|
| 1 | +# Tinyauth with Pocket ID |
| 2 | + |
| 3 | +[Pocket ID](https://pocket-id.org) is a really popular OIDC server that allows you to login to your apps with passkeys. Most proxies do not support OIDC/OAuth servers for authentication meaning that Pocket ID cannot be connected with them. With tinyauth you can connect Pocket ID to your favorite proxy and use it to secure your apps. |
| 4 | + |
| 5 | +## Requirements |
| 6 | + |
| 7 | +This guide assumes you have a working Pocket ID installation. If you don't already have one you can checkout [Pocket ID's documentation](https://pocket-id.org/docs/setup/installation) on how to install it. |
| 8 | + |
| 9 | +## Configuring Pocket ID |
| 10 | + |
| 11 | +To begin with you should visit Pocket ID's admin dashboard which should look like this: |
| 12 | + |
| 13 | + |
| 14 | + |
| 15 | +There you should go to the _OIDC Clients_ tab and click _Add OIDC Client_. A new menu will appear prompting you to provide some information. We only need to set two of these fields. |
| 16 | + |
| 17 | +**Name** -> Give your client a name. You can use `Tinyauth` |
| 18 | + |
| 19 | +**Callback URLs** -> Here, you will need to fill in your tinyauth app URL followed by `/api/oauth/callback/generic`. For example `https://tinyauth.example.com/api/oauth/callback/generic`. |
| 20 | + |
| 21 | + |
| 22 | + |
| 23 | +You can also upload a logo for your OIDC client. You can download the tinyauth logo from [Github](https://github.com/steveiliop56/tinyauth/blob/main/frontend/public/logo.png). |
| 24 | + |
| 25 | +Finally click _Save_. A new page should be appear containing your OIDC credentials: |
| 26 | + |
| 27 | + |
| 28 | + |
| 29 | +Make sure to note down your client ID and secret as we will need them later. |
| 30 | + |
| 31 | +## Configuring Tinyauth |
| 32 | + |
| 33 | +In order for Pocket ID to work with tinyauth we will need to use the generic provider. An example configuration will look like: |
| 34 | + |
| 35 | +```yaml |
| 36 | +tinyauth: |
| 37 | + image: ghcr.io/steveiliop56/tinyauth:v3 |
| 38 | + container_name: tinyauth |
| 39 | + restart: unless-stopped |
| 40 | + environment: |
| 41 | + - SECRET=some-random-32-chars-string |
| 42 | + - APP_URL=https://tinyauth.example.com |
| 43 | + - GENERIC_CLIENT_ID=your-pocket-id-client-id |
| 44 | + - GENERIC_CLIENT_SECRET=your-pocket-id-client-secret |
| 45 | + - GENERIC_AUTH_URL=https://pocket-id.example.com/authorize |
| 46 | + - GENERIC_TOKEN_URL=https://pocket-id.example.com/api/oidc/token |
| 47 | + - GENERIC_USER_URL=https://pocket-id.example.com/api/oidc/userinfo |
| 48 | + - GENERIC_SCOPES=openid email profile groups |
| 49 | + - GENERIC_NAME=Pocket ID |
| 50 | + labels: |
| 51 | + traefik.enable: true |
| 52 | + traefik.http.routers.tinyauth.rule: Host(`tinyauth.example.com`) |
| 53 | + traefik.http.middlewares.tinyauth.forwardauth.address: http://tinyauth:3000/api/auth/traefik |
| 54 | +``` |
| 55 | +
|
| 56 | +::: tip |
| 57 | +You can set the `OAUTH_AUTO_REDIRECT` environment variable to `generic` so every time you try to access a tinyauth app you will be automatically redirected to Pocket ID. |
| 58 | +::: |
| 59 | + |
| 60 | +::: warning |
| 61 | +OAuth doesn't mean security, with the current setup everybody with a Pocket ID account can login to tinyauth as a normal user. If you would like to limit which users can login with OAuth, you can add the `OAUTH_WHITELIST` environment variable and only allow your email address to login. For more information check the [configuration](/docs/reference/configuration.md) page. |
| 62 | +::: |
| 63 | + |
| 64 | +And you are done! After you restart tinyauth and try to login to an app, you should have an additional option to login with Pocket ID. |
| 65 | + |
| 66 | +## Access controls with Pocket ID groups |
| 67 | + |
| 68 | +Pocket ID has support for user groups, this can be useful for managing your access controls entirely through Pocket ID and not through whitelists on tinyauth. To use groups you will firstly need to create one. To do so firstly go to the _User Groups_ tab and click _Add Group_. There you should give it a name and click _Save_. |
| 69 | + |
| 70 | + |
| 71 | + |
| 72 | +After you create your group, you will be prompted to select the users included in it. You can select as many users as you like. |
| 73 | + |
| 74 | + |
| 75 | + |
| 76 | +Finally you will need to configure the tinyauth protected apps to require OAuth groups. This can be configured with a simple label: |
| 77 | + |
| 78 | +```yaml |
| 79 | +whoami: |
| 80 | + container_name: whoami |
| 81 | + image: traefik/whoami:latest |
| 82 | + restart: unless-stopped |
| 83 | + labels: |
| 84 | + traefik.enable: true |
| 85 | + traefik.http.routers.nginx.rule: Host(`whoami.example.com`) |
| 86 | + traefik.http.routers.nginx.middlewares: tinyauth |
| 87 | + tinyauth.oauth.groups: admins # <-- Added line |
| 88 | +``` |
| 89 | +
|
| 90 | +In this example, only the Pocket ID users within the `admins` group will be able to access the app. Users not included in the group will be redirected to an unauthorized page. |
| 91 | + |
| 92 | +::: warning |
| 93 | +In order for the access controls to work the app must have the same container name as the subdomain it is exposed at, e.g. container name should be `hello` and the app should be exposed at `hello.example.com`. Using a different subdomain will **_not_** work. |
| 94 | +::: |
| 95 | + |
| 96 | +::: info |
| 97 | +The OAuth and user whitelist can be a regular regex expression if it has the slash (`/`) prefix and suffix. |
| 98 | +::: |
0 commit comments