Add PocketID OAuth provider support #7318
Open
+88
−2
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Implements PocketIdSetting.svelte following Keycloak pattern - Configures OIDC endpoints for Pocket-ID (/authorize, /api/oidc/*) - Supports standard OIDC scopes (openid, profile, email) - Uses passkey-only authentication via Pocket-ID Refs windmill-labs#5678
- Import PocketIdSetting component - Add Pocket-ID to provider list in SSO tab - Update exclusion filter to prevent duplicate custom entries Refs windmill-labs#5678
- Create PocketIdIcon.svelte component with user profile icon - Register pocket-id in APP_TO_ICON_COMPONENT mapping - Fix PocketIdSetting to use IconedResourceType pattern matching other OAuth providers This resolves the issue where PocketID toggle was not appearing in SSO settings. Refs windmill-labs#5678
devdattatalele
requested review from
alpetric,
hugocasa and
rubenfiszel
as code owners
rubenfiszel
reviewed
Dec 8, 2025
Comment on lines
1
to
68
| <script lang="ts"> | ||
| import IconedResourceType from './IconedResourceType.svelte' | ||
| import Toggle from './Toggle.svelte' | ||
|
|
||
| export let value: any | ||
|
|
||
| $: enabled = value != undefined | ||
|
|
||
| let org = '' | ||
|
|
||
| $: changeOrg(org) | ||
|
|
||
| function changeOrg(org) { | ||
| if (value) { | ||
| value = { | ||
| ...value, | ||
| connect_config: { | ||
| auth_url: `${org}/authorize`, | ||
| token_url: `${org}/api/oidc/token`, | ||
| scopes: ['openid', 'profile', 'email'] | ||
| }, | ||
| login_config: { | ||
| auth_url: `${org}/authorize`, | ||
| token_url: `${org}/api/oidc/token`, | ||
| userinfo_url: `${org}/api/oidc/userinfo`, | ||
| scopes: ['openid', 'profile', 'email'] | ||
| } | ||
| } | ||
| } | ||
| } | ||
| </script> | ||
|
|
||
| <div class="flex flex-col gap-1"> | ||
| <label class="text-xs font-semibold text-emphasis flex gap-4 items-center" | ||
| ><div class="w-[120px]"><IconedResourceType name={'pocket-id'} after={true} /></div><Toggle | ||
| checked={enabled} | ||
| on:change={(e) => { | ||
| if (e.detail) { | ||
| value = { id: '', secret: '' } | ||
| } else { | ||
| value = undefined | ||
| } | ||
| }} | ||
| /></label | ||
| > | ||
| {#if enabled} | ||
| <div class="border rounded p-2"> | ||
| <label class="block pb-2"> | ||
| <span class="text-primary font-semibold text-sm" | ||
| >Pocket-ID Base URL ({'POCKET_ID_URL/authorize'})</span | ||
| > | ||
| <input type="text" placeholder="https://id.example.com" bind:value={org} /> | ||
| </label> | ||
| <label class="block pb-2"> | ||
| <span class="text-primary font-semibold text-sm">Custom Name</span> | ||
| <input type="text" placeholder="Pocket ID" bind:value={value['display_name']} /> | ||
| </label> | ||
| <label class="block pb-2"> | ||
| <span class="text-primary font-semibold text-sm">Client Id</span> | ||
| <input type="text" placeholder="Client Id" bind:value={value['id']} /> | ||
| </label> | ||
| <label class="block pb-2"> | ||
| <span class="text-primary font-semibold text-sm">Client Secret </span> | ||
| <input type="text" placeholder="Client Secret" bind:value={value['secret']} /> | ||
| </label> | ||
| </div> | ||
| {/if} | ||
| </div> |
Contributor
There was a problem hiding this comment.
we should use svelte 5 here :)
Contributor
Author
There was a problem hiding this comment.
@rubenfiszel Migrated to Svelte 5 runes syntax. Also implemented base URL pre-population from existing config when editing saved settings.
![ellipsis-dev[bot]](https://avatars.githubusercontent.com/in/64358?s=60&v=4){kind=small}
|
|
||
| $: enabled = value != undefined | ||
|
|
||
| let org = '' |
Contributor
There was a problem hiding this comment.
Consider initializing the org variable from the existing configuration (e.g. from value.connect_config.auth_url) so that the base URL input is pre-populated when editing saved settings.
- Use $props() with $bindable() for reactive prop binding - Use $state() for local reactive state - Use $derived() for computed values - Use $effect() for reactive side effects - Replace on:change with onchange event handler - Pre-populate base URL from existing config when editing - Clean up bracket notation to dot notation for value properties Addresses reviewer feedback
Contributor
|
I think you missed oauth_connect.json + pocket-id => pocket_id or pockerid (need to match resource type) |
Change identifier from 'pocket-id' to 'pocketid' to match Windmill's naming convention.
No OAuth provider uses hyphens - all custom SSO providers (keycloak, authentik, authelia,
kanidm, zitadel) use no separator.
Changes:
- AuthSettings.svelte: oauths['pocket-id'] → oauths['pocketid'] (2 locations)
- PocketIdSetting.svelte: name={'pocket-id'} → name={'pocketid'}
- icons/index.ts: 'pocket-id': PocketIdIcon → pocketid: PocketIdIcon
Note: PocketID does not need oauth_connect.json entry as it's a custom SSO provider
with user-configured endpoints, similar to Keycloak/Authentik.
Addresses reviewer feedback
Contributor
Author
|
pocketid works like the other custom sso providers (e.g. Keycloak), also endpoints are supplied by the user, so it doesn’t need an entry in oauth_connect.json |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pull request adds support for PocketID as an OAuth provider in Windmill's SSO configuration.
PocketID is a lightweight, self-hosted authentication solution that uses passkeys (WebAuthn/FIDO2) for passwordless authentication with built-in OIDC support.
Changes
Added PocketID OAuth provider configuration component following established patterns from existing providers like Keycloak, Authelia, and Kanidm. The implementation includes a settings component for administrators to configure PocketID base URL, client credentials, and custom display name. The component properly handles OIDC endpoints for authorization, token exchange, and user information retrieval.
Fixed component integration by adding the PocketID icon system and ensuring the component uses the standard IconedResourceType pattern consistent with other OAuth providers.
Testing
Tested locally using Docker environment. The PocketID toggle now appears correctly in SSO settings between existing OAuth providers. Configuration can be saved and persists correctly in workspace settings.
Closes #5678