🚀 Feature: Add custom keys and rotate key features to distroless #36

Closed
opened 2025-10-06 23:58:56 +03:00 by OVERLORD · 5 comments

Originally created by @lordraiden on GitHub.

Feature description

distroless doesn't have a shell, so this security feature can't be used:
https://pocket-id.org/docs/advanced/custom-keys

Pitch

A solution would be to configure this via environment variables in docker compose, for example:

```yaml
environment:
  - KEY_ALGORITHM=EdDSA
  - KEY_ALGORITHM_CRV=Ed25519 # only required for EdDSA
  - KEY_ROTATE=false # true to rotate on next restart
```

@ItalyPaleAle commented on GitHub:

It should work as long as you use `docker exec` - you can see the docs too

```sh
# Adjust the container name if needed
docker exec -it pocket-id /app/pocket-id key-rotate -a EdDSA -c Ed25519
```

@lordraiden commented on GitHub:

> The key-rotate command rotates the key that is used to sign tokens issued by Pocket ID. These are the tokens issued to OAuth clients (apps that use Pocket ID for auth), and the session tokens that keep you signed into Pocket ID.
>
> Also note that if Pocket ID is running, you need to restart it for the new keys to be picked up
>
> Passkeys are not encrypted in Pocket ID. Rotating the key has no impact on them, and it shouldn't - invalidating all passkeys would be destructive.

What about choosing the algorithm configuration per integration? Would this be a thing? I have apps that support EdDSA and others only RSA. I guess I will want to stay with RSA.

Would it be complex to implement: define several and choose in each integration which one to use?


@lordraiden commented on GitHub:

> It should work as long as you use `docker exec` - you can see the docs too
>
> ```sh
> # Adjust the container name if needed
> docker exec -it pocket-id /app/pocket-id key-rotate -a EdDSA -c Ed25519
> ```

You are right, it worked, but why did it invalidate the logins to all the other apps and not the login to Pocket ID? I thought I would need to set up Pocket ID from scratch, but I was able to log in with the same old passkeys in Pocket ID. Why?


@ItalyPaleAle commented on GitHub:

The key-rotate command rotates the key that is used to sign tokens issued by Pocket ID. These are the tokens issued to OAuth clients (apps that use Pocket ID for auth), and the session tokens that keep you signed into Pocket ID.

> Also note that if Pocket ID is running, you need to restart it for the new keys to be picked up

Passkeys are not encrypted in Pocket ID. Rotating the key has no impact on them, and it shouldn't - invalidating all passkeys would be destructive.

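The effect described in the comment above can be reproduced without a running instance. The Go program below is an added example written for this page, not pocket-id's own code: it models the signing key with the standard library's crypto/ed25519, publishes it in the JWK shape (kty OKP, crv Ed25519, alg EdDSA) that an OIDC provider serves at the jwks_uri named in its discovery document, signs a JWT-style token, rotates the key the way `key-rotate` plus a restart does, and shows that the old token is rejected against the new key set while a fresh one verifies. The `Signer` type, the kid derivation (first bytes of the public key) and the claim values are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// Signer stands in for the token-signing key that `pocket-id key-rotate` replaces (hypothetical, not pocket-id's code).
type Signer struct {
	Kid  string
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

// NewSigner generates a fresh Ed25519 key with a kid derived from it; calling it again is a rotation.
func NewSigner() *Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // crypto/rand failing is not recoverable
	}
	return &Signer{Kid: b64.EncodeToString(pub[:8]), priv: priv, pub: pub}
}

// JWK is the RFC 8037 OKP form of an Ed25519 public key, as published at an OIDC provider's jwks_uri.
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	Kid string `json:"kid"`
	Alg string `json:"alg"`
	X   string `json:"x"`
}
type JWKS struct{ Keys []JWK `json:"keys"` }

// JWKS publishes only the current key: after rotation the old kid is gone.
func (s *Signer) JWKS() JWKS {
	return JWKS{Keys: []JWK{{Kty: "OKP", Crv: "Ed25519", Kid: s.Kid, Alg: "EdDSA", X: b64.EncodeToString(s.pub)}}}
}

// Sign produces a compact JWS (header.payload.signature) with alg=EdDSA.
func (s *Signer) Sign(claims map[string]string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT", "kid": s.Kid})
	body, _ := json.Marshal(claims) // a map of strings always marshals
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(s.priv, []byte(input)))
}

var ErrUnknownKid = errors.New("token kid not in JWKS (key rotated?)")
// Verify checks a token the way a relying party does: find the kid in the JWKS, confirm the
// algorithm, check the signature. A token signed by a rotated-out key fails with ErrUnknownKid.
func Verify(token string, set JWKS) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	hdrJSON, errH := b64.DecodeString(parts[0])
	sig, errS := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	if errH != nil || errS != nil || json.Unmarshal(hdrJSON, &hdr) != nil {
		return errors.New("undecodable header or signature")
	}
	if hdr.Alg != "EdDSA" { // refuse alg confusion, e.g. a header claiming "none" or HS256
		return fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var key *JWK
	for i, k := range set.Keys {
		if k.Kid == hdr.Kid && k.Kty == "OKP" && k.Crv == "Ed25519" {
			key = &set.Keys[i]
		}
	}
	if key == nil {
		return ErrUnknownKid
	}
	pub, err := b64.DecodeString(key.X)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return errors.New("bad JWK x")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), []byte(parts[0]+"."+parts[1]), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// RotationEffect: a token issued before rotation fails against the JWKS published after it; a fresh one verifies.
func RotationEffect() (oldStillValid, newValid bool) {
	// Constructed claims standing in for an ID token issued to an OAuth client.
	claims := map[string]string{"iss": "https://id.example", "sub": "alice", "aud": "some-client"}
	oldToken := NewSigner().Sign(claims)
	current := NewSigner() // the effect of key-rotate followed by a restart
	return Verify(oldToken, current.JWKS()) == nil, Verify(current.Sign(claims), current.JWKS()) == nil
}

func main() { fmt.Println(RotationEffect()) }
```

`go run` prints `false true`. The same check is the one to make on a real deployment: after `key-rotate` and the restart, fetch the jwks_uri from the discovery document and confirm the published kid, alg and crv are the ones you asked for; any session or ID token still carrying the old kid is rejected the way `Verify` rejects it here. Passkeys never enter this path, since WebAuthn credentials are stored public keys rather than tokens signed with the rotated key, which is why the old passkeys kept working in the thread.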

@ItalyPaleAle commented on GitHub:

That isn’t possible today, it was done like this by design. If you have a need for that could you please open a separate issue?

Reference: starred/pocket-id#36