# Authentik OAuth/ OIDC Setup - Portainer

Authentik uses many ways to connect to services, one being OAuth or Open ID Connect. This method is widely used on many services, such as Portainer.

Please follow Authentik and Portainer documentation

- [Portainer OAuth Setup Documentation](https://docs.portainer.io/admin/settings/authentication/oauth)
- [Authentik Portainer Integration Documentation](https://integrations.goauthentik.io/hypervisors-orchestrators/portainer/)

##### Authentik OAuth:

1. Login to Authentik **Admin Interface**
2. Go to **Applications** and select **Create with Provider**
    1. Choose a name and group
    2. Under **URI** in **Launch URL** enter [**https://portainer.cyberpaw.org**](https://portainer.cyberpaw.org)
    3. Choose **Oauth2** Provider
    4. Name the provider same as application
    5. For Authorization Flow choose **Cyberpaw-authorization-flow** (or default one)
    6. Make sure **Confidential** is selected for Client Type
    7. Copy Client ID and Client Key
    8. In Redirect URIs enter [**https://portainer.cyberpaw.org**](https://portainer.cyberpaw.org) (check portainer instructions for more detail)
    9. For Encryption key choose **default-authentic-self-signed-certificate**
    10. Under **Advanced flow** settings choose **Welcome to Authentick** (or default one)
    11. Under **Configure Bindings** click **Bind existing policy/group/users**
    12. Select **Group** and choose existing group that is authorized to use this service
    13. Review and Submit
3. The provider is created and should say it's connected to application

##### Portainer Steps:

1. Navigate to Portainer page and login
2. Under **Settings** go to **Authentication** and select **OAuth**
3. Enable **use SSO**

[![image.png](https://docs.cyberpaw.org/uploads/images/gallery/2025-08/scaled-1680-/image.png)](https://docs.cyberpaw.org/uploads/images/gallery/2025-08/image.png)

4. Choose **Automatic User Provisioning** allowing other Authentik users that don't have Portainer user can login 
    1. If not selected you will need to create an account with same email as Authentik user
5. Scroll down to **OAuth Configuration**
    1. Copy and Paste all the field ID, secret and URLs from Provider information in Authentik 
        1. Go back to Authentik **Admin Interface**
        2. Lower **Application** Section and click **Providers**
        3. Click on **Portainer** Provider and copy all the required information to Portainers OAuth Configuration
    2. For User Identification type "**email"**
    3. For Scope type "**email oauth provider" -**Portainer documentation says to use dashes but use space instead
    4. Save
6. Logout and you should see **Login with OAuth** button