Grist OIDC Authentication using Pocket ID (HOW-TO)

Hi everyone - I recently got Grist OIDC authentication to work with Pocket ID, which is a great OIDC solution which focuses solely on using Passkeys. I’ve been using it with Grist and other applications without issues for a few weeks now.

In case anyone else is interested, I’m sharing the details of how to set this up.

@Admins – I might suggest addition of this content to OIDC - Grist Help Center with a new “Example: Pocket ID” section.

IMPORTANT! In order to use Pocket ID (and Passkeys in general), both Grist and Pocket ID need to be hosted over SSL!

Step 1: Install Pocket ID

You can learn about Pocket ID on their website and the install/setup instructions are here. You can also reference the pocket-id Git repo.

Step 2: Set up your user account and at least one Passkey.

Refer to this page for instructions.

Step 3: Configure an OIDC Client for Grist in the Pocket ID Web UI

  1. Go to Settings → OIDC Clients → Click Add OIDC Client
  2. Enter required information - there’s not much to do 🙂
     • Name: Grist (or whatever you wish)
     • Callback URLs: https://<Your Grist Hostname>/oauth2/callback
  3. Click Save
  4. Make note of the Client ID and Client secret values shown

Step 4: Configure Grist Environment Variables to use Pocket ID OIDC

GRIST_OIDC_IDP_ISSUER="https://<Your Pocket ID Hostname>/.well-known/openid-configuration"
GRIST_OIDC_IDP_CLIENT_ID="<Value of 'Client ID' from the Grist client in Pocket ID>"
GRIST_OIDC_IDP_CLIENT_SECRET="<Value of 'Client secret' from the Grist client in Pocket ID>"
GRIST_OIDC_SP_HOST="https://<Your Grist Hostname>"
GRIST_OIDC_IDP_SCOPES="openid email profile"  # Default
GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT=false  # Default

Step 5: Start or Restart Grist

When you go to your Grist URL, you should now be automatically redirected to the Pocket ID authentication page:

Click Sign in, then authenticate with the Passkey that you set up, and you should be redirected back to Grist!

Hi.
Thank you for your tutorial,

Could you please clarify step 4? Where are these variables configured? I’m using LXC in Proxmox, not Docker, just to be clear.

Hi, those are the general settings that Grist needs for OIDC. Since I’m using Grist in a Docker container, they are provided as environment variables in the Docker Compose file (or via the Docker cli).

Since it sounds like you’re running Grist directly on an LXC, then you can just define these values in the environment itself (which I believe is for the “grist” user).

For example:
export GRIST_OIDC_IDP_ISSUER="Value here"

But ideally put the above (for each variable) in the grist user’s .bashrc file so they persist on reboot, then restart the Grist services.
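
An added example, not part of the thread and not Grist's or Pocket ID's own tooling: a shell pre-flight check for the Step 4 variables, meant to run in the same environment that starts Grist. It verifies that the required values are set, that no <...> placeholder was left in, that both URLs use https, and that the scopes include openid. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for the Grist OIDC variables from Step 4.
# Function names are hypothetical; variable names are the ones in the post.

# Print the callback URL to register for the Grist client in Pocket ID
# (Step 3): the Grist host plus /oauth2/callback, trailing slash normalised.
grist_callback_url() {
    printf '%s/oauth2/callback\n' "${GRIST_OIDC_SP_HOST%/}"
}

# Report each problem on stderr; return 0 only when no problem was found.
check_grist_oidc_env() {
    problems=0
    fail() { echo "FAIL: $1" >&2; problems=$((problems + 1)); }

    # Step 4 gives these four no default, so each needs a real value.
    for name in GRIST_OIDC_IDP_ISSUER GRIST_OIDC_IDP_CLIENT_ID \
                GRIST_OIDC_IDP_CLIENT_SECRET GRIST_OIDC_SP_HOST; do
        eval "value=\${$name:-}"
        case "$value" in
            '')        fail "$name is not set" ;;
            *'<'*'>'*) fail "$name still contains a <placeholder>" ;;
        esac
    done

    # Both Grist and Pocket ID must be served over TLS for passkeys to work.
    for name in GRIST_OIDC_IDP_ISSUER GRIST_OIDC_SP_HOST; do
        eval "value=\${$name:-}"
        case "$value" in
            https://?*) ;;
            *) fail "$name must start with https://" ;;
        esac
    done

    # OIDC requires the openid scope; unset means the default from Step 4.
    case " ${GRIST_OIDC_IDP_SCOPES:-openid email profile} " in
        *' openid '*) ;;
        *) fail "GRIST_OIDC_IDP_SCOPES must include openid" ;;
    esac

    [ "$problems" -eq 0 ]
}
```

Source the file as the user that runs Grist, call check_grist_oidc_env, and compare the output of grist_callback_url with the Callback URLs field of the Grist client in Pocket ID.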
