🚀 Feature: Add ability to require re-authentication for specific clients #219

Closed
opened 2025-10-09 16:33:24 +03:00 by OVERLORD · 2 comments
Owner

Originally created by @RealOrangeOne on GitHub.

Feature description

When authenticating with a service, a user should need to explicitly click "sign in", rather than automatically being authenticated and redirected. This can be sort of implemented by setting a very small $SESSION_DURATION, however that has other UX downsides, notably when managing a Pocket-ID account itself.

Explicit consent gives the user more control over the services they log in with, but can also increase security for their accounts.

Pitch

With an active session, users logging in to a service are automatically authenticated and redirected back to the service. This could cause unintended logins, potentially used as part of tricking a user into authenticating a session for someone else.

Authentik has the ability to set a given OIDC client as requiring explicit or implicit consent, which would work nicely here. I think for compatibility the "explicit" variant should be opt-in (implicit by default).

Additionally, given the relative ease of authenticating with a passkey, perhaps the "explicit" variant should not only require user interaction, but also re-authentication with the passkey (perhaps 3rd state of "explicit-with-auth").

OVERLORD added the open to pull requests label 2025-10-09 16:33:24 +03:00
Author
Owner

@barryp commented on GitHub:

I wonder if Pocket-ID's own web UI should have the option to require re-authentication - so that if a user logs into some other website (setup as an OIDC Client) using Pocket-ID, their browser can't then be used to get into the Pocket-ID management interface without some consent or interaction.

Author
Owner

@stonith404 commented on GitHub:

Yes, I think we can combine this with re-authentication.

I suggest adding a checkbox to the OIDC client called "Requires re-authentication." If enabled, users must authenticate with their passkey before being redirected, regardless of whether they are currently signed in to Pocket ID.

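The thread proposes a per-client setting with three states (implicit, explicit consent, explicit consent plus passkey re-authentication) and, in the last comment, a per-client "Requires re-authentication" checkbox. The Go sketch below is an added example of how an authorization endpoint could combine such a setting with the session state and with the standard OpenID Connect `prompt` and `max_age` request parameters; it is not Pocket-ID's code, and the type and field names (`ConsentMode`, `Client`, `Session`, `Decide`) are assumptions. It goes slightly beyond the thread by also honouring `prompt=login`, `prompt=consent`, `prompt=none` and `max_age`, so a relying party can request fresh authentication even for a client configured as implicit.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// ConsentMode is the per-client setting proposed in the thread. The values
// mirror the issue's "implicit", "explicit" and "explicit-with-auth" states;
// the names are assumptions, not Pocket-ID configuration keys.
type ConsentMode int

const (
	ConsentImplicit         ConsentMode = iota // default: redirect immediately
	ConsentExplicit                            // user must click "sign in"
	ConsentExplicitWithAuth                    // user must also pass the passkey ceremony
)

// Client is a hypothetical OIDC client record.
type Client struct {
	ID   string
	Mode ConsentMode
}

// Session is a hypothetical browser session at the identity provider.
type Session struct {
	Authenticated bool
	LastAuthAt    time.Time // last successful passkey authentication
}

// AuthRequest holds the OpenID Connect Core 1.0 request parameters that also
// influence the decision: prompt (space-separated list) and max_age.
type AuthRequest struct {
	Prompt string        // "", "none", "login", "consent" or a combination
	MaxAge time.Duration // zero when the parameter was not supplied
}

func hasPrompt(r AuthRequest, v string) bool {
	for _, p := range strings.Fields(r.Prompt) {
		if p == v {
			return true
		}
	}
	return false
}

// Decision is what the authorization endpoint should do next.
type Decision int

const (
	Redirect         Decision = iota // silently redirect back to the client
	ShowConsent                      // render an explicit "sign in" button
	RequireReauth                    // run the passkey ceremony first
	RequireLogin                     // no session: normal login flow
	ErrLoginRequired                 // prompt=none but interaction is needed
)

func (d Decision) String() string {
	return [...]string{"redirect", "show_consent", "require_reauth",
		"require_login", "error:login_required"}[d]
}

// Decide combines the client's consent mode with the session state and the
// request parameters. The client setting can only add interaction; it never
// removes interaction the relying party asked for via prompt or max_age.
func Decide(c Client, s Session, r AuthRequest, now time.Time) Decision {
	if !s.Authenticated {
		if hasPrompt(r, "none") {
			return ErrLoginRequired
		}
		return RequireLogin
	}
	needReauth := c.Mode == ConsentExplicitWithAuth || hasPrompt(r, "login")
	if r.MaxAge > 0 && now.Sub(s.LastAuthAt) > r.MaxAge {
		needReauth = true // authenticated, but too long ago for this request
	}
	needConsent := c.Mode == ConsentExplicit || hasPrompt(r, "consent")
	if hasPrompt(r, "none") {
		if needReauth || needConsent {
			return ErrLoginRequired // prompt=none forbids any interaction
		}
		return Redirect
	}
	if needReauth {
		return RequireReauth
	}
	if needConsent {
		return ShowConsent
	}
	return Redirect
}

func main() {
	now := time.Now()
	session := Session{Authenticated: true, LastAuthAt: now.Add(-2 * time.Hour)}
	// Constructed sample clients; the management UI is modelled as a client
	// that always re-authenticates, as @barryp's comment suggests.
	clients := []Client{
		{ID: "wiki", Mode: ConsentImplicit},
		{ID: "grafana", Mode: ConsentExplicit},
		{ID: "pocket-id-admin", Mode: ConsentExplicitWithAuth},
	}
	for _, c := range clients {
		fmt.Printf("%-16s -> %s\n", c.ID, Decide(c, session, AuthRequest{}, now))
	}
	fmt.Println("wiki, max_age=600 ->",
		Decide(clients[0], session, AuthRequest{MaxAge: 10 * time.Minute}, now))
}
```

The ordering matters: re-authentication is checked before consent so that a client configured as "explicit-with-auth" runs the passkey ceremony first, and `prompt=none` short-circuits to `login_required` rather than silently redirecting, which keeps the consent setting from being bypassed by a relying party that asks for a non-interactive login.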

Reference: starred/pocket-id-pocket-id-2#219