UniFi Guest Portal

A captive portal for UniFi guest WiFi networks using Authentik OIDC authentication.

Overview

This portal replaces the built-in UniFi captive portal with a custom web app that:

  • Authenticates guests via Authentik OIDC
  • Supports multiple UniFi sites (JFMT, JFHR)
  • Authorizes guest MAC addresses via the UniFi API
  • Supports per-user session duration overrides via Authentik user attributes

Architecture

Guest connects to WiFi
  → UniFi redirects to portal (/portal?site=jfmt&mac=xx:xx&...)
  → Portal initiates Authentik OIDC login
  → Guest authenticates (password + optional MFA)
  → Portal calls UniFi API to authorize guest MAC
  → Guest redirected to original URL

Setup

1. Copy environment file

cp .env.example .env

Edit .env with your Authentik and UniFi credentials.

2. Add static assets

Place the following in app/static/:

  • pup.jpg — the Shiba Inu photo
  • jfmt-pdx-logo.svg — the JFMT-PDX logo

3. Configure Authentik

Create an OIDC provider in Authentik for the portal:

  • Redirect URI: https://portal.jfmt-pdx.net/callback
  • Note the Client ID and Client Secret for your .env

4. Configure UniFi

In UniFi Hotspot Portal:

  • Enable External Portal Server
  • Set URL to https://portal.jfmt-pdx.net/portal

5. Run

docker compose up -d

Per-User Session Duration

By default guests get 24 hours (1440 minutes). To override for a specific user, set the following attribute on their Authentik user profile:

guest_wifi_duration_minutes: 480

Dependencies

License

Apache License 2.0

Description
UniFi Guest WiFi captive portal with Authentik OIDC authentication
Readme 105 KiB
Languages
Python 74.1%
HTML 24.2%
Dockerfile 1.7%