🐛 Bug Report: custom claims key may be overly restrictive #304

Closed
opened 2025-10-09 16:38:23 +03:00 by OVERLORD · 4 comments

Originally created by @jfroy on GitHub.

Reproduction steps

custom-claims-input uses auto-complete-input, which has a very restrictive regular expression for input validation. There are many examples of custom claims using URLs or domains for namespacing, or just using _ or - characters, that are rejected by Pocket ID's UI.

Expected behavior

Custom claims keys should only be restricted by the relevant specifications. This likely means allowing any valid JSON key values, since custom claims are part of the ID Token (https://openid.net/specs/openid-connect-core-1_0.html#IDToken), which is a JWT (https://www.rfc-editor.org/rfc/rfc7519.html).

Actual Behavior

"Only alphanumeric characters are allowed"

Image: https://github.com/user-attachments/assets/7e95611a-65eb-4ae9-ae1b-951776cf5e1c

Version and Environment

v0.39.0

Running on a Kubernetes cluster behind a Cilium gateway API proxy.

Log Output

No response

OVERLORD added the bug label 2025-10-09 16:38:23 +03:00

@jfroy commented on GitHub:

At least according to https://auth0.com/docs/secure/tokens/json-web-tokens/create-custom-claims, full URLs should be allowed. Possibly also URNs. So I'd say at least anything valid in percent-encoded URLs should be allowed.

But strictly reading the OpenID, JWT, and JSON (https://www.rfc-editor.org/rfc/rfc7159) specifications (which I did not in full, only sections pertaining to claims), any valid JSON key should be allowed, which is basically any valid Unicode string. So strictly based on the specs, there should be no restrictions [1] on the key or the value for custom claims.

[1] I think there are payload size limits.


@kmendell commented on GitHub:

@jfroy would this filter fit better? (value.length > 0 && !/^[A-Za-z0-9_\-.:]*$/.test(value))

This would allow alphanumeric characters, underscores, hyphens, dots, and colons, or did i miss some?

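An added example (not Pocket ID's code) that runs the alphanumeric-only check from the report, the wider filter proposed above, and a spec-based check (any non-empty JSON string, minus the registered JWT claim names) over constructed claim keys in the namespacing styles the issue mentions; the registered-name and control-character rules are assumptions about a sensible UI policy, not something the thread states.

```javascript
// Added example, not Pocket ID's code: compares the alphanumeric-only check
// reported in the issue, the wider filter proposed in the thread, and a
// spec-based check (any non-empty JSON string key) on constructed claim keys.
const ALNUM_ONLY = /^[A-Za-z0-9]*$/;        // behaviour reported in the issue
const PROPOSED = /^[A-Za-z0-9_\-.:]*$/;     // filter proposed in the thread

// Same shape as the proposed filter: true means the UI would reject the value.
function rejects(pattern, value) {
  return value.length > 0 && !pattern.test(value);
}

// Spec-based check. A JWT claim name is any JSON string, so the only rules
// worth enforcing in a UI are: non-empty, no control characters (assumption:
// a UI policy, not a spec requirement), and no clash with the registered
// claim names the server fills in itself (names from RFC 7519 section 4.1).
const REGISTERED = new Set(["iss", "sub", "aud", "exp", "nbf", "iat", "jti"]);
function validateClaimKey(key) {
  if (typeof key !== "string" || key.length === 0) return "empty key";
  if (/[\u0000-\u001F\u007F]/.test(key)) return "control character in key";
  if (REGISTERED.has(key)) return `"${key}" is a registered JWT claim`;
  return null; // valid
}

// Constructed sample keys covering the namespacing styles the issue mentions.
const SAMPLE_KEYS = [
  "groups",                        // plain alphanumeric
  "custom_claim", "my-claim",      // underscore and hyphen
  "https://example.com/roles",     // URL namespace (Auth0 style)
  "urn:example:roles",             // URN namespace
  "département",                   // non-ASCII, still a valid JSON string
  "sub",                           // registered claim, should not be user-settable
];

// Returns, per key, whether each regex check rejects it and what the
// spec-based check says (null means accepted).
function compareChecks(keys = SAMPLE_KEYS) {
  const out = {};
  for (const key of keys) {
    out[key] = {
      alnumOnly: rejects(ALNUM_ONLY, key),
      proposed: rejects(PROPOSED, key),
      specBased: validateClaimKey(key),
    };
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) console.table(compareChecks());
```

Running it shows that the proposed character class admits underscores, hyphens, dots and colons (so URN-style keys pass) but still rejects the slash in a URL-namespaced key, which only the spec-based check accepts.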

@kmendell commented on GitHub:

I'll have to defer to @stonith404 on this one, as he was the one who created the initial custom claims input.


@stonith404 commented on GitHub:

Fixed in v0.40.1.


Reference: starred/pocket-id-pocket-id-2#304