[BUG] Storage label allows '.' from oidc #1127

Closed
opened 2026-02-05 00:33:36 +03:00 by OVERLORD · 2 comments

Originally created by @pixil98 on GitHub (Jul 20, 2023).

The bug

When using the new functionality to set a storage label from a claim when using oauth, the claim seems to be taken without sanitation. In my setup the preferred_username is an email address so it has a . in it.

image: https://github.com/immich-app/immich/assets/46978190/59276f1f-4ddc-4646-a36c-9304928121c2

If I try to set the same storage label manually, the . is stripped out when it is saved. I assume it's stripped out for a reason, but either way it would be good to be consistent.

The OS that Immich Server is running on

Debian

Version of Immich Server

v1.68.0

Version of Immich Mobile App

N/A

Platform with the issue

  • [x] Server
  • [x] Web
  • [ ] Mobile

Your docker-compose.yml content

apiVersion: apps/v1
kind: Deployment
metadata:
  name: authentik-server
  namespace: auth
  labels:
    app.kubernetes.io/name: server
    app.kubernetes.io/instance: authentik
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: server
      app.kubernetes.io/instance: authentik
  template:
    metadata:
      labels:
        app.kubernetes.io/name: server
        app.kubernetes.io/instance: authentik
    spec:
      containers:
        - name: authentik
          image: goauthentik/server:2023.6.1
          imagePullPolicy: IfNotPresent
          args: ["server"]
          env:
            - name: AUTHENTIK_AVATARS
              value: "gravatar"
            - name: AUTHENTIK_BOOTSTRAP_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-secrets
                  key: bootstrap-password
                  optional: false
            - name: AUTHENTIK_BOOTSTRAP_TOKEN
              valueFrom:
                secretKeyRef:
                  name: authentik-secrets
                  key: bootstrap-token
                  optional: false
            - name: AUTHENTIK_BOOTSTRAP_EMAIL
              value: "redacted"
            - name: AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME
              value: "false"
            - name: AUTHENTIK_EMAIL__FROM
              value: "redacted"
            - name: AUTHENTIK_EMAIL__HOST
              value: "redacted"
            - name: AUTHENTIK_EMAIL__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-secrets
                  key: email-password
                  optional: false
            - name: AUTHENTIK_EMAIL__PORT
              value: "587"
            - name: AUTHENTIK_EMAIL__TIMEOUT
              value: "30"
            - name: AUTHENTIK_EMAIL__USE_SSL
              value: "false"
            - name: AUTHENTIK_EMAIL__USE_TLS
              value: "true"
            - name: AUTHENTIK_EMAIL__USERNAME
              value: "authentik"
            - name: AUTHENTIK_ERROR_REPORTING__ENABLED
              value: "false"
            - name: AUTHENTIK_ERROR_REPORTING__ENVIRONMENT
              value: "k8s"
            - name: AUTHENTIK_ERROR_REPORTING__SEND_PII
              value: "false"
            - name: AUTHENTIK_GEOIP
              value: "/geoip/GeoLite2-City.mmdb"
            - name: AUTHENTIK_LOG_LEVEL
              value: "info"
            - name: AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE
              value: "goauthentik/%(type)s:%(version)s"
            - name: AUTHENTIK_POSTGRESQL__HOST
              value: "authentik-postgresql"
            - name: AUTHENTIK_POSTGRESQL__NAME
              value: "authentik"
            - name: AUTHENTIK_POSTGRESQL__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-secrets
                  key: postgresql-user-password
                  optional: false
            - name: AUTHENTIK_POSTGRESQL__PORT
              value: "5432"
            - name: AUTHENTIK_POSTGRESQL__USER
              value: "authentik"
            - name: AUTHENTIK_REDIS__HOST
              value: "authentik-redis-master"
            - name: AUTHENTIK_REDIS__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-secrets
                  key: redis-password
                  optional: false
            - name: AUTHENTIK_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: authentik-secrets
                  key: secret-key
                  optional: false
          ports:
            - name: http
              containerPort: 9000
              protocol: TCP
            - name: http-metrics
              containerPort: 9300
              protocol: TCP
            - name: https
              containerPort: 9443
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /-/health/live/
              port: http
            initialDelaySeconds: 50
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /-/health/ready/
              port: http
            initialDelaySeconds: 50
            periodSeconds: 10

Your .env content

See above

Reproduction steps

1. Set up an OIDC provider
2. Set up Immich to use the OIDC provider
3. Create a user with a username that is an email address
4. Log in to Immich with the new user.

Additional information

No response

OVERLORD added the 🗄️server and good first issue labels 2026-02-05 00:33:36 +03:00

@serfriz commented on GitHub (Nov 5, 2023):

Is there a reason why the dots . need to be stripped out of the storage labels? It would be nice to be able to have labels like firstname.lastname.


@alextran1502 commented on GitHub (Nov 5, 2023):

It is stripped out to prevent a path traversal attack, I believe.

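As an added example (not Immich's code and not the fix the thread refers to), one way to give the manual form and the OAuth claim mapping the same treatment: a shared allowlist sanitizer that keeps an inner `.` (so `firstname.lastname` works) but rejects anything that is not a single safe path segment, plus a containment check on the resolved directory. The function names, the `preferred_username` lookup and the `/srv/upload` root are assumptions.

```typescript
import * as path from "path";

// Hypothetical shared sanitizer (not Immich's code). A storage label becomes a
// directory name under the upload root, so it must be exactly one safe segment.
const LABEL_MAX_LENGTH = 64;
// Letters, digits, '-' and '_', with a single '.' allowed only between runs:
// no leading/trailing dot, no '..', no '/' or '\', no '@', no control characters.
const LABEL_PATTERN = /^[a-z0-9_-]+(\.[a-z0-9_-]+)*$/;

export function sanitizeStorageLabel(raw: string): string | null {
  const label = raw.trim().toLowerCase();
  if (label.length === 0 || label.length > LABEL_MAX_LENGTH) return null;
  // Reject rather than silently mangle, so the caller can fall back to the user id.
  return LABEL_PATTERN.test(label) ? label : null;
}

// OAuth path: the claim comes from the identity provider, so it gets the same
// sanitizer as a value typed into the admin form. A rejected claim yields no
// label instead of an unsanitized one.
export function storageLabelFromClaim(
  claims: Record<string, unknown>,
  claimName: string,
): string | null {
  const value = claims[claimName];
  if (typeof value !== "string") return null;
  return sanitizeStorageLabel(value);
}

// Defence in depth: even a sanitized label is resolved and checked to sit
// directly under the upload root before any directory is created.
export function resolveUserDir(uploadRoot: string, label: string): string {
  const root = path.resolve(uploadRoot);
  const dir = path.resolve(root, label);
  if (path.dirname(dir) !== root) {
    throw new Error(`storage label escapes upload root: ${label}`);
  }
  return dir;
}
```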

Reference: immich-app/immich#1127