🚀 Feature: allow to set arbitrary Client-ID #231

Closed
opened 2025-10-07 00:06:40 +03:00 by OVERLORD · 9 comments

Originally created by @savely-krasovsky on GitHub.

Feature description

Currently you cannot do it, since Pocket-ID automatically generates a random UUID. Unfortunately, there are apps which require exact Client IDs to work. An excellent example is OpenCloud: their desktop and mobile apps have hard-coded IDs which they list in the docs: https://docs.opencloud.eu/docs/admin/configuration/authentication-and-user-management/external-idp

Pitch

It will allow supporting the setups I described above.

OVERLORD added the open to pull requests label 2025-10-07 00:06:40 +03:00

@stonith404 commented on GitHub:

Fair enough. For mobile applications this would make sense.


@savely-krasovsky commented on GitHub:

Client registration will work, but it's more of an enterprise setup in my opinion. It's much simpler to just allow an arbitrary Client-ID. In my case it works flawlessly.


@stonith404 commented on GitHub:

It's [recommended](https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/) that the client ID is random:

> Even though it’s public, it’s best that it isn’t guessable by third parties, so many implementations use something like a 32-character hex string. If the client ID is guessable, it makes it slightly easier to craft phishing attacks against arbitrary applications. It must also be unique across all clients that the authorization server handles.

In my opinion this is a wrong implementation on OpenCloud's side, client IDs shouldn't be set manually. If you really have to set a custom client ID, you have to [do it manually in the database](https://github.com/pocket-id/pocket-id/issues/83#issuecomment-2565226796).

@savely-krasovsky commented on GitHub:

> In my opinion this is a wrong implementation on OpenCloud's side, client IDs shouldn't be set manually. If you really have to set a custom client ID.

@stonith404 I agree, though you usually cannot change a Client-ID which is hard-coded into mobile applications. Making it configurable in the app's UI? Questionable, it should rather use the [OAuth 2.0 Dynamic Client Registration Protocol](https://datatracker.ietf.org/doc/html/rfc7591), which Pocket-ID also doesn't support AFAIK. It seems reasonable for mobile applications at least, IMO.

The database trick is the first thing I did, hopefully Pocket-ID didn't have any strict requirements.

@BEBU88 commented on GitHub:

I'm also interested in setting up Opencloud Clients. I just read that all of their clients support Dynamic Client Registration: https://github.com/opencloud-eu/desktop/issues/246#issuecomment-2857476676


@Tarow commented on GitHub:

In addition to the client_id, it'd be great if we could also set the client_secret.

This would allow declarative provisioning of OIDC clients in PocketID and configuration of the clients themselves (say Traefik).
It would be very handy when using the REST API directly or through the Terraform Provider, for example.


@kmendell commented on GitHub:

@MorrisMorrison Feel free to implement what you think would work, but keep in mind the goal of our UI. "To stay simple": we don't want to clutter it up that much. If you try this, we can always tweak the UI to make sure it stays simple.


@MorrisMorrison commented on GitHub:

Hi,
I would like to take a look at this feature.

How do we want to display this option in the UI?
I was thinking about adding a simple toggle "Auto-generate ClientID" to the oidc-client form in settings, which is always true by default. Once turned off, we display a text input to be able to set an arbitrary client id.
Looking at the current layout it would probably fit nicely next to the name input.
We could also move it to the advanced options, since it's primarily needed for specific integration scenarios rather than typical usage.


@kmendell commented on GitHub:

@MorrisMorrison Thinking more, it should probably go in the advanced options, that's a good call.

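The behaviour discussed in this thread (a random client ID by default, a custom one only when explicitly supplied, and uniqueness across all clients) can be expressed as a single server-side check. This is an added example, not Pocket-ID's code: `ResolveClientID`, the error names, the character and length policy, and the sample IDs are all assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
)

// Hypothetical policy for custom IDs: 2-128 unreserved URL characters.
// This rule is an assumption for the example, not Pocket-ID's validation.
var customIDPattern = regexp.MustCompile(`^[A-Za-z0-9._~-]{2,128}$`)

var (
	ErrInvalidClientID = errors.New("client ID has invalid characters or length")
	ErrClientIDTaken   = errors.New("client ID already in use")
)

// ResolveClientID returns the ID to store for a new OIDC client.
// An empty custom value means "auto-generate" (the default); otherwise the
// custom value is validated and checked for uniqueness against existing.
func ResolveClientID(custom string, existing map[string]bool) (string, error) {
	if custom == "" {
		for {
			buf := make([]byte, 16) // 128 random bits -> 32 hex characters
			if _, err := rand.Read(buf); err != nil {
				return "", err
			}
			if id := hex.EncodeToString(buf); !existing[id] {
				return id, nil
			}
		}
	}
	if !customIDPattern.MatchString(custom) {
		return "", ErrInvalidClientID
	}
	if existing[custom] {
		return "", ErrClientIDTaken
	}
	return custom, nil
}

func main() {
	existing := map[string]bool{"ExampleDesktopClient": true} // constructed sample
	for _, in := range []string{"", "ExampleMobileClient", "ExampleDesktopClient", "bad id"} {
		id, err := ResolveClientID(in, existing)
		fmt.Printf("%q -> %q, %v\n", in, id, err)
	}
}
```

In a real service the uniqueness check belongs in a database unique constraint as well, so that two concurrent requests cannot both claim the same custom ID.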

Reference: starred/pocket-id#231