### Execute Pocket ID Proxmox Helper Script Source: https://pocket-id.org/docs/setup/installation This command downloads and immediately executes a community-maintained helper script designed for installing Pocket ID on Proxmox. The script automates the setup process, typically creating a container or virtual machine for Pocket ID. ```bash bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/ct/pocketid.sh)" ``` -------------------------------- ### Build Pocket ID from Source via Git, npm, and Go Source: https://pocket-id.org/docs/setup/installation This comprehensive set of commands guides the user through cloning the Pocket ID repository, checking out the latest stable version, building the frontend application using Node.js (npm), compiling the backend with Go, and preparing the environment configuration file. It requires Git, Node.js (>=22), and Go (>=1.24) to be installed. ```Bash # Clone the repo git clone https://github.com/pocket-id/pocket-id cd pocket-id # Checkout latest version git fetch --tags && git checkout $(git describe --tags `git rev-list --tags --max-count=1`) # Build the frontend cd frontend npm ci npm run build # Build the backend cd ../backend/cmd go build -o ../../pocket-id # Create the .env file cd ../../ cp .env.example .env ``` -------------------------------- ### Start Pocket ID Docker Containers Source: https://pocket-id.org/docs/setup/installation Executes the `docker compose up` command with the `-d` flag, which starts all services defined in the `docker-compose.yml` file in detached mode. This allows Pocket ID to run in the background without occupying the terminal. ```bash docker compose up -d ``` -------------------------------- ### Execute Pocket ID Application Binary Source: https://pocket-id.org/docs/setup/installation This command runs the compiled Pocket ID executable. After execution, the application will be accessible via a web browser at the specified URL, allowing for initial setup with an admin account. ```Bash ./pocket-id ``` -------------------------------- ### Run Pocket ID Stand-alone Application Source: https://pocket-id.org/docs/setup/installation Executes the Pocket ID binary directly from the current directory. This command starts the Pocket ID application in stand-alone mode, making it accessible via the configured URL. ```bash ./pocket-id ``` -------------------------------- ### Download Pocket ID Stand-alone Environment File Source: https://pocket-id.org/docs/setup/installation This command fetches the `.env.example` file from the Pocket ID GitHub repository and saves it as `.env` in the current directory. This file is used to configure environment variables for the stand-alone Pocket ID application. ```bash curl -o .env https://raw.githubusercontent.com/pocket-id/pocket-id/main/.env.example ``` -------------------------------- ### Download Docker Compose Files for Pocket ID Source: https://pocket-id.org/docs/setup/installation This command sequence downloads the essential `docker-compose.yml` and `.env.example` files directly from the Pocket ID GitHub repository. These files are crucial for orchestrating and configuring the Pocket ID services using Docker Compose. ```bash curl -O https://raw.githubusercontent.com/pocket-id/pocket-id/main/docker-compose.yml curl -o .env https://raw.githubusercontent.com/pocket-id/pocket-id/main/.env.example ``` -------------------------------- ### Access Admin UI Setup Page Source: https://pocket-id.org/docs/troubleshooting/common-issues This snippet provides the URL path to access the initial setup page for the Pocket ID admin user. Navigating to this URL allows you to configure the first passkey for administrative access after the initial setup. ```shell https://id.example.com/setup ``` -------------------------------- ### Start Stand-alone Pocket ID Application Source: https://pocket-id.org/docs/setup/upgrading This command starts the Pocket ID application after it has been upgraded or freshly installed in a stand-alone setup. It executes the 'pocket-id' binary located in the current directory. ```Shell ./pocket-id ``` -------------------------------- ### Download Pocket ID Stand-alone Binary Source: https://pocket-id.org/docs/setup/installation This command downloads the latest Pocket ID binary for a specific operating system and architecture (e.g., Linux AMD64) from the official GitHub releases page. The `-L` flag handles redirects, and `-o` specifies the output filename. ```bash curl -L -o pocket-id-linux-amd64 https://github.com/pocket-id/pocket-id/releases/latest/download/pocket-id-linux-amd64 ``` -------------------------------- ### Run Playwright End-to-End Tests Source: https://pocket-id.org/docs/helping-out/contributing This sequence of commands guides contributors through setting up and executing end-to-end tests using Playwright. It involves navigating to the test setup directory, starting the Docker-based test environment, returning to the main test folder, and finally running the tests. ```Shell cd tests/setup docker compose up -d --build cd .. npx playwright test ``` -------------------------------- ### Rename and Make Pocket ID Binary Executable Source: https://pocket-id.org/docs/setup/installation These commands first rename the downloaded Pocket ID binary to a simpler, generic name (`pocket-id`). Subsequently, `chmod +x` grants execute permissions to the binary, making it runnable on Unix-like systems. ```bash mv pocket-id-- pocket-id chmod +x pocket-id ``` -------------------------------- ### Install SQLite and Access Pocket ID Database Source: https://pocket-id.org/docs/client-examples/oCIS This snippet provides the necessary shell commands to install SQLite within the `pocket-id` Docker container and initiate a SQLite session to access its database. It also includes a general example of how to update OIDC client entries, demonstrating the syntax for setting new client IDs and bcrypt-hashed secrets. ```Shell cd path-to-pocket-id-compose-file docker compose exec pocket-id apk add sqlite docker compose exec pocket-id sqlite3 ``` ```Shell docker compose exec pocket-id sqlite3 /app/data/pocket-id.db "UPDATE oidc_clients SET id='owncloud-client-id', secret='owncloud-client-secret-bcrypt-hashed' WHERE id='current-client-id';" ``` -------------------------------- ### Install Frontend Dependencies Source: https://pocket-id.org/docs/helping-out/contributing This command installs all necessary Node.js packages and dependencies for the Pocket ID frontend, which is built using SvelteKit and TypeScript. It should be executed from the `frontend` directory after navigating into it. ```npm npm install ``` -------------------------------- ### Enable Pocket ID Service in NixOS Source: https://pocket-id.org/docs/setup/installation This configuration snippet enables the `pocket-id` service module within a NixOS `configuration.nix` file. It leverages the NixOS Unstable channel to make the service available. ```Nix services.pocket-id.enable = true; ``` -------------------------------- ### Sign up Initial Admin User API Endpoint Source: https://pocket-id.org/docs/api/endpoints/sign-up-initial-admin-user This API endpoint allows the initial administrator user to sign up and generates a setup access token. It is a crucial step for the initial setup of the Pocket ID system. ```APIDOC POST /api/signup/setup Description: Sign up and generate setup access token for initial admin user Responses: 200: OK ``` -------------------------------- ### Configure Outline OIDC Environment Variables Source: https://pocket-id.org/docs/client-examples/outline This snippet provides the environment variables required to configure Outline to use OpenID Connect (OIDC) with Pocket ID. These variables should be added to your Outline container's `docker.env` file, replacing the placeholder values with those obtained from your Pocket ID OIDC client setup. ```Shell OIDC_CLIENT_ID=Client ID OIDC_CLIENT_SECRET=Client Secret OIDC_AUTH_URI=Authorization URL OIDC_TOKEN_URI=Token URL OIDC_USERINFO_URI=Userinfo URL OIDC_LOGOUT_URI=Logout URL OIDC_DISPLAY_NAME=Pocket ID OIDC_USERNAME_CLAIM=preferred_username OIDC_SCOPES=openid profile email groups ``` -------------------------------- ### Start Pocket ID Frontend in Development Source: https://pocket-id.org/docs/helping-out/contributing This command starts the Pocket ID frontend development server with hot reloading enabled. In development mode, the frontend proxies requests to the backend, allowing for separate development processes and real-time updates. ```npm npm run dev ``` -------------------------------- ### Backup Existing Pocket ID Installation Source: https://pocket-id.org/docs/setup/migrate-to-v1 Before migrating to Pocket ID v1.0, it is crucial to create a backup of your current installation directory. This command recursively copies the entire directory, providing a safe fallback in case of migration issues. ```Bash cp -r /path/to/pocket-id /path/to/pocket-id-old ``` -------------------------------- ### Start Caddy server with specified configuration Source: https://pocket-id.org/docs/guides/proxy-services This command initiates the Caddy server, instructing it to load and apply the configuration defined in the 'Caddyfile'. This activates the proxy and authentication rules, making the protected service accessible through Caddy. ```Shell caddy run --config Caddyfile ``` -------------------------------- ### Start Docker Compose Services Source: https://pocket-id.org/docs/guides/proxy-services This shell command starts all services defined in the `docker-compose.yml` file in detached mode, allowing them to run in the background without blocking the terminal. ```bash docker compose up -d ``` -------------------------------- ### Start Pocket ID Backend in Development Source: https://pocket-id.org/docs/helping-out/contributing This command initiates the Pocket ID backend server, built with Go and Gin, in development mode. The `-tags exclude_frontend` flag ensures it runs independently without serving the frontend statically, which is useful for separate development processes. ```Go go run -tags exclude_frontend ./cmd ``` -------------------------------- ### Install caddy-security plugin for Caddy Source: https://pocket-id.org/docs/guides/proxy-services This command installs the caddy-security plugin, which extends Caddy's capabilities to include advanced authentication features, such as OIDC integration, necessary for protecting services with Pocket ID. ```Shell caddy add-package github.com/greenpau/caddy-security ``` -------------------------------- ### Complete Caddyfile Configuration for Pocket-ID and RDPGW Integration Source: https://pocket-id.org/docs/client-examples/rdpgw This Caddyfile snippet provides a comprehensive configuration for setting up Caddy as a reverse proxy with Pocket-ID and RDPGW. It includes the definition of a generic OIDC identity provider, user transformation rules for UI links, and specific routing configurations for `example.com` (authentication portal), `rd.example.com` (RDPGW proxy), and `pocketid.example.com` (Pocket-ID proxy). It requires `caddy-security` to be installed and configured. ```Caddyfile oauth identity provider generic { delay_start 3 realm generic driver generic client_id your-client-id-from-pocket-id-for-caddy-security client_secret your-client-secret-from-pocket-id-for-caddy-security scopes openid email profile base_auth_url https://pocketid.example.com metadata_url https://pocketid.example.com/.well-known/openid-configuration } transform user { match role user ui link "Pocket-ID" https://pocketid.example.com/ target_blank icon "las la-id-card" ui link "RDPGW Unraid-vm" https://rd.example.com/connect?host=unraid-vm.local%3A3389 target_blank icon "las la-desktop" ui link "RDPGW My-PC" https://rd.example.com/connect?host=192.168.100.14%3A3389 target_blank icon "las la-desktop" } example.com { handle / { redir / /auth } handle /login* { redir * /auth/login } handle /auth* { authenticate with myportal } respond * "Forbidden" 403 { close } } rd.example.com { route { @ws { header Connection *Upgrade* header Upgrade websocket } reverse_proxy http://rdpgw { # Allow non-standard HTTP methods used by RDPGW header_up X-HTTP-Method-Override {http.method} header_up X-Real-IP {remote_host} header_up X-Forwarded-For {remote_host} header_up X-Forwarded-Proto {scheme} header_up X-Forwarded-Host {host} transport http { versions 1.1 } } } } pocketid.example.com { route { reverse_proxy http://pocket-id { header_up X-Real-IP {remote_host} header_up X-Forwarded-For {remote_host} header_up X-Forwarded-Proto {scheme} header_up X-Forwarded-Host {host} } } route /caddy-security/* { authenticate with myportal } } ``` -------------------------------- ### Complete Docker Compose Stack for Healthchecks with Pocket ID Source: https://pocket-id.org/docs/client-examples/healthchecks A comprehensive `docker-compose.yml` example demonstrating the full integration of Healthchecks with Pocket ID via `oauth2-proxy`, including all necessary service definitions, environment variables, volumes, and port configurations. ```yaml --- services: healthchecks: image: healthchecks/healthchecks:latest environment: - ALLOWED_HOSTS=hc.example.com - DB=sqlite - DB_NAME=/data/hc.sqlite - SECRET_KEY=${SECRET_KEY} - SITE_ROOT=https://hc.example.com - PING_EMAIL_DOMAIN=hc.example.com - REGISTRATION_OPEN=False - SITE_NAME=Healthchecks - RP_ID=hc.example.com - REMOTE_USER_HEADER=HTTP_X_FORWARDED_EMAIL volumes: - ./data:/data restart: unless-stopped # ports: # - 8000:8000 oauth2-proxy: image: quay.io/oauth2-proxy/oauth2-proxy restart: unless-stopped command: --config /oauth2-proxy.cfg volumes: - ./oauth2-proxy.cfg:/oauth2-proxy.cfg ports: - 1234:4180 ``` -------------------------------- ### List All Application Configurations API Endpoint Source: https://pocket-id.org/docs/api/endpoints/list-all-application-configurations This API endpoint allows for the retrieval of all application configurations, including private settings. It is accessed via a GET request and returns a 200 OK status upon successful execution. ```APIDOC GET /application-configuration/all - Description: Get all application configurations including private ones - Responses: - 200 OK: Successful retrieval of all configurations ``` -------------------------------- ### Restart Outline Docker Container Source: https://pocket-id.org/docs/client-examples/outline These commands are used to stop and then restart the Outline Docker container. This action applies any changes made to its environment variables or configuration, ensuring the new OIDC settings take effect. ```Shell docker compose down docker compose up -d ``` -------------------------------- ### List Signup Tokens API Endpoint Source: https://pocket-id.org/docs/api/endpoints/list-signup-tokens Describes the HTTP GET endpoint for retrieving a paginated list of signup tokens. This API call returns a 200 OK response upon successful retrieval. ```APIDOC Method: GET Endpoint: /api/signup-tokens Description: Get a paginated list of signup tokens Responses: 200 OK ``` -------------------------------- ### Conventional Commits Example for Pull Requests Source: https://pocket-id.org/docs/helping-out/contributing This snippet demonstrates the required format for pull request commit messages, adhering to the Conventional Commits specification. It shows an example of a 'fix' type commit, which is a bug fix. ```text fix: hide global audit log switch for non admin users ``` -------------------------------- ### Comprehensive Audiobookshelf Advanced Permission Claim JSON Example Source: https://pocket-id.org/docs/client-examples/audiobookshelf This comprehensive JSON structure illustrates various access controls for the 'abspermissions' custom claim in Audiobookshelf. It details permissions for downloading, uploading, deleting, updating, accessing explicit content, and managing library and tag access, including the use of allow/deny lists and specific library/tag IDs. ```JSON { "canDownload": false, //Allows a user to download content "canUpload": false, //Allows a user to Upload content "canDelete": false, //Allows a user to delete content "canUpdate": false, "canAccessExplicitContent": false, //Allow access to explicit content "canAccessAllLibraries": false, //Allow access to all Libraries (only set to true if nothing is specified below) "canAccessAllTags": false, //Allow access to all tags (only set to true if nothing is specified below) "canCreateEReader": false, "tagsAreDenylist": false, //Invert the allowed tags list to a deny list "allowedLibraries": [ //Specify which libraries are allowed to be accessed via the library ID "5406ba8a-16e1-451d-96d7-4931b0a0d966", //You can get this ID via the Audiobookshelf api "918fd848-7c1d-4a02-818a-847435a879ca" //https://audiobookshelf.example.com/api/libraries ], "allowedTags": [ //Specify which tags are allowed (or denied) "Romance", "Fantasy", "ThirdTag" ] } ``` -------------------------------- ### Example OIDC Token Structure Source: https://pocket-id.org/docs/client-examples/Talos An example JSON payload representing the OIDC ID token returned after successful authentication, showing claims like audience, email, groups, and issuer. This structure confirms the token's validity and included scopes. ```json { "aud": "a60960a8-c856-43b7-add7-50d83bf7eeab", "email": "[email\u00a0protected]", "email_verified": true, "exp": 1749867571, "groups": [ "kubernetes" ], "iat": 1749863971, "iss": "", "nonce": "sLY0SUaiLxe9JDfUpNEsBDbhKceOB-T1zxxRYJPQbvk", "sub": "643c3fba-370a-4738-92a6-9ergec96cd99" } ``` -------------------------------- ### Pocket ID OIDC Client and FreeScout OAuth Integration Parameters Source: https://pocket-id.org/docs/client-examples/freescout Detailed specification of parameters required for configuring OpenID Connect (OIDC) within Pocket ID and integrating it with FreeScout's OAuth module. This includes parameters for both the Pocket ID client setup and FreeScout's OAuth settings. ```APIDOC Pocket ID OIDC Client Configuration: - Callback URL: https:///oauth-login/callback/* - Description: The URI where Pocket ID will redirect the user after authentication. Must be updated with FreeScout's generated Redirect URI. - Type: URL pattern - Client ID: - Description: Unique identifier for the client application (FreeScout) registered with Pocket ID. - Type: string - Client Secret: - Description: Secret key used by the client to authenticate with Pocket ID. - Type: string - OIDC Discovery URL: - Description: The URL for Pocket ID's OIDC discovery endpoint, providing metadata about the OIDC provider. - Type: URL FreeScout OAuth Configuration (Manage > Settings > OAuth): - Provider: Custom Oauth Provider - Description: Specifies the type of OAuth provider. - Type: enum (Custom Oauth Provider) - Name: Pocket ID - Description: A user-friendly name for the OAuth provider in FreeScout. - Type: string - Redirect URI: (Generated by FreeScout) - Description: The specific URI generated by FreeScout for OAuth callbacks. This value must be copied back to the Pocket ID Callback URL. - Type: URL - Logout URI: (Generated by FreeScout) - Description: The URI for handling user logout. - Type: URL - Client ID: (from Pocket ID) - Description: The Client ID obtained from Pocket ID. - Type: string - Client Secret: (from Pocket ID) - Description: The Client Secret obtained from Pocket ID. - Type: string - Authorization URL: (from Pocket ID) - Description: The authorization endpoint URL from Pocket ID's OIDC discovery. - Type: URL - Token URL: (from Pocket ID) - Description: The token endpoint URL from Pocket ID's OIDC discovery. - Type: URL - User Info URL: (from Pocket ID) - Description: The user info endpoint URL from Pocket ID's OIDC discovery. - Type: URL - User Info Method: POST - Description: The HTTP method used to retrieve user information. - Type: enum (POST) - Proxy URL, Field Mappings, Scopes: (Optional) - Description: Additional configuration fields, typically left blank unless specific environment needs. - Type: string (URL), object, array ``` -------------------------------- ### Apply Docker Compose Configuration Changes Source: https://pocket-id.org/docs/setup/migrate-to-v1 Use this command to apply the updated `docker-compose.yml` configuration. It starts or restarts the Pocket ID service in detached mode, ensuring the new settings take effect without blocking the terminal. ```Bash docker compose up -d ``` -------------------------------- ### Configure paperless-ngx Environment Variables for Pocket ID OAuth Source: https://pocket-id.org/docs/client-examples/paperless-ngx This snippet provides the essential environment variables required for the paperless-ngx web server container to enable OpenID Connect (OIDC) authentication with Pocket ID. It defines the `PAPERLESS_APPS` for `allauth.socialaccount.providers.openid_connect` and configures `PAPERLESS_SOCIALACCOUNT_PROVIDERS` with Pocket ID specific details, including scopes, PKCE enablement, client ID, secret, and server URL. ```Shell PAPERLESS_APPS=allauth.socialaccount.providers.openid_connect PAPERLESS_SOCIALACCOUNT_PROVIDERS='{"openid_connect":{"SCOPE":["openid","profile","email"],"OAUTH_PKCE_ENABLED":true,"APPS":[{"provider_id":"pocket-id","name":"Pocket-ID","client_id":"Place the Client ID","secret":"Place the Client Secret","settings":{"server_url":"https://pocketid.example.com"}}]}}' ``` -------------------------------- ### Configure Prometheus Metrics Exporter for Pocket ID Source: https://pocket-id.org/docs/configuration/environment-variables This snippet shows how to set the `OTEL_METRICS_EXPORTER` environment variable to enable Prometheus for metrics scraping in Pocket ID, which starts a dedicated HTTP server for the `/metrics` endpoint. ```Shell OTEL_METRICS_EXPORTER=prometheus ``` -------------------------------- ### Retrieve Public Application Configurations API Source: https://pocket-id.org/docs/api/endpoints/list-public-application-configurations This API endpoint allows retrieval of all public application configurations. It performs a GET request to the `/application-configuration` path and returns a 200 OK status upon successful retrieval. ```APIDOC GET /application-configuration Description: Get all public application configurations Responses: 200 OK ``` -------------------------------- ### Configure Minio and Pocket ID for OIDC Integration Source: https://pocket-id.org/docs/client-examples/minio This guide details the steps to set up OpenID Connect (OIDC) authentication between Pocket ID and Minio. It covers creating necessary groups and OIDC clients in Pocket ID, and configuring the OpenID settings within Minio, including client credentials, claim names, and scopes. ```APIDOC Pocket ID OIDC Client Configuration: Create Group: - Name: consoleAdmin - Description: Adding user to this group grants Minio administrator access. Create OIDC Client: - Name: Minio (or custom) - Callback URLs: - Type: URL - Value: https://minio-console.example.com/oauth_callback - Note: Adjust if MINIO_BROWSER_REDIRECT_URL is used. - Client ID: - Type: String - Description: Unique identifier for the client. - Client Secret: - Type: String - Description: Secret key for client authentication. Minio OpenID Configuration: Path: Administrator -> Identity -> OpenID -> Create Configuration Parameters: - Config URL: - Type: URL - Value: https://auth.example.com/.well-known/openid-configuration - Description: The OpenID Connect discovery endpoint for Pocket ID. - Client ID: - Type: String - Value: [Your Client ID from Pocket ID] - Description: The Client ID obtained from Pocket ID. - Client Secret: - Type: String - Value: [Your Client Secret from Pocket ID] - Description: The Client Secret obtained from Pocket ID. Note: Must be re-entered on edit. - Claim Name: - Type: String - Value: groups - Description: The OIDC claim that contains user group information. - Display Name: - Type: String - Value: Pocket ID (or custom) - Description: Display name for the OpenID provider in Minio. - Scopes: - Type: String (comma-separated) - Value: openid,profile,email,groups - Description: OIDC scopes requested for user information. - Redirect URI: - Type: URL - Value: https://minio-console.example.com/oauth_callback - Description: The URI where Minio redirects after successful authentication. Note: Adjust if MINIO_BROWSER_REDIRECT_URL is used. Notes: - Client Secret Management: Regenerate new secret on Pocket ID if frequent edits are needed in Minio. - Redirect URL Adjustment: If MINIO_BROWSER_REDIRECT_URL is set (e.g., to https://minio.example.com/minio-console/), then Callback URLs in Pocket ID and Redirect URI in Minio should be https://minio.example.com/minio-console/oauth_callback. ``` -------------------------------- ### PostgreSQL Database Connection String Format Source: https://pocket-id.org/docs/configuration/environment-variables This snippet provides the standard DSN (Data Source Name) format for connecting Pocket ID to a PostgreSQL database, along with a concrete example. It illustrates the components required, such as user, password, host, port, database name, and optional query parameters. ```APIDOC Format: postgresql://[user[:password]@][netloc][:port][/dbname][?param1=value1&...] Example: postgres://pocketid:123456@localhost:5432/pocketid ``` -------------------------------- ### FreshRSS Docker Compose Configuration with OIDC Source: https://pocket-id.org/docs/client-examples/freshrss This `docker-compose.yml` example configures FreshRSS with OpenID Connect (OIDC) enabled, linking it to a Pocket ID instance. It sets up environment variables for OIDC client ID, secret, provider metadata URL, scopes, and user claim mapping, along with volume mounts and network settings. Ensure Pocket ID usernames match FreshRSS usernames exactly, including case. ```yaml services: freshrss: image: freshrss/freshrss:1.25.0 container_name: freshrss ports: - 8080:80 volumes: - /freshrss_data:/var/www/FreshRSS/data - /freshrss_extensions:/var/www/FreshRSS/extensions environment: CRON_MIN: 1,31 TZ: Etc/UTC OIDC_ENABLED: 1 OIDC_CLIENT_ID: OIDC_CLIENT_SECRET: OIDC_PROVIDER_METADATA_URL: https://id.example.com/.well-known/openid-configuration OIDC_SCOPES: openid email profile OIDC_X_FORWARDED_HEADERS: X-Forwarded-Proto X-Forwarded-Host OIDC_REMOTE_USER_CLAIM: preferred_username restart: unless-stopped networks: - freshrss networks: freshrss: name: freshrss ``` -------------------------------- ### Remove Old Pocket ID Stand-alone Binary Source: https://pocket-id.org/docs/setup/upgrading Before installing a new version of Pocket ID in a stand-alone setup, it is recommended to remove the existing executable. This command deletes the old 'pocket-id' binary from the current directory. ```Shell rm pocket-id ``` -------------------------------- ### Download Pocket ID v1.0 Prebuilt Binary Source: https://pocket-id.org/docs/setup/migrate-to-v1 This command demonstrates how to download the latest prebuilt Pocket ID v1.0 binary directly from the GitHub releases page using `curl`. Ensure you replace the placeholder with the correct operating system and architecture for your environment. ```Bash curl -L -o pocket-id-linux-amd64 https://github.com/pocket-id/pocket-id/releases/latest/download/pocket-id-linux-amd64 ``` -------------------------------- ### Configure Actual OpenID using config.json Source: https://pocket-id.org/docs/client-examples/actual This JSON snippet demonstrates how to configure Actual Budget's OpenID settings within a `config.json` file. It specifies the discovery URL, client ID, client secret, the Actual server's hostname for redirects, and the authentication method. ```json "openId": { "discoveryURL": "URL for the OpenID Provider", "client_id": "client_id given by the provider", "client_secret": "client_secret given by the provider", "server_hostname": "your Actual Server URL (so the provider redirects you to this)", "authMethod": "openid" // or "oauth2" } ``` -------------------------------- ### Configure Actual OpenID using .env file Source: https://pocket-id.org/docs/client-examples/actual This snippet shows how to configure Actual Budget's OpenID settings using environment variables in a `.env` file. It includes the discovery URL, client ID, and client secret required for the OpenID Connect flow. ```plaintext ACTUAL_OPENID_DISCOVERY_URL=https:// ACTUAL_OPENID_CLIENT_ID=xxxxx-xxxxx-xxxxx ACTUAL_OPENID_CLIENT_SECRET=xxxxx-xxxxx-xxxxx ``` -------------------------------- ### Retrieve Application Favicon via API Source: https://pocket-id.org/docs/api/endpoints/get-favicon This API endpoint allows retrieval of the application's favicon image. A successful GET request to this endpoint will return the favicon image directly. ```APIDOC GET /api/application-configuration/favicon Description: Get the favicon for the application Responses: 200 OK: Returns the favicon image. ``` -------------------------------- ### Retrieve User by ID API Endpoint Source: https://pocket-id.org/docs/api/endpoints/get-user-by-id Documents the API endpoint for retrieving detailed information about a specific user by their unique identifier. This is a standard GET request that returns the user's profile data. ```APIDOC GET /api/users/:id - Description: Retrieve detailed information about a specific user. - Method: GET - Path Parameters: - id: (string) The unique identifier of the user to retrieve. - Responses: - 200 OK: Returns the detailed user object. ``` -------------------------------- ### Configure Proxmox Backup Server OpenID Connect Realm and Permissions Source: https://pocket-id.org/docs/client-examples/proxmox-backup This APIDOC entry outlines the complete process for setting up an OpenID Connect realm in Proxmox Backup Server (PBS) to authenticate users via Pocket ID. It includes initial realm creation, specifying OpenID parameters like issuer URL and client credentials, enabling automatic user provisioning, and subsequently assigning administrative permissions to the newly created Pocket ID users within PBS. ```APIDOC Proxmox Backup Server OpenID Connect Setup: 1. Add OpenID Connect Server Realm: - Navigation: Configuration -> Access Control -> Realms -> Add -> OpenID Connect Server - Parameters: - Issuer URL: https://id.example.com (Pocket ID's OpenID Connect issuer URL) - Realm Name: PocketID (User-defined name for the realm) - Client ID: [Your Pocket ID Client ID] - Client Key: [Your Pocket ID Client Secret] - Default: [Optional, check if this should be the default login realm] - Autocreate Users: Checked (Enables automatic user creation in PBS upon first login) - Username Claim: username (Controls how the username is displayed, e.g., 'username@PocketID') - Action: Click 'OK' to save the new realm. - Post-setup Note: Sign in with a Pocket ID account immediately after creation to ensure the user is provisioned in PBS. 2. Configure User Permissions for Pocket ID Realm: - Prerequisite: A user from Pocket ID must have logged in at least once to be created in PBS. - Navigation: Edit the 'PocketID' realm created in step 1. - Parameters: - Scope: openid profile email groups (Essential for synchronizing user profile and group information from Pocket ID) - Navigation: Configuration -> Access Control -> Permissions -> Add -> User Permission - Parameters: - Path: / (To grant permissions across the entire datacenter) or specify a more granular path (e.g., /vm/101) - User: YourUsername@PocketID (Select the specific user created via Pocket ID login) - Role: Administrator (Assign the desired role, e.g., Administrator, Auditor, etc.) - Action: Save the permission entry. ``` -------------------------------- ### Get OIDC User Information Endpoint Source: https://pocket-id.org/docs/api/endpoints/get-user-information Documents the API endpoint used to retrieve user claims. This endpoint requires an access token and returns user-specific information based on the scopes granted during authorization. ```APIDOC GET /api/oidc/userinfo Description: Get user information based on the access token. Responses: 200: User claims based on requested scopes. ``` -------------------------------- ### Retrieve Application Logo Image API Source: https://pocket-id.org/docs/api/endpoints/get-logo-image This API endpoint allows clients to retrieve the current logo image configured for the application. It uses a standard GET request and returns the image data upon successful execution. ```APIDOC GET /api/application-configuration/logo Get the logo image for the application Responses: * 200: Logo image ``` -------------------------------- ### Configure OIDC Login for Kubernetes Source: https://pocket-id.org/docs/client-examples/Talos This command initializes the `kubelogin` tool, setting up the OIDC issuer URL, client ID, client secret, and required scopes for Kubernetes authentication. It generates a configuration and validates the token. ```bash kubectl oidc-login setup \ --oidc-issuer-url= \ --oidc-client-id= \ --oidc-client-secret= \ --oidc-extra-scope=groups,email,name,sub,email_verified ``` -------------------------------- ### Retrieve Current User Information API Source: https://pocket-id.org/docs/api/endpoints/get-current-user This API endpoint allows retrieval of information about the currently authenticated user. It is a simple GET request with no additional parameters and returns a 200 OK response upon success. ```APIDOC GET /api/users/me Description: Retrieve information about the currently authenticated user. Responses: 200 OK: Successfully retrieved user information. ``` -------------------------------- ### Create New User Account API Source: https://pocket-id.org/docs/api/endpoints/sign-up This API endpoint facilitates the creation of new user accounts. It expects a request body containing user details (e.g., credentials) and returns a 201 Created status upon successful account registration. ```APIDOC POST /api/signup Description: Create a new user account. Request: (Details for request body are implied, typically user credentials such as username, password, and email. Refer to full API documentation for specific schema.) Responses: 201 Created: Successfully created a new user account. ``` -------------------------------- ### Retrieve OIDC Client Metadata Source: https://pocket-id.org/docs/api/endpoints/get-client-metadata Documents the HTTP GET endpoint for fetching OIDC client metadata. This endpoint allows applications to discover and configure OIDC clients by retrieving their associated metadata. The `:id` in the path represents the unique identifier of the OIDC client. ```APIDOC GET /api/oidc/clients/:id/meta Description: Get OIDC client metadata for discovery and configuration. Path Parameters: :id (string, required): The unique identifier of the OIDC client. Responses: 200 OK: Description: Client metadata successfully retrieved. Content: (Implicitly, the client metadata object) ``` -------------------------------- ### Get OIDC Client Logo API Endpoint Source: https://pocket-id.org/docs/api/endpoints/get-client-logo Documents the API endpoint for retrieving the logo image associated with a specific OIDC client. The client is identified by its unique ID provided as a path parameter. A successful request returns the logo image. ```APIDOC GET /api/oidc/clients/:id/logo Description: Get the logo image for an OIDC client Parameters: :id (path): The unique identifier of the OIDC client. Responses: 200: Logo image ``` -------------------------------- ### Retrieve Custom Claim Suggestions API Endpoint Source: https://pocket-id.org/docs/api/endpoints/get-custom-claim-suggestions Documents the API endpoint used to fetch a list of suggested custom claim names. This endpoint uses the GET HTTP method and returns a list of strings representing the suggestions upon a successful 200 response. ```APIDOC GET /api/custom-claims/suggestions Description: Get a list of suggested custom claim names Responses: 200: List of suggested custom claim names ``` -------------------------------- ### Retrieve Application Background Image API Source: https://pocket-id.org/docs/api/endpoints/get-background-image This API endpoint allows clients to retrieve the current background image configured for the application. A successful request will return the image data directly. ```APIDOC GET /api/application-configuration/background-image Responses: 200: Background image ``` -------------------------------- ### Configure Linkding OIDC Environment Variables Source: https://pocket-id.org/docs/client-examples/linkding Add these environment variables to your Linkding `.env` file to enable OIDC authentication and connect to Pocket ID. Ensure you replace the placeholder values for `OIDC_RP_CLIENT_ID` and `OIDC_RP_CLIENT_SECRET` with your actual credentials from Pocket ID, and adjust endpoint URLs if your Pocket ID instance is not at `pocketid.example.com`. ```Shell # Enable OIDC in Linkding LD_ENABLE_OIDC=True # Client credentials from Pocket ID OIDC_RP_CLIENT_ID= OIDC_RP_CLIENT_SECRET= # OIDC endpoints OIDC_OP_AUTHORIZATION_ENDPOINT=https://pocketid.example.com/authorize OIDC_OP_TOKEN_ENDPOINT=https://pocketid.example.com/api/oidc/token OIDC_OP_USER_ENDPOINT=https://pocketid.example.com/api/oidc/userinfo OIDC_OP_JWKS_ENDPOINT=https://pocketid.example.com/.well-known/jwks.json # Use PKCE if required (adjust based on your setup, True by default) OIDC_USE_PKCE=False # Verify SSL certificate (set to False if using self-signed certificates) OIDC_VERIFY_SSL=True # Optional: Customize the username claim (defaults to email if not set) # OIDC_USERNAME_CLAIM=preferred_username ``` -------------------------------- ### Create Signup Token API Endpoint Source: https://pocket-id.org/docs/api/endpoints/create-signup-token Documents the API endpoint for creating new signup tokens. This endpoint allows for the generation of tokens that enable user registration. ```APIDOC POST /api/signup-tokens Description: Create a new signup token that allows user registration. Responses: - 201 Created: Indicates the signup token was successfully created. ``` -------------------------------- ### Retrieve User Profile Picture API Source: https://pocket-id.org/docs/api/endpoints/get-user-profile-picture Documents the API endpoint for retrieving a user's profile picture. This endpoint allows fetching the profile image associated with a specific user ID. ```APIDOC GET /api/users/:id/profile-picture.png - Description: Retrieve a specific user's profile picture. - Parameters: - :id: The unique identifier of the user. - Responses: - 200: Returns the user's profile picture as a PNG image. ``` -------------------------------- ### Retrieve User Group by ID API Endpoint Source: https://pocket-id.org/docs/api/endpoints/get-user-group-by-id Documents the API endpoint for retrieving detailed information about a specific user group, including its associated users, by providing its unique ID. This is a read-only operation. ```APIDOC GET /api/user-groups/:id Description: Retrieve detailed information about a specific user group including its users. Path Parameters: :id (string): The unique identifier of the user group. Responses: 200 OK: Successful retrieval of the user group details. ``` -------------------------------- ### Configure Open WebUI Environment Variables for Pocket ID OIDC Source: https://pocket-id.org/docs/client-examples/open-webui This code snippet provides the essential environment variables to be added to Open WebUI's Docker .env file. These variables enable OIDC authentication, linking Open WebUI to your Pocket ID instance by specifying the client ID, client secret, provider name, and the OpenID configuration URL. ```Shell ENABLE_OAUTH_SIGNUP=true OAUTH_CLIENT_ID= OAUTH_CLIENT_SECRET= OAUTH_PROVIDER_NAME=Pocket ID OPENID_PROVIDER_URL=https:///.well-known/openid-configuration ``` -------------------------------- ### Retrieve All Audit Logs API Endpoint Source: https://pocket-id.org/docs/api/endpoints/list-all-audit-logs This API endpoint allows administrators to retrieve a paginated list of all audit logs. It uses the GET HTTP method and returns a 200 OK status upon successful retrieval. ```APIDOC GET /api/audit-logs/all Description: Get a paginated list of all audit logs (admin only) Responses: 200 OK ``` -------------------------------- ### Rename and Make Pocket ID Binary Executable Source: https://pocket-id.org/docs/setup/migrate-to-v1 After downloading the Pocket ID binary, these commands rename it to a more convenient `pocket-id` and grant execute permissions. This step is essential for running the binary directly from your terminal. ```Bash mv pocket-id-- pocket-id chmod +x pocket-id ``` -------------------------------- ### Configure APP_URL for Passkey Addition Source: https://pocket-id.org/docs/troubleshooting/common-issues This snippet demonstrates the correct way to set the `APP_URL` environment variable. Ensuring this variable points to the public URL of your Pocket ID instance is essential for successfully adding passkeys. ```shell APP_URL=https://id.example.com ``` -------------------------------- ### Retrieve OIDC Client Details API Endpoint Source: https://pocket-id.org/docs/api/endpoints/get-oidc-client This API endpoint allows retrieving detailed information about a specific OIDC client using its unique identifier. It returns the client's configuration and metadata upon successful request. ```APIDOC GET /api/oidc/clients/:id - Description: Get detailed information about an OIDC client - Parameters: - :id (path): The unique identifier of the OIDC client. - Responses: - 200 OK: Client information ``` -------------------------------- ### Download Latest Pocket ID Stand-alone Binary Source: https://pocket-id.org/docs/setup/upgrading This command demonstrates how to download the latest Pocket ID binary for a specific operating system and architecture (e.g., Linux AMD64) directly from the GitHub releases page using 'curl'. The '-L' flag follows redirects, and '-o' specifies the output filename. ```Shell curl -L -o pocket-id-linux-amd64 https://github.com/pocket-id/pocket-id/releases/latest/download/pocket-id-linux-amd64 ``` -------------------------------- ### Copy Data Directory for Pocket ID v1.0 Migration Source: https://pocket-id.org/docs/setup/migrate-to-v1 If default data paths were used in previous Pocket ID versions, the `data` directory needs to be moved to the new binary's location. This command copies the existing data, preserving user data and configurations during the migration. ```Bash cp -r /path/to/pocket-id-old/data /path/to/pocket-id/data ``` -------------------------------- ### Rename and Make Pocket ID Binary Executable Source: https://pocket-id.org/docs/setup/upgrading After downloading the new Pocket ID binary, this snippet renames it to a generic 'pocket-id' for easier execution and then grants it executable permissions using 'chmod +x'. This prepares the binary to be run as a program. ```Shell mv pocket-id-- pocket-id chmod +x pocket-id ``` -------------------------------- ### Configure rallly OIDC Environment Variables for Docker Source: https://pocket-id.org/docs/client-examples/rallly This snippet provides the essential environment variables required to configure rallly for OIDC authentication with Pocket ID. These variables, including the OIDC discovery URL, client ID, client secret, and issuer URL, should be placed in a `config.env` file within your rallly project directory for Docker deployments. ```shell other environment variables... OIDC_DISCOVERY_URL=https://pocketid.example.com/.well-known/openid-configuration OIDC_CLIENT_ID=your-client-id-here OIDC_CLIENT_SECRET=your-client-secret-here OIDC_ISSUER_URL=https://pocketid.example.com ``` -------------------------------- ### Upgrade Pocket ID using Docker Compose Source: https://pocket-id.org/docs/setup/upgrading This snippet shows how to update a Pocket ID installation managed with Docker Compose. It pulls the latest image for all services defined in the compose file and then restarts them in detached mode, ensuring the application runs the updated version. ```Shell docker compose pull docker compose up -d ``` -------------------------------- ### Authorize OIDC Client via API Source: https://pocket-id.org/docs/api/endpoints/authorize-oidc-client Documents the API endpoint used to start the OIDC authorization process for a client. Upon successful authorization, the API returns an authorization code and a callback URL, enabling the client to proceed with token exchange. ```APIDOC Method: POST Endpoint: /api/oidc/authorize Description: Start the OIDC authorization process for a client Responses: 200: Authorization code and callback URL ``` -------------------------------- ### Retrieve OpenID Connect Discovery Configuration Source: https://pocket-id.org/docs/api/endpoints/get-open-id-connect-discovery-configuration Documents the API endpoint for retrieving the OpenID Connect discovery document. This document is crucial for OIDC clients to dynamically discover the identity provider's public endpoints and capabilities, such as authorization, token, and JWKS endpoints. ```APIDOC GET /.well-known/openid-configuration Returns the OpenID Connect discovery document with endpoints and capabilities. Responses: 200 OK: OpenID Connect configuration document ```