starred/pocket-id-pocket-id-2
1
0
Fork 0
mirror of https://github.com/pocket-id/pocket-id.git synced 2025-12-09 14:42:59 +03:00
Code Issues 116 Packages Projects Releases 10 Wiki Activity

🚀 Feature: QR Code / 2nd Device / Assisted Sign-In #332

New Issue
Closed
opened 2025-10-09 16:40:15 +03:00 by OVERLORD · 25 comments
OVERLORD commented 2025-10-09 16:40:15 +03:00
Owner
Copy Link

Originally created by @acidRain-burns on GitHub.

Feature description

I tried to look up the name for this process, but couldn't find what it would be called beyond just a QR Code sign in, so bear with me:

The pocket-id admin could enable this globally for all OIDC clients, or opt-in individual clients. The user would, when authenticating with approved clients, have the option to complete the request on another device. When that option is selected by the user, pocket-id would present the user with a QR code where the request would already be populated. If the user was already signed in to pocket-id, they would be prompted to approve or deny the sign-in. If they were not yet signed in, they would be requested to sign in first. Ideally, the QR Code URL is just a normal URL that could be typed in as a fallback, maybe something short like pocket-id.example.com/approvals/shortlivedcodehere)

Examples of this:

  • Discord
  • Steam

Pitch

For my use-cases, when using a device that does not support passkeys (TVs, XR Headsets, VMs), it would be appreciated to have the ability to complete the sign-in on your phone (via qr code) or another device (with say, a short-lived code).

Originally created by @acidRain-burns on GitHub. ### Feature description I tried to look up the name for this process, but couldn't find what it would be called beyond just a QR Code sign in, so bear with me: The pocket-id admin could enable this globally for all OIDC clients, or opt-in individual clients. The user would, when authenticating with approved clients, have the option to complete the request on another device. When that option is selected by the user, pocket-id would present the user with a QR code where the request would already be populated. If the user was already signed in to pocket-id, they would be prompted to approve or deny the sign-in. If they were not yet signed in, they would be requested to sign in first. Ideally, the QR Code URL is just a normal URL that could be typed in as a fallback, maybe something short like pocket-id.example.com/approvals/shortlivedcodehere) Examples of this: - Discord - Steam ### Pitch For my use-cases, when using a device that does not support passkeys (TVs, XR Headsets, VMs), it would be appreciated to have the ability to complete the sign-in on your phone (via qr code) or another device (with say, a short-lived code).
OVERLORD added the feature label 2025-10-09 16:40:15 +03:00
OVERLORD commented 2025-10-09 16:40:20 +03:00
Author
Owner
Copy Link

@kmendell commented on GitHub:

I will close this issue and we can continue the conversation in #112. Just upvote that issue and add your comments. Thank you!

@kmendell commented on GitHub: I will close this issue and we can continue the conversation in #112. Just upvote that issue and add your comments. Thank you!
OVERLORD commented 2025-10-09 16:40:22 +03:00
Author
Owner
Copy Link

@penalte commented on GitHub:

Duplicated #112

@penalte commented on GitHub: Duplicated #112
OVERLORD commented 2025-10-09 16:40:22 +03:00
Author
Owner
Copy Link

@acidRain-burns commented on GitHub:

I looked at #112; At the time the scope seemed different enough that this seemed warranted, but maybe I am mistaken. Feel free to close if this is the case. I can also add my thoughts to #112

@acidRain-burns commented on GitHub: I looked at #112; At the time the scope seemed different enough that this seemed warranted, but maybe I am mistaken. Feel free to close if this is the case. I can also add my thoughts to #112
OVERLORD commented 2025-10-09 16:40:23 +03:00
Author
Owner
Copy Link

@kmendell commented on GitHub:

@stonith404 My mistake i thought they were the same thing, sorry for closing that out by accident.

@kmendell commented on GitHub: @stonith404 My mistake i thought they were the same thing, sorry for closing that out by accident.
OVERLORD commented 2025-10-09 16:40:24 +03:00
Author
Owner
Copy Link

@stonith404 commented on GitHub:

This is not a duplicate of #112 as this issue is meant to directly sign in to Pocket ID. #112 describes a way to authorize an OIDC client that doesn't have a browser built-in.

@acidRain-burns Do you have an actual example where you're currently limited with passkeys? For example I don't really see a reason why you want to sign in to Pocket ID on a tv. Also a VM should support passkeys by using this flow. Or do I miss something?

@stonith404 commented on GitHub: This is not a duplicate of #112 as this issue is meant to directly sign in to Pocket ID. #112 describes a way to authorize an OIDC client that doesn't have a browser built-in. @acidRain-burns Do you have an actual example where you're currently limited with passkeys? For example I don't really see a reason why you want to sign in to Pocket ID on a tv. Also a VM should support passkeys by using [this flow](https://www.corbado.com/blog/webauthn-passkey-qr-code). Or do I miss something?
OVERLORD commented 2025-10-09 16:40:25 +03:00
Author
Owner
Copy Link

@Green-Kite commented on GitHub:

I've another example for this use case: Seafile supports SSO login in their desktop and mobile apps. If you click on the SSO Button you'll get directed to the Pocket ID Passkey Login in a built-in browser. If you click on "Don't have access to your passkey?" there and use the Link you get in the email, the system browser gets opened, but you can't login into Seafile as there's no matching between these requests and you're using different browsers.

@Green-Kite commented on GitHub: I've another example for this use case: Seafile supports SSO login in their desktop and mobile apps. If you click on the SSO Button you'll get directed to the Pocket ID Passkey Login in a built-in browser. If you click on "Don't have access to your passkey?" there and use the Link you get in the email, the system browser gets opened, but you can't login into Seafile as there's no matching between these requests and you're using different browsers.
OVERLORD commented 2025-10-09 16:40:26 +03:00
Author
Owner
Copy Link

@stonith404 commented on GitHub:

@acidRain-burns Alright thanks for your explanation. I think this would make sense to implement.

What do you think about #271 , this would also fix this, right? If this PR gets merged you would be able to create a one-time-access link on another device which you then could use to sign in on your TV, XR headset or VM.

@stonith404 commented on GitHub: @acidRain-burns Alright thanks for your explanation. I think this would make sense to implement. What do you think about #271 , this would also fix this, right? If this PR gets merged you would be able to create a one-time-access link on another device which you then could use to sign in on your TV, XR headset or VM.
OVERLORD commented 2025-10-09 16:40:26 +03:00
Author
Owner
Copy Link

@kmendell commented on GitHub:

@stonith404 based on green-kites reply , #271 wouldnt fix his issue, unless im reading it wrong, maybe theres another type of fix that could be implmemeted along side 271.

@kmendell commented on GitHub: @stonith404 based on green-kites reply , #271 wouldnt fix his issue, unless im reading it wrong, maybe theres another type of fix that could be implmemeted along side 271.
OVERLORD commented 2025-10-09 16:40:27 +03:00
Author
Owner
Copy Link

@acidRain-burns commented on GitHub:

@stonith404 I can think of a few examples right off the bat; I would like to preface this by saying I am probably not representative of a large part of pocket-id users BUT I do think this feature addresses a lot of edge cases, of which mine are a sample. I also acknowledge that there may be ways to technically accomplish a sign in, though they are not at all convenient. Many of my users are passkey-only: for many of the services pocket-id protects, they made an account by signing in to the service via pocket-id, and some have the option to sign in via passwords disabled or the service makes you choose between passkeys and passwords.

  1. TVs: I have multiple android TVs, with poor support for hardware passkeys or bitwarden, and connecting via phone is a pain as well, as I am not the only user signing into these devices. There are quite a few services that are very useful to access for configuration and updates to the device -- I use pingvin-share to store/update apks! Other services include jellyfin (has the quick connect though!), immich (very long api key, hard to switch users), and others.
  2. XR Headsets: many of my users (myself included) have standalone headsets (they have their own OS and apps). They don't support passkeys well (non Vision OS at least), and a tethered experience won't sign you in to the apps running on device. This would be where having a short code to enter instead of a QR code would be great, especially when there is passthrough support on most devices.
  3. VMs: I run most of my VMs on a central server and connect to them remotely, far out of bluetooth range. I also personally don't like the idea of the cloud assist part, but I honestly haven't looked into this angle much; I will research it further.
@acidRain-burns commented on GitHub: @stonith404 I can think of a few examples right off the bat; I would like to preface this by saying I am probably not representative of a large part of pocket-id users BUT I do think this feature addresses a lot of edge cases, of which mine are a sample. _I also acknowledge that there may be ways to technically accomplish a sign in, though they are not at all convenient._ Many of my users are passkey-only: for many of the services pocket-id protects, they made an account by signing in to the service via pocket-id, and some have the option to sign in via passwords disabled or the service makes you choose between passkeys and passwords. 1. TVs: I have multiple android TVs, with poor support for hardware passkeys or bitwarden, and connecting via phone is a pain as well, as I am not the only user signing into these devices. There are quite a few services that are very useful to access for configuration and updates to the device -- I use pingvin-share to store/update apks! Other services include jellyfin (has the quick connect though!), immich (very long api key, hard to switch users), and others. 2. XR Headsets: many of my users (myself included) have standalone headsets (they have their own OS and apps). They don't support passkeys well (non Vision OS at least), and a tethered experience won't sign you in to the apps running on device. This would be where having a short code to enter instead of a QR code would be great, especially when there is passthrough support on most devices. 3. VMs: I run most of my VMs on a central server and connect to them remotely, far out of bluetooth range. I also personally don't like the idea of the cloud assist part, but I honestly haven't looked into this angle much; I will research it further.
OVERLORD commented 2025-10-09 16:40:27 +03:00
Author
Owner
Copy Link

@Green-Kite commented on GitHub:

I'm not sure if a simple thing just like "mail a six digit code and enter it on the sign in page" would be possible?

Or maybe sign in on the other browser and click "Yes" somewhere to allow the other request.

@Green-Kite commented on GitHub: I'm not sure if a simple thing just like "mail a six digit code and enter it on the sign in page" would be possible? Or maybe sign in on the other browser and click "Yes" somewhere to allow the other request.
OVERLORD commented 2025-10-09 16:40:28 +03:00
Author
Owner
Copy Link

@kmendell commented on GitHub:

@Green-Kite what your describing sounds more like the the Device Code Endpoint this is currently in dvelopment here: https://github.com/pocket-id/pocket-id/pull/270 , but still different in ways, so i cant speak for certain if we can do something like that, would have to have stonith review.

@kmendell commented on GitHub: @Green-Kite what your describing sounds more like the the Device Code Endpoint this is currently in dvelopment here: https://github.com/pocket-id/pocket-id/pull/270 , but still different in ways, so i cant speak for certain if we can do something like that, would have to have stonith review.
OVERLORD commented 2025-10-09 16:40:28 +03:00
Author
Owner
Copy Link

@stonith404 commented on GitHub:

v0.37.0 allows you now to create a login code in your account settings and use it for signing in.

@stonith404 commented on GitHub: `v0.37.0` allows you now to create a login code in your account settings and use it for signing in.
OVERLORD commented 2025-10-09 16:40:28 +03:00
Author
Owner
Copy Link

@kmendell commented on GitHub:

@stonith404 Gotcha, The page should be easy to copy, and reusable, i think. Though im not sure the best way to implement this feature, you may have better ideas.

@kmendell commented on GitHub: @stonith404 Gotcha, The page should be easy to copy, and reusable, i think. Though im not sure the best way to implement this feature, you may have better ideas.
OVERLORD commented 2025-10-09 16:40:30 +03:00
Author
Owner
Copy Link

@Green-Kite commented on GitHub:

@stonith404 thx I tried the Seafile SSO login feature and it worked. Would be great to get the code via email too and not just through the UI. But it's great now to have a way for browsers that don't support passkeys or when on devices other than your main one.

@Green-Kite commented on GitHub: @stonith404 thx I tried the Seafile SSO login feature and it worked. Would be great to get the code via email too and not just through the UI. But it's great now to have a way for browsers that don't support passkeys or when on devices other than your main one.
OVERLORD commented 2025-10-09 16:40:30 +03:00
Author
Owner
Copy Link

@stonith404 commented on GitHub:

based on green-kites reply , https://github.com/pocket-id/pocket-id/pull/271 wouldnt fix his issue, unless im reading it wrong, maybe theres another type of fix that could be implmemeted along side 271.

@kmendell You're right.

I think @Green-Kite suggestion would make sense. We could just create a page where a user can enter the one-time access token, this would be pretty easy to implement. We could build a similar page to the page you've created in #270. If the code is provided in the URL the user gets signed in automatically or else he can enter it manually. This can actually not be achieved with #270 because the device code endpoint only allows to authorize clients, not to sign in to Pocket ID.

@stonith404 commented on GitHub: > based on green-kites reply , https://github.com/pocket-id/pocket-id/pull/271 wouldnt fix his issue, unless im reading it wrong, maybe theres another type of fix that could be implmemeted along side 271. @kmendell You're right. I think @Green-Kite suggestion would make sense. We could just create a page where a user can enter the one-time access token, this would be pretty easy to implement. We could build a similar page to the page you've created in #270. If the code is provided in the URL the user gets signed in automatically or else he can enter it manually. This can actually not be achieved with #270 because the device code endpoint only allows to **authorize clients**, not to sign in to Pocket ID.
OVERLORD commented 2025-10-09 16:40:32 +03:00
Author
Owner
Copy Link

@acidRain-burns commented on GitHub:

I still think this auth flow should work from other direction instead, where the code is presented by the device you want to sign into, not the device you are signed into already/capable of signing into easily.

That said, this definitely works -- thank you sooo much!!!!

@acidRain-burns commented on GitHub: I still think this auth flow should work from other direction instead, where the code is presented by the device you want to sign into, not the device you are signed into already/capable of signing into easily. That said, this definitely works -- thank you sooo much!!!!
OVERLORD commented 2025-10-09 16:40:32 +03:00
Author
Owner
Copy Link

@Green-Kite commented on GitHub:

I've played around with it a bit now and found out that the Email Code feature logs you into the Pocket ID web interface instead of redirecting to the service you started the login process with. Is this the behaviour that is intended with this feature?

@Green-Kite commented on GitHub: I've played around with it a bit now and found out that the Email Code feature logs you into the Pocket ID web interface instead of redirecting to the service you started the login process with. Is this the behaviour that is intended with this feature?
OVERLORD commented 2025-10-09 16:40:33 +03:00
Author
Owner
Copy Link

@stonith404 commented on GitHub:

@Green-Kite This is possible but you have to enable "Email Login Code" in the application configuration.

@stonith404 commented on GitHub: @Green-Kite This is possible but you have to enable "Email Login Code" in the application configuration.
OVERLORD commented 2025-10-09 16:40:33 +03:00
Author
Owner
Copy Link

@kmendell commented on GitHub:

@acidRain-burns What your describing is the device authorization endpoint, which is still in dvelopment here: https://github.com/pocket-id/pocket-id/pull/270

That being said this requires the application to be setup with this functionality as it follows oidc spec. So its a bit different than this feature.

@kmendell commented on GitHub: @acidRain-burns What your describing is the device authorization endpoint, which is still in dvelopment here: https://github.com/pocket-id/pocket-id/pull/270 That being said this requires the application to be setup with this functionality as it follows oidc spec. So its a bit different than this feature.
OVERLORD commented 2025-10-09 16:40:34 +03:00
Author
Owner
Copy Link

@Green-Kite commented on GitHub:

Sorry I was blind...
I only paid attention to the login code option and ignored the second option after clicking on it haha

@Green-Kite commented on GitHub: Sorry I was blind... I only paid attention to the login code option and ignored the second option after clicking on it haha
OVERLORD commented 2025-10-09 16:40:36 +03:00
Author
Owner
Copy Link

@stonith404 commented on GitHub:

This was actually a bug which should be fixed in the latest version.

@stonith404 commented on GitHub: This was actually a bug which should be fixed in the latest version.
OVERLORD commented 2025-10-09 16:40:36 +03:00
Author
Owner
Copy Link

@Oni commented on GitHub:

So, if I understand this correctly, the flow would be like this:

  • user opens the client (like Jellyfin on a TV or seafile on a PC that doesn't support passkeys);
  • user clicks on login;
  • user is redirected to Pocket-ID login page;
  • user clicks on "You don't have access to your passkey?" at the bottom (I have a localized version of Pocket-ID, so I don't know what's the exact wording);
  • user gets prompted with two options: "access code" and "QR code";
  • user clicks "QR code";
  • Pocket-ID shows a QR code holding a short-lived URL;
  • user scans the QR code with its smartphone that supports passkeys;
  • user sees a login page on the smartphone and uses the passkey for loging in;
  • the client gets notified that the login is successful and the TV/PC is now logged in.
@Oni commented on GitHub: So, if I understand this correctly, the flow would be like this: * user opens the client (like Jellyfin on a TV or seafile on a PC that doesn't support passkeys); * user clicks on login; * user is redirected to Pocket-ID login page; * user clicks on "You don't have access to your passkey?" at the bottom (I have a localized version of Pocket-ID, so I don't know what's the exact wording); * user gets prompted with two options: "access code" and "QR code"; * user clicks "QR code"; * Pocket-ID shows a QR code holding a short-lived URL; * user scans the QR code with its smartphone that supports passkeys; * user sees a login page on the smartphone and uses the passkey for loging in; * the client gets notified that the login is successful and the TV/PC is now logged in.
OVERLORD commented 2025-10-09 16:40:36 +03:00
Author
Owner
Copy Link

@Oni commented on GitHub:

So, if I understand this correctly, the flow would be like this:

  • user opens the client (like Jellyfin on a TV or seafile on a PC that doesn't support passkeys);
  • user clicks on login;
  • user is redirected to Pocket-ID login page;
  • user clicks on "You don't have access to your passkey?" at the bottom (I have a localized version of Pocket-ID, so I don't know what's the exact wording);
  • user gets prompted with two options: "access code" and "QR code";
  • user clicks "QR code";
  • Pocket-ID shows a QR code holding a short-lived URL;
  • user scans the QR code with its smartphone that supports passkeys;
  • user sees a login page on the smartphone and uses the passkey for loging in;
  • the client gets notified that the login is successful and the TV/PC is now logged in.

But this isn't currently working this way, is it? I don't have any QR code option...

Sorry for the bad wording.

What I have described is the workflow proposed here.

The current workflow (see #270) requires you to log in to the pocket-id admin page and generate a code there. You then have to put the code inside the client. In my opinion, the current workflow is counter-intuitive and inconvenient for clients like TVs where the keyboard is far from practical.

@Oni commented on GitHub: > > So, if I understand this correctly, the flow would be like this: > > > > * user opens the client (like Jellyfin on a TV or seafile on a PC that doesn't support passkeys); > > * user clicks on login; > > * user is redirected to Pocket-ID login page; > > * user clicks on "You don't have access to your passkey?" at the bottom (I have a localized version of Pocket-ID, so I don't know what's the exact wording); > > * user gets prompted with two options: "access code" and "QR code"; > > * user clicks "QR code"; > > * Pocket-ID shows a QR code holding a short-lived URL; > > * user scans the QR code with its smartphone that supports passkeys; > > * user sees a login page on the smartphone and uses the passkey for loging in; > > * the client gets notified that the login is successful and the TV/PC is now logged in. > > But this isn't currently working this way, is it? I don't have any QR code option... Sorry for the bad wording. What I have described is the workflow proposed here. The current workflow (see #270) requires you to log in to the pocket-id admin page and generate a code there. You then have to put the code inside the client. In my opinion, the current workflow is counter-intuitive and inconvenient for clients like TVs where the keyboard is far from practical.
OVERLORD commented 2025-10-09 16:40:37 +03:00
Author
Owner
Copy Link

@IzeQube commented on GitHub:

So, if I understand this correctly, the flow would be like this:

  • user opens the client (like Jellyfin on a TV or seafile on a PC that doesn't support passkeys);
  • user clicks on login;
  • user is redirected to Pocket-ID login page;
  • user clicks on "You don't have access to your passkey?" at the bottom (I have a localized version of Pocket-ID, so I don't know what's the exact wording);
  • user gets prompted with two options: "access code" and "QR code";
  • user clicks "QR code";
  • Pocket-ID shows a QR code holding a short-lived URL;
  • user scans the QR code with its smartphone that supports passkeys;
  • user sees a login page on the smartphone and uses the passkey for loging in;
  • the client gets notified that the login is successful and the TV/PC is now logged in.

But this isn't currently working this way, is it? I don't have any QR code option...

@IzeQube commented on GitHub: > So, if I understand this correctly, the flow would be like this: > > * user opens the client (like Jellyfin on a TV or seafile on a PC that doesn't support passkeys); > * user clicks on login; > * user is redirected to Pocket-ID login page; > * user clicks on "You don't have access to your passkey?" at the bottom (I have a localized version of Pocket-ID, so I don't know what's the exact wording); > * user gets prompted with two options: "access code" and "QR code"; > * user clicks "QR code"; > * Pocket-ID shows a QR code holding a short-lived URL; > * user scans the QR code with its smartphone that supports passkeys; > * user sees a login page on the smartphone and uses the passkey for loging in; > * the client gets notified that the login is successful and the TV/PC is now logged in. But this isn't currently working this way, is it? I don't have any QR code option...
OVERLORD commented 2025-10-09 16:40:37 +03:00
Author
Owner
Copy Link

@kmendell commented on GitHub:

Does the same happen if you try without the email code? I think this was the intended use case as it replaced the onetime link. But if the same does not happen with the email version then im not sure..

@kmendell commented on GitHub: Does the same happen if you try without the email code? I think this was the intended use case as it replaced the onetime link. But if the same does not happen with the email version then im not sure..
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
breaking
bug
documentation
feature
needs more upvotes
open to pull requests
pull-request
Mirrored from GitHub Pull Request
No Label feature
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/pocket-id-pocket-id-2#332
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?