[PR #1164] [MERGED] feat: restrict oidc clients by user groups per default #1082

Closed
opened 2026-02-04 21:15:28 +03:00 by OVERLORD · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/pocket-id/pocket-id/pull/1164
Author: @stonith404
Created: 12/23/2025
Status: Merged
Merged: 12/24/2025
Merged by: @stonith404

Base: mainHead: feat/user-groups-improvements


📝 Commits (5)

  • f61c784 feat: restrict oidc clients by user groups per default
  • ca40251 feat: add ability to edit oidc client group restriction on groups page
  • c757cfa adapt tests
  • b02dd34 add missing postgres migrations
  • b9f28c6 pr feedback

📊 Changes

30 files changed (+468 additions, -101 deletions)

View changed files

📝 backend/internal/controller/user_controller.go (+2 -2)
📝 backend/internal/controller/user_group_controller.go (+45 -12)
📝 backend/internal/dto/oidc_dto.go (+3 -1)
📝 backend/internal/dto/signup_token_dto.go (+7 -7)
📝 backend/internal/dto/user_dto.go (+12 -12)
📝 backend/internal/dto/user_group_dto.go (+12 -16)
📝 backend/internal/model/oidc.go (+1 -0)
📝 backend/internal/model/user_group.go (+6 -5)
📝 backend/internal/service/e2etest_service.go (+6 -4)
📝 backend/internal/service/oidc_service.go (+10 -1)
📝 backend/internal/service/user_group_service.go (+52 -0)
backend/resources/migrations/postgres/20251219000000_oidc_client_group_restriction.down.sql (+1 -0)
backend/resources/migrations/postgres/20251219000000_oidc_client_group_restriction.up.sql (+10 -0)
backend/resources/migrations/sqlite/20251219000000_oidc_client_group_restriction.down.sql (+7 -0)
backend/resources/migrations/sqlite/20251219000000_oidc_client_group_restriction.up.sql (+13 -0)
📝 frontend/messages/en.json (+12 -3)
📝 frontend/src/lib/components/collapsible-card.svelte (+22 -5)
📝 frontend/src/lib/components/table/advanced-table.svelte (+6 -2)
📝 frontend/src/lib/components/user-group-selection.svelte (+2 -2)
📝 frontend/src/lib/services/user-group-service.ts (+11 -10)

...and 10 more files

📄 Description

This PR changes the default behavior for OIDC client access restrictions.

Previously an OIDC client was implicitly allowed for all user groups if no user groups were selected. This implicit logic has been removed. By default newly created OIDC clients now allow no user groups.

To preserve the previous behavior in an explicit way, an “Unrestricted” option has been added. When enabled, the OIDC client becomes accessible to all user groups, matching how earlier versions behaved when no user group was selected.

Screenshot 2025-12-23 at 16 59 07

Additionally, it is now possible to configure allowed OIDC clients directly from the user group detail page. This behaves the same as configuring allowed user groups on the OIDC client side, both approaches modify the same underlying access rules.

Screenshot 2025-12-23 at 17 04 26

Closes #1052 and #1037


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/pocket-id/pocket-id/pull/1164 **Author:** [@stonith404](https://github.com/stonith404) **Created:** 12/23/2025 **Status:** ✅ Merged **Merged:** 12/24/2025 **Merged by:** [@stonith404](https://github.com/stonith404) **Base:** `main` ← **Head:** `feat/user-groups-improvements` --- ### 📝 Commits (5) - [`f61c784`](https://github.com/pocket-id/pocket-id/commit/f61c784988186e943e27ebdc2ad7150bc78241c6) feat: restrict oidc clients by user groups per default - [`ca40251`](https://github.com/pocket-id/pocket-id/commit/ca4025177693d4ba703c24f63268f343337a0905) feat: add ability to edit oidc client group restriction on groups page - [`c757cfa`](https://github.com/pocket-id/pocket-id/commit/c757cfa8c88473b4aeb9603b206cf6dcddfb3a9b) adapt tests - [`b02dd34`](https://github.com/pocket-id/pocket-id/commit/b02dd34c36802e67f6d0a2b8d530db9ed647c859) add missing postgres migrations - [`b9f28c6`](https://github.com/pocket-id/pocket-id/commit/b9f28c6364569f9a54e20afb36da822b5d9bdfc0) pr feedback ### 📊 Changes **30 files changed** (+468 additions, -101 deletions) <details> <summary>View changed files</summary> 📝 `backend/internal/controller/user_controller.go` (+2 -2) 📝 `backend/internal/controller/user_group_controller.go` (+45 -12) 📝 `backend/internal/dto/oidc_dto.go` (+3 -1) 📝 `backend/internal/dto/signup_token_dto.go` (+7 -7) 📝 `backend/internal/dto/user_dto.go` (+12 -12) 📝 `backend/internal/dto/user_group_dto.go` (+12 -16) 📝 `backend/internal/model/oidc.go` (+1 -0) 📝 `backend/internal/model/user_group.go` (+6 -5) 📝 `backend/internal/service/e2etest_service.go` (+6 -4) 📝 `backend/internal/service/oidc_service.go` (+10 -1) 📝 `backend/internal/service/user_group_service.go` (+52 -0) ➕ `backend/resources/migrations/postgres/20251219000000_oidc_client_group_restriction.down.sql` (+1 -0) ➕ `backend/resources/migrations/postgres/20251219000000_oidc_client_group_restriction.up.sql` (+10 -0) ➕ `backend/resources/migrations/sqlite/20251219000000_oidc_client_group_restriction.down.sql` (+7 -0) ➕ `backend/resources/migrations/sqlite/20251219000000_oidc_client_group_restriction.up.sql` (+13 -0) 📝 `frontend/messages/en.json` (+12 -3) 📝 `frontend/src/lib/components/collapsible-card.svelte` (+22 -5) 📝 `frontend/src/lib/components/table/advanced-table.svelte` (+6 -2) 📝 `frontend/src/lib/components/user-group-selection.svelte` (+2 -2) 📝 `frontend/src/lib/services/user-group-service.ts` (+11 -10) _...and 10 more files_ </details> ### 📄 Description This PR changes the default behavior for OIDC client access restrictions. Previously an OIDC client was implicitly allowed for all user groups if no user groups were selected. This implicit logic has been removed. By default newly created OIDC clients now allow no user groups. To preserve the previous behavior in an explicit way, an “Unrestricted” option has been added. When enabled, the OIDC client becomes accessible to all user groups, matching how earlier versions behaved when no user group was selected. <img width="1346" height="825" alt="Screenshot 2025-12-23 at 16 59 07" src="https://github.com/user-attachments/assets/3c9023b1-d51a-473e-8797-b4f5b4723150" /> Additionally, it is now possible to configure allowed OIDC clients directly from the user group detail page. This behaves the same as configuring allowed user groups on the OIDC client side, both approaches modify the same underlying access rules. <img width="1356" height="596" alt="Screenshot 2025-12-23 at 17 04 26" src="https://github.com/user-attachments/assets/498a4e09-081f-4015-814e-661adbbfee8b" /> Closes #1052 and #1037 --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
OVERLORD added the pull-request label 2026-02-04 21:15:28 +03:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/pocket-id#1082