Easiest to set up IAM solution? (OIDC, OAuth2, SSO, etc.) (feddit.org)

submitted 1 month ago by Lemmchen@feddit.org to c/selfhosted@lemmy.world

16 comments fedilink hide all child comments

I've just looked at some tutorials for Keycloak and Authentik and there's definitely a very steep learning curve for these two solutions. I feel like I need something a lot simpler to be able to fully grasp the concept.

What is the easiest solution for beginners to implement Sigle-Sign-On for their selfhosted services?

top 16 comments

sorted by: hot top controversial new old

[-] Chaser@lemmy.zip 3 points 1 month ago

I like Pocket ID. It's also very simple to set up and just works™

https://pocket-id.org/

[-] HybridSarcasm@lemmy.world 2 points 1 month ago

+1 for PocketID

[-] Lemmchen@feddit.org 1 points 1 month ago* (last edited 1 month ago)

I'd love to use PocketID, but I fear my users aren't really set up to use passkeys (they're awesome!) and I assume they wouldn't work on the Android TV Jellyfin client (does anybody have experience with that?).

[-] Chaser@lemmy.zip 1 points 1 month ago

That may be a problem, because Pocket ID works with Passkeys only. But you can also configure Emails, so your users can get one time login links.

Regarding Jellyfin: You can login on your phone using oidc. On the TV you can use Quick Connect then

[-] Lemmchen@feddit.org 1 points 1 month ago* (last edited 1 month ago)

If they can use their phones to log in with passkeys this might just work, hmm. I'll definitely take a closer look at that then. Thank you!

Edit:
That's very unfortunate as my users will basically only use the Android or Android TV app and not a browser. Maybe it's not too bad if it is a one time thing, but it definitely makes it not ideal.

[-] Chaser@lemmy.zip 2 points 1 month ago

Jellyfin is actually the only self hosted service I don't use LDAP or OIDC on purpose. Jellyfin is used only by me, my wife and sometimes a guest. So I just created the accounts by hand. I did so, because I want empty passwords there, so we can easily login. On the android tv app the login screen behaves like the Netflix profile selection screen, if the passwords are empty.

[-] stratself@lemdro.id 2 points 1 month ago

Protocol-wise, OIDC is generally the most supported out there. LDAP too, to an extent.

Software wise, I find Kanidm quite simple to set up (basically just one container). It's mostly managed via the terminal though, and lacks some eyecandy. But some of the examples in its docs should be easy to follow and get you familiar with mapping scopes/groups between Kanidm and services.

Authelia is okay too

[-] in_my_honest_opinion@piefed.social 2 points 1 month ago

What's the difficulty with keycloak? I just set this up last weekend

https://oneuptime.com/blog/post/2026-03-18-run-keycloak-podman-container/view

[-] Tinkerer@lemmy.ca 2 points 1 month ago

I just setup authentik in podman quadlet and got a lot of my services setup with it. Their documentation is actually very good and thorough. It covers a ton of services with easy to follow instructions.

[-] generaldenmark@programming.dev 1 points 1 month ago

I’ve gone with Authentik for my homelab, and sure there is some learning to do, but it is fairly simple once it’s setup, and in the end it is not that bad.

If I were to choose over, I’d god with KeyCloak as it seems like that’s almost exclusively what’s used in the marked ~ and thus would be good to know in depth

[-] chris@l.roofo.cc 1 points 1 month ago

I honestly didn't find authentik very complicated. You can be up and running pretty much after starting it. I used docker to run it.

[-] badlotus@discuss.online 1 points 1 month ago* (last edited 1 month ago)

I use Authelia. I found it pretty easy to set up. They even provide guides with examples on how to integrate with other applications. For instance, I use Traefik for my reverse proxy: Traefik | Integration | Authelia

You can use a simple YAML file for your IdP or LDAP if you need more than a handful of users.

[-] suzune@ani.social 0 points 1 month ago

I already have Forgejo installed and found out it does basic Oauth2. I didn't have to do anything. It just worked out of the box.

[-] Lemmchen@feddit.org 0 points 1 month ago

What do you mean? You can set up other services to use your Forgejo accounts?

[-] suzune@ani.social 1 points 1 month ago

Yes.

https://forgejo.org/docs/latest/user/oauth2-provider/

[-] pinball_wizard@lemmy.zip -1 points 1 month ago

.htaccess files are pretty simple to set up, if not hosting anything too sensitive.

this post was submitted on 24 Mar 2026

14 points (93.8% liked)

Selfhosted

58589 readers

20 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz