plankanban / planka

The realtime kanban board for workgroups built with React and Redux.
https://planka.app
GNU Affero General Public License v3.0

OIDC failed to load #662

Open chrellrich opened 6 months ago

chrellrich commented 6 months ago

Hi, I am not sure if I'm just missing something or whether there actually is an issue here.

I am using planka with Keycloak as my IDP.

Docker compose file:

version: '3'

services:
  planka:
    image: ghcr.io/plankanban/planka:1.16.1
    restart: on-failure
    networks:
      - default
      - proxy
    volumes:
      - user-avatars:/app/public/user-avatars
      - project-background-images:/app/public/project-background-images
      - attachments:/app/private/attachments
    expose:
      - 1337
    environment:
      - BASE_URL=https://planka.my-domain.com
      - DATABASE_URL=postgresql://postgres@postgres/planka
      - SECRET_KEY=<secret-key>

      # - TRUST_PROXY=0
      # - TOKEN_EXPIRES_IN=365 # In days

      # related: https://github.com/knex/knex/issues/2354
      # As knex does not pass query parameters from the connection string we
      # have to use environment variables in order to pass the desired values, e.g.
      # - PGSSLMODE=<value>

      # Configure knex to accept SSL certificates
      # - KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false

      - DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted
      - DEFAULT_ADMIN_PASSWORD=demo
      - DEFAULT_ADMIN_NAME=Demo Demo
      - DEFAULT_ADMIN_USERNAME=demo

      # Email Notifications (https://nodemailer.com/smtp/)
      # - SMTP_HOST=
      # - SMTP_PORT=587
      # - SMTP_SECURE=true
      # - SMTP_USER=
      # - SMTP_PASSWORD=
      # - SMTP_FROM="Demo Demo" <demo@demo.demo>

      - OIDC_ISSUER=https://auth.my-domain.com/realms/master
      - OIDC_CLIENT_ID=planka
      - OIDC_CLIENT_SECRET=<secret>
      - OIDC_SCOPES=openid email profile
      # - OIDC_ADMIN_ROLES=planka-admin
      # - OIDC_EMAIL_ATTRIBUTE=email
      # - OIDC_NAME_ATTRIBUTE=name
      # - OIDC_USERNAME_ATTRIBUTE=preferred_username
      # - OIDC_ROLES_ATTRIBUTE=groups
      # - OIDC_IGNORE_USERNAME=true
      # - OIDC_IGNORE_ROLES=true
      # - OIDC_ENFORCED=true
    depends_on:
      postgres:
        condition: service_healthy
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.planka.rule=Host(`planka.my-domain.com`)"
      - "traefik.http.routers.planka.entrypoints=https"
      - "traefik.http.routers.planka.tls.certresolver=cloudflare"

  postgres:
    image: postgres:14-alpine
    restart: on-failure
    volumes:
      - db-data:/var/lib/postgresql/data
    environment:
      - POSTGRES_DB=planka
      - POSTGRES_HOST_AUTH_METHOD=trust
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres -d planka"]
      interval: 10s
      timeout: 5s
      retries: 5

volumes:
  user-avatars:
  project-background-images:
  attachments:
  db-data:

networks:
  proxy:
    external: true

In Keycloak I created a Client called planka with Client Authentication enabled and copied the client secret into my compose file. When I start the container I get the following error.

planka-1    | 2024-04-01 03:29:44 [E] A hook (`oidc`) failed to load!
planka-1    | 2024-04-01 03:29:44 [E] Failed to lift app: outgoing request timed out after 3500ms
planka-1 exited with code 0

Is there any other place where logs are written to? I haven't had the chance to test with a different IDP yet, but I did verify that https://auth.my-domain.com/realms/master/.well-known/openid-configuration is accessible from within the container. I also tried some older releases, but 1.15.5 and 1.15.0 gave the same error.

Any help in figuring this out is very much appreciated.
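The startup failure above is the OIDC hook giving up on its first outgoing request: fetching the issuer's discovery document. The following diagnostic is an added example, not Planka's code, that reproduces that one step from any host or container on the same Docker network, with an assumed 3.5 s budget matching the "timed out after 3500ms" in the log, and then checks the things an OIDC client needs from the document (required endpoints, and an issuer value that matches OIDC_ISSUER exactly, since a trailing-slash difference is enough for strict clients to reject it). The example hostnames in the comments are constructed; the script name and functions are hypothetical.

```python
"""Check that an OIDC issuer's discovery document is reachable and usable.

Added diagnostic example (not part of Planka). Assumption: the client library
fetches <issuer>/.well-known/openid-configuration with a ~3.5 s timeout and
requires the document's 'issuer' to equal the configured OIDC_ISSUER exactly.
"""
import json
import socket
import sys
import urllib.error
import urllib.request

DISCOVERY_PATH = "/.well-known/openid-configuration"
# Assumed budget, mirroring the "timed out after 3500ms" seen in the Planka log.
DEFAULT_TIMEOUT = 3.5
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer):
    """Build the discovery URL for an issuer without producing a double slash."""
    return issuer.rstrip("/") + DISCOVERY_PATH


def fetch_discovery(issuer, timeout=DEFAULT_TIMEOUT):
    """Fetch and parse the discovery document.

    Returns (doc, None) on success or (None, error_message) on failure, so a
    timeout or refused connection is reported instead of aborting the run.
    """
    req = urllib.request.Request(discovery_url(issuer),
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read()
    except socket.timeout:
        return None, (f"request timed out after {timeout}s "
                      "(DNS or routing from this network to the IdP?)")
    except urllib.error.HTTPError as exc:
        return None, f"HTTP {exc.code} from discovery endpoint"
    except (urllib.error.URLError, OSError) as exc:
        return None, f"connection failed: {exc}"
    try:
        return json.loads(body), None
    except ValueError:
        return None, "discovery endpoint did not return JSON"


def validate_discovery(doc, expected_issuer):
    """Return a list of problems an OIDC client would trip over; [] means usable."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"missing '{key}'")
    got = doc.get("issuer")
    if got is not None and got != expected_issuer:
        if got.rstrip("/") == expected_issuer.rstrip("/"):
            problems.append(f"issuer differs only by a trailing slash: "
                            f"{got!r} vs {expected_issuer!r}")
        else:
            problems.append(f"issuer mismatch: document says {got!r}, "
                            f"OIDC_ISSUER is {expected_issuer!r}")
    # Token exchange and key download must not go over plain HTTP.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if url and not url.startswith("https://"):
            problems.append(f"{key} is not https: {url}")
    return problems


def main(argv):
    if len(argv) != 2:
        print("usage: oidc_discovery_check.py <OIDC_ISSUER>", file=sys.stderr)
        return 2
    issuer = argv[1]
    doc, err = fetch_discovery(issuer)
    if err:
        print(f"FAIL: {err}")
        return 1
    problems = validate_discovery(doc, issuer)
    for problem in problems:
        print(f"PROBLEM: {problem}")
    print("OK" if not problems else f"{len(problems)} problem(s)")
    return 0 if not problems else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the same OIDC_ISSUER value the compose file uses, from a container attached to the same networks as Planka (for example a throwaway `python:3-alpine` started with `--network`), so that the DNS and routing it exercises are the ones Planka actually gets; a "timed out" result from there, while the same URL works from the host, points at the network attachment rather than at Keycloak.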

mostdcoa commented 6 months ago

@chrellrich FWIW, I've had a similar issue and it was because I misconfigured my docker network. I would ensure that your Planka container can communicate with your Keycloak container.

chrellrich commented 6 months ago

Thanks for the response. They can communicate, I tested using wget. But it might be an issue when using multiple docker networks. I will try with a different networks setup and report back for anyone else having similar problems.

marttasch commented 5 months ago

I have basically the same docker compose setup, but using Authentik as IDP. Worked flawlessly, until I restarted the host machine. Since then I get the same error. Planka can ping Authentik and can use wget to get the oidc-config from Authentik. I tried changing the docker network setup, with no luck.

Edit: No idea what I did, changed things back and forth. Now it's working with the same settings as before.

zloveless commented 3 months ago

I just noticed this happen in my setup and the VM running my IDP was locked up (cause undetermined atm). Rebooted it and everything came back online.