Indentity and Profile Manages tests

• pocket-id
  • ✅ packaged in nixpkgs
    • ⚠️ But not everything can be declaratively configured.
      • ⚠️ Oidc clients must be manually created and then client id and secret must be copied to client app or traefik plugin config
      • ⚠️ Setting to send email have to be manually configured by admin. But it may be possible to set this via env vars : https://pocket-id.org/docs/configuration/environment-variables#overriding-the-ui-configuration
      • ⚠️ User self registration has to be manually enabled by admin. But it may be possible to set this via env vars : https://pocket-id.org/docs/configuration/environment-variables#overriding-the-ui-configuration
      • ⚠️ User self modification of profile has to be manually enabled by admin. But it may be possible to set this via env vars : https://pocket-id.org/docs/configuration/environment-variables#overriding-the-ui-configuration
  • ✅ tested support by traefik plugin to secure apps that do not have any authentication mecanism.
    • ⚠️ but need to test again with better plugin config
  • ✅ tested support by traefik plugin to secure apps that can authenticate using X-Oidc-* headers.
    • ⚠️ but need to test again with better plugin config)
  • ✅ Self registration of users (has to be enabled by admin), or creation of users by admin through web app
  • ✅ account/profile page for users to configure their password/otp/passkey/email?
    • ⚠️ if enabling self-eccount editing (which is desirable), user can also change their username, which could be a problem for applications if there is no other user claim that is unique and immutable. There is only an all of nothing admin setting for this.
  • ✅ lightweight, does the job, very simple,
    • ⚠️ but maybe too simple as only passkey auth is supported (auth by password + OTP is not possible)
  • ⚠️ Legacy apps that only support ldap auth (ex jellyfin) can be integrated though an external LDAP. But in that case users can only be managed from the external LDAP. Meaning admins will have to interact with 2 systems One for the users and one for OIDC.
• keycloak
  • ✅ packaged in nixpkgs
    • ⚠️ But not everything can be declaratively configured.
      • ⚠️ Actually needs quite a lot of manual configuration by an admin for most uses cases (Oidc client, roles, passey enabling, including roles in id token, ...)
  • ✅ tested support by traefik plugin to secure apps that do not have any authentication mecanism.
  • ✅ tested support by traefik plugin to secure apps that can authenticate users using X-Oidc-* headers. (need to test again)
  • ⚠️ kind of bloatware (java) but does the job
  • ✅ Self registration of users (has to be enabled by admin), or creation of users by admin through web app
  • ✅ account/profile page for users to configure their password/otp/passkey/email
    • ✅ username seems to be immutable, which is good.
  • ❓ can legacy apps that only support ldap auth (ex jellyfin) be integrated?
    • ❓ Mays need to manage users externally with an ldap system for that
• Kanidm
• ✅ packaged in nixpkgs
  • ⚠️ Looks like it is posible to provision most things declaratively though services.kanidm.provision. However this requires a kanidm version build with non offical patches. See https://thinglab.org/2025/02/keycloak_to_kanidm/#patches
• ✅ Read only LDAPS gateway for Legacy Systems
• ⚠️ Adding passkeys disables password sign-in : Mentioned on https://thinglab.org/2025/02/keycloak_to_kanidm/#kanidm-praise
• ❓User creation by admin only from command line? (but could be declaratively provisioned also, so maybe not a blocker)
• ❓Need to test "User Self Service via the WebUI" feature to check if it fullfils :
  • ❓ user registration form ?
  • ❓ account/profile page for users to configure their password/otp/passkey/email?
• Zitadel
• Authelia?
  • ❓ Does it have a user registration form
  • ❓ Does it have an account/profile page for users to configure their password/otp/passkey/email?
  • ✅ Good potential for fully declarative configuration
  • ✅ Can be linked with lldap for apps that only support ldap auth
• Casdoor?
  • ✖ Will not test
    • ✖ not packaged in nixpkgs
    • ✖ Dubious stability and security : https://lacontrevoie.fr/en/blog/2024/comparatif-de-onze-solutions-de-sso-libres/#casdoor
• Ory
  • ✖ Will not test
    • ✖ not packaged in nixpkgs
    • ✖ labyrinthine system : https://lacontrevoie.fr/en/blog/2024/comparatif-de-onze-solutions-de-sso-libres/#ory
• Authentik?
  • ✖ Will not test
    • ✖ bloatware : https://lacontrevoie.fr/en/blog/2024/comparatif-de-onze-solutions-de-sso-libres/#authentik
    • ⚠️ partially packaged in nixpkgs (packages seem to exist in nixpkgs but services are only available in https://github.com/nix-community/authentik-nix)