mirror of
https://github.com/pocket-id/pocket-id.git
synced 2026-07-16 04:03:47 +03:00
🚀 Feature: Custom scopes #295
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @zumoshi on GitHub (May 25, 2025).
Feature description
Currently pocket-id supports custom claims which is great. I've already used the custom claims to great success both in my own custom apps and in 3rd party applications.
However, all the claims are under the profile scope. I would like to be able to define custom scopes which show separately (same way Email/Profile do atm) while signing in to verify what info an app is asking for and isolate the claims to apps that need them.
Pitch
I have two main reasons for wanting this.
My specific case:
App 1 is a panel I made myself for management of a multi-user Caddy reverse proxy setup, and a claim has the filename for the user's caddyfile.
App 2 is a K3S instance, and uses a claim for RBAC to determine which role to assign to the logged in user.
I have a lot less trust in my own code than that of kubernetes, so I would prefer that the claim needed for K3S be missing from the JWT generated for my app. This could be achieved if I could add two scopes separate from profile, lets say scope caddy an scope kuber. then have each app request the respective one and verify while clicking sign in that I'm allowing the correct one.
@ItalyPaleAle commented on GitHub (May 26, 2025):
Not the thing you asked for, but...
id_tokens are not meant to be used to maintain a session: https://oauth.net/id-tokens-vs-access-tokens/
That's what the
audclaim should be for. In Pocket ID (per OAuth specs), access tokens and ID tokens have the client ID of the app as value foraudhttps://www.rfc-editor.org/rfc/rfc7519#section-4.1.3@zumoshi commented on GitHub (May 26, 2025):
Interesting read. Thanks for sharing, I'll keep that in mind when implementing OIDC on my own code.
However, I have no control over how Kubernetes has implemented it:
They are clearly violating this phrase from your link:
Since with kubelogin the oauth happens on client side completely, only the id_token being sent their way. the config for setting up the OIDC doesn't even ask for the secret, instead you provide that to the client!
I still think there is merit for having separate scopes, even if the openId client is more compliant with the specs tho.
@ItalyPaleAle commented on GitHub (May 26, 2025):
I agree
@Impre-visible commented on GitHub (Sep 17, 2025):
I'm bumping that feature as it can be awesome, and I'm down to work on it and make it appear before the v2.0.0 👍
@kmendell commented on GitHub (Sep 17, 2025):
@Impre-visible It would have to be in 2.0.0 as it would be a breaking change, sure we could add a whol bunch of migration logic but thats just not maintainable for us now and in the future.
@MexHigh commented on GitHub (Nov 25, 2025):
Maybe it would be nice to implement this and #1106 together: It would be nice to allow users to add their own SSH keys which could then be requested using the
sshpubkeysclaim.@HeyITGuyFixIt commented on GitHub (Jan 5, 2026):
Did this get added in v2.0.0?