planka icon indicating copy to clipboard operation
planka copied to clipboard
verified publisher icon plankanban

Feature Request: Header or env variable based authentication

Open Forceu opened this issue 4 years ago • 7 comments

It would be amazing if Planka supported either headers or env variables for authentication.

The use case would be SSO software running on the reverse proxy, in my case Authelia with Nginx. I can configure Nginx to set a header or env variable containing the username and one containing the user role. So if Planka checks the header and a user with that username exists, a new session is created.

It would be even better if a new user would automatically be created if the username cannot be found, but that use case would not be super important for me. I already looked through the code, unfortunately I was not able to implement the feature myself.

Thanks!

Forceu avatar Jan 21 '22 10:01 Forceu

I have started working on OIDC integration in https://github.com/plankanban/planka/pull/203, would this also work for you?

lorenz avatar Feb 15 '22 22:02 lorenz

I also would love to have a proxy auth feature and OIDC would not work for me.

I am running Planka behind a Traefik reverse proxy which handles all my authentication needs and can set headers on the requests it passes on. The perfect proxy auth feature for me would work like this:

  1. Start Plaka with additional environment variables:
  • containing the name of the initial admin user (e.g. admin=admin_user)
  • enabling proxy auth (e.g. proxy_auth=true)
  • setting the key of the http header that contains the username (e.g. auth_header=X-Authenticated-User)
  1. Configure the reverse proxy to authenticate incoming requests in any way you like.
  2. Let the reverse proxy set X-Authenticated-User to the authenticated username on every request.
  3. Planka treats the requests as if they belong to the appropriate user session.
  4. Bonus: if Planka does not know the username, it creates a new user with that name.

That way, user management could be mostly delegated to the reverse proxy which is extremely helpful if you have multiple apps behind the same proxy and want to take care of user management only once.

Edit: BTW, I am using Planka for this product. Since this is a single-user platform, users really should see no login screen at all, not even for SSO.

Thanks a lot!

max-tet avatar Feb 20 '22 08:02 max-tet

Yes, I have a similar setup and although OIDC would already make it easier, header authentication would be even better! If I can help in any way let me know!

Forceu avatar Feb 20 '22 16:02 Forceu

I'd also like proxy auth via HTTP trusted header/proxies as well. I'd love to put Authelia in front of this 👌

prologic avatar Jul 22 '23 00:07 prologic

I'd also like proxy auth via HTTP trusted header/proxies as well. I'd love to put Authelia in front of this 👌

I'm using Traefik and Authelia as a OIDC provider for Planka and SSO works great but for some reason the 'OIDC_ROLES_ATTRIBUTE' config doesn't seem to work for me when I try setting it to '=admin' then creating a LLDAP group called 'admin' and adding the user.

The user just has read only access so I have to add that user to each project/board via the default admin.

saadqaz1 avatar Feb 27 '24 07:02 saadqaz1