🐛 Bug Report: New OIDC clients by default are accessible by everyone with Pocket-ID access #566

New Issue

Closed

opened 2026-02-05 18:36:19 +03:00 by OVERLORD · 2 comments

OVERLORD commented 2026-02-05 18:36:19 +03:00

Owner

Copy Link

Originally created by @peterforeman on GitHub (Dec 12, 2025).

Reproduction steps

When I create a new OIDC client you don't get the option to select the Usergroups who should have access to this resource. This is only shown after you've saved the new OIDC client.

If you don't then add a usergroup for access to this resource, by default everyone that has OIDC access also has access to this resource.

Expected behavior

Security-wise I would assume users by default won't get access to anything unless specifically stated (by adding them to a group and adding that group to the resource). I know it's stated in the text ("if you don't add any groups everybody has access") but it easily overlooked.

I want to propose that by default nobody has access, unless they're in an added group.

Actual Behavior

By default, everyone has access to a newly created OIDC client.

Pocket ID Version

1.16.0

Database

SQLite

OS and Environment

Kubernetes

Log Output

Not relevant.

Originally created by @peterforeman on GitHub (Dec 12, 2025). ### Reproduction steps When I create a new OIDC client you don't get the option to select the Usergroups who should have access to this resource. This is only shown after you've saved the new OIDC client. If you don't then add a usergroup for access to this resource, by default everyone that has OIDC access also has access to this resource. ### Expected behavior Security-wise I would assume users by default won't get access to anything unless specifically stated (by adding them to a group and adding that group to the resource). I know it's stated in the text ("if you don't add any groups everybody has access") but it easily overlooked. I want to propose that by default nobody has access, unless they're in an added group. ### Actual Behavior By default, everyone has access to a newly created OIDC client. ### Pocket ID Version 1.16.0 ### Database SQLite ### OS and Environment Kubernetes ### Log Output Not relevant.

OVERLORD closed this issue 2026-02-05 18:36:20 +03:00

OVERLORD commented 2026-02-05 18:36:23 +03:00

Author

Owner

Copy Link

@MarkusThielker commented on GitHub (Dec 12, 2025):

Since I believe this is the intended behavior right now, I am not sure if this actually qualifies as a bug.
Changing this behavior has already been proposed in #1052.

@MarkusThielker commented on GitHub (Dec 12, 2025): Since I believe this is the intended behavior right now, I am not sure if this actually qualifies as a bug. Changing this behavior has already been proposed in #1052.

OVERLORD commented 2026-02-05 18:36:25 +03:00

Author

Owner

Copy Link

@peterforeman commented on GitHub (Dec 12, 2025):

You're right, I must have overlooked #1052 but do fully agree with it. This then can be closed, and I support #1052 to change this. I'm convinced it's bad practice to use a default allow strategy and in my case, we've already encountered misconfiguration because of this. Also because the top "save" button doesn't save changes to the group assignment (you must use the lower "save" button for this).

@peterforeman commented on GitHub (Dec 12, 2025): You're right, I must have overlooked #1052 but do fully agree with it. This then can be closed, and I support #1052 to change this. I'm convinced it's bad practice to use a default allow strategy and in my case, we've already encountered misconfiguration because of this. Also because the top "save" button doesn't save changes to the group assignment (you must use the lower "save" button for this).

OVERLORD referenced this issue 2026-02-05 18:45:03 +03:00

[PR #566] [MERGED] feat: JWT bearer assertions for client authentication #833

OVERLORD referenced this issue 2026-02-05 18:45:46 +03:00

[PR #636] [MERGED] chore: Add docs link and rename to Federated Client Credentials #861

OVERLORD referenced this issue 2026-02-05 18:45:46 +03:00

[PR #640] [MERGED] feat: allow introspection and device code endpoints to use Federated Client Credentials #862

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

i18n_crowdin

snyk-fix-50ff40c16748c54b690144d7c9ae9de1

feat/add_form_post

snyk-fix-dfc42526d795e0124d36ad0226184a0e

copilot/sub-pr-1362

feat/email-verification

oidc-scopes

default-env-db-keys

slog-gorm

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.0

v2.2.0

v2.1.0

v2.0.2

v2.0.1

v2.0.0

v1.16.0

v1.15.0

v1.14.2

v1.14.1

v1.14.0

v1.13.1

v1.13.0

v1.12.0

v1.11.2

v1.11.1

v1.11.0

v1.10.0

v1.9.1

v1.9.0

v1.8.1

v1.8.0

v1.7.0

v1.6.4

v1.6.3

v1.6.2

v1.6.1

v1.6.0

v1.5.0

v1.4.1

v1.4.0

v1.3.1

v1.3.0

v1.2.0

v1.1.0

v1.0.0

v0.53.0

v0.52.0

v0.51.1

v0.51.0

v0.50.0

v0.49.0

v0.48.0

v0.47.0

v0.46.0

v0.45.0

v0.44.0

v0.43.1

v0.43.0

v0.42.1

v0.42.0

v0.41.0

v0.40.1

v0.40.0

v0.39.0

v0.38.0

v0.37.0

v0.36.0

v0.35.6

v0.35.5

v0.35.4

v0.35.3

v0.35.2

v0.35.1

v0.35.0

v0.34.0

v0.33.0

v0.32.0

v0.31.0

v0.30.0

v0.29.0

v0.28.1

v0.28.0

v0.27.2

v0.27.1

v0.27.0

v0.26.0

v0.25.1

v0.25.0

v0.24.1

v0.24.0

v0.23.0

v0.22.0

v0.21.0

v0.20.1

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.0

v0.13.1

v0.13.0

v0.12.0

v0.11.0

v0.10.0

v0.9.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.1

v0.4.0

v0.3.1

v0.3.0

v0.2.1

v0.2.0

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels

breaking

bug

bug

bug

documentation

feature

needs more upvotes

open to pull requests

pull-request

Mirrored from GitHub Pull Request

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/pocket-id-pocket-id#566