[How To] Pocket ID integration (SSO oidc) - web + desktop + mobile (ios and android)

[C8opmBM]

Ok, so I got it going with pocketID.

Docker compose:

  opencloud:
    image: opencloudeu/opencloud-rolling:latest
    container_name: opencloud
    profiles:
      - apps
    networks:
      - apps
    entrypoint:
      - /bin/sh
    command: ['-c', 'opencloud init || true; opencloud server']
    environment:
      OC_URL: https://open.cloud.domain
      OC_LOG_LEVEL: warn
      OC_LOG_COLOR: true
      OC_LOG_PRETTY: true
      OC_LOG_TIMEZONE: ${TZ}
      OC_EXCLUDE_RUN_SERVICES: idp
      GATEWAY_GRPC_ADDR: 0.0.0.0:9142 ##
      OC_INSECURE: false
      PROXY_ENABLE_BASIC_AUTH: false
      IDM_CREATE_DEMO_USERS: false
      # denial shares
      FRONTEND_OCS_ENABLE_DENIALS: false ##
      # make the registry available to the app provider containers
      MICRO_REGISTRY_ADDRESS: 127.0.0.1:9233
      # make the registry available to the app provider containers
      NATS_NATS_HOST: 0.0.0.0
      NATS_NATS_PORT: 9233
      # CSP configs
      PROXY_CSP_CONFIG_FILE_LOCATION: /etc/opencloud/csp.yaml
      OC_GRPC_MAX_RECEIVED_MESSAGE_SIZE: 102400000
      # Allow public shares default without password
      OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD: false
      OC_PASSWORD_POLICY_MIN_CHARACTERS: '5'
      OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS: '0'
      OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS: '0'
      OC_PASSWORD_POLICY_MIN_DIGITS: '0'
      OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS: '0'
      # Email
      OC_ADD_RUN_SERVICES: 'notifications'
      NOTIFICATIONS_SMTP_HOST: ${NOTIFICATIONS_SMTP_HOST}
      NOTIFICATIONS_SMTP_PORT: ${NOTIFICATIONS_SMTP_PORT} 
      NOTIFICATIONS_SMTP_SENDER: ${NOTIFICATIONS_SMTP_SENDER} 
      NOTIFICATIONS_SMTP_USERNAME: ${NOTIFICATIONS_SMTP_USERNAME}
      NOTIFICATIONS_SMTP_PASSWORD: ${NOTIFICATIONS_SMTP_PASSWORD}
      NOTIFICATIONS_SMTP_INSECURE: "false"
      NOTIFICATIONS_SMTP_AUTHENTICATION: login
      NOTIFICATIONS_SMTP_ENCRYPTION: starttls
      NOTIFICATIONS_EMAIL_TEMPLATE_PATH: ${OC_NOTIFICATIONS_EMAIL_TEMPLATE_PATH}
      # OIDC
      OC_OIDC_ISSUER: https://id.pocket.auth
      ## Proxy
      PROXY_OIDC_REWRITE_WELLKNOWN: true
      PROXY_USER_OIDC_CLAIM: preferred_username
      PROXY_USER_CS3_CLAIM: username
      PROXY_AUTOPROVISION_ACCOUNTS: true
      PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: none
      PROXY_ROLE_ASSIGNMENT_DRIVER: oidc
      PROXY_TLS: false 
      GRAPH_ASSIGN_DEFAULT_USER_ROLE: false
      WEB_OIDC_CLIENT_ID: 6544440d-2a0b-492b-ba98-xxxxxxx  #Pocket ID autogenerated ID
      WEB_OIDC_METADATA_URL: https://id.pocket.auth/.well-known/openid-configuration
    volumes:
      - ${CONFIGDIR}/opencloud/config:/etc/opencloud
      - ${CONFIGDIR}/opencloud/config/csp.yaml:/etc/opencloud/csp.yaml
      - ${STUFF}/opencloud:/var/lib/opencloud
    restart: unless-stopped

networks:
  apps:
    driver: bridge
    enable_ipv6: false
    ipam:
      driver: default
      config:
        - subnet: 172.20.230.0/24
          gateway: 172.20.230.1

Then csp.yaml file in config>csp.yaml modify rows 7 and 8 with your pocketID

directives:
  child-src:
    - '''self'''
  connect-src:
    - '''self'''
    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
    - 'https://id.pocket.auth/'
    - 'wss://id.pocket.auth/'
  default-src:
    - '''none'''
  font-src:
    - '''self'''
  frame-ancestors:
    - '''self'''
  frame-src:
    - '''self'''
    - 'https://embed.diagrams.net/'
    # In contrary to bash and docker the default is given after the | character
    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
  img-src:
    - '''self'''
    - 'data:'
    - 'blob:'
    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
    # In contrary to bash and docker the default is given after the | character
    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
  manifest-src:
    - '''self'''
  media-src:
    - '''self'''
  object-src:
    - '''self'''
    - 'blob:'
  script-src:
    - '''self'''
    - '''unsafe-inline'''
  style-src:
    - '''self'''
    - '''unsafe-inline'''

Then add in pocket ID the following groups and roles as needed:

Everything should work now.
If you need tika search and collabora, you can add them later.

[michaelalbertshofer]

Actually you can manually modify the client id in pocket-id as pointed out by the developer of pocket-id here

[C8opmBM]

Thanks for the link, I did manage to change client ids, but unfortunately we still cannot make other clients work.
See this issue

[C8opmBM]

Update - desktop app also can be configured with pocketID.
We need to update the clientID inside pocketid database and use the given client ID names shown in the documentation

A bit that was missing but was filled in by @savely-krasovsky is that the redirect uri for desktop app need to end with :*
So, below some screens:

Some more details here

Update 2 - android also released and working from Google Play

[janreinhardt]

Sadly, this is not working for me. Ive configured OpenCloud and PocketID the way it is described above, and I have double-checked every setting. But it's not working, i.e. OpenCloud doesn't start up anymore. I don't even get to the login page, and Im also not getting any error logging 😖
Which means, there is no container log and no console output from OpenCloud at all.

[janreinhardt]

No way, suddenly there is log data!?
Im getting 3 errors:

level=error
service=proxy
error=failed to verify access token: token has invalid claims: token is expired
authenticator=oidc
path=/ocs/v1.php/cloud/capabilities
user_agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.0.1 Safari/605.1.15
client.address=100.117.18.53
network.peer.address=
network.peer.port=
time=2025-10-18T03:58:07Z
message=failed to authenticate the request

and

path=/api/v0/settings/roles-list

and

path=/graph/v1.0/me

Where do I need to look now? At my Pocket ID settings? Or anywhere at OpenCloud?

[janreinhardt]

ok solved it myself! 🏆
proxy_tls=true
was the key!

[kylepyke]

We need to update the clientID inside pocketid database and use the given client ID names shown in the documentation

The 'documentation' link is broken. Is this the new page? Does that mean the client ID is just OpenCloudDesktop? That's the value we need to change the pocketid client ID to?

[savely-krasovsky]

Does that mean the client ID is just OpenCloudDesktop? That's the value we need to change the pocketid client ID to?

Yes.

[FrankelJb]

Does this work for mobile?

[savely-krasovsky]

Yes, I have working iOS app.

[C8opmBM]

Also android (from GooglePlay) works.

[savely-krasovsky]

Oh, I missed Android release! It also works, just checked, yeah.

[maxiride]

I tried to follow the official guide with the additional information provided here and in the official external idp compose, while I think I am close I still can't get authenticated. Maybe @C8opmBM you can help me catch what's misaligned?

I am getting a Access Denied message. An admin account with my email was already present in OpenCloid, it was created after the initial setup through the default admin account. In Pocket-ID my user has the same email, so I expected it to be matched with the existing Opencloud user.

In the browser console I can see two requests with errors:

I am using email both for PROXY_USER_OIDC_CLAIM and PROXY_USER_CS3_CLAIM since I want to identify users by email and both claims should be available from Pocket-ID and into Opencloud.

docker-compose.yaml
env
csp.yaml
browser console with requests in error

Pocket-ID

[C8opmBM]

I glanced over, but cannot find anything to help you out.
My setup is still working, all the details are in this thread.

[micbar]

You have serious CSP issues. CSP issues are always a show stopper. Seems that your IdP has media elements on its login page.

Please add a line here to allow that: https://github.com/opencloud-eu/opencloud-compose/blob/main/config/opencloud/csp.yaml#L34

[themadcodger]

Following this, I was able to get the web version to work (albeit with a generated id, not using web). After that I added desktop, android, and ios as separate entries using the client ids and redirect urls found in the documentation. Unfortunately, I'm getting an invalid callback when I try to sign in on the desktop version (Linux). I noticed the part about adding :* to the callback url, but pocketid is telling me that's invalid.

I removed the callback urls in PocketId, and it let me log in with a specific port number shown. However, it gave me the message of: You logged-in with user [my username], but must login with user . Please return to the OpenCloud Desktop and restart the authentication. It looks like it was expecting a username after the second user at the end of the sentence? Though who is that, and how do I log in as that while still seeing my files and not whatever user it was expecting?

Similarly, in Android, I'm able to log in I think, but it immediately tells me my token has expired and to sign back in. I'm guessing this is a similar problem? Has anything changed since this was first published in June?

[themadcodger]

Curious. I wonder why PocketID won't let me save when I try. It's fine with adding a : to the URL, but adding the * after it says it's not valid.

And are you both logging in as the same user you do on the web? It's not looking for something different?

[savely-krasovsky]

Same problem, it seems they add some validation but our values kept as is since we have added them a long before. I can only suggest editing database manually by hand, but I have to add that allowing * like this actually is a vulnerability, since this can allow things like this: http://localhost:password@malicious-site.com/authorization_code_stealer_handler. And technically Pocket-ID can accept that. So some malicious agent can craft special URL for your own Pocket-ID server, send you a link, ask you to login in your own Pocket-ID server but Pocket-ID will redirect and send authorization_code to this malicious server. After that they will exchange authorization code with tokens and access your OpenCloud. Pretty risky? I would say yes.

[themadcodger]

Yeah, that doesn't sound like a great idea. PocketID warns against it as well.

Removing the callback URL worked as in it it filled in the port on 127 that it used, but I don't know if it'll always be that same port.

Still haven't figured out why it didn't like me signing in as myself yet.

[savely-krasovsky]

It would probably make sense for Pocket-ID to add special case as Keycloak did: https://datatracker.ietf.org/doc/html/rfc8252#section-7.3

Basically RFC 8252 suggest to accept any port in that special case.

[savely-krasovsky]

I've prepared a pull request, hopefully it will end up merged.
pocket-id/pocket-id#1012

[GjMan78]

There's one thing I don't understand.
How do I change the client ID to "OpenCloudAndroid" in PocketID?

EDIT : Solved! Sorry!

[willyp713]

With recent Pocket-ID changes this seems to be failing now for the Desktop app. My web/mobile are still fine. I think it might be related to the wildcard (*) changes that have happened in Pocket-ID v2.0. Anyone been able to figure out how to make it work?

[willyp713]

With recent Pocket-ID changes this seems to be failing now for the Desktop app. My web/mobile are still fine. I think it might be related to the wildcard (*) changes that have happened in Pocket-ID v2.0. Anyone been able to figure out how to make it work?

Never mind! resolved in Pocket-ID v2.0.2.

[savely-krasovsky]

You shouldn't use port anymore. There is a special case now, you can just leave http://127.0.0.1 and it will allow redirect to any port.

[themadcodger]

I was hoping the new update to PocketID would make everything better, but I'm still having issues with Desktop. I'm using the opencloud-compose docker file with the default traefik reverse proxy. I'm able to use pocketid to log into the web and to android, but can't get it to work for desktop.

When I try, it asks me to log in with my web browser (or copy the link manually) but doing so, the web browser returns a 403 Forbidden error making me think there's a disconnect between the reverse proxy and trying to redirect to http://127.0.0.1. If I edit the link it provides and change the redirect to https://127.0.0.1 it at least goes to PocketID, attempts to log in, and then complain that it's an invalid redirect url.

Any ideas?

[savely-krasovsky]

Set http://127.0.0.1, not https://127.0.0.1 in client settings.

[themadcodger]

I did. I originally set the callback in pocketid to http://127.0.0.1 and that's when it threw up the 403. It wasn't until I changed the provided URL from desktop to https that it at least allowed pocketid to try and login but fail. The logs are complaining about sending an http request to a https server, so somewhere it's not happy about the http bit.

…

On Sun, 11 Jan 2026, at 14:53, Savely Krasovsky wrote: Set `http://127.0.0.1`, not `https://127.0.0.1`. — Reply to this email directly, view it on GitHub <#1018 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AB4FERELDBCGEGUW7TM7MQL4GLH7BAVCNFSM6AAAAAB6ZUMXLWVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTKNBXGA4DKMA>. You are receiving this because you commented.Message ID: ***@***.***>

[savely-krasovsky]

This is my Pocket-ID configuration.

And here is my OpenCloud: https://github.com/savely-krasovsky/homelab/blob/master/configs/containers/systemd/opencloud/opencloud-server.container.tftpl