habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

website/integrations: improves netbird documentation (#14191)

Browse Source 
* Matches up the doc with the official NetBird documentation. Also fixes order of the sidebar.

* Removed kbd and used angle brackets

* Changed wording of final section to mention filename and script that needs to be run

* Update website/integrations/services/netbird/index.md

Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>

* Update website/integrations/services/netbird/index.md

Co-authored-by: Dominic R <dominic@sdko.org>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>

* added title to codeblock

---------

Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Dominic R <dominic@sdko.org>
This commit is contained in:
Dewi Roberts
2025-04-24 09:26:40 +01:00
committed by GitHub
parent 2f3ae0f607
commit 5aedc8a5f2
2 changed files with 51 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

57
website/integrations/services/netbird/index.md
View File

@ -33,12 +33,26 @@ To support the integration of NetBird with authentik, you need to create an appl
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. - Under **Protocol Settings**:
- Add two `Strict` redirect URIs and set them to <kbd>http://localhost:53000</kbd> and <kbd>https://<em>netbird.company</em></kbd>. Then, add a `Regex` redirect URI and set it to <kbd>https://<em>netbird.company</em>/.\*</kbd>. - Note the **Client ID**, and **slug** values because they will be required later.
- Set **Client type** to `Public`.
- Add two `Strict` redirect URIs: `http://localhost:53000` and `https://<netbird.company>`.
- Add a `Regex` redirect: `https://<netbird.company>.*`.
- Select any available signing key. - Select any available signing key.
- Under **Advanced Protocol Settings**, set **Access Code Validity** to `minutes=10`, then set **Subject Mode** to be `Based on the User's ID`. - Under **Advanced Protocol Settings**:
- Set **Access Code Validity** to `minutes=10`.
- Set **Subject Mode** to be `Based on the User's ID`.
- Add the `authentik default OAuth Mapping: OpenID 'offline_access'` and `authentik default OAuth Mapping: authentik API access` scopes to **Selected Scopes**.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
:::warning
It is important to set a signing key to secure the provider because this is a `Public` client.
:::
:::note
If an access group is created for the Netbird application, the Netbird service account must be included in the group. Otherwise you will see a 401 error after login.
:::
3. Click **Submit** to save the new application and provider. 3. Click **Submit** to save the new application and provider.
### Set up a service account ### Set up a service account
@ -55,12 +69,26 @@ NetBird requires the service account to have full administrative access to the a
2. Navigate to **Directory** > **Groups**, and click **`authentik Admins`**. 2. Navigate to **Directory** > **Groups**, and click **`authentik Admins`**.
3. On the top of the group configuration page, switch to the **Users** tab near the top of the page, then click **Add existing user**, and select the service account you just created. 3. On the top of the group configuration page, switch to the **Users** tab near the top of the page, then click **Add existing user**, and select the service account you just created.
### Create and apply a device token authentication flow
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Flows and Stages** > **Flows** and click **Create**.
3. Set the following required configurations:
- **Name**: provide a name (e.g. `default-device-code-flow`)
- **Title**: provide a title (e.g. `Device code flow`)
- **Slug**: provide a slug (e.g `default-device-code-flow`)
- **Designation**: `Stage Configuration`
- **Authentication**: `Require authentication`
4. Click **Create**.
5. Navigate to **System** > **Brands** and click the **Edit** icon on the default brand.
6. Set **Default code flow** to the newly created device code flow and click **Update**.
## NetBird configuration ## NetBird configuration
To configure NetBird to use authentik, add the following values to your `setup.env` file: To configure NetBird to use authentik, add the following environment variables to your NetBird deployment:
``` ```yaml showLineNumbers title="setup.env"
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://authentik.company/application/o/netbird/.well-known/openid-configuration" NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://authentik.company/application/o/<application slug>/.well-known/openid-configuration"
NETBIRD_USE_AUTH0=false NETBIRD_USE_AUTH0=false
NETBIRD_AUTH_CLIENT_ID="<Your Client ID>" NETBIRD_AUTH_CLIENT_ID="<Your Client ID>"
NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api" NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
@ -73,6 +101,19 @@ NETBIRD_IDP_MGMT_EXTRA_USERNAME="Netbird"
NETBIRD_IDP_MGMT_EXTRA_PASSWORD="<Your Service Account password>" NETBIRD_IDP_MGMT_EXTRA_PASSWORD="<Your Service Account password>"
``` ```
After making these changes, restart your Docker containers to apply the new configuration. Restart the NetBird service for the changes to take effect. If using Docker, redeploy the NetBird container for the changes to take effect.
Once completed, NetBird should be successfully configured to use authentik as its Single Sign-On provider. ## Configuration verification
To confirm that authentik is properly configured with NetBird, log out and log back in via authentik.
## Troubleshooting
When accessing NetBird through a reverse proxy, you might encounter a loop where the `/peers` URL continuously reloads. To resolve this, set the following variables accordingly:
```yaml title="setup.env"
NETBIRD_MGMT_API_PORT=443
NETBIRD_SIGNAL_PORT=443
```
Run the `configure.sh` script for the change to take effect.

2
website/sidebarsIntegrations.js
View File

@ -127,9 +127,9 @@ module.exports = {
"services/fortigate-ssl/index", "services/fortigate-ssl/index",
"services/fortimanager/index", "services/fortimanager/index",
"services/gravity/index", "services/gravity/index",
"services/netbird/index",
"services/opnsense/index", "services/opnsense/index",
"services/pfsense/index", "services/pfsense/index",
"services/netbird/index",
], ],
}, },
{ {