OIDC User roles #661

Open
mostdcoa opened this issue Mar 31, 2024 · 3 comments
Labels
enhancement New feature or request

Comments

@mostdcoa

I have OIDC working as in I can log in with a user.

      - OIDC_ISSUER=https://accounts.google.com
      - OIDC_CLIENT_ID=REDACTED
      - OIDC_CLIENT_SECRET=REDACTED
      - OIDC_SCOPES=openid email profile
      # - OIDC_ADMIN_ROLES=Planka_Admin
      # - OIDC_EMAIL_ATTRIBUTE=email
      # - OIDC_NAME_ATTRIBUTE=name
      # - OIDC_USERNAME_ATTRIBUTE=preferred_username
      # - OIDC_ROLES_ATTRIBUTE=ignored
      # - OIDC_IGNORE_USERNAME=true
      # - OIDC_IGNORE_ROLES=true
      - OIDC_ENFORCED=false

However, when a user logs in, they can't do anything. How can I just make all users that log in an admin?

I am using Google Workspace as the OIDC provider. I have tried creating Planka_Admin roles (as can be seen in the above code), etc., but can't figure out how to pass that to Planka to recognize who is an admin from Google Workspace.

@mostdcoa
Author

mostdcoa commented Apr 2, 2024

This actually looks like I am having an issue with OIDC_IGNORE_ROLES, as reading through some of these issues that's what I want. I want any user to be able to log in with SSO and have the admin ability (add boards).

      - OIDC_ISSUER=https://accounts.google.com
      - OIDC_CLIENT_ID=redacted
      - OIDC_CLIENT_SECRET=redacted
      - OIDC_SCOPES=openid email profile
      - OIDC_ADMIN_ROLES="Test Developers"
      - OIDC_EMAIL_ATTRIBUTE=email
      - OIDC_NAME_ATTRIBUTE=name
      - OIDC_USERNAME_ATTRIBUTE=preferred_username
      - OIDC_ROLES_ATTRIBUTE=groups
      - OIDC_IGNORE_USERNAME=true
      - OIDC_IGNORE_ROLES=true
      - OIDC_ENFORCED=false

@meltyshev
Member

Hi! Yep, you can use ignore roles to be able to switch isAdmin in the users modal. The only problem is that a new user won't be an admin by default, so you always need to switch it. Probably we need to add one more env variable to set the default role 🤔

@meltyshev added the enhancement (New feature or request) label on Apr 2, 2024

@mostdcoa
Author

mostdcoa commented Apr 2, 2024

@meltyshev

Ah, this makes much more sense. I had assumed - OIDC_IGNORE_ROLES meant that the inherited role of OIDC was ignored and was given Admin. I was also wondering why I could enable that account as Admin (Ignore Roles was False when I tested this).

I think this would be a useful flag to have - OIDC_DEFAULT_ROLE=admin or user if the ignore role was true.
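
A simplified model of the role handling discussed in this thread, added here as an illustration and not taken from Planka's code or from any participant. The function name `resolveIsAdmin`, its return shape, the fallback to `groups`, and the sample claims are assumptions made for the example.

```javascript
// Added illustration: a simplified model of the behaviour described in this
// thread. It is NOT Planka's source; keys mirror the OIDC_* variables above.

// Split a comma-separated value such as "Planka_Admin,Ops" into trimmed names.
const parseList = (value) =>
  (value || '').split(',').map((s) => s.trim()).filter(Boolean);

// Decide the isAdmin flag for a user signing in through OIDC.
//   claims       - decoded ID token / userinfo claims
//   env          - the OIDC_* settings as strings
//   existingUser - stored user record, or null on first login
function resolveIsAdmin(claims, env, existingUser) {
  if (env.OIDC_IGNORE_ROLES === 'true') {
    // Provider roles are not consulted. A first-time user starts as a regular
    // user; afterwards the flag is whatever was set in the users modal.
    return { isAdmin: existingUser ? existingUser.isAdmin : false, source: 'local' };
  }
  // Fallback attribute name is an assumption of this example.
  const attribute = env.OIDC_ROLES_ATTRIBUTE || 'groups';
  const raw = claims[attribute];
  if (raw === undefined) {
    // The claim is absent, so nobody can match OIDC_ADMIN_ROLES and every
    // SSO user ends up without admin rights.
    return { isAdmin: false, source: 'missing-claim' };
  }
  // Accept a single string as well as an array of role names.
  const roles = Array.isArray(raw) ? raw : [String(raw)];
  const adminRoles = parseList(env.OIDC_ADMIN_ROLES);
  return { isAdmin: roles.some((r) => adminRoles.includes(r)), source: 'claim' };
}

// Constructed sample claims (not captured from a real provider).
const withGroups = { email: 'a@example.com', groups: ['Planka_Admin', 'Staff'] };
const withoutGroups = { email: 'b@example.com', name: 'B' };

// Constructed settings: roles enforced vs. roles ignored.
const enforced = {
  OIDC_ADMIN_ROLES: 'Planka_Admin',
  OIDC_ROLES_ATTRIBUTE: 'groups',
  OIDC_IGNORE_ROLES: 'false',
};
const ignored = { ...enforced, OIDC_IGNORE_ROLES: 'true' };

console.log(resolveIsAdmin(withGroups, enforced, null));
console.log(resolveIsAdmin(withoutGroups, enforced, null));
console.log(resolveIsAdmin(withoutGroups, ignored, null));
```

To see which case applies to a deployment, decode the ID token the provider actually issues and check whether the attribute named in `OIDC_ROLES_ATTRIBUTE` is present.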
