🐛 Bug Report: Custom Claims with same key overrides previous defined values #625

Open
opened 2026-02-04 20:41:10 +03:00 by OVERLORD · 0 comments

Originally created by @etho201 on GitHub (Jan 26, 2026).

Reproduction steps

If a user belongs to multiple groups, and you assign a custom claim to each group, the key-value pairs seem to conflict when the same key (but different value) is defined in more than one group.

For example:
I have Pocket-ID configured with both OCIS and OpenCloud. OpenCloud is a fork of OCIS so the way it is configured with OIDC is nearly identical. The difference is you have a group called `ocisAdmin`, and a group called `opencloudAdmin`. For the `ocisAdmin` group you are to add a custom claim key-value pair called `roles:ocisAdmin`, and for the `opencloudAdmin` group you are to add a custom claim key-value pair called `roles:opencloudAdmin`.

After doing this, if you click on "OIDC Data Preview" you will only see one of the values (probably whichever one was added most recently).

The only way around this is to instead define the custom claims at the user level instead, and it needs to be defined in a very specific way. So if I want my admin user to have a key called `roles` with two values: `ocisAdmin` and `opencloudAdmin`, I need to define it within an array list. The key is `roles`, the value needs to be defined as `["ocisAdmin", "opencloudAdmin"]`.

I'm happy to have found a workaround, but I think it would be far more elegant if Pocket ID could simply combine any key-value pairs that have the same key into an array list, rather than wiping out the previously defined key-value pair.

Expected behavior

I expected that if I define a key-value pair in a group, if the key is the same as another key defined in a different group, the user profile assigned to those groups would have both values for that key.

Actual Behavior

I define a key-value pair in a group, if the key is the same as another key defined in a different group, the user profile assigned to those groups only has the latest value for that key (as verified in the OIDC Data Preview).

Pocket ID Version

v2.2.0

Database

SQLite

OS and Environment

Docker on Armbian 25.11.2 jammy

Log Output

No response
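
The difference between the reported and the requested behaviour, as an added example that is not part of the original report and is not Pocket ID's code: `Claim`, `Overwrite` and `Merge` are hypothetical names, and the two groups in `main` are constructed from the report. Because a relying party authorizes on the `roles` claim, the overwrite case silently drops a role the user was assigned.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Claim is one custom claim on a group (hypothetical type, not Pocket ID's).
type Claim struct{ Key, Value string }

// Overwrite models the reported behaviour: the last group processed wins.
func Overwrite(groups [][]Claim) map[string]any {
	out := map[string]any{}
	for _, g := range groups {
		for _, c := range g {
			out[c.Key] = c.Value
		}
	}
	return out
}

// Merge models the requested behaviour: same-key values combined, de-duplicated, sorted.
func Merge(groups [][]Claim) map[string]any {
	out := map[string]any{}
	for _, g := range groups {
		for _, c := range g {
			vals := []string{c.Value}
			var arr []string
			if json.Unmarshal([]byte(c.Value), &arr) == nil && arr != nil {
				vals = arr // value was already a JSON array of strings
			}
			have, _ := out[c.Key].([]string)
			for _, v := range vals {
				if i := sort.SearchStrings(have, v); i == len(have) || have[i] != v {
					have = append(have[:i], append([]string{v}, have[i:]...)...)
				}
			}
			out[c.Key] = have
		}
	}
	return out
}

func main() {
	// Constructed sample: the two groups described in the report.
	groups := [][]Claim{{{"roles", "ocisAdmin"}}, {{"roles", "opencloudAdmin"}}}
	fmt.Println(Overwrite(groups), Merge(groups))
}
```

`Merge` always emits an array, even for a single value, so a relying party sees one stable type for the claim.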

Reference: starred/pocket-id#625