🚀 Feature: isolated client authentication #33

New Issue

Open

opened 2025-10-06 23:58:52 +03:00 by OVERLORD · 4 comments

OVERLORD commented 2025-10-06 23:58:52 +03:00

Owner

Copy Link

Originally created by @James18232 on GitHub.

Feature description

Feature Request to add an option to the create login code page and/or authentication prompt page when using the authorization code flow to use a ‘isolated login’. This login should not set any cookies on the device upon authentication by the user or include any refresh token to the client.

This could be achieved by a seperate button for the user to select when authenticating.

This is distinct from requiring reauthentication on each authorization per client, which is already supported.

Pitch

When logging into a client service on a ‘less trusted’ device you dont have full control of (eg shared public library computer, friend or family devices) - for example to show photos from an immich album - the user may forget to close a browser or have sign outs incorrectly implemented.

This may lead to unwanted/accidental access to other services and the pocket id instance itself via sso (assuming no requires reauthentication is set).

Having a ‘isolated authentication’ would not stop continued access to the intended service in this scenario, as I believe this is up to the client to invalidate/sign out, but it would prohibit access to any other services or the pocket id instance itself.

The user could use this isolated login in these instances to access a specific service only.

Originally created by @James18232 on GitHub. ### Feature description Feature Request to add an option to the create login code page and/or authentication prompt page when using the authorization code flow to use a ‘isolated login’. This login should not set any cookies on the device upon authentication by the user or include any refresh token to the client. This could be achieved by a seperate button for the user to select when authenticating. This is distinct from requiring reauthentication on each authorization per client, which is already supported. ### Pitch When logging into a client service on a ‘less trusted’ device you dont have full control of (eg shared public library computer, friend or family devices) - for example to show photos from an immich album - the user may forget to close a browser or have sign outs incorrectly implemented. This may lead to unwanted/accidental access to other services and the pocket id instance itself via sso (assuming no requires reauthentication is set). Having a ‘isolated authentication’ would not stop continued access to the intended service in this scenario, as I believe this is up to the client to invalidate/sign out, but it would prohibit access to any other services or the pocket id instance itself. The user could use this isolated login in these instances to access a specific service only.

OVERLORD added the needs more upvotes label 2025-10-06 23:58:52 +03:00

OVERLORD commented 2025-10-06 23:58:53 +03:00

Author

Owner

Copy Link

@kleinweby commented on GitHub:

To suggest another naming for this feature: "Remember Me". Under the "Authenticate" Button there would be a "Remember Me" Checkbox, if checked (the default) the current behaviour is used. If unchecked the new behaviour described here is used.

@kleinweby commented on GitHub: To suggest another naming for this feature: "Remember Me". Under the "Authenticate" Button there would be a "Remember Me" Checkbox, if checked (the default) the current behaviour is used. If unchecked the new behaviour described here is used.

OVERLORD commented 2025-10-06 23:58:53 +03:00

Author

Owner

Copy Link

@James18232 commented on GitHub:

Thanks. The feature is more akin to ‘incognito login’ to borrow from browsers. People probably get the concept with that name.

I would not start with adding to the current basic auth flow. Its simplicity remains a feature of its own.

I think to start an incognito button under the login code button in my account is the best way to go.

For most use cases you would be logging in from your own device anyway and get punted straight to this page, so its still a seamless code login. This incogntio code is just treated differently on the backend.

@James18232 commented on GitHub: Thanks. The feature is more akin to ‘incognito login’ to borrow from browsers. People probably get the concept with that name. I would not start with adding to the current basic auth flow. Its simplicity remains a feature of its own. I think to start an incognito button under the login code button in my account is the best way to go. For most use cases you would be logging in from your own device anyway and get punted straight to this page, so its still a seamless code login. This incogntio code is just treated differently on the backend.

OVERLORD commented 2025-10-06 23:58:54 +03:00

Author

Owner

Copy Link

@kleinweby commented on GitHub:

(sorry for writing twice) Another use case would be to improve the use of different accounts. E.g. one account with admin rights which I just want to use for this one login to elevate my privileges. Otherwise I would use my "normal" account.

@kleinweby commented on GitHub: (sorry for writing twice) Another use case would be to improve the use of different accounts. E.g. one account with admin rights which I just want to use for this one login to elevate my privileges. Otherwise I would use my "normal" account.

OVERLORD commented 2025-10-06 23:58:54 +03:00

Author

Owner

Copy Link

@kmendell commented on GitHub:

I personally wouldnt need to use this, but i added the needs more upvotes label. If the community wants this we can think about implementing it.

@kmendell commented on GitHub: I personally wouldnt need to use this, but i added the needs more upvotes label. If the community wants this we can think about implementing it.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

i18n_crowdin

breaking/v2

v2/use-item-component

default-env-db-keys

slog-gorm

v1.16.0

v1.15.0

v1.14.2

v1.14.1

v1.14.0

v1.13.1

v1.13.0

v1.12.0

v1.11.2

v1.11.1

v1.11.0

v1.10.0

v1.9.1

v1.9.0

v1.8.1

v1.8.0

v1.7.0

v1.6.4

v1.6.3

v1.6.2

v1.6.1

v1.6.0

v1.5.0

v1.4.1

v1.4.0

v1.3.1

v1.3.0

v1.2.0

v1.1.0

v1.0.0

v0.53.0

v0.52.0

v0.51.1

v0.51.0

v0.50.0

v0.49.0

v0.48.0

v0.47.0

v0.46.0

v0.45.0

v0.44.0

v0.43.1

v0.43.0

v0.42.1

v0.42.0

v0.41.0

v0.40.1

v0.40.0

v0.39.0

v0.38.0

v0.37.0

v0.36.0

v0.35.6

v0.35.5

v0.35.4

v0.35.3

v0.35.2

v0.35.1

v0.35.0

v0.34.0

v0.33.0

v0.32.0

v0.31.0

v0.30.0

v0.29.0

v0.28.1

v0.28.0

v0.27.2

v0.27.1

v0.27.0

v0.26.0

v0.25.1

v0.25.0

v0.24.1

v0.24.0

v0.23.0

v0.22.0

v0.21.0

v0.20.1

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.0

v0.13.1

v0.13.0

v0.12.0

v0.11.0

v0.10.0

v0.9.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.1

v0.4.0

v0.3.1

v0.3.0

v0.2.1

v0.2.0

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels

breaking

bug

documentation

feature

needs more upvotes

open to pull requests

pull-request

Mirrored from GitHub Pull Request

No Label needs more upvotes

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/pocket-id#33