Auth Flow Questions & Multi-step Docker Compose setup
Hey everyone,
A couple weeks/month ago I tried setting up ZITADEL as an SSO for my personal/hobby projects and self-hosted services (like outline/headscale). However, it was just after the v4 (pre-)release candidates and I found that some things did not work for my setup, so I decided to set up PocketID as an alternative.
Right now I'm facing the issue that PocketID does not support SAML (which I need for a service) so I was looking again at possible SSO/Identity Providers and eventually came back to ZITADEL with the idea of also being able to use it for other projects/tenants other than myself.
I was wondering 2 things:
1. Does ZITADEL support logging in with passkeys, without having to enter a username/email? In PocketID we were able to do the following: "Open a site that requires login (like outline) -> Redirect to SSO (PocketID) -> Press "Authenticate" -> Select passkey -> Get logged in and redirected back to the original site (e.g. outline)". I was wondering if this "passkey only" setup was possible in ZITADEL as well, as I could not find a lot about it online.
2. When I first tried to set up ZITADEL (first V4, then V3 to see if it was more stable), I saw a multi-step Docker Compose with multiple services to set up and migrate the zitadel instance (zitadel-init, zitadel-setup, zitadel, db, and for v4 login as well). I was wondering if there is a guide to set it up like this again, as I cannot find anything related to this type of multi-service/container setup on the current documentation page.
If anyone has any ideas/guides/tips for me, please do tell.
Hope you all have a blessed day!
3 Replies
Hi @Koen, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Answer
1. ZITADEL's current authentication flow for passkeys (passwordless/FIDO2/WebAuthN) requires users to first provide a username or identifier before selecting the passkey option; a "passkey only" flow (no username/email required before authentication) is not supported as of now (1). There is discussion about this feature, but it would require changes to the session API and is not available in the standard flow.
2. For Docker Compose setup, the official documentation provides an example with zitadel, login, and db services, where the login service is used for the login UI and the setup is initialized using a single command (not separate zitadel-init/zitadel-setup containers as in some older versions) (2). The guide at Set up Zitadel with Docker Compose shows the currently recommended multi-service setup. There are also community examples and discussions on initializing service users and PATs for automation, but the official docs do not detail a multi-step migration/init/serve container workflow as a standard approach (2) (3).
To learn more, see the sources I considered:
[1] Passkey Authentication with "Autofill UI"
[2] Set up Zitadel with Docker Compose
[3] Setting up Project and App from zero using Terraform Provider (Docker Compose)
Feel free to tag @Ask Inkeep with additional questions.
@Ask Inkeep what would objectively be better? the multi-step compose or just the zitadel, login and db (not the -setup or -init)
Thanks for the follow-up, @Koen. I'll get back to you soon.
Answer
I wasn't able to find a direct answer, here are some relevant sources:
1. Set up Zitadel with Docker Compose: Shows the officially recommended setup using only zitadel, login, and db services, without multi-step (-init/-setup) containers.
2. Configuration Options in ZITADEL: Details on configuring ZITADEL, including environment variables and compose structure, but does not compare multi-step vs. single-step compose approaches.
Feel free to tag @Ask Inkeep with additional questions.