Authentik to PocketID: Embracing Passkeys & Simplicity in HomeLab

I have migrated my HomeLab’s authentication infrastructure from Authentik to PocketID.

While Authentik is incredibly feature-rich, it often felt overkill for a personal setup, with complex configuration and significant resource consumption. The primary drivers for this migration were “lightweight operations” and the “introduction of Passkeys.”

The Main Driver: Easy Passkey Integration

The biggest reason for switching to PocketID is how easily it allows for the implementation of Passkeys.

Passkeys enable modern, passwordless authentication using devices with biometric sensors or security keys. A passkey is a FIDO2/WebAuthn credential: the private key never leaves the device, and each sign-in is bound to the site's origin, which is what makes it resistant to phishing and credential replay. In PocketID, the setup is seamless. Once registered, you are freed from the hassle of typing complex passwords or opening MFA apps every time you log in.

Limited Features, Better Experience

PocketID has fewer features than Authentik, but that has turned out to be a major advantage.

  • No More Confusion: Because the features are focused, I no longer get lost wondering which advanced setting to tweak.
  • Intuitive UI: The UI is designed to be simple and modern, making user management and client configuration stress-free.
  • Low Resource Usage: Running on Kubernetes, its resource footprint is drastically smaller than Authentik's.

Deployment Configuration on Kubernetes

Setting up PocketID on Kubernetes is straightforward. Here are the basic manifest examples.

Deployment

Configure the application environment variables such as APP_URL, and pull the database connection string from a Secret (here, pocket-id-secrets) so it is not stored in the manifest.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: pocket-id
spec:
  replicas: 1
  # apps/v1 requires a selector; its labels must match the pod template
  # and the Service selector below.
  selector:
    matchLabels:
      app: pocket-id
  template:
    metadata:
      labels:
        app: pocket-id
    spec:
      containers:
        - name: pocket-id
          image: "pocketid/pocket-id:latest"
          ports:
            - containerPort: 1411   # PocketID's default listen port
          env:
            - name: APP_URL
              value: "https://id.example.com"
            - name: TRUST_PROXY
              value: "true"
            - name: FILE_BACKEND
              value: "true"
            - name: DB_CONNECTION_STRING
              valueFrom:
                secretKeyRef:
                  name: pocket-id-secrets
                  key: DB_CONNECTION_STRING

Service

Create an internal service. PocketID uses port 1411 by default.

apiVersion: v1
kind: Service
metadata:
  name: pocket-id
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 1411
  selector:
    app: pocket-id

Common OIDC Integration Patterns

When migrating from Authentik to PocketID, I integrated several self-hosted apps (Gitea, Paperless-ngx, Vaultwarden, etc.). Here are the most common patterns and pitfalls to watch out for.

Discovery URL Specification

Most apps discover the endpoints automatically from the issuer's .well-known/openid-configuration document. If manual configuration is required, use https://id.example.com/.well-known/openid-configuration.

Trailing Slashes in Issuer URL

Some clients are picky about trailing slashes in the Issuer URL, because the issuer they are configured with is compared byte-for-byte against the issuer value in the discovery document and the iss claim in ID tokens. Standardizing your configuration (usually without the slash) across your environment is the best way to avoid validation errors.
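The following is an added example, not code from the post or from PocketID, covering both the discovery URL and the trailing-slash pitfall above. It builds the discovery URL the way clients do, then applies the same strict issuer comparison that trips up mismatched configurations, distinguishing a trailing-slash difference from a genuinely different issuer. The discovery document is constructed inline (the endpoint paths are illustrative assumptions, not PocketID's real routes); fetch_and_check is the online variant for your own instance.

```python
"""Check a client's configured issuer against the provider's discovery document."""
import json
from urllib.request import urlopen

# Metadata fields that OpenID Connect Discovery 1.0 marks REQUIRED.
REQUIRED_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)

# Constructed sample standing in for what the provider serves at
# https://id.example.com/.well-known/openid-configuration.
# Endpoint paths are assumptions for illustration, not PocketID's routes.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://id.example.com",
    "authorization_endpoint": "https://id.example.com/authorize",
    "token_endpoint": "https://id.example.com/token",
    "jwks_uri": "https://id.example.com/jwks",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def discovery_url(issuer: str) -> str:
    """Build the discovery URL as clients do: the well-known path is appended
    to the issuer, so a trailing slash must not be doubled up."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_issuer(configured_issuer: str, discovery_json: str) -> dict:
    """Compare the configured issuer with the advertised one.

    'status' is one of 'ok', 'trailing_slash', 'mismatch', 'invalid_document'.
    Clients compare the strings exactly (and apply the same check to the ID
    token's iss claim), so only 'ok' will work in practice.
    """
    try:
        doc = json.loads(discovery_json)
    except json.JSONDecodeError as exc:
        return {"status": "invalid_document", "detail": f"not JSON: {exc}"}

    missing = [f for f in REQUIRED_FIELDS if f not in doc]
    if missing:
        return {"status": "invalid_document",
                "detail": "missing required fields: " + ", ".join(missing)}

    advertised = doc["issuer"]
    if configured_issuer == advertised:
        return {"status": "ok", "detail": f"issuer {advertised!r} matches"}
    if configured_issuer.rstrip("/") == advertised.rstrip("/"):
        # Same host and path, differing only by the trailing slash: this is
        # the classic source of "issuer mismatch" validation errors.
        return {"status": "trailing_slash",
                "detail": (f"configured {configured_issuer!r} but provider "
                           f"advertises {advertised!r}; use the provider's "
                           "exact form in every client")}
    return {"status": "mismatch",
            "detail": (f"configured {configured_issuer!r}, provider "
                       f"advertises {advertised!r}")}


def fetch_and_check(configured_issuer: str, timeout: float = 5.0) -> dict:
    """Online variant: fetch the real discovery document and check it."""
    with urlopen(discovery_url(configured_issuer), timeout=timeout) as resp:
        return check_issuer(configured_issuer, resp.read().decode("utf-8"))


if __name__ == "__main__":
    for configured in ("https://id.example.com", "https://id.example.com/"):
        print(configured, "->", check_issuer(configured, SAMPLE_DISCOVERY))
```

Run it against a real instance with fetch_and_check("https://id.example.com"); a 'trailing_slash' result means the client configuration, not the provider, needs to change, since the provider's advertised issuer is the canonical form every client must use.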

Switching OIDC for Existing Users

If users are already linked to another OIDC provider (such as Authentik), switching providers without disconnecting the old one first can lead to login failures. Since few OSS applications support linking multiple OIDC providers to a single account, the best practice is to disconnect the old provider first and only then attempt the first login with the new one.

Future Outlook: Migrating to TinyAuth and Traefik

One challenge that remains is protecting applications that do not natively support OIDC. Since PocketID lacks the proxy authentication features found in Authentik Outposts, I plan to bridge this gap by introducing TinyAuth.

Combined with Traefik's ForwardAuth middleware, TinyAuth can gate requests to those apps, so I'm planning to take this opportunity to replace the reverse proxy itself, moving from Ingress-Nginx to Traefik in one fell swoop.

This transition will also conveniently solve the upcoming end-of-life issue for Ingress-Nginx (scheduled for March 2026), making it the perfect opportunity to update my entire HomeLab architecture into a more modern and sustainable state.

Conclusion

By switching to the lightweight PocketID, I’ve gained the powerful protection of Passkeys and a confusion-free management environment. For a HomeLab where resources are limited, I feel this is an excellent choice that balances utility, security, and ease of use.