OIDC with pocket id

It’s very easy to set up. You only need a reverse proxy and pocket-id.

docker compose from Installation

services:
  pocket-id:
    image: ghcr.io/pocket-id/pocket-id
    container_name: pocketid
    restart: unless-stopped
    ports:
      - 1411:1411
    volumes:
      - "/docker/pocketid:/app/data"
    environment:
      - APP_URL=https://<pocket id>
      - TRUST_PROXY=true
      - PUID=1000
      - PGID=1000
      - LOG_JSON=true
      - ANALYTICS_DISABLED=true

After docker compose up -d, use your reverse proxy to proxy pocket-id and the Incus web UI, go to https://(pocket id)/setup to create an admin account and set up a passkey. Go to Administration - OIDC Clients and click Add OIDC Client:

Give it a name, add https://(incus url) + /oidc/callback as the Client Launch URL, and click Save, like this:

Then you will see a Client ID; click it to copy it. Now we are done with pocket-id. Let's configure Incus:

incus config set oidc.client.id=<Client ID>

incus config set oidc.issuer=https://<pocket id>

incus config set oidc.scopes=openid,email,profile

I hope these commands are right; I did it in the web UI.

Now you can visit https://(incus url) and login with SSO.


Hi,

I’m trying to configure with pocket-id v2 in docker.

The Launch URL callback you give doesn't seem to work and should probably be:
https://incus-url/oidc/login.

However, I can authenticate with my passkey, but then I receive an error (logs from the container):
{"time":"2026-01-11T11:56:38.772146018Z","level":"WARN","msg":"Request with errors: Error #01: You're not allowed to access this service\n","app":"pocket-id","version":"2.1.0","status":403,"method":"POST","path":"/api/oidc/authorize","query":"","route":"/api/oidc/authorize","ip":"xxx.xxx.xxx","referer":"/authorize?"…}

SSL certificates are OK and full chain is trusted.

Any idea?

Best regards,

/oidc/callback is the correct redirect URL for Incus, /oidc/login isn’t meant to receive the JWT data from the IdP, it’s just a trigger URL for the UI.

Changes for pocket-id v2:

docker compose:

  environment:
    - ENCRYPTION_KEY=<random string, at least 16 characters long>

In the pocket-id web UI, under OIDC Clients, open the incus client page. You need to enable Public Client, or else OAuth will fail. You need to add whichever users need to SSO into Incus to Allowed User Groups, or else you cannot log in.
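A preflight check for the settings discussed in this thread, added here as an example (not code from Incus or pocket-id): it compares the issuer and scopes you would pass to `incus config set` against the IdP's OIDC discovery document, and checks what a public client (the "Public Client" setting above) needs for the authorization-code flow, namely `response_type=code` and PKCE `S256`. The hostnames, the discovery document and the exact property list are assumptions based on general OIDC behaviour, not something the thread or the Incus documentation states; swap in the live `/.well-known/openid-configuration` of your pocket-id instance to check a real deployment.

```python
"""Preflight check: Incus OIDC settings vs. the pocket-id discovery document.

Everything below is a constructed example so it runs offline. The hostnames are
made up, and DISCOVERY is a hand-written stand-in for what
https://<pocket id>/.well-known/openid-configuration would return.
"""
import json

# Values you would pass to `incus config set` (assumed hostname).
INCUS_URL = "https://incus.example.test"
INCUS_OIDC_ISSUER = "https://id.example.test"
INCUS_OIDC_SCOPES = "openid,email,profile"

# Constructed discovery document, not captured from a real pocket-id instance.
DISCOVERY = json.dumps({
    "issuer": "https://id.example.test",
    "authorization_endpoint": "https://id.example.test/authorize",
    "token_endpoint": "https://id.example.test/api/oidc/token",
    "jwks_uri": "https://id.example.test/.well-known/jwks.json",
    "scopes_supported": ["openid", "profile", "email", "groups"],
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
})


def callback_url(incus_url):
    """Redirect URL to register in pocket-id: /oidc/callback, not /oidc/login."""
    return incus_url.rstrip("/") + "/oidc/callback"


def check_discovery(doc_json, issuer, scopes):
    """Return a list of problems; an empty list means the settings are consistent.

    The checks are what a public OIDC client using the authorization-code flow
    with PKCE needs from its IdP (general OIDC requirements, assumed here to be
    the ones that matter for Incus; not a list taken from Incus documentation).
    """
    doc = json.loads(doc_json)
    problems = []

    # 1. oidc.issuer must match the IdP's self-reported issuer exactly
    #    (same scheme and host); a trailing slash on the Incus side is tolerated.
    if doc.get("issuer") != issuer.rstrip("/"):
        problems.append(
            f"issuer mismatch: incus={issuer!r} idp={doc.get('issuer')!r}")

    # 2. oidc.scopes must include openid, and every requested scope must be offered.
    wanted = [s for s in scopes.split(",") if s]
    if "openid" not in wanted:
        problems.append("oidc.scopes must include 'openid'")
    missing = [s for s in wanted if s not in doc.get("scopes_supported", [])]
    if missing:
        problems.append(f"scopes not offered by IdP: {missing}")

    # 3. The authorization-code flow must be available.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("IdP does not advertise response_type=code")

    # 4. A public client has no secret, so it relies on PKCE with S256.
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("IdP does not advertise PKCE method S256")

    # 5. The endpoints used in the flow must exist and be served over TLS.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key, "")
        if not url.startswith("https://"):
            problems.append(f"{key} missing or not https: {url!r}")

    return problems


if __name__ == "__main__":
    print("register this callback URL in pocket-id:", callback_url(INCUS_URL))
    found = check_discovery(DISCOVERY, INCUS_OIDC_ISSUER, INCUS_OIDC_SCOPES)
    for p in found:
        print("PROBLEM:", p)
    print("ok" if not found else f"{len(found)} problem(s)")
```

Run it before the `incus config set` step; an issuer mismatch or a missing scope shows up here as a plain message instead of as an opaque failure at login time. Note that a 403 on /api/oidc/authorize like the one in the thread is not something the discovery document can reveal: that is the Allowed User Groups setting on the pocket-id client, which has to be checked in the pocket-id UI.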