🚀 Feature: Machine-to-Machine Authentication (Service Accounts) #46

Closed
opened 2025-10-06 23:59:17 +03:00 by OVERLORD · 5 comments

Originally created by @swapnilraut3 on GitHub.

Feature description

Description:
Currently, PocketID allows user accounts to authenticate via OIDC, passkeys, and API keys. However, for automation and machine-to-machine communication, there is no clear mechanism to obtain credentials for service accounts.

Pitch

Use Case:

I want to run long-running jobs (e.g., scheduled ETL pipelines, background workers, or CI/CD tasks) that need to authenticate securely without relying on a user account.

These jobs require their own service accounts with scoped permissions, separate from human users.

Ideally, the service account would have its own credentials (client ID/secret, API key, or token) that can be rotated and managed independently.

Feature Proposal:

Add support for service account credentials in PocketID.

Each service account could generate:

A client ID/secret pair (for OIDC flows), OR

A scoped API key tied to the service account.

Credentials should be manageable via the admin UI or API (create, revoke, rotate).

Permissions/RBAC can be assigned to service accounts just like user accounts or groups.

Benefits:

Enables secure automation without binding jobs to human accounts.

Provides clear separation of concerns between users and services.

Aligns with common practices in IAM systems like Keycloak, Authentik, and AWS IAM.


@ItalyPaleAle commented on GitHub:

@swapnilraut3 isn't this what #901 implements? You'd create one client as the service account, and use the client credentials flow to get the token

What is missing here is assigning groups/permissions to other clients, however

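The client credentials exchange @ItalyPaleAle points to above, as an added Go example written for this page: it is not Pocket ID's own code and does not reproduce PR #901. The mock authorization server, the client name `etl-nightly`, its secret, the `reports:read` scope and the `/token` path are all constructed assumptions so that the example runs offline; a real job would point `tokenURL` at the IdP's published token endpoint and read the secret from its secret store rather than a constant.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// tokenResponse is the success body defined in RFC 6749 section 5.1.
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	ExpiresIn   int    `json:"expires_in"`
	Scope       string `json:"scope,omitempty"`
}

// serviceClient is one registered machine client (the "service account"): a secret plus its granted scopes.
type serviceClient struct {
	secret string
	scopes map[string]bool
}

// Constructed sample registration; the client name and secret are assumptions made for this example.
const etlClientID, etlSecret = "etl-nightly", "9f1c2e7a4b3d8e6f0a1b2c3d4e5f6a7b"

// mockTokenEndpoint implements only the client_credentials grant so the exchange runs offline.
func mockTokenEndpoint(clients map[string]serviceClient) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		// PostForm is only populated for POST bodies, so a GET is rejected here as well.
		if r.ParseForm() != nil || r.PostForm.Get("grant_type") != "client_credentials" {
			http.Error(w, "unsupported_grant_type", http.StatusBadRequest)
			return
		}
		// Credentials come from HTTP Basic auth only (RFC 6749 section 2.3.1); a client_secret in the body or
		// query is refused so it never lands in access logs, and the compare is constant-time to avoid timing leaks.
		id, secret, ok := r.BasicAuth()
		c, known := clients[id]
		if !ok || r.Form.Get("client_secret") != "" || !known || subtle.ConstantTimeCompare([]byte(c.secret), []byte(secret)) != 1 {
			http.Error(w, "invalid_client", http.StatusUnauthorized)
			return
		}
		// Only scopes granted at registration are honoured: the client's permissions live here, not on a user.
		requested := strings.Fields(r.PostForm.Get("scope"))
		for _, s := range requested {
			if !c.scopes[s] {
				http.Error(w, "invalid_scope", http.StatusBadRequest)
				return
			}
		}
		raw := make([]byte, 32) // 256-bit opaque bearer token; a signed JWT would be issued the same way
		if _, err := rand.Read(raw); err != nil {
			http.Error(w, "server_error", http.StatusInternalServerError)
			return
		}
		json.NewEncoder(w).Encode(tokenResponse{
			AccessToken: fmt.Sprintf("%x", raw),
			TokenType:   "Bearer",
			ExpiresIn:   300, // short-lived: the job re-requests instead of hoarding a long-lived token
			Scope:       strings.Join(requested, " "),
		})
	}
}

// newMockServer starts the mock IdP with one registered service client; every path acts as the token endpoint.
func newMockServer() *httptest.Server {
	return httptest.NewServer(mockTokenEndpoint(map[string]serviceClient{
		etlClientID: {secret: etlSecret, scopes: map[string]bool{"reports:read": true}},
	}))
}

// requestClientCredentialsToken is the job's side: POST grant_type and scope as a form body, authenticate
// with HTTP Basic, and return the parsed token or an error carrying the server's status code.
func requestClientCredentialsToken(tokenURL, clientID, clientSecret string, scopes []string) (*tokenResponse, error) {
	form := url.Values{"grant_type": {"client_credentials"}, "scope": {strings.Join(scopes, " ")}}
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret) // form-encode id and secret first if they are not URL-safe
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("token endpoint returned %d %s", resp.StatusCode, http.StatusText(resp.StatusCode))
	}
	var tr tokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil || tr.TokenType != "Bearer" || tr.AccessToken == "" {
		return nil, fmt.Errorf("malformed token response (%v)", err)
	}
	return &tr, nil
}
```

Two points carry over to a real deployment: the secret travels only in the Authorization header, never in the query string or a long-lived config URL, and the scopes attached to the client registration are the only authorization the job has. That second part is exactly the gap the comment above notes, assigning groups or permissions to clients, and the `scopes` map in the mock is a stand-in for whatever the IdP eventually offers there.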

@kmendell commented on GitHub:

Are you referring to the client credentials flow? https://github.com/pocket-id/pocket-id/pull/901


@ItalyPaleAle commented on GitHub:

> I think documentation lacks on this topic on official website

This has not been released yet, it will be in the next version.

> Also it would be great if I am able to add group permissions to a service account.

That's a good feature request. Mind opening a new issue specifically about assigning roles / groups to OAuth2 clients?


@swapnilraut3 commented on GitHub:

Not exactly. I am looking for machine-to-machine authentication, or say service account authentication. I want it to run long-running automated jobs, so a service account is needed rather than an individual account.


@swapnilraut3 commented on GitHub:

I think documentation lacks on this topic on official website. Also it would be great if I am able to add group permissions to a service account.

Reference: starred/pocket-id#46