starred/pocket-id
1
0
Fork 0
mirror of https://github.com/pocket-id/pocket-id.git synced 2025-12-06 09:13:19 +03:00
Code Issues 121 Packages Projects Releases 16 Wiki Activity

🐛 Bug Report: initial id token contains groups claim but subsequent tokens generated using refresh token don't #11

New Issue
Closed
opened 2025-10-06 23:58:09 +03:00 by OVERLORD · 1 comment
OVERLORD commented 2025-10-06 23:58:09 +03:00
Owner
Copy Link

Originally created by @michaelbeaumont on GitHub.

Reproduction steps

NOTE: this started happening with v1.11

When I use kube oidc-login with --oidc-extra-scope=groups against pocket-id and don't yet have a token, it calls /authorize?access_type=offline... and gets an id token that contains my groups, along with a refresh token. The k8s API server authorizes me using the groups claim. When that id_token expires and kubectl oidc-login tries to get a new one, the new id token doesn't contain my groups and authorization fails.

NOTE: this has nothing to do with Kubernetes. I can verify locally that the id token does not contain the groups.

Expected behavior

Later id tokens generated with a refresh token also contain the groups claim.

Actual Behavior

Later id tokens generated with a refresh token don't contain the groups claim.

Pocket ID Version

v1.11.2

Database

SQLite

OS and Environment

On GCP using v1.12.2-distroless

Log Output

No response

Originally created by @michaelbeaumont on GitHub. ### Reproduction steps NOTE: this started happening with v1.11 When I use `kube oidc-login` with `--oidc-extra-scope=groups` against pocket-id and don't yet have a token, it calls `/authorize?access_type=offline...` and gets an id token that contains my groups, along with a refresh token. The k8s API server authorizes me using the `groups` claim. When that id_token expires and `kubectl oidc-login` tries to get a new one, the new id token doesn't contain my groups and authorization fails. NOTE: this has nothing to do with Kubernetes. I can verify locally that the id token does not contain the groups. ### Expected behavior Later id tokens generated with a refresh token also contain the `groups` claim. ### Actual Behavior Later id tokens generated with a refresh token don't contain the `groups` claim. ### Pocket ID Version v1.11.2 ### Database SQLite ### OS and Environment On GCP using v1.12.2-distroless ### Log Output _No response_
OVERLORD commented 2025-10-06 23:58:11 +03:00
Author
Owner
Copy Link

@ItalyPaleAle commented on GitHub:

Fixed in #989 thanks for the report

@ItalyPaleAle commented on GitHub: Fixed in #989 thanks for the report
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
breaking
bug
documentation
feature
needs more upvotes
open to pull requests
pull-request
Mirrored from GitHub Pull Request
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/pocket-id#11
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?