Configure Oauth for Portainer

Hello all,

i’am running Keycloak with Version 23.0.7 on Univention Server. I’ve configured Nextcloud for Saml and Proxmox for OpenID (Oauth). No my next goal is to configure Portainer für OpenID authentication. That i have done.

At least I already get an error message: Unauthorized

Thats good so i can see the Communication is working no. Here are my entries in portainer:

Client ID: portainer
Client secret: XXX
Authorization URL: https:/
Access token URL: https:/
Resource URL: https:/
Redirect URL: https:/
Logout URL: https:/
User identifier: username (should be ok, because the same works for Proxmox)
Scopes: Tested here a lot of things: mail, email, name, id…

(the links have only one “/” because i can’t post links, i’am new at the forum=

I even see a running session in Keycloak for Portainer, but it won’t let me in. Always “Unauthorized”.

Under Keycloak i’ve configured not very much.

Any idea? That can only be a small thing.

  • Client-ID
  • Valid redirect URIs
  • Web Origins (filled in automaticliy)
  • Client authentication, Authorization are “on”
  • Authentication flow: Standard flow, Direct access grants and OAuth 2.0 Device Authorization Grant are also “on”

Very Thanks


The scopes must at least contain openid, without the userinfo endpoint responds with unauthorized. So you can try:
Scopes: openid,email,profile
(check portainer documentation for correct multivalued syntax)
Scopes: openid
(if you don’t need mail addresses, names etc…)