Keycloak

1. Create a client in Keycloak

Log in to your Keycloak Admin Console.
Select your realm (or create one).
Go to Clients → Create client.
Set Client ID (e.g. my-client-id) and Client type to OpenID Connect.
Set Root URL to your Dokploy base URL, e.g. https://your-dokploy-domain.com.
Save.
Open the client, set Access type to confidential, then open the Credentials tab and note the Secret.
From Realm settings → OpenID Endpoint Configuration, note the Issuer (e.g. https://keycloak.example.com/realms/your-realm).

In Dokploy, go to Settings (or Organization / Security in Enterprise).
Enable SSO and choose OpenID Connect.
Enter:
- Provider: my-client-id (Unique)
- Issuer URL: your Keycloak realm URL (e.g. https://keycloak.example.com/realms/your-realm)
- Domain: the domain users use to authenticate via Keycloak (e.g. your organization domain like acme.com), not the Dokploy instance URL
- Client ID: my-client-id
- Client Secret: the secret from the Keycloak client Credentials tab
- Scopes: openid email profile
Save.

In your Keycloak client, go to Settings.
Set Valid redirect URIs to your Dokploy callback URL, for example:
- https://your-dokploy-domain.com/api/auth/callback/my-client-id
Set Valid post logout redirect URIs to:
- https://your-dokploy-domain.com
Set Allowed Origins to:
- https://your-dokploy-domain.com
Save changes.

Redirect URI mismatch — Ensure the callback URL in Dokploy matches exactly what is configured in Keycloak (including protocol and path). Use the same Provider value in the path (e.g. .../api/auth/callback/myorg-name-keycloak).
Invalid client — Double-check Client ID and Client Secret, and that the client is enabled and set to confidential access.
Scopes — Ensure the client is configured to request openid and, if required, email and profile.
Attribute mapping — If user email or name is missing, map Keycloak attributes (e.g. email, preferred_username) in Dokploy if your setup supports it.

For help with your setup, contact us.