Vikunja's built-in OAuth server (Vikunja 2.3+) does not require client registration and accepts arbitrary client_ids — it just enforces PKCE (S256) and constrains redirect URIs to the vikunja- scheme. Earlier I deferred OAuth on the assumption it needed a registered client; that was wrong, and the docs make the path much smoother than POST /login. The custom-scheme constraint (no http:// loopback) is side-stepped by manual paste-back: veans prints the authorize URL, the user signs in, their browser fails to open vikunja-veans-cli://callback?code=... and shows an error, the user copies the URL from the address bar and pastes it back. CLI extracts code + state, verifies state for CSRF, exchanges via POST /api/v1/oauth/token (JSON body — Vikunja rejects form-encoded), and returns the access token. Resolution order in AcquireHumanToken: 1. --token (paste-in JWT or personal API token; SSO/OIDC users) 2. --use-password / --username + --password (POST /login) 3. OAuth flow (interactive default) login command supports the same --use-password / --token escape hatches for token rotation on instances with OAuth disabled. Includes unit tests for the PKCE generator (verifier shape per RFC 7636, challenge = SHA256(verifier) base64url-no-pad), authorize-URL construction, and the lenient callback parser (full URL / query-only / bare code). |
||
|---|---|---|
| .claude | ||
| .github | ||
| .vscode | ||
| .zed | ||
| build | ||
| contrib | ||
| desktop | ||
| examples/plugins/example | ||
| frontend | ||
| pkg | ||
| rest | ||
| veans | ||
| .devcontainer.json | ||
| .dockerignore | ||
| .editorconfig | ||
| .envrc | ||
| .gitignore | ||
| .golangci.yml | ||
| .opensourcefinder-verify | ||
| AGENTS.md | ||
| CHANGELOG.md | ||
| CLAUDE.md | ||
| CONTRIBUTING.md | ||
| CRUSH.md | ||
| Dockerfile | ||
| LICENSE | ||
| README.md | ||
| cliff.toml | ||
| code-header-template.txt | ||
| conductor.json | ||
| config-raw.json | ||
| crowdin.yml | ||
| devenv.lock | ||
| devenv.nix | ||
| devenv.yaml | ||
| go.mod | ||
| go.sum | ||
| magefile.go | ||
| main.go | ||
| mise.toml | ||
| nfpm.yaml | ||
| publiccode.yml | ||
| renovate.json | ||
| tsconfig.json | ||
| vikunja.initd | ||
| vikunja.service | ||
README.md
Vikunja
The Todo-app to organize your life.
If Vikunja is useful to you, please consider buying me a coffee, sponsoring me on GitHub or buying a sticker pack. I'm also offering a hosted version of Vikunja if you want a hassle-free solution for yourself or your team.
Table of contents
Security Reports
If you find any security-related issues you don't want to disclose publicly, please use the contact information on our website.
Features
See the features page on our website for a more exhaustive list or try it on try.vikunja.io!
Docs
All docs can be found on the Vikunja home page.
Roadmap
See the roadmap (hosted on Vikunja!) for more!
Contributing
Please check out the contribution guidelines on the website.
License
Most of this repository is licensed under AGPL‑3.0‑or‑later.
The contents of desktop/ are licensed under
GPL‑3.0‑or‑later.
Unsplash Images
Background images from Unsplash are distributed under the Unsplash License. The license requires giving credit to the photographer and Unsplash. See Unsplash’s terms for more information.