
OIDC Middleware (Traefik)

Ensure Pocket ID is set up and configured. See Pocket ID.

```yaml
services:
  pocketid:
    image: ghcr.io/pocket-id/pocket-id:v1
    container_name: pocketid
    restart: unless-stopped
    env_file: .env
    # ports:
    #   - 3000:80
    volumes:
      - "./data:/app/data"
    # Keys set here override the same keys loaded from env_file (.env),
    # so TRUST_PROXY=true below wins over TRUST_PROXY=false in .env.
    environment:
      - PUBLIC_APP_URL=https://auth.domain.lol
      - TRUST_PROXY=true
      - PUID=1000
      - PGID=1000
    networks:
      - reverseproxy-nw
    # If using Traefik:
    labels:
      traefik.enable: true
      traefik.http.routers.pocketid.rule: Host(`auth.domain.lol`)

networks:
  reverseproxy-nw:
    external: true
```
```ini
# .env file
# See the documentation for more information: https://pocket-id.org/docs/configuration/environment-variables
APP_URL=https://auth.domain.lol
TRUST_PROXY=false
MAXMIND_LICENSE_KEY=
PUID=1000
PGID=1000
```
  1. Log into the admin interface and navigate to OIDC Clients on the sidebar.
  2. Click Add OIDC Client. Give it a name and provide a callback URL e.g. https://my-app.mydomain.com/oidc/callback. Save.
  3. Copy the client ID and client secret and use them below.

Make sure you also add the same callback URL as a Logout Callback URL in Pocket ID; otherwise logout will not work.

Config plugin

In traefik.yml add:

```yaml
experimental:
  plugins:
    traefik-oidc-auth:
      moduleName: "github.com/sevensolutions/traefik-oidc-auth"
      version: "v0.16.0"
```

Middleware config

```yaml
http:
  middlewares:
    oidc-auth:
      plugin:
        traefik-oidc-auth:
          Secret: "32 character secret" # generate with: openssl rand -hex 16
          SessionCookie:
            MaxAge: "3600" # seconds: 3600 = 1 hour, 300 = 5 minutes
          Provider:
            Url: "https://auth.domain.lol"
            ClientId: "client ID from Pocket ID"
            ClientSecret: "Client secret from Pocket ID"
            #UsePkce: true # Or use PKCE if your Provider supports this
          Scopes: ["openid", "profile", "email"]
          # Option: bypass the middleware for certain hosts or subfolders
          # BypassAuthenticationRule: "Host(`domain.xyz`) && PathPrefix(`/share`)"
          # Requests matching this rule reach the app without an OIDC session,
          # so the bypassed /api paths are only as protected as each app's own API-key check.
          BypassAuthenticationRule: HostRegexp(`^(scrutiny|sonarr|radarr|sabnzbd)\.domain\.lol`) && PathPrefix(`/api`)
```
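To see exactly which requests the bypass rule above lets past the middleware, here is an added Python check; it is not part of the plugin or of this page's configuration. It assumes PathPrefix matches as a plain string prefix (so `/apikeys` would also bypass) and additionally shows a stricter segment-based variant for comparison; the sample requests are constructed.

```python
import re
from typing import Dict, List, NamedTuple

# The two matchers of the bypass rule from the middleware config above:
# HostRegexp(`^(scrutiny|sonarr|radarr|sabnzbd)\.domain\.lol`) && PathPrefix(`/api`)
HOST_RE = re.compile(r"^(scrutiny|sonarr|radarr|sabnzbd)\.domain\.lol")
PATH_PREFIX = "/api"


class Request(NamedTuple):
    host: str  # value of the Host header (may carry a :port)
    path: str  # request path without query string


def bypasses_auth(req: Request, strict_segment: bool = False) -> bool:
    """True when the request would skip the OIDC middleware under the rule.

    Assumption: PathPrefix behaves as a plain string prefix (strict_segment=False),
    so "/apikeys" also bypasses. strict_segment=True treats "/api" as a path
    segment and only bypasses "/api" itself and "/api/...".
    """
    host = req.host.split(":", 1)[0].lower()  # ignore any port before matching
    if not HOST_RE.search(host):
        return False
    if strict_segment:
        return req.path == PATH_PREFIX or req.path.startswith(PATH_PREFIX + "/")
    return req.path.startswith(PATH_PREFIX)


# Constructed sample requests, not real traffic.
SAMPLE_REQUESTS: List[Request] = [
    Request("sonarr.domain.lol", "/api/v3/series"),     # intended: API client with key
    Request("sonarr.domain.lol", "/"),                  # web UI: must go through SSO
    Request("radarr.domain.lol:443", "/api/v3/movie"),  # same host with explicit port
    Request("radarr.domain.lol", "/apikeys"),           # shares the prefix, not the API
    Request("jellyfin.domain.lol", "/api/ping"),        # host not in the bypass list
    Request("scrutiny.domain.lol", "/api"),             # bare prefix
]


def audit(requests: List[Request], strict_segment: bool = False) -> Dict[str, bool]:
    """Map 'host/path' to whether that request bypasses authentication."""
    return {f"{r.host}{r.path}": bypasses_auth(r, strict_segment) for r in requests}


if __name__ == "__main__":
    for url, skipped in audit(SAMPLE_REQUESTS).items():
        print(f"{'BYPASS' if skipped else 'SSO   '}  {url}")
```

Run it after editing the rule to confirm that only the API paths you expect are exempt from the SSO redirect.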

Container labels

```yaml
    # Labels on the service to protect: the router sends its traffic through the
    # oidc-auth middleware defined in the dynamic (file) configuration above.
    labels:
      traefik.enable: true
      traefik.http.routers.webserver.rule: Host(`domain.lol`)
      traefik.http.routers.webserver.middlewares: oidc-auth@file
```
