PocketID SSO with QuFabric Self-Hosted (Advanced)
PocketID is a simplified identity management solution designed for self-hosted environments, offering a lightweight and easy-to-deploy option for authentication.
PocketID is secure and effective but makes some tradeoffs in terms of features. Notably, it does not allow scoping the access of API Tokens. Keep careful track of the token used by QuFabric for management.
Standalone Setup (Advanced)
QuFabric includes built-in local user management powered by an embedded IdP, allowing you to create and manage users directly without requiring an external identity provider. You can also add multiple external identity providers alongside local users, giving users multiple login options.
We highly recommend using the simpler setup that adds PocketID as an external IdP directly in the QuFabric Management Dashboard. This approach requires minimal configuration, works alongside local users, and doesn't require replacing your embedded IdP. See the Management Setup (Recommended) section in the main PocketID documentation.
The standalone setup below replaces your embedded IdP entirely and is only recommended for experienced PocketID administrators who need full control over authentication and user management.
Use PocketID as your primary identity provider instead of QuFabric's embedded IdP. This option gives you full control over authentication and user management, is recommended for experienced PocketID administrators as it also requires additional setup and ongoing maintenance.
For most deployments, the embedded IdP is the simpler choice — it's built into QuFabric, fully integrated, and requires minimal configuration to get started. For this implementation, go back up to the Management Setup (Recommended) section above.
Prerequisites
- PocketID instance running with SSL
- Docker and Docker Compose for QuFabric
Step 1: Create and Configure PocketID Application
- Navigate to PocketID console
- Click the Administration dropdown, then select OIDC Clients
- Fill in the form:
- Name:
QuFabric - Client Launch URL:
https://<domain> - Callback URLs:
http://localhost:53000https://<domain>/authhttps://<domain>/silent-auth
- Logout Callback URL:
https://<domain>/ - Public Client: On
- PKCE: On
- Name:
- Click Save
- Copy Client ID for later use
Step 2: Create API Token
- Click Administration dropdown, then select API Keys
- Click Add API Key
- Fill in:
- Name:
QuFabric Management Token - Expires At: Pick a date in the future
- Description:
QuFabric Management Token
- Name:
- Click Save
- Copy API Key for later use
Step 3: Configure QuFabric
Your authority OIDC configuration will be available at:
https://<YOUR_POCKETID_HOST_AND_PORT>/.well-known/openid-configuration
Double-check if the endpoint returns a JSON response by calling it from your browser.
Set properties in the setup.env file:
QUFABRIC_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://<YOUR_POCKETID_HOST_AND_PORT>/.well-known/openid-configuration"
QUFABRIC_USE_AUTH0=false
QUFABRIC_AUTH_CLIENT_ID="<CLIENT_ID>"
QUFABRIC_AUTH_SUPPORTED_SCOPES="openid profile email groups"
QUFABRIC_AUTH_AUDIENCE="<CLIENT_ID>"
QUFABRIC_AUTH_REDIRECT_URI="/auth"
QUFABRIC_AUTH_SILENT_REDIRECT_URI="/silent-auth"
QUFABRIC_TOKEN_SOURCE="idToken"
QUFABRIC_AUTH_DEVICE_AUTH_PROVIDER="none"
QUFABRIC_AUTH_DEVICE_AUTH_CLIENT_ID="<CLIENT_ID>"
QUFABRIC_AUTH_DEVICE_AUTH_AUDIENCE="<CLIENT_ID>"
QUFABRIC_AUTH_DEVICE_AUTH_SCOPE="openid profile email groups"
QUFABRIC_AUTH_DEVICE_AUTH_USE_ID_TOKEN=true
QUFABRIC_MGMT_IDP="pocketid"
QUFABRIC_IDP_MGMT_CLIENT_ID="qufabric"
QUFABRIC_IDP_MGMT_EXTRA_MANAGEMENT_ENDPOINT="https://<YOUR_POCKETID_HOST_AND_PORT>"
QUFABRIC_IDP_MGMT_EXTRA_API_TOKEN="<API_TOKEN>"
Step 4: Continue with QuFabric Setup
You've configured all required resources in PocketID. Continue with the QuFabric Self-hosting Guide.
Troubleshooting
API token not working
- Verify the token hasn't expired
- Ensure the token was created by an admin user
Device authorization not available
- PocketID has limited device auth support
- Set
QUFABRIC_AUTH_DEVICE_AUTH_PROVIDER="none"if issues persist