- Go to your Keycloak admin console (e.g., `https://auth.example.com/`).
- Log in with your admin credentials.
If you don't already have a realm:
- Click Add Realm in the left-hand menu.
- Name your realm (e.g., `unifi-voucher`).
- Save the realm.
- Inside your realm, go to Clients in the left-hand menu.
- Click Create.
- Fill in the following fields:
  - Client ID: `unifi-voucher-site` (you can choose any name relevant to your UniFi Voucher Site).
  - Client Protocol: `openid-connect`.
- Click Save.
You'll see various tabs for configuring the client. Set the following fields:
- Go to the Settings tab.
- Set Access Type to `confidential`.
- Ensure Standard Flow Enabled is set to `ON`.
- Set Valid Redirect URIs to your UniFi voucher callback URL (e.g., `https://voucher.example.com/oidc/callback`).
- Click Save.
- After saving, go to the Credentials tab to get the Client Secret. This secret will be used by your UniFi Voucher Site when authenticating as a confidential client.
Now, configure your UniFi Voucher Site to use the Keycloak client.
- In your UniFi Voucher Site configuration, set `AUTH_OIDC_ENABLED` to `true`.
- Set `AUTH_OIDC_CLIENT_ID` to the Client ID configured in Keycloak (e.g., `unifi-voucher-site`).
- Provide the `AUTH_OIDC_CLIENT_SECRET` (found in the Credentials tab in Keycloak).
- Provide the `AUTH_OIDC_ISSUER_BASE_URL` from your Keycloak server (e.g., `https://auth.example.com/realms/{realm}/.well-known/openid-configuration`).
- Provide the `AUTH_OIDC_APP_BASE_URL` of your UniFi Voucher Site instance (e.g., `https://voucher.example.com`).
- Restart the container after these changes.
- Test the login flow from your UniFi Voucher Site. Ensure it redirects to Keycloak for authentication.
- After logging in, the user should be redirected back to the voucher site with the appropriate tokens.
- Invalid Redirect URI: Ensure the callback URI matches what is configured in Keycloak.
- Client Secret Errors: Double-check the client secret in both Keycloak and your UniFi configuration.
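The two troubleshooting items above (a callback URL that does not match the Keycloak client, and a wrong or missing client secret) can both be caught before the first login attempt by comparing the container's environment with the client's Valid Redirect URIs list. The script below is an added example and is not part of the unifi-voucher-site project or of Keycloak; the environment values and the redirect URI list are constructed samples, the `/oidc/callback` path is assumed from the example redirect URI in this guide, and the matcher reproduces Keycloak's rule that a trailing `*` in a Valid Redirect URI acts as a wildcard (my reading of that rule, not Keycloak's own code). It flags a wildcard entry as a problem because the guide registers the exact callback URL, which is also the tighter setting.

```python
"""Offline consistency check for the UniFi Voucher Site OIDC settings.

Added example, not project or Keycloak code. Compares the container environment
with the Keycloak client's "Valid Redirect URIs" entries. All sample values are
constructed for illustration.
"""
from urllib.parse import urlparse

# Assumed: the callback path used by the guide's example redirect URI.
CALLBACK_PATH = "/oidc/callback"
WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"

# Constructed sample environment the voucher site container would start with.
SAMPLE_ENV = {
    "AUTH_OIDC_ENABLED": "true",
    "AUTH_OIDC_CLIENT_ID": "unifi-voucher-site",
    "AUTH_OIDC_CLIENT_SECRET": "constructed-example-secret-not-real",
    "AUTH_OIDC_ISSUER_BASE_URL": "https://auth.example.com/realms/unifi-voucher" + WELL_KNOWN_SUFFIX,
    "AUTH_OIDC_APP_BASE_URL": "https://voucher.example.com",
}

# Constructed sample of the Keycloak client's "Valid Redirect URIs" list.
SAMPLE_REDIRECT_URIS = ["https://voucher.example.com/oidc/callback"]


def callback_url(env):
    """The redirect_uri the voucher site will send, derived from its base URL."""
    return env.get("AUTH_OIDC_APP_BASE_URL", "").rstrip("/") + CALLBACK_PATH


def redirect_uri_allowed(uri, registered):
    """Exact match, or a pattern ending in '*' matches any suffix (Keycloak's rule, as assumed here)."""
    for pattern in registered:
        if pattern.endswith("*"):
            if uri.startswith(pattern[:-1]):
                return True
        elif uri == pattern:
            return True
    return False


def check_config(env, registered_redirect_uris):
    """Return a list of problems; an empty list means the two sides are consistent."""
    problems = []

    if env.get("AUTH_OIDC_ENABLED", "").strip().lower() != "true":
        problems.append("AUTH_OIDC_ENABLED must be 'true'")

    if not env.get("AUTH_OIDC_CLIENT_ID"):
        problems.append("AUTH_OIDC_CLIENT_ID is empty; it must equal the Keycloak Client ID")

    secret = env.get("AUTH_OIDC_CLIENT_SECRET", "")
    if not secret or secret.startswith("<") or secret.lower() == "changeme":
        problems.append("AUTH_OIDC_CLIENT_SECRET is missing or still a placeholder; copy it from the Credentials tab")

    issuer = urlparse(env.get("AUTH_OIDC_ISSUER_BASE_URL", ""))
    if issuer.scheme != "https":
        problems.append("AUTH_OIDC_ISSUER_BASE_URL must use https (the client secret and tokens travel over it)")
    if "/realms/" not in issuer.path:
        problems.append("AUTH_OIDC_ISSUER_BASE_URL should point at a realm: https://<host>/realms/<realm>/...")
    if not issuer.path.endswith(WELL_KNOWN_SUFFIX):
        problems.append("AUTH_OIDC_ISSUER_BASE_URL should end with " + WELL_KNOWN_SUFFIX)

    app = urlparse(env.get("AUTH_OIDC_APP_BASE_URL", ""))
    if app.scheme != "https" or not app.netloc:
        problems.append("AUTH_OIDC_APP_BASE_URL must be an absolute https URL")

    cb = callback_url(env)
    if not redirect_uri_allowed(cb, registered_redirect_uris):
        problems.append(f"callback {cb} is not covered by the client's Valid Redirect URIs {registered_redirect_uris}")
    # Policy choice for this check: the guide registers the exact callback URL, so a wildcard is flagged.
    if any(p.endswith("*") for p in registered_redirect_uris):
        problems.append("a wildcard Valid Redirect URI is registered; prefer the exact callback URL")

    return problems


if __name__ == "__main__":
    for line in check_config(SAMPLE_ENV, SAMPLE_REDIRECT_URIS) or ["configuration looks consistent"]:
        print(line)
```

Run it with the real environment of your container (for example by loading the values from the same `.env` file you pass to Docker) and the Valid Redirect URIs copied from the client's Settings tab; any non-empty result maps directly onto one of the troubleshooting items above.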