mirror of
https://github.com/pocket-id/pocket-id.git
synced 2026-07-16 05:54:01 +03:00
[PR #1164] [MERGED] feat: restrict oidc clients by user groups per default #1082
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/pocket-id/pocket-id/pull/1164
Author: @stonith404
Created: 12/23/2025
Status: ✅ Merged
Merged: 12/24/2025
Merged by: @stonith404
Base:
main← Head:feat/user-groups-improvements📝 Commits (5)
f61c784feat: restrict oidc clients by user groups per defaultca40251feat: add ability to edit oidc client group restriction on groups pagec757cfaadapt testsb02dd34add missing postgres migrationsb9f28c6pr feedback📊 Changes
30 files changed (+468 additions, -101 deletions)
View changed files
📝
backend/internal/controller/user_controller.go(+2 -2)📝
backend/internal/controller/user_group_controller.go(+45 -12)📝
backend/internal/dto/oidc_dto.go(+3 -1)📝
backend/internal/dto/signup_token_dto.go(+7 -7)📝
backend/internal/dto/user_dto.go(+12 -12)📝
backend/internal/dto/user_group_dto.go(+12 -16)📝
backend/internal/model/oidc.go(+1 -0)📝
backend/internal/model/user_group.go(+6 -5)📝
backend/internal/service/e2etest_service.go(+6 -4)📝
backend/internal/service/oidc_service.go(+10 -1)📝
backend/internal/service/user_group_service.go(+52 -0)➕
backend/resources/migrations/postgres/20251219000000_oidc_client_group_restriction.down.sql(+1 -0)➕
backend/resources/migrations/postgres/20251219000000_oidc_client_group_restriction.up.sql(+10 -0)➕
backend/resources/migrations/sqlite/20251219000000_oidc_client_group_restriction.down.sql(+7 -0)➕
backend/resources/migrations/sqlite/20251219000000_oidc_client_group_restriction.up.sql(+13 -0)📝
frontend/messages/en.json(+12 -3)📝
frontend/src/lib/components/collapsible-card.svelte(+22 -5)📝
frontend/src/lib/components/table/advanced-table.svelte(+6 -2)📝
frontend/src/lib/components/user-group-selection.svelte(+2 -2)📝
frontend/src/lib/services/user-group-service.ts(+11 -10)...and 10 more files
📄 Description
This PR changes the default behavior for OIDC client access restrictions.
Previously an OIDC client was implicitly allowed for all user groups if no user groups were selected. This implicit logic has been removed. By default newly created OIDC clients now allow no user groups.
To preserve the previous behavior in an explicit way, an “Unrestricted” option has been added. When enabled, the OIDC client becomes accessible to all user groups, matching how earlier versions behaved when no user group was selected.
Additionally, it is now possible to configure allowed OIDC clients directly from the user group detail page. This behaves the same as configuring allowed user groups on the OIDC client side, both approaches modify the same underlying access rules.
Closes #1052 and #1037
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.