Single Sign-On in my homelab: Pocket ID
Why I started using SSO in my homelab, why Authentik felt too heavy and how Pocket ID solves that.
When you run a handful of self-hosted services, separate logins are fine. Maybe five or six apps, you know the passwords, and logging in separately is not a big deal.
But at some point I started noticing how often I was creating a new account for something I had already set up before. Or how long it took to figure out which applications would each need their own account when I wanted to give someone else access.
That is when SSO stops feeling like something only companies need.
What I actually wanted
I am not running a business. Fewer accounts to keep track of, fewer passwords to remember, one place to manage access. That is it.
A lot of applications already support OIDC anyway. If it is built in, there is not much reason to ignore it.
First attempt: Authentik
Authentik is what you find first when you start looking into SSO. It handles everything: OIDC, SAML, LDAP, SCIM. The documentation is thorough and it is actively maintained.
It is also heavy. Multiple containers, its own database, a cache layer. On a homelab that is already well occupied, that is manageable, but it started feeling more like a project in itself than a tool.
What bothered me more was the configuration layer. Authentik works with flows, stages and policies. That gives you a lot of control, but for a straightforward OIDC setup there is a lot between you and a working login. At some point I had something that did what it needed to, but I had lost track of how exactly. Making changes felt uncomfortable because I could not tell what I might break.
In the end I was spending more time on Authentik itself than on the services I wanted to connect to it.
Switched to Pocket ID
Pocket ID does one thing: OIDC. No flows, no policy layers, no LDAP. You create a client, fill in the redirect URI, and it works.
I got more done with it in an afternoon than I had in multiple sessions with Authentik. The interface is minimal, the configuration options are limited, and that is exactly why it is pleasant to use.
I run it at id.dsyr.nl. Services that support OIDC get connected directly.
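"Create a client, fill in the redirect URI" is the provider half of the setup; the provider is then expected to compare the redirect URI on every request by exact string match, as the OAuth 2.0 Security BCP requires. The application half is what decides whether an integration is well put together. As an added example, not code from the post or from Pocket ID, here is that half in Go: it generates the per-login random values (state, nonce and a PKCE verifier) and verifies the returned ID token the way OIDC Core requires, with a pinned signature algorithm and checks on issuer, audience, expiry and nonce. The issuer is the id.dsyr.nl instance from the post; the client ID, the subject and the RSA key that stands in for the provider's published signing key are constructed for the demo. The run also replays the token into a second session to show the nonce check rejecting it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// issuer is the Pocket ID instance from the post; the client ID is hypothetical. A real
// client takes endpoints and signing keys from <issuer>/.well-known/openid-configuration.
const (
	issuer   = "https://id.dsyr.nl"
	clientID = "example-app"
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// randToken returns 32 random bytes as base64url: the shape used for state, nonce and
// the PKCE code_verifier (whose SHA-256 is sent as code_challenge with method S256).
func randToken() string {
	raw := make([]byte, 32)
	rand.Read(raw) // crypto/rand cannot fail in a usable way; recent Go versions panic instead
	return b64(raw)
}

// VerifyIDToken does the checks OIDC Core puts on the client: pinned RS256 signature,
// iss, aud, exp and the nonce of the session that started this login. Returns the subject.
func VerifyIDToken(token string, pub *rsa.PublicKey, nonce string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	hb, _ := base64.RawURLEncoding.DecodeString(parts[0]) // a decode error leaves nil,
	pb, _ := base64.RawURLEncoding.DecodeString(parts[1]) // which fails the checks below
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2])
	var hdr struct{ Alg string }
	if json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" { // never let the token choose its alg
		return "", errors.New("bad header or unexpected alg")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return "", errors.New("bad signature")
	}
	var c struct { // encoding/json matches the lower-case claim names case-insensitively
		Iss, Sub, Nonce string
		Aud             json.RawMessage // a string or an array of strings
		Exp             int64
	}
	if json.Unmarshal(pb, &c) != nil {
		return "", errors.New("bad payload")
	}
	var one, many = "", []string{}
	json.Unmarshal(c.Aud, &one)
	json.Unmarshal(c.Aud, &many)
	audOK := one == clientID
	for _, a := range many {
		audOK = audOK || a == clientID
	}
	if c.Iss != issuer || !audOK || now.Unix() >= c.Exp || c.Nonce != nonce {
		return "", fmt.Errorf("claims rejected: iss=%q audOK=%v expired=%v nonceOK=%v",
			c.Iss, audOK, now.Unix() >= c.Exp, c.Nonce == nonce)
	}
	return c.Sub, nil
}

// mintIDToken stands in for the provider in this offline demo: RS256 over the claims.
func mintIDToken(priv *rsa.PrivateKey, claims map[string]any) string {
	hb, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	pb, _ := json.Marshal(claims)
	signing := b64(hb) + "." + b64(pb)
	h := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return signing + "." + b64(sig)
}

// Demo logs in once, then replays that ID token into a second session. It returns the
// subject accepted for the first login and the error the replay produces.
func Demo() (string, error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	nonce1, nonce2, now := randToken(), randToken(), time.Now()
	tok := mintIDToken(priv, map[string]any{
		"iss": issuer, "sub": "alice", "aud": clientID, "nonce": nonce1,
		"iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(),
	})
	sub, err := VerifyIDToken(tok, &priv.PublicKey, nonce1, now)
	if err != nil {
		return "", err
	}
	_, replayErr := VerifyIDToken(tok, &priv.PublicKey, nonce2, now)
	return sub, replayErr
}

func main() { fmt.Println(Demo()) }
```

In a real client the public key comes from the provider's jwks_uri, selected by the token's kid header, the state value is matched against the session before the code is even exchanged, and the PKCE verifier goes along with that exchange. Applications that skip the nonce or audience check are exactly the ones whose flows "behave slightly differently than expected".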
Logging in with a passkey
Pocket ID does not support passwords. Everyone who logs in does so with a passkey. That goes for me, but also for anyone I give access to.
That does not require a YubiKey. The built-in Passwords app on macOS and iOS supports passkeys, Bitwarden does too, and most other password managers have added support by now. A device with biometrics or a hardware security key is enough.
I log in with my YubiKey. Plug it in, tap it, done. No password to forget, lose or accidentally reuse somewhere.
The benefit of passkey-only is that it removes the weaker option entirely. The moment you allow passwords alongside passkeys, the password becomes the vulnerable path: an attacker only needs to phish or guess the password, and the passkey adds nothing for that account. By dropping passwords altogether, that choice is gone. A fake login page also gets nothing from a passkey, because the credential is bound to the domain it was registered on: the browser will not offer it on a lookalike domain, and the signed response carries the origin it was produced on, so it would not verify against the real login page anyway. That matters especially here, since this is the one login that sits in front of everything else.
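What "bound to the domain" means in protocol terms, as an added example in Go that is neither the post's nor Pocket ID's code: the relying-party side of a WebAuthn login. The browser puts the origin the user is actually on into clientDataJSON and the authenticator signs its hash together with authenticator data that starts with a hash of the RP ID, so the server can check both against its own values before trusting the signature. The RP ID and origin are the id.dsyr.nl instance from the post; the lookalike origin, the P-256 key that plays the authenticator and the challenge are constructed for the demo. In practice the browser never even offers the credential on the lookalike because credentials are scoped to the RP ID; the block shows that a response obtained elsewhere would fail the server's checks regardless.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// The RP ID and origin are the Pocket ID instance from the post; the phishing origin is
// a hypothetical lookalike used only to show what the RP rejects.
const (
	rpID        = "id.dsyr.nl"
	rpOrigin    = "https://id.dsyr.nl"
	phishOrigin = "https://id-dsyr.nl"
)

// clientData is the clientDataJSON the browser builds; the authenticator signs its hash,
// so the origin the user was actually on becomes part of the signed message.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the RP receives from navigator.credentials.get().
type assertion struct {
	ClientDataJSON []byte
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4)
	Signature      []byte // ECDSA P-256 over authData || SHA-256(clientDataJSON)
}

// signAssertion models the browser plus authenticator answering a challenge. They report
// the origin and RP ID of the page that asked, whichever page that is.
func signAssertion(priv *ecdsa.PrivateKey, challenge []byte, origin, rpIDUsed string) assertion {
	cd, _ := json.Marshal(clientData{
		Type:      "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge),
		Origin:    origin,
	})
	rpHash := sha256.Sum256([]byte(rpIDUsed))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // flags: user present; counter 0
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}
}

// verifyAssertion runs the RP-side checks from the WebAuthn spec that make a passkey
// domain-bound: our challenge, our origin, our rpIdHash, user presence, and a valid
// signature under the public key stored at registration.
func verifyAssertion(pub *ecdsa.PublicKey, challenge []byte, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("not an authentication ceremony")
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return errors.New("challenge mismatch: stale or replayed response")
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("origin %q is not %q", cd.Origin, rpOrigin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], want[:]) {
		return errors.New("rpIdHash is not ours")
	}
	if a.AuthData[32]&0x01 == 0 {
		return errors.New("user presence not asserted")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// Demo registers one credential, answers a challenge from the real login page and then
// from the lookalike. It returns the verification result of each.
func Demo() (genuine, phishing error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	challenge := make([]byte, 32)
	rand.Read(challenge)
	good := signAssertion(priv, challenge, rpOrigin, rpID)
	fake := signAssertion(priv, challenge, phishOrigin, "id-dsyr.nl")
	return verifyAssertion(&priv.PublicKey, challenge, good),
		verifyAssertion(&priv.PublicKey, challenge, fake)
}

func main() { fmt.Println(Demo()) }
```

The same key signs both responses, and only the one produced on the registered origin verifies. A password typed into the lookalike page, by contrast, would have been perfectly usable on the real one.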
I was honestly a bit skeptical before setting this up. Passkey support is still uneven and the experience differs per device. But for a login page I control myself, it works well enough that I would not go back to a password.
What you should not forget
If Pocket ID is unreachable, you cannot log in to anything that depends on it; sessions that are already open may keep working until they expire, but new logins fail. In a homelab that is less hypothetical than it sounds. Nodes restart, CephFS has its moments, and sometimes I have done something myself that left a VM offline for a bit.
Pocket ID runs on a stable VM with few other workloads, but it is still worth keeping in mind. Some applications have a local fallback alongside SSO; others do not. Where an application offers a local admin account, keep one and store its credentials outside the SSO path, so an outage of the identity provider does not lock you out of the application itself. Which applications lack such a fallback is something you usually find out the first time something goes wrong.
Not every OIDC integration is well put together either. Most work fine, but I have run into a few applications with unclear documentation or a flow that behaved slightly differently than expected. Not a Pocket ID problem, but something to be ready for.
How it looks now
Open an application, tap the YubiKey, continue. If the Pocket ID session is still valid, there is not even a tap: the redirect goes through and you are in. No separate account per service, no password to recall.
In hindsight I should have moved on from Authentik sooner. Not because Pocket ID is dramatically better in some absolute sense, but because it fits what I actually need. Less maintenance, less chance of breaking something without understanding why.