It's nice to see more OIDC services coming out that (presumably) work well for self-hosting: Pocket-ID (via This Week in Self-Hosted) and Rauthy.
I'm still using kanidm with no need to switch, but it's nice to see maybe-easier things to recommend for other folks to try!
I'm trying to figure out if I can create Service Accounts in Kanidm and get a JWT that will work with pREST. pREST can be configured to use a .well-known URL to pull a JWK. This would allow me to give a long-lived service account API key to each service and keep token generation out of my services.
It looks like not yet! But they seem to be aware of this use case.
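For anyone wondering what that setup asks of the API side, here is an added Go example (not code from pREST or Kanidm) of the verifier half: it parses a JWKS document of the kind served at a .well-known URL and checks a service-account JWT against it by kid, with the algorithm pinned and iss/aud/exp enforced. ES256, the kid value and the issuer and audience strings are assumptions, and the key set is built in memory rather than fetched over HTTP.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)
// JWK is one entry of the key set an IdP publishes at its .well-known JWKS URL (encoding/json matches keys case-insensitively).
type JWK struct{ Kty, Crv, Kid, X, Y string }
var b64 = base64.RawURLEncoding
// ParseJWKS decodes the {"keys":[...]} document a JWKS-configured service downloads.
func ParseJWKS(doc []byte) ([]JWK, error) {
	var set struct{ Keys []JWK }
	err := json.Unmarshal(doc, &set)
	return set.Keys, err
}
// VerifyWithJWKS is the resource-server side: pin the algorithm (never trust the token's
// own alg), pick the key by kid, verify ES256 over header.payload, then enforce iss/aud/exp.
func VerifyWithJWKS(tok string, keys []JWK, iss, aud string, now int64) (string, error) {
	p := strings.Split(tok, ".")
	hdrRaw, err := b64.DecodeString(p[0])
	var hdr struct{ Alg, Kid string }
	if len(p) != 3 || err != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "ES256" {
		return "", errors.New("malformed token or unexpected alg")
	}
	var pub *ecdsa.PublicKey
	for _, k := range keys {
		x, errX := b64.DecodeString(k.X)
		y, errY := b64.DecodeString(k.Y)
		if k.Kid == hdr.Kid && k.Kty == "EC" && k.Crv == "P-256" && errX == nil && errY == nil {
			pub = &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
		}
	}
	sig, err := b64.DecodeString(p[2]) // JWS ES256 signatures are raw r||s, 64 bytes
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if pub == nil || err != nil || len(sig) != 64 ||
		!ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("unknown kid or invalid signature")
	}
	var c struct{ Iss, Aud, Sub string; Exp int64 } // sub identifies the service account
	if body, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(body, &c) != nil || c.Iss != iss || c.Aud != aud || now >= c.Exp {
		return "", errors.New("malformed claims, iss/aud mismatch or token expired")
	}
	return c.Sub, nil
}
```

Key rotation falls out of the kid lookup: the API only needs to re-fetch the JWKS document when it sees a kid it does not know.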