Skip to content

[BUG] OAuth groups access control broken in v5.1.0 - empty app OAuth whitelist denies access #1009

Description

@mitchgu

Describe the Bug

After upgrading to v5.1.0, OAuth groups-based access control stopped working. Debug logs show:

{"level":"warn","stream":"app","error":"filter is empty","item":"user@example.com","time":"2026-07-16T01:00:44Z","time":"2026-07-16T01:00:44Z","caller":"/tinyauth/internal/service/access_controls_rules.go:46","message":"Invalid entry in OAuth whitelist"}

This is with the env var TINYAUTH_APPS_[NAME]_OAUTH_GROUPS configured and the env var TINYAUTH_APPS_[NAME]_OAUTH_WHITELIST not configured. Here [NAME] and user@example.com are placeholders for my actual app name and email. I confirmed in pocket-id that user@example.com is still in the right group.

It seems like the default OAuth whitelist of the empty string prevents a user from being granted access even if the user is in the configured group. My agent says it's from #852

When I set TINYAUTH_APPS_[NAME]_OAUTH_WHITELIST=/.*/, it works again.

How to Reproduce

No response

Expected Behavior

Setting TINYAUTH_APPS_[NAME]_OAUTH_GROUPS to use groups based access control does not require also setting the TINYAUTH_APPS_[NAME]_OAUTH_WHITELIST env var to have users or a wildcard.

Additional Context

No response

Logs

No response

Operating System

Linux

Browser

No response

Tinyauth Version

v5.1.0

Docker Version (if applicable)

No response

Human Written Confirmation

  • I confirm this issue was written by me and not generated by an LLM or AI assistant.

Metadata

Metadata

Assignees

Labels

bugSomething isn't working

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions