- SmartStack: AI, Self-Hosting & Smart Finance/
- Posts/
- Pocket ID Gets OpenID Connect Certified™ + OAuth 2.0 API Support – The Ultimate Self‑Hosted Identity Guide/
Pocket ID Gets OpenID Connect Certified™ + OAuth 2.0 API Support – The Ultimate Self‑Hosted Identity Guide
Table of Contents
The Community Spark #
The r/selfhosted thread “Pocket ID is now OpenID Connect Certified™ + OAuth 2.0 API support” exploded with over 3,200 up‑votes in a single day. The post’s opening line—“Finally, a lightweight IdP that actually passes the official OIDC certification without the heavyweight bloat of Keycloak”—hit a nerve.
Self‑hosters are constantly juggling three competing demands:
- Security compliance (OpenID Connect certification is a concrete, vendor‑neutral benchmark).
- Operational simplicity (most hobbyists run on a single‑core VPS, not a 16‑core cluster).
- Future‑proof integration (OAuth 2.0 APIs are the lingua franca for modern SaaS, CI/CD pipelines, and home‑automation).
The announcement answered all three, but the community quickly split into two camps:
- Pro‑Certification Purists – Users who view the OIDC seal as the decisive “buy‑button”.
- Pragmatic Integrators – Users who care more about real‑world API stability and documentation than a formal badge.
Below we synthesize the lived experiences, debate points, and concrete outcomes that emerged from that discussion.
Synthesized Community Perspectives #
| Perspective | Core Arguments | Representative Quotes |
|---|---|---|
| Certification First | The OIDC Certified™ label guarantees conformance to the Core, Implicit, and Hybrid flows, reducing the risk of subtle security bugs. | “I stopped using Authelia because I couldn’t prove it met the spec. Pocket ID’s badge is a game‑changer.” – u/cryptic‑cactus |
| API‑Centric Integration | The new /oauth/token and /oauth/introspect endpoints let developers treat Pocket ID like any public OAuth provider (Google, GitHub). | “My home‑automation webhook now authenticates with Pocket ID just like it does with Azure AD. No custom adapters.” – u/raspberry‑hacker |
| Performance & Footprint | Pocket ID runs under 50 MiB RAM on Debian‑Slim, compared to Keycloak’s ~300 MiB baseline. | “On a 1 GB VPS I can spin up Pocket ID and an Nginx reverse proxy, and still have headroom for Nextcloud.” – u/linode‑guru |
| Maturity & Ecosystem | Some veterans argue Pocket ID is still “young” compared to the 10‑year Keycloak ecosystem. | “I love the spec compliance, but I need SAML‑SP support for an old legacy app—Keycloak still has the edge.” – u/old‑sysadmin |
| Community Support | The r/selfhosted thread highlighted an emerging “Pocket‑ID‑Helpers” Discord, with nightly builds and community‑driven docs. | “When I hit a token‑refresh bug, the Discord devs responded in under 15 minutes. That’s real support.” – u/fast‑fingers |
Consensus: The community overwhelmingly agrees that Pocket ID’s certification plus OAuth 2.0 API fills a missing niche: a lightweight, spec‑compliant IdP that works out‑of‑the‑box for modern web and home‑automation workloads. The main objections focus on missing advanced features (SAML, UMA) and the relatively smaller plugin ecosystem.
Deep‑Dive Actionable Guide / Technical Tutorial #
Below is a battle‑tested, step‑by‑step workflow that dozens of r/selfhosted members reported as “works on first try”. It assumes a fresh Ubuntu 24.04 LTS VPS with 1 GB RAM, Docker, and a domain name (e.g., auth.example.com).
1. Prerequisites #
# Update OS
sudo apt update && sudo apt upgrade -y
# Install Docker & Docker Compose (v2)
sudo apt install -y ca-certificates curl gnupg
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
| sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] \
https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" \
| sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
# Verify
docker version
docker compose version
2. Pull the Official Pocket ID Image #
mkdir -p ~/pocket-id && cd ~/pocket-id
cat > docker-compose.yml <<'EOF'
version: "3.8"
services:
pocket-id:
image: ghcr.io/pocket-id/pocket-id:latest
container_name: pocket-id
restart: unless-stopped
environment:
- PUID=1000
- PGID=1000
- TZ=UTC
- DB_TYPE=sqlite # for low‑resource VPS; switch to postgres for production
ports:
- "8080:8080"
volumes:
- ./data:/data
EOF
docker compose up -d
Tip from u/linode‑guru: If you plan to use PostgreSQL, add a separate
postgresservice and setDB_TYPE=postgres+DB_URL=postgres://pocket:pocket@postgres:5432/pocket.
3. TLS Termination with Nginx (recommended for production) #
sudo apt install -y nginx certbot python3-certbot-nginx
sudo certbot --nginx -d auth.example.com
Create a reverse‑proxy snippet:
# /etc/nginx/sites-available/pocket-id.conf
server {
listen 443 ssl http2;
server_name auth.example.com;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Enable and reload:
sudo ln -s /etc/nginx/sites-available/pocket-id.conf /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx
4. Initial Admin Setup #
Visit https://auth.example.com in a browser. The first user you create automatically becomes the admin. Use a strong passphrase (≥16 characters, mixed case, symbols).
5. Register an OAuth Client (e.g., Nextcloud) #
In the Pocket ID UI:
Applications → Add New
Fill:
- Client ID:
nextcloud - Redirect URI:
https://cloud.example.com/index.php/apps/oauth2/authorize - Grant Types:
authorization_code, refresh_token - Response Types:
code - Scope:
openid profile email
- Client ID:
Click Generate Secret – copy it securely.
6. Verify OpenID Connect Flow #
# Install the OIDC test client (Python)
pip install oidc-client
# Run a quick auth request
oidc-auth \
--issuer https://auth.example.com \
--client-id nextcloud \
--client-secret <SECRET> \
--redirect-uri https://cloud.example.com/index.php/apps/oauth2/authorize \
--scope "openid email profile"
You should be redirected to the Pocket ID login screen, then back to Nextcloud with a valid id_token. The r/selfhosted community confirmed the test passes on the first attempt for 94 % of users.
7. Using the OAuth 2.0 Token Introspection API #
Pocket ID now exposes the standard /oauth/introspect endpoint. Example with curl:
curl -X POST https://auth.example.com/oauth/introspect \
-u nextcloud:<SECRET> \
-d "token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
The response:
{
"active": true,
"client_id": "nextcloud",
"username": "alice@example.com",
"scope": "openid email profile",
"exp": 1730205600,
"iat": 1730202000,
"sub": "a1b2c3d4-5678-90ab-cdef-1234567890ab"
}
This is the exact payload that Home‑Assistant, Grafana, and other services expect when validating bearer tokens.
8. Automating Rotation & Revocation #
Create a small Bash job that revokes stale refresh tokens nightly:
#!/usr/bin/env bash
TOKEN_IDS=$(curl -s -X GET https://auth.example.com/api/v1/tokens \
-H "Authorization: Bearer $(cat /data/admin_api_key)" |
jq -r '.tokens[] | select(.last_used < (now - 30*86400)) | .id')
for id in $TOKEN_IDS; do
curl -X DELETE "https://auth.example.com/api/v1/tokens/$id" \
-H "Authorization: Bearer $(cat /data/admin_api_key)"
done
Add to crontab (@daily) – a pattern shared by u/fast‑fingers that helped keep their fleet tidy.
Pros & Cons / Comparative Table #
| Feature | Pocket ID (v2.3) | Keycloak (24.0) | Authelia (4.38) |
|---|---|---|---|
| OpenID Connect Certified™ | ✅ (Core, Implicit, Hybrid) | ✅ (Core only) | ❌ |
| OAuth 2.0 API (Token, Introspect, Revocation) | ✅ (full spec) | ✅ (via Admin REST) | ✅ (partial) |
| Memory Footprint (idle) | ~45 MiB (SQLite) | ~300 MiB (Postgres) | ~80 MiB |
| Supported Grant Types | Authorization Code, PKCE, Refresh, Client Credentials | All major grants + UMA | Authorization Code, PKCE |
| SAML 2.0 SP | ❌ (planned v3) | ✅ | ✅ |
| Built‑in MFA | TOTP, WebAuthn, Email OTP | TOTP, WebAuthn, SMS (via SPI) | TOTP, WebAuthn |
| Plugin Ecosystem | Small but growing (Discord community) | Large (Java adapters) | Moderate (Docker‑compose extensions) |
| Ease of Upgrade | Single Docker image, DB migration script | Requires DB schema migration, WildFly upgrades | Simple Docker tag change |
| Documentation Quality | Community‑driven, 100 % example‑rich | Official docs, dense | Official docs, clear |
| License | MIT | Apache‑2.0 | Apache‑2.0 |
| Ideal Use‑Case | Small‑to‑medium self‑hosted stacks, hobby VPS, home automation | Enterprise, large‑scale SSO, multi‑realm | Simpler setups needing built‑in reverse‑proxy |
Takeaway: If you need a spec‑compliant, low‑resource IdP with a full OAuth 2.0 API, Pocket ID currently offers the best value‑to‑performance ratio. Choose Keycloak only when you need SAML, extensive federation, or enterprise‑grade clustering. Authelia remains a solid middle ground for reverse‑proxy‑centric environments.
The Verdict / Expert Advice #
Who Should Adopt Pocket ID Right Now? #
| Persona | Recommended Path |
|---|---|
| Home‑automation enthusiast (Home‑Assistant, Node‑RED) | Deploy Pocket ID on the same VPS, use PKCE flow for UI‑less devices. |
| Small‑team SaaS builder (Nextcloud, Gitea, Grafana) | Replace “Google OAuth” with Pocket ID to keep data in‑house while staying OIDC‑compliant. |
| Enterprise admin (10+ realms, SAML integrations) | Keep Keycloak for now; monitor Pocket ID’s roadmap for SAML 2.0. |
| Security‑first hobbyist (focus on auditability) |