Spent years setting up identity for homelabs - mostly Keycloak, once Authelia, sometimes just reverse-proxy basic auth because the effort-to-benefit ratio didn’t justify anything more. Pocket ID is the right-sized middle: a small Go service that speaks OIDC, backs onto SQLite, and sits behind Caddy without drama.

My current homelab uses it as the IdP behind Cloudflare Access - which means tools like the /admin route of this site, Netbird’s web UI, and the VS Code server are gated by a real OAuth flow tied to my actual identity rather than a shared password in 1Password.

The specific things I like:

  • Single binary + SQLite. Deploys in the same docker-compose.yml as everything else. No Postgres required.
  • WebAuthn-first. Passkeys by default, passwords as fallback. The flow for adding a new device takes about 30 seconds.
  • Admin UI that doesn’t fight you. Keycloak’s admin UI is powerful and infamously hostile. Pocket ID’s admin UI is minimal and works.
  • Native Caddyfile examples. The docs give you an import snippet you can drop into your Caddyfile. That’s the level of care I want from a homelab tool.

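As an added illustration of the "sits behind Caddy" point, here is the kind of Caddyfile site block I would use to front Pocket ID. This is my own example, not the import snippet from the Pocket ID docs; the hostname `id.example.com`, the upstream container name `pocket-id`, and the upstream port `1411` are assumptions you would replace with your own values (check the port your version actually listens on).

```caddyfile
# Assumed hostname; Caddy provisions TLS for it automatically.
id.example.com {
    # Pocket ID should only ever be reachable over TLS; these headers
    # reduce the blast radius if something upstream is misconfigured.
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        Referrer-Policy "strict-origin-when-cross-origin"
        -Server
    }

    # Assumed upstream: the pocket-id container from the same docker-compose.yml.
    # Caddy forwards Host and X-Forwarded-* headers by default, which the IdP
    # needs to build correct redirect URIs.
    reverse_proxy pocket-id:1411
}
```

Because the IdP is the one thing every other service trusts, keep this block boring: one hostname, TLS only, and no extra routes on the same site. Anything like Cloudflare Access or another gate in front of it is additional, not a substitute for TLS between Caddy and the browser.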
If you’re running a homelab and you don’t have a real IdP yet, skip Keycloak and start here. The graduation path (Pocket ID → Keycloak) is straightforward when you outgrow it. Most people don’t.