plankanban / planka

The realtime kanban board for workgroups built with React and Redux.
https://planka.app
GNU Affero General Public License v3.0
8.09k stars, 760 forks

SSO did not debug successfully, can anyone help me #937

Open somewhere-ai opened 1 week ago

somewhere-ai commented 1 week ago

Hi, I'm trying to get OIDC working with our Authenticator. But after entering my username and password on my authentication page, I returned to the planka login page and received the prompt ‘Unknown error, try again later’. And the console error has the following message: POST http://ip:port/api/access-tokens/exchange-using-oidc?withHttpOnlyToken=true 401 (Unauthorized). Here is my config:

version: '3'

services:
  planka:
    image: ghcr.io/plankanban/planka:latest
    restart: on-failure
    volumes:
      - user-avatars:/app/public/user-avatars
      - project-background-images:/app/public/project-background-images
      - attachments:/app/private/attachments
      #- /usr/share/zoneinfo/Asia/Shanghai:/etc/localtime
      #- /etc/timezone:/etc/timezone
      #- /etc/localtime:/etc/localtime
    ports:
      - 3036:1337
    environment:
      - BASE_URL=http://10.1.10.50:3036
      - DATABASE_URL=postgresql://postgres@postgres/planka
      - SECRET_KEY=notsecretkey
      #- FAKETIME=@2024-11-05 12:27:00
      # - TRUST_PROXY=0
      # - TOKEN_EXPIRES_IN=365 # In days

      # related: https://github.com/knex/knex/issues/2354
      # As knex does not pass query parameters from the connection string we
      # have to use environment variables in order to pass the desired values, e.g.
      # - PGSSLMODE=<value>

      # Configure knex to accept SSL certificates
      # - KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false

      - DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted
      - DEFAULT_ADMIN_PASSWORD=demo
      - DEFAULT_ADMIN_NAME=Demo Demo
      - DEFAULT_ADMIN_USERNAME=demo

      # - SHOW_DETAILED_AUTH_ERRORS=false # Set to true to show more detailed authentication error messages. It should not be enabled without a rate limiter for security reasons.

      # - ALLOW_ALL_TO_CREATE_PROJECTS=true
      - OIDC_ISSUER=https://***/authserver/oidc/
      - OIDC_CLIENT_ID=***
      - OIDC_CLIENT_SECRET=***
      - OIDC_SCOPES=openid email profile
      - OIDC_EMAIL_ATTRIBUTE=email
      - OIDC_NAME_ATTRIBUTE=name
      - OIDC_USERNAME_ATTRIBUTE=preferred_username
      - OIDC_ROLES_ATTRIBUTE=groups
      - OIDC_CLAIMS_SOURCE=userinfo
      #- OIDC_IGNORE_USERNAME=true
      #- OIDC_IGNORE_ROLES=true
      #- OIDC_ENFORCED=true

      # Email Notifications (https://nodemailer.com/smtp/)
      # - SMTP_HOST=
      # - SMTP_PORT=587
      # - SMTP_NAME=
      # - SMTP_SECURE=true
      # - SMTP_USER=
      # - SMTP_PASSWORD=
      # - SMTP_FROM="Demo Demo" <demo@demo.demo>
      # - SMTP_TLS_REJECT_UNAUTHORIZED=false

      # Optional fields: accessToken, events, excludedEvents
      # - |
      #   WEBHOOKS=[{
      #     "url": "http://localhost:3001",
      #     "accessToken": "notaccesstoken",
      #     "events": ["cardCreate", "cardUpdate", "cardDelete"],
      #     "excludedEvents": ["notificationCreate", "notificationUpdate"]
      #   }]

      # - SLACK_BOT_TOKEN=
      # - SLACK_CHANNEL_ID=

      # - GOOGLE_CHAT_WEBHOOK_URL=

      # - TELEGRAM_BOT_TOKEN=
      # - TELEGRAM_CHAT_ID=
      # - TELEGRAM_THREAD_ID=
    depends_on:
      postgres:
        condition: service_healthy

  postgres:
    image: postgres:16-alpine
    restart: on-failure
    volumes:
      - db-data:/var/lib/postgresql/data
    environment:
      - POSTGRES_DB=planka
      - POSTGRES_HOST_AUTH_METHOD=trust
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres -d planka"]
      interval: 10s
      timeout: 5s
      retries: 5

volumes:
  user-avatars:
  project-background-images:
  attachments:
  db-data:

Has someone had the same problem, or does anyone know how to solve it? Best regards

meltyshev commented 1 week ago

Hi! What error are you getting in the server console? If it's a 401 status code, it could be the following errors: Invalid code or nonce or Invalid userinfo configuration. In the second case, you can try setting OIDC_CLAIMS_SOURCE=id_token.

somewhere-ai commented 1 week ago

Hi, I'm glad to receive your reply. The error message is: Invalid code or nonce @meltyshev

meltyshev commented 1 week ago

The server should display a more detailed error message when logging in. For example, you can see it when running docker compose without the -d flag. Additionally, you can try checking the logs at /app/logs (inside the container) or enable external logging as described here: https://docs.planka.cloud/docs/Configuration/Logging/.

somewhere-ai commented 1 week ago

Hi. Could you please help me check? The detailed log information is as follows:

{"log":"2024-11-12 00:24:14 [W] Error while exchanging OIDC code: OPError: expected 200 OK, got: 400 Bad Request\n","stream":"stdout","time":"2024-11-12T00:24:14.596575539Z"}
{"log":"2024-11-12 00:24:14 [W] Invalid code or nonce! (IP: 192.168.35.6)\n","stream":"stdout","time":"2024-11-12T00:24:14.596943628Z"}

Thank you very much for your attention @meltyshev

meltyshev commented 1 week ago

No problem at all :) Which OpenID provider are you using? There might be an issue with the configuration on the provider side, as it’s returning a 400 Bad Request error for some reason. Do you have access to the provider's logs?
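To make the failure discussed in this thread concrete, here is an added example (not code from Planka, from openid-client, or from anyone in this issue) that simulates both sides of the OIDC authorization-code exchange in one process. The fake token endpoint enforces the checks a provider normally does before answering 200 (client authentication, code single use and expiry, redirect_uri bound to the code), and the client side reproduces the "expected 200 OK, got: 400 Bad Request" and "nonce mismatch" branches that Planka collapses into "Invalid code or nonce". All values are constructed; the redirect URI being BASE_URL + "/oidc-callback" is an assumption, not something this thread states, and the ID token is unsigned purely to keep the example offline.

```python
"""Constructed simulation of the OIDC authorization-code exchange.
Both the provider and the client are in-process fakes: no network, no signatures."""
import base64
import json
import secrets
import time

# Constructed values; in Planka these come from the OIDC_* environment variables.
CLIENT_ID = "planka"
CLIENT_SECRET = "constructed-client-secret"
# Assumption (not confirmed by this thread): Planka's redirect URI is BASE_URL + "/oidc-callback".
REDIRECT_URI = "http://10.1.10.50:3036/oidc-callback"
ISSUER = "https://op.example/authserver/oidc/"  # constructed stand-in for OIDC_ISSUER
CODE_TTL_SECONDS = 60


class OPError(Exception):
    """Stands in for the OPError openid-client raises on a non-200 token response."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_id_token(claims: dict) -> str:
    # alg=none keeps the simulation offline; a real provider signs the token and
    # the client verifies that signature against the issuer's JWKS.
    return f"{_b64url(json.dumps({'alg': 'none'}).encode())}.{_b64url(json.dumps(claims).encode())}."


def decode_id_token(token: str) -> dict:
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


class FakeProvider:
    """Minimal token endpoint: client auth, code validity/single use, expiry,
    and redirect_uri binding, as RFC 6749 section 4.1.3 requires."""

    def __init__(self, registered_redirect_uri: str):
        self.registered_redirect_uri = registered_redirect_uri
        self._codes = {}  # code -> (redirect_uri, nonce, expires_at)

    def authorize(self, redirect_uri: str, nonce: str) -> str:
        # Browser leg: the provider only issues a code to a registered redirect_uri.
        if redirect_uri != self.registered_redirect_uri:
            raise OPError("redirect_uri not registered for this client")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (redirect_uri, nonce, time.time() + CODE_TTL_SECONDS)
        return code

    def token(self, form: dict, now=None):
        now = time.time() if now is None else now
        if (form.get("client_id"), form.get("client_secret")) != (CLIENT_ID, CLIENT_SECRET):
            return 401, {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return 400, {"error": "unsupported_grant_type"}
        entry = self._codes.pop(form.get("code"), None)  # pop: a code is single use
        if entry is None:
            return 400, {"error": "invalid_grant", "error_description": "unknown or reused code"}
        bound_redirect, nonce, expires_at = entry
        if now > expires_at:
            return 400, {"error": "invalid_grant", "error_description": "code expired"}
        if form.get("redirect_uri") != bound_redirect:
            return 400, {"error": "invalid_grant", "error_description": "redirect_uri mismatch"}
        claims = {"iss": ISSUER, "sub": "user-1", "aud": CLIENT_ID,
                  "nonce": nonce, "email": "user@example.test"}
        return 200, {"id_token": make_unsigned_id_token(claims), "token_type": "Bearer"}


def exchange_code(provider, code, redirect_uri, expected_nonce,
                  client_secret=CLIENT_SECRET, now=None) -> dict:
    """Client leg: POST the code to the token endpoint, then check the nonce."""
    status, body = provider.token({
        "grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
        "client_id": CLIENT_ID, "client_secret": client_secret}, now=now)
    if status != 200:
        reason = {400: "Bad Request", 401: "Unauthorized"}.get(status, str(status))
        raise OPError(f"expected 200 OK, got: {status} {reason} "
                      f"[{body.get('error')}: {body.get('error_description', '')}]")
    claims = decode_id_token(body["id_token"])
    if claims.get("nonce") != expected_nonce:  # replay / CSRF protection on the ID token
        raise OPError("nonce mismatch")
    return claims


def login(provider, *, redirect_uri=REDIRECT_URI, client_secret=CLIENT_SECRET,
          reuse_code=False, tamper_nonce=False, now=None) -> str:
    """One full login. Returns 'ok: <email>' or the warning text a client like Planka logs."""
    nonce = secrets.token_urlsafe(8)
    code = provider.authorize(REDIRECT_URI, nonce)  # browser leg always uses the registered URI
    expected = "tampered" if tamper_nonce else nonce
    try:
        claims = exchange_code(provider, code, redirect_uri, expected, client_secret, now)
        if reuse_code:  # replaying the same code must be refused by the provider
            exchange_code(provider, code, redirect_uri, expected, client_secret, now)
        return f"ok: {claims['email']}"
    except OPError as exc:
        return f"Error while exchanging OIDC code: OPError: {exc}"


if __name__ == "__main__":
    op = FakeProvider(REDIRECT_URI)
    print(login(op))
    print(login(op, redirect_uri="http://localhost:3036/oidc-callback"))
    print(login(op, reuse_code=True))
    print(login(op, client_secret="wrong"))
```

The point of the simulation is which side decides: a 400 from the token endpoint (the case in the posted log) is the provider rejecting the request, so the decisive detail is in the provider's error body or its own logs, typically one of redirect_uri not matching what was registered, a code that was already consumed or has expired, or a client_id/secret that does not authenticate (which most providers answer with 401 rather than 400). The nonce branch, by contrast, is a client-side decision taken after a successful 200.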