the Planka login screen without clicking Log in with SSO but obviously that wouldn't authenticate them!

[meltyshev]

I've just added the ability to enforce SSO. If enabled, there will be no login form, just a "Login with SSO" button. The new version 1.15.6 is already being built, should be available in about an hour and you can update.

To enable it, you have to add the OIDC_ENFORCED=true environment variable and restart the container.

[harryburr]

Oh amazing, very quick! Thank you so much for all your help!

[harryburr]

I updated Planka and emailed OIDC enforcement this morning, as shown below:

I then restarted Planka.

However, going to my base Planka URL, it still shows me the login screen - have I configured something wrong?

[meltyshev]

Your configuration looks right. Please check your current version in User -> Settings -> About Planka, it should be 1.15.6. If it's the latest, try restarting docker with: docker-compose up -d --force-recreate.

[simeoncode]

Hi, I'm also working on getting OIDC up and running for Azure Entra ID (formerly known as Azure AD).

I'm getting past the login step, but then see the following error:

Unable to retrieve required values (email, name)

Which probably either means that something is wrong with my app/token configuration, or that I need to modify some of the three environment variables for selecting OIDC attributes: OIDC_EMAIL_ATTRIBUTE, OIDC_NAME_ATTRIBUTE and OIDC_USERNAME_ATTRIBUTE.

By reading the source code I can see that the userInfo object is not logged when this fails, which would have really helped me figure out why it fails. The three attribute selectors (username, email, name) are also not logged, one of which could be the source of error.

I'm currently running the container in an Azure Web App, which gives me very limited options to actually debug this. But my plan is to set everything up locally, point the OIDC app to localhost and get it logging some useful information (maybe by modifying the image with docker exec or something).

[simeoncode]

Okay, I got it working! The issue was that the OIDC scope email points to an email field in the user's "Contact information" that I didn't know existed. It's not related to the user's principal name (upn), preferred username or any other field.

To edit the OIDC email field for a user:

1. Open the user in Azure Entra ID
2. Click on "Edit properties"
3. Switch tab to "Contact information"
4. Go down to to the bottom of the properties
5. You'll find a field "Email" next to "Fax number"

Before adding a value to this particular contact information field, no email field was returned (at all) in the OIDC user info.