pocket-id

Secrets & Credentials

A simple OIDC provider that authenticates users solely with passkeys, eliminating passwords.

Track releases GitHub Website

Go Latest v2.8.0 · 3d ago Security brief →

Features

Provides OIDC authentication using only passkeys (no passwords)
Supports physical security keys like YubiKey for secure sign‑in
Designed as a lightweight alternative to complex self‑hosted OIDC solutions

Recent releases

View all 13 releases →

Review required

v2.8.0 Breaking risk 3d

Auth Dependencies

Refresh token deletion

Open

v2.7.0 Bug fix 23d

Notable features

Added response_mode=form_post support
Added "select_account" prompt support

Full changelog

Bug Fixes

add _FILE support for S3_SECRET_ACCESS_KEY_FILE env var (#1452 by @ItalyPaleAle)
invalidate cache when changing image (#1462 by @GameTec-live)
fall back to Basic auth when PKCE puts client_id in body (#1466 by @mgabor3141)

Documentation

add missing /api prefix to app config swagger routes (#1454 by @aclerici38)

Features

add support for response_mode=form_post (#1360 by @Johnwulp)
add support for "select_account" prompt (#1453 by @ItalyPaleAle)

Other

add script to update deps (f9f93f0 by @stonith404)
upgrade dependencies (20df033 by @stonith404)
post dependency upgrade fixes (e33a9b8 by @stonith404)
migrate github actions runners to depot runners (#1329 by @kmendell)
fix caching of ldap-cli e2e tests docker build (#1457 by @kmendell)
fix incorrect container name variable (5c7e5f6 by @kmendell)

Full Changelog: https://github.com/pocket-id/pocket-id/compare/v2.6.2...v2.7.0

View release on GitHub

v2.6.2 Bug fix 1mo

Minor fixes and improvements.

Full changelog

Bug Fixes

return correct byte count in HEAD request writer (#1443 by @ahampal)
improve keyboard navigation and screen-reader labels (#1445 by @bjoernch)

Other

upgrade to vite 8.0 and pnpm 10.33.0 (#1446 by @kmendell)

Full Changelog: https://github.com/pocket-id/pocket-id/compare/v2.6.1...v2.6.2

View release on GitHub

v2.6.1 Mixed 1mo

Notable features

Catalan language support

Full changelog

Bug Fixes

restore login screen background from not showing up (975d3c7 by @kmendell)

Other

ignore webauthn type for swagger generation (ce4b89d by @kmendell)
update golangci-lint (#1440 by @ItalyPaleAle)
Add catalan language (#1436 by @mcasellas)

Full Changelog: https://github.com/pocket-id/pocket-id/compare/v2.6.0...v2.6.1

View release on GitHub

v2.6.0 Security relevant 1mo

Security fixes

Fixed access token renewal bypassing important checks
Blocked callback URLs with javascript: and data: protocols

Notable features

Admins can now revoke user passkeys
Added auth method claim (amr) to OIDC tokens
Added TLS support for HTTP/2 server

Full changelog

Bug Fixes

disable callback URLs with protocols "javascript" and "data" (#1397 by @ItalyPaleAle)
strip Root prefix from S3 List() returned paths (#1413 by @vtmocanu)
use valid Tailwind v4 transition class for auth animation squares (#1415 by @CoolShades)
resolve posixGroup memberUid as bare usernames (#1422 by @gucong3000)
prevent flickering if no background image is set on login page (027e6f0 by @stonith404)
improve form input layout if description next to it is multi col (9ec4683 by @stonith404)
access token renewal bypasses important checks (978ac87 by @stonith404)

Features

add ability to revoke passkeys of users as admin (#1386 by @jose-d)
add auth method claim (amr) to tokens (#1433 by @stonith404)
add TLS support for HTTP/2 server (#1429 by @IngmarStein)
add OpenID Connect prompt Parameter Handling (#1299 by @rjaakke)
return not found. on /setup if already completed (444f7ff by @stonith404)

Other

update AAGUIDs (#1403 by @github-actions[bot])
upgrade dependencies (f8f7222 by @stonith404)
combobox not closed in e2e test (fbdb93f by @stonith404)
Security upgrade alpine from latest to 3.23.4 (#1431 by @stonith404)
security upgrade alpine from latest to 3.23.4 (#1432 by @stonith404)
add Catalan language files (4f09de2 by @stonith404)
reduce complexity of ValidateEnvConfig and initRouter (a0cb574 by @stonith404)
pass context to shutdownServer (ff26c42 by @stonith404)