OIDC with pocket id

It’s very easy to set up. You only need a reverse proxy and pocket-id.

docker compose from Installation

services:
  pocket-id:
    image: ghcr.io/pocket-id/pocket-id
    container_name: pocketid
    restart: unless-stopped
    ports:
      - 1411:1411
    volumes:
      - "/docker/pocketid:/app/data"
    environment:
      - APP_URL=https://<pocket id>
      - TRUST_PROXY=true
      - PUID=1000
      - PGID=1000
      - LOG_JSON=true
      - ANALYTICS_DISABLED=true

After docker compose up -d, use your reverse proxy to proxy pocket-id and the incus web UI, go to https://(pocket id)/setup to create an admin account and set up a passkey. Go to Administration - OIDC Clients and click Add OIDC Client:

Give a name, add https://(incus url) + /oidc/callback in Client Launch URL, and click save, like this:

Then you will see a Client ID; click to copy it. Now we are done with pocket-id. Let's configure incus:

incus config set oidc.client.id=<Client ID>

incus config set oidc.issuer=https://<pocket id>

incus config set oidc.scopes=openid,email,profile

Hope these commands are right; I did it in the web UI.

Now you can visit https://(incus url) and login with SSO.

3 Likes

Hi,

I’m trying to configure with pocket-id v2 in docker.

The callback URL you give does not seem to work and should probably be:
https://incus-url/oidc/login.

However, I can authenticate with my passkey, but then I receive an error (logs from the container):
{"time":"2026-01-11T11:56:38.772146018Z","level":"WARN","msg":"Request with errors: Error #01: You're not allowed to access this service\n","app":"pocket-id","version":"2.1.0","status":403,"method":"POST","path":"/api/oidc/authorize","query":"","route":"/api/oidc/authorize","ip":"xxx.xxx.xxx","referer":"/authorize?"…}

SSL certificates are OK and full chain is trusted.

Any idea ?

Best regards,

/oidc/callback is the correct redirect URL for Incus; /oidc/login isn't meant to receive the JWT data from the IdP, it's just a trigger URL for the UI.

1 Like
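The two things this thread trips over (the issuer string Incus is given, and which Incus path is registered as the redirect URI) can be checked before anyone clicks "login". The following is an added example, not code from the thread or from the Incus or pocket-id projects. It takes the values from `incus config show`, the IdP's discovery document (normally fetched from `<issuer>/.well-known/openid-configuration`; here a constructed sample with placeholder hostnames is embedded so it runs offline), and the redirect URIs registered on the pocket-id client, and reports every mismatch: issuer not exactly equal (trailing slash included), requested scopes the IdP does not offer, and a registered callback that is `/oidc/login` instead of `/oidc/callback`.

```python
"""Consistency check for the Incus <-> pocket-id OIDC wiring (added example)."""
import json
from urllib.parse import urlsplit

# Path on the Incus server that receives the IdP redirect (from the thread).
INCUS_CALLBACK_PATH = "/oidc/callback"

# Constructed sample discovery document in the shape defined by OpenID Connect
# Discovery. Hostnames are placeholders, not real deployments.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://id.example.internal",
    "authorization_endpoint": "https://id.example.internal/authorize",
    "token_endpoint": "https://id.example.internal/api/oidc/token",
    "jwks_uri": "https://id.example.internal/.well-known/jwks.json",
    "scopes_supported": ["openid", "profile", "email", "groups"],
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
})


def expected_callback(incus_url):
    """Derive the redirect URI that must be registered on the IdP client."""
    parts = urlsplit(incus_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"Incus URL must be an https origin: {incus_url!r}")
    return f"https://{parts.netloc}{INCUS_CALLBACK_PATH}"


def check_oidc_wiring(incus_url, incus_config, discovery_json, registered_redirects):
    """Return a list of problems; an empty list means the wiring is consistent.

    incus_config uses the keys shown by `incus config show`: oidc.issuer,
    oidc.client.id, oidc.scopes. registered_redirects is the list of callback
    URLs configured on the pocket-id OIDC client.
    """
    problems = []
    disc = json.loads(discovery_json)

    # OIDC issuer comparison is an exact string match, so "https://x/" != "https://x".
    issuer = incus_config.get("oidc.issuer", "")
    if not issuer.startswith("https://"):
        problems.append("oidc.issuer must use https")
    if issuer.endswith("/"):
        problems.append("oidc.issuer has a trailing slash; issuer comparison is exact")
    if issuer != disc.get("issuer"):
        problems.append(f"oidc.issuer {issuer!r} != discovery issuer {disc.get('issuer')!r}")

    if not incus_config.get("oidc.client.id"):
        problems.append("oidc.client.id is empty")

    # Every requested scope must be offered; openid is mandatory for OIDC.
    requested = [s for s in incus_config.get("oidc.scopes", "").split(",") if s]
    if "openid" not in requested:
        problems.append("oidc.scopes must include openid")
    missing = sorted(set(requested) - set(disc.get("scopes_supported", [])))
    if missing:
        problems.append(f"scopes not offered by the IdP: {missing}")

    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(disc.get(key, "")).startswith("https://"):
            problems.append(f"discovery document lacks an https {key}")

    # The IdP must know the exact Incus callback, not /oidc/login.
    want = expected_callback(incus_url)
    if want not in registered_redirects:
        problems.append(
            f"redirect URI {want!r} is not registered on the IdP client "
            f"(registered: {registered_redirects})"
        )
    return problems


if __name__ == "__main__":
    cfg = {
        "oidc.issuer": "https://id.example.internal/",  # trailing slash: wrong
        "oidc.client.id": "constructed-client-id",
        "oidc.scopes": "openid,email,profile",
    }
    for p in check_oidc_wiring("https://incus.example.internal:8443", cfg,
                               SAMPLE_DISCOVERY,
                               ["https://incus.example.internal:8443/oidc/login"]):
        print("PROBLEM:", p)
```

Run it with the real discovery document (`curl -s https://<pocket id>/.well-known/openid-configuration`) in place of `SAMPLE_DISCOVERY`; an empty result means the three settings in the first post and the callback registered in pocket-id agree with what the IdP advertises.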

Changes for pocket-id v2:

docker compose:

  environment:
    - ENCRYPTION_KEY=(a random string at least 16 characters long)

In the pocket-id web UI, on the OIDC Clients - incus client page, you need to click Public Client, or else OAuth will fail. You need to add whoever needs to SSO into incus to Allowed User Groups, or else you cannot log in.

1 Like
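The 403 in the log line posted above is what the Allowed User Groups setting produces when a user outside the allowed groups reaches /api/oidc/authorize. Since the compose file runs pocket-id with LOG_JSON=true, failed authorizations can be picked out of the container log mechanically. The following is an added example, not from the thread or the pocket-id project: it parses one JSON object per line, skips non-JSON noise, keeps failed authorize requests, attaches the remediation this thread arrived at for the "not allowed to access this service" message, and counts failures per source IP. The log lines are constructed, modelled on the one posted above; the IPs and timestamps are placeholders.

```python
"""Triage failed OIDC authorizations in pocket-id JSON logs (added example)."""
import json
from collections import Counter

# Message fragment -> remediation, as worked out in this thread.
KNOWN_FAILURES = {
    "not allowed to access this service":
        "add the user's group to the OIDC client's Allowed User Groups",
}

# Constructed sample log (placeholder IPs from 192.0.2.0/24, placeholder times).
SAMPLE_LOG = """\
{"time":"2026-01-11T11:56:38.772146018Z","level":"WARN","msg":"Request with errors: Error #01: You're not allowed to access this service\\n","app":"pocket-id","version":"2.1.0","status":403,"method":"POST","path":"/api/oidc/authorize","query":"","route":"/api/oidc/authorize","ip":"192.0.2.10","referer":"/authorize?"}
{"time":"2026-01-11T11:57:02.100000000Z","level":"INFO","msg":"Request","app":"pocket-id","version":"2.1.0","status":200,"method":"POST","path":"/api/oidc/authorize","query":"","route":"/api/oidc/authorize","ip":"192.0.2.11","referer":"/authorize?"}
this line is not JSON and must be skipped
{"time":"2026-01-11T11:58:15.000000000Z","level":"WARN","msg":"Request with errors: Error #01: You're not allowed to access this service\\n","app":"pocket-id","version":"2.1.0","status":403,"method":"POST","path":"/api/oidc/authorize","query":"","route":"/api/oidc/authorize","ip":"192.0.2.10","referer":"/authorize?"}
"""


def parse_log(text):
    """Return the JSON records in a log, one per line; non-JSON lines are dropped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # startup banners, stack traces, truncated lines
        if isinstance(rec, dict):
            records.append(rec)
    return records


def failed_authorizations(records):
    """Keep authorize requests with an HTTP error status and attach a hint."""
    out = []
    for rec in records:
        if rec.get("route") != "/api/oidc/authorize":
            continue
        status = rec.get("status")
        if not isinstance(status, int) or status < 400:
            continue
        msg = rec.get("msg", "")
        hint = next(
            (fix for frag, fix in KNOWN_FAILURES.items() if frag in msg),
            "unrecognised failure; inspect the OIDC client configuration",
        )
        out.append({
            "time": rec.get("time"),
            "ip": rec.get("ip"),
            "status": status,
            "msg": msg.strip(),
            "hint": hint,
        })
    return out


def failures_per_ip(records):
    """Count failed authorizations by source IP (repeated 403s from one client)."""
    return Counter(f["ip"] for f in failed_authorizations(records))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for f in failed_authorizations(recs):
        print(f"{f['time']} {f['ip']} {f['status']} {f['msg']}\n    -> {f['hint']}")
    print(dict(failures_per_ip(recs)))
```

Feed it the container output (`docker logs pocketid 2>&1`, using the container_name from the compose file) to see whether a login loop is a group allow-list problem before changing anything on the Incus side.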

Thanks for your reply.
Now I can connect to Pocket-ID and authenticate, but then I am sent back to the login page in incus!

I just have this error in the logs of pocket-id:
Error getting logout callback URL, the user has to confirm the logout manually app=pocket-id version=2.0.0 error="missing authorization"

On the pocket ID account, the login callback url has been successfully added automatically.

I don't know what to do now; I would like to succeed with pocket-id's great interface!
Keycloak was infinitely more complicated, but I succeeded with it in only 5 min…

I cannot reproduce your error. I will show my config for reference:

$ incus version
Client version: 6.17
Server version: 6.17
$ incus config show
config:
  core.https_address: '[::]:8443'
  oidc.client.id: (client id)
  oidc.issuer: https://(pocket id url)
  oidc.scopes: openid,email,profile

If you don't want to unrestrict the OIDC client incus, here is a how-to.

Create a group and select all the users you want. Then go back to the OIDC client incus and select the group you just created.

Hi Catfish,

Thank you for your interest and time.
Like I said earlier, I can authenticate on pocket-id successfully.
But incus always redirects me to the login page again.
I don't understand the error in the logs.

My config fully matches what you say and the recommendations on the internet.
However, I'm on incus v6.20. Maybe a regression…

Have a nice week.

I have updated incus to 6.20. I haven’t changed pocket id config, and I can still login normally. I have no idea how to reproduce your error :downcast_face_with_sweat: .

1 Like