plankanban / planka

The realtime kanban board for workgroups built with React and Redux.
https://planka.app
GNU Affero General Public License v3.0

OIDC User roles #661

Open mostdcoa opened 5 months ago

mostdcoa commented 5 months ago

I have OIDC working as in I can log in with a user.

      - OIDC_ISSUER=https://accounts.google.com
      - OIDC_CLIENT_ID=REDACTED
      - OIDC_CLIENT_SECRET=REDACTED
      - OIDC_SCOPES=openid email profile
      # - OIDC_ADMIN_ROLES=Planka_Admin
      # - OIDC_EMAIL_ATTRIBUTE=email
      # - OIDC_NAME_ATTRIBUTE=name
      # - OIDC_USERNAME_ATTRIBUTE=preferred_username
      # - OIDC_ROLES_ATTRIBUTE=ignored
      # - OIDC_IGNORE_USERNAME=true
      # - OIDC_IGNORE_ROLES=true
      - OIDC_ENFORCED=false

However, when a user logs in, they can't do anything. How can I just make all users that log in an admin?

I am using Google Workspace as the OIDC provider. I have tried creating planka_admin roles etc. (as can be seen in the above code) but can't figure out how to pass that to Planka so that it recognizes who is an admin from Google Workspace.

mostdcoa commented 5 months ago

This actually looks like I am having an issue with OIDC_IGNORE_ROLES, as reading through some of these issues that's what I want. I want any user to be able to log in with SSO and have the admin ability (add boards).

  - OIDC_ISSUER=https://accounts.google.com
  - OIDC_CLIENT_ID=redacted
  - OIDC_CLIENT_SECRET=redacted
  - OIDC_SCOPES=openid email profile
  - OIDC_ADMIN_ROLES="Test Developers"

  - OIDC_EMAIL_ATTRIBUTE=email
  - OIDC_NAME_ATTRIBUTE=name
  - OIDC_USERNAME_ATTRIBUTE=preferred_username
  - OIDC_ROLES_ATTRIBUTE=groups
  - OIDC_IGNORE_USERNAME=true
  - OIDC_IGNORE_ROLES=true
  - OIDC_ENFORCED=false

meltyshev commented 5 months ago

Hi! Yep, you can use ignore roles to be able to switch isAdmin in the users modal. The only problem is that a new user won't be an admin by default, so you always need to switch it. Probably we need to add one more env variable to set the default role 🤔

mostdcoa commented 5 months ago

@meltyshev

Ah, this makes much more sense. I had assumed OIDC_IGNORE_ROLES meant that the inherited role from OIDC was ignored and Admin was given instead. I was also wondering why I could enable that account as Admin (Ignore Roles was false when I tested this).

I think this would be a useful flag to have: OIDC_DEFAULT_ROLE=admin or user, applied when ignore roles is true.
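To make the two behaviours discussed above concrete (roles synced from the IdP and matched against OIDC_ADMIN_ROLES, versus OIDC_IGNORE_ROLES=true where the IdP's roles are never consulted), here is an added example that is not Planka's own code. It models the decision with the env variables shown in this thread; `env` and `claims` are assumed to be plain objects, and OIDC_DEFAULT_ROLE is the hypothetical variable proposed in the thread, not an existing Planka setting. It also flags the case where the token carries no roles attribute at all, which is the first thing to check when a user logs in but is never treated as an admin.

```javascript
// Added example, not Planka's own code: a model of how an OIDC login could
// decide whether the user is an admin, driven by the env variables shown in
// this thread. Assumptions: `env` is a plain object of OIDC_* variables as
// strings, `claims` is the decoded ID token / userinfo object, and
// OIDC_DEFAULT_ROLE is the hypothetical variable proposed in the thread.

function parseRoleList(value) {
  // OIDC_ADMIN_ROLES is treated here as a comma-separated list; surrounding
  // quotes (as in OIDC_ADMIN_ROLES="Test Developers") are stripped.
  return String(value || '')
    .split(',')
    .map((s) => s.trim().replace(/^"|"$/g, ''))
    .filter((s) => s.length > 0);
}

function resolveAdmin(env, claims, existingUser) {
  const ignoreRoles = env.OIDC_IGNORE_ROLES === 'true';
  const rolesAttribute = env.OIDC_ROLES_ATTRIBUTE || 'groups';
  const adminRoles = parseRoleList(env.OIDC_ADMIN_ROLES);

  const rawRoles = claims[rolesAttribute];
  const roles = Array.isArray(rawRoles) ? rawRoles : rawRoles === undefined ? [] : [rawRoles];

  if (ignoreRoles) {
    // Roles are not synced from the IdP. An existing user keeps whatever was
    // set in the users modal; a new user gets the default role, which is
    // non-admin unless the (hypothetical) OIDC_DEFAULT_ROLE says otherwise.
    if (existingUser) {
      return { isAdmin: Boolean(existingUser.isAdmin), source: 'local' };
    }
    return { isAdmin: (env.OIDC_DEFAULT_ROLE || 'user') === 'admin', source: 'default' };
  }

  // Roles are synced from the IdP: admin only if a claimed role is listed in
  // OIDC_ADMIN_ROLES. A token that carries no roles attribute at all can
  // never satisfy this, which is worth surfacing when debugging a login.
  return {
    isAdmin: roles.some((role) => adminRoles.includes(role)),
    source: 'idp',
    missingRolesClaim: rawRoles === undefined,
  };
}

// Constructed sample inputs (not from a real deployment).
const syncedEnv = {
  OIDC_ADMIN_ROLES: '"Test Developers"',
  OIDC_ROLES_ATTRIBUTE: 'groups',
  OIDC_IGNORE_ROLES: 'false',
};
const ignoredEnv = { ...syncedEnv, OIDC_IGNORE_ROLES: 'true' };
const claimsWithoutGroups = { sub: 'abc123', email: 'alice@example.com', name: 'Alice' };
const claimsWithGroups = { ...claimsWithoutGroups, groups: ['Test Developers'] };

function demo() {
  return {
    noGroupsSynced: resolveAdmin(syncedEnv, claimsWithoutGroups, null),
    groupsSynced: resolveAdmin(syncedEnv, claimsWithGroups, null),
    ignoredNewUser: resolveAdmin(ignoredEnv, claimsWithGroups, null),
    ignoredExistingAdmin: resolveAdmin(ignoredEnv, claimsWithoutGroups, { isAdmin: true }),
    ignoredWithDefault: resolveAdmin({ ...ignoredEnv, OIDC_DEFAULT_ROLE: 'admin' }, claimsWithoutGroups, null),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node` to see each scenario: with roles synced and no `groups` claim in the token the user is never an admin (and `missingRolesClaim` is true), with the claim present and matching OIDC_ADMIN_ROLES they are, and with OIDC_IGNORE_ROLES=true the claim is ignored entirely, so a new user stays non-admin unless a default role is configured while an existing user keeps the flag set locally.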

ag-gaphp commented 3 weeks ago

I'm having this issue. How do you force the first user you sign in as to be an admin? Right now, I don't even have the ability to set myself as the admin. I can log in and then nothing is available to me.

I have both OIDC_IGNORE_ROLES and OIDC_ENFORCED set to true, so I have no local users at all.

ag-gaphp commented 3 weeks ago

I had to go into the postgres database and set the is_admin column for my user in user_account to true.