website/integrations: improves netbird documentation (#14191)

* Matches up the doc with the official NetBird documentation. Also fixes order of the sidebar.

* Removed kbd and used angle brackets

* Changed wording of final section to mention filename and script that needs to be run

* Update website/integrations/services/netbird/index.md

Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>

* Update website/integrations/services/netbird/index.md

Co-authored-by: Dominic R <dominic@sdko.org>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>

* added title to codeblock

---------

Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Dominic R <dominic@sdko.org>

website/integrations/services/netbird/index.md

@@ -33,12 +33,26 @@ To support the integration of NetBird with authentik, you need to create an appl
 - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
-    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
-    - Add two `Strict` redirect URIs and set them to <kbd>http://localhost:53000</kbd> and <kbd>https://<em>netbird.company</em></kbd>. Then, add a `Regex` redirect URI and set it to <kbd>https://<em>netbird.company</em>/.\*</kbd>.
-    - Select any available signing key.
-    - Under **Advanced Protocol Settings**, set **Access Code Validity** to `minutes=10`, then set **Subject Mode** to be `Based on the User's ID`.
+    - Under **Protocol Settings**:
+        - Note the **Client ID**, and **slug** values because they will be required later.
+        - Set **Client type** to `Public`.
+        - Add two `Strict` redirect URIs: `http://localhost:53000` and `https://<netbird.company>`.
+        - Add a `Regex` redirect: `https://<netbird.company>.*`.
+        - Select any available signing key.
+    - Under **Advanced Protocol Settings**:
+        - Set **Access Code Validity** to `minutes=10`.
+        - Set **Subject Mode** to be `Based on the User's ID`.
+        - Add the `authentik default OAuth Mapping: OpenID 'offline_access'` and `authentik default OAuth Mapping: authentik API access` scopes to **Selected Scopes**.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
 
+:::warning
+It is important to set a signing key to secure the provider because this is a `Public` client.
+:::
+
+:::note
+If an access group is created for the Netbird application, the Netbird service account must be included in the group. Otherwise you will see a 401 error after login.
+:::
+
 3. Click **Submit** to save the new application and provider.
 
 ### Set up a service account
@@ -55,12 +69,26 @@ NetBird requires the service account to have full administrative access to the a
 2. Navigate to **Directory** > **Groups**, and click **`authentik Admins`**.
 3. On the top of the group configuration page, switch to the **Users** tab near the top of the page, then click **Add existing user**, and select the service account you just created.
 
+### Create and apply a device token authentication flow
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Flows and Stages** > **Flows** and click **Create**.
+3. Set the following required configurations:
+    - **Name**: provide a name (e.g. `default-device-code-flow`)
+    - **Title**: provide a title (e.g. `Device code flow`)
+    - **Slug**: provide a slug (e.g `default-device-code-flow`)
+    - **Designation**: `Stage Configuration`
+    - **Authentication**: `Require authentication`
+4. Click **Create**.
+5. Navigate to **System** > **Brands** and click the **Edit** icon on the default brand.
+6. Set **Default code flow** to the newly created device code flow and click **Update**.
+
 ## NetBird configuration
 
-To configure NetBird to use authentik, add the following values to your `setup.env` file:
+To configure NetBird to use authentik, add the following environment variables to your NetBird deployment:
 
-```
-NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://authentik.company/application/o/netbird/.well-known/openid-configuration"
+```yaml showLineNumbers title="setup.env"
+NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://authentik.company/application/o/<application slug>/.well-known/openid-configuration"
 NETBIRD_USE_AUTH0=false
 NETBIRD_AUTH_CLIENT_ID="<Your Client ID>"
 NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
@@ -73,6 +101,19 @@ NETBIRD_IDP_MGMT_EXTRA_USERNAME="Netbird"
 NETBIRD_IDP_MGMT_EXTRA_PASSWORD="<Your Service Account password>"
 ```
 
-After making these changes, restart your Docker containers to apply the new configuration.
+Restart the NetBird service for the changes to take effect. If using Docker, redeploy the NetBird container for the changes to take effect.
 
-Once completed, NetBird should be successfully configured to use authentik as its Single Sign-On provider.
+## Configuration verification
+
+To confirm that authentik is properly configured with NetBird, log out and log back in via authentik.
+
+## Troubleshooting
+
+When accessing NetBird through a reverse proxy, you might encounter a loop where the `/peers` URL continuously reloads. To resolve this, set the following variables accordingly:
+
+```yaml title="setup.env"
+NETBIRD_MGMT_API_PORT=443
+NETBIRD_SIGNAL_PORT=443
+```
+
+Run the `configure.sh` script for the change to take effect.