Identity Providers
There are a few Identity Provider options that you can choose from to run a self-hosted version of NetBird.
NetBird supports the generic OpenID Connect (OIDC) protocol, allowing integration with any IDP that follows the specification.
Auth0
This guide is a part of the NetBird Self-hosting Guide and explains how to integrate self-hosted NetBird with Auth0.
Auth0 is a flexible, drop-in solution to add authentication and authorization services to your applications. It is a 3rd party managed service and can't be self-hosted. Auth0 is the right choice if you don't want to manage an Identity Provider (IDP) instance on your own.
If you prefer to have full control over authentication and authorization of your NetBird network, there are good self-hosted alternatives to the managed Auth0 service like Keycloak.
Step 1: Create Auth0 account
To create an Auth0 account, sign up at https://auth0.com.
There are five properties of the `setup.env` file that we will configure in this guide:
- `NETBIRD_AUTH_CLIENT_ID`
- `NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT`
- `NETBIRD_USE_AUTH0`
- `NETBIRD_AUTH_AUDIENCE`
- `NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID` (Optional)
Step 2: Create and configure Auth0 application
This Auth0 application will be used to authorize access to NetBird Dashboard (Web UI).
- Follow the steps in the Auth0 React SDK Guide up until "Install the Auth0 React SDK".
- Use `https://YOUR DOMAIN` as `Allowed Callback URLs`, `Allowed Logout URLs`, `Allowed Web Origins` and `Allowed Origins (CORS)`. Make sure that `Token Endpoint Authentication Method` is set to `None`.
- Use `Client ID` to set the `NETBIRD_AUTH_CLIENT_ID` property in the `setup.env` file.
- Use `Domain` to configure the `NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT` property in the `setup.env` file like so: `https://<YOUR-AUTH0-DOMAIN>/.well-known/openid-configuration`
Double-check if the endpoint returns a JSON response by calling it from your browser.
Step 3: Create and configure Auth0 API
This Auth0 API will be used to access NetBird Management Service API.
- Follow the steps in the Auth0 Create An API guide.
- Use the API `Identifier` to set the `NETBIRD_AUTH_AUDIENCE` property in the `setup.env` file.
- Set `NETBIRD_USE_AUTH0` to `true` in the `setup.env` file.
Step 4: Enable Interactive SSO Login (Optional)
The Interactive SSO Login feature allows for machine authorization with your Identity Provider. This feature can be used as an alternative to setup keys and is optional.
You can enable it by following these steps:
- Log in to your Auth0 account at https://manage.auth0.com/
- Go to `Applications` (left-hand menu)
- Click the `Create Application` button (top right)
- Fill in the form with the following values:
  - Name: `Interactive Login`
  - Application type: `Native`
- Click `Create`
- Click the `Settings` tab
- Copy `Client ID` to `NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID` in the `setup.env` file
- Scroll down to the `Advanced Settings` section
- Enable `Device Code`
- Click `Save Changes`
Step 5: Continue with the self-hosting guide
You can now continue with the NetBird Self-hosting Guide.
Keycloak
This guide is a part of the NetBird Self-hosting Guide and explains how to integrate self-hosted NetBird with Keycloak.
Keycloak is an open source software product to allow single sign-on with Identity and Access Management aimed at modern applications and services.
If you prefer not to self-host an Identity and Access Management solution, then you could use a managed alternative like Auth0.
The following guide is an adapted version of the original Keycloak on Docker guide from the official website.
Expected Result
After completing this guide, you can log in to your self-hosted NetBird Dashboard and add your machines to your network using the Interactive SSO Login feature over Keycloak.
Step 1: Check your Keycloak Instance
For this guide, you need a fully configured Keycloak instance running with SSL.
We assume that your Keycloak instance is available at `https://YOUR-KEYCLOAK-HOST-AND-PORT`.
Feel free to change the port if you have configured Keycloak with a different one.
Most of the OIDC software requires SSL for production use. We encourage you to comply with this requirement to make the world more secure 😊.
Step 2: Create a realm
To create a realm you need to:
- Open the Keycloak Admin Console
- Hover the mouse over the dropdown in the top-left corner where it says `Master`, then click on `Create Realm`
- Fill in the form with the following values:
  - Realm name: `netbird`
- Click `Create`
Step 3: Create a user
In this step we will create a NetBird administrator user.
- Open the Keycloak Admin Console
- Make sure that the selected realm is `netbird`
- Click `Users` (left-hand menu)
- Click `Create new user`
- Fill in the form with the following values:
  - Username: `netbird`
- Click `Create`
The user will need an initial password set to be able to log in. To do this:
- Click the `Credentials` tab
- Click the `Set password` button
- Fill in the password form with a password
- Set the `Temporary` field to `Off` to avoid having to update the password on first login
- Click `Save`
Step 4: Create a NetBird client
In this step we will create the NetBird application client and register it with the Keycloak instance.
- Open the Keycloak Admin Console
- Make sure that the selected realm is `netbird`
- Click `Clients`
- Click the `Create client` button
- Fill in the form with the following values and click `Next`:
  - Client Type: `OpenID Connect`
  - Client ID: `netbird-client`
- Your newly created client `netbird-client` will be used later to set `NETBIRD_AUTH_CLIENT_ID` in the `setup.env`
- Check the checkboxes as on the screenshot below and click `Save`
Step 5: Adjust NetBird client access settings
In this step we will configure the NetBird application client access with the NetBird URLs.
- Open the Keycloak Admin Console
- Make sure that the selected realm is `netbird`
- Click `Clients`
- Choose `netbird-client` from the list
- Go to the `Access Settings` section
- Fill in the fields with the following values:
  - Root URL: `https://YOUR DOMAIN/` (this is the NetBird Dashboard root URL)
  - Valid redirect URIs: `https://YOUR DOMAIN/*`
  - Valid post logout redirect URIs: `https://YOUR DOMAIN/*`
  - Web origins: `+`
- Click `Save`
Step 6: Create a NetBird client scope
In this step, we will create and configure the NetBird client audience so that Keycloak adds it to the generated JWT tokens.
- Open the Keycloak Admin Console
- Make sure that the selected realm is `netbird`
- Click `Client scopes` (left-hand menu)
- Click the `Create client scope` button
- Fill in the form with the following values:
  - Name: `api`
  - Type: `Default`
  - Protocol: `OpenID Connect`
- Click `Save`
- While in the newly created client scope, switch to the `Mappers` tab
- Click `Configure a new mapper`
- Choose the `Audience` mapping
- Fill in the form with the following values:
  - Name: `Audience for NetBird Management API`
  - Included Client Audience: `netbird-client`
  - Add to access token: `On`
- Click `Save`
Step 7: Add client scope to NetBird client
- Open the Keycloak Admin Console
- Make sure that the selected realm is `netbird`
- Click `Clients`
- Choose `netbird-client` from the list
- Switch to the `Client scopes` tab
- Click the `Add client scope` button
- Choose `api`
- Click `Add`, choosing `Default`
- The value `netbird-client` will be used as the audience
Step 8: Create a NetBird-Backend client
In this step we will create the NetBird backend client and register it with the Keycloak instance.
- Open the Keycloak Admin Console
- Make sure that the selected realm is `netbird`
- Click `Clients`
- Click the `Create client` button
- Fill in the form with the following values and click `Next`:
  - Client Type: `OpenID Connect`
  - Client ID: `netbird-backend`
- Your newly created client `netbird-backend` will be used later to set `KeycloakClientCredentials` in the `management.json`
- Check the checkboxes as on the screenshot below and click `Save`
The client will need a secret to authenticate. To do this:
- Click the `Credentials` tab
- Copy the `client secret`; it will be used later to set `ClientSecret` in the `management.json`
Step 9: Add manage-users role to netbird-backend
- Open the Keycloak Admin Console
- Make sure that the selected realm is `netbird`
- Click `Clients`
- Choose `netbird-backend` from the list
- Switch to the `Service accounts roles` tab
- Click the `Assign roles` button
- Select `Filter by clients` and search for `manage-users`
- Check the role checkbox and click `Assign`
Your authority OIDC configuration will be available under:
https://<YOUR-KEYCLOAK-HOST-AND-PORT>/realms/netbird/.well-known/openid-configuration
Double-check if the endpoint returns a JSON response by calling it from your browser.
- Set properties in the `setup.env` file:
  - `NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT=https://<YOUR-KEYCLOAK-HOST-AND-PORT>/realms/netbird/.well-known/openid-configuration`
  - `NETBIRD_AUTH_CLIENT_ID=netbird-client`
  - `NETBIRD_AUTH_AUDIENCE=netbird-client`
  - `NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=netbird-client`. Optional; it enables the Interactive SSO Login feature (OAuth 2.0 Device Authorization Flow).
- You can now continue with the NetBird Self-hosting Guide.
- Set property `IdpManagerConfig` in the `management.json` file with:
The file `management.json` is created automatically. Please refer here for more information.
{
"ManagerType": "keycloak",
"KeycloakClientCredentials": {
"ClientID": "netbird-backend",
"ClientSecret": "<netbird-backend-client-secret>",
"GrantType": "client_credentials",
"TokenEndpoint": "https://<YOUR-KEYCLOAK-HOST-AND-PORT>/realms/netbird/protocol/openid-connect/token",
"AdminEndpoint": "https://<YOUR-KEYCLOAK-HOST-AND-PORT>/admin/realms/netbird"
}
}
Make sure that your Keycloak instance uses HTTPS. Otherwise, the setup won't work.
Azure AD
This guide is a part of the NetBird Self-hosting Guide and explains how to integrate self-hosted NetBird with Azure AD.
Azure AD is an enterprise identity service that provides single sign-on and multifactor authentication to your applications. It is a 3rd party managed service and can't be self-hosted.
If you prefer to have full control over authentication and authorization of your NetBird network, there are good self-hosted alternatives to the managed Azure AD service like Keycloak.
Before you start creating and configuring an Azure AD application, ensure that you have the following:
- An Azure account: To create an Azure AD application, you must have an Azure account. If you don't have one, sign up for a free account at https://azure.microsoft.com/free/.
- User account with appropriate permissions: You must have an Azure AD user account with the appropriate permissions to create and manage Azure AD applications. If you don't have the required permissions, ask your Azure AD administrator to grant them to you.
Step 1. Create and configure Azure AD application
In this step, we will create and configure the NetBird application in Azure AD.
- Navigate to Azure Active Directory
- Click `App Registrations` in the left menu, then click on the `+ New registration` button to create a new application.
- Fill in the form with the following values and click `Register`:
  - Name: `Netbird`
  - Account Types: `Accounts in this organizational directory only (Default Directory only - Single tenant)`
  - Redirect URI: select `Single-page application (SPA)` and set the URI to `https://<yournetbirddomain.com>/silent-auth`
Step 2. Platform configurations
- Click `Authentication` on the left side menu
- Under the `Single-page application` section, add another URI: `https://<yournetbirddomain.com>/auth`
- Scroll down, set up the other options as on the screenshot below, and click `Save`
Step 3. Create a NetBird application scope
- Click `Expose an API` on the left menu
- Under `Application ID URI`, click `Set` and then `Save`
- Click `+ Add a Scope`
- Fill in the form with the following values and click `Add scope`:
  - Scope name: `api`
- Under `Authorized client Applications`, click on `+ Add a client application`, fill in the form with the following values, and click `Add application`:
  - Client ID: same as your Application ID URI minus the `api://` prefix
Step 4. Add API permissions
- Add `Netbird` permissions:
  - Click `API permissions` on the left menu
  - Click `Add a permission`
  - Click the `My APIs` tab and select `Netbird`. Next, check the `api` permission checkbox and click `Add permissions`.
- Add `Delegated permissions` to Microsoft Graph:
  - Click `Add a permission`
  - Click `Microsoft Graph`, then click the `Delegated permissions` tab, check all permissions under the `OpenId permissions` section, and click `Add permissions`
- Add `Application permissions` to Microsoft Graph:
  - Click `Add a permission`
  - Click `Microsoft Graph`, then click the `Application permissions` tab
  - Search for `User.ReadWrite.All` and, under the `User` section, check the `User.ReadWrite.All` checkbox
  - Search for `Application.ReadWrite.All` and, under the `Application` section, check the `Application.ReadWrite.All` checkbox, then click `Add permissions`
- Click `Grant admin consent for Default Directory` and click `Yes`
Step 5. Update token version
- Click `Manifest` on the left menu
- Search for `accessTokenAcceptedVersion` and change the value from `null` to `2`
- Click `Save`
Step 6. Generate client secret
- Click `Certificates & secrets` on the left menu
- Click `New client secret`
- Fill in the form with the following values and click `Add`:
  - Description: `Netbird`
- Copy `Value` and save it, as it can be viewed only once after creation.
Your authority OIDC configuration will be available under:
https://login.microsoftonline.com/<tenant_id>/v2.0/.well-known/openid-configuration
Double-check if the endpoint returns a JSON response by calling it from your browser.
- Set properties in the `setup.env` file:
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://login.microsoftonline.com/<tenant_id>/v2.0/.well-known/openid-configuration"
NETBIRD_USE_AUTH0=false
NETBIRD_AUTH_CLIENT_ID="<application_id>"
NETBIRD_AUTH_AUDIENCE="<application_id>"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="<application_id>"
NETBIRD_AUTH_REDIRECT_URI="/auth"
NETBIRD_AUTH_SILENT_REDIRECT_URI="/silent-auth"
NETBIRD_AUTH_USER_ID_CLAIM="oid"
- You can now continue with the NetBird Self-hosting Guide.
- Set property `IdpManagerConfig` in the `management.json` file with:
The file `management.json` is created automatically. Please refer here for more information.
{
"ManagerType": "azure",
"AzureClientCredentials": {
"ClientID": "<application_id>",
"ClientSecret": "<client_secret>",
"GrantType": "client_credentials",
"ObjectID": "<object_id>",
"TokenEndpoint": "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token",
"GraphAPIEndpoint": "https://graph.microsoft.com/v1.0"
}
}
- Modify the value of the `AUTH_SUPPORTED_SCOPES` environment variable for the dashboard service in the `docker-compose.yml` file to `openid profile email offline_access api://<application_id>/api`.
- Modify the `Scope` value in `DeviceAuthorizationFlow` within the `management.json` to `api://<application_id>/api`.
Zitadel
This guide is a part of the NetBird Self-hosting Guide and explains how to integrate self-hosted NetBird with Zitadel.
If you prefer not to self-host an Identity and Access Management solution, then you could use a managed alternative like Auth0.
Step 1. Create and configure Zitadel application
In this step, we will create and configure the NetBird application in Zitadel.
Create new Zitadel project
- Navigate to the Zitadel console
- Click `Projects` at the top menu, then click `Create New Project` to create a new project
- Fill in the form with the following values and click `Continue`:
  - Name: `NETBIRD`
Create new Zitadel application
- Click `Projects` in the top menu and select the `NETBIRD` project from the list
- Click `New` in the `APPLICATIONS` section to create a new application
- Fill in the form with the following values and click `Continue`:
  - Name: `netbird`
  - TYPE OF APPLICATION: `User Agent`
- Fill in the form with the following values and click `Continue`:
  - Authentication Method: `PKCE`
- Fill in the form with the following values and click `Continue`:
  - Redirect URIs: `https://<domain>/auth` and click `+`
  - Post Logout URIs: `https://<domain>/silent-auth` and click `+`
- Verify the application details, click `Create`, and then click `Close`
- Under `Grant Types` select `Authorization Code`, `Device Code` and `Refresh Token` and click `Save`
- Copy the `Client ID`; it will be used later in the `setup.env`
Step 2: Application Token Configuration
To configure the `netbird` application token you need to:
- Click `Projects` in the top menu and select the `NETBIRD` project from the list
- Select the `netbird` application from the `APPLICATIONS` section
- Click `Token Settings` in the left menu
- Fill in the form with the following values:
  - Auth Token Type: `JWT`
  - Check the `Add user roles to the access token` checkbox
- Click `Save`
Step 3: Application Redirect Configuration
:::caution
This step is intended for setups running in development mode with no SSL.
:::
To configure the `netbird` application redirect you need to:
- Click `Projects` in the top menu and select the `NETBIRD` project from the list
- Select the `netbird` application from the `APPLICATIONS` section
- Click `Redirect Settings` in the left menu
- Fill in the form with the following values:
  - Toggle `Development Mode`
- Click `Save`
Step 4: Create a Service User
In this step we will create a `netbird` service user.
- Click `Users` in the top menu
- Select the `Service Users` tab
- Click `New`
- Fill in the form with the following values:
  - User Name: `netbird`
  - Name: `netbird`
  - Description: `Netbird Service User`
  - Access Token Type: `JWT`
- Click `Create`
In this step we will generate a `ClientSecret` for the `netbird` service user.
- Click `Actions` in the top right corner and click `Generate Client Secret`
- Copy the `ClientSecret` from the dialog; it will be used later to set `ClientSecret` in the `management.json`
Step 5: Grant manage-users role to netbird service user
In this step we will grant the `Org User Manager` role to the `netbird` service user.
- Click `Organization` in the top menu
- Click `+` in the top right corner
- Search for the `netbird` service user
- Check the `Org User Manager` checkbox
- Click `Add`
Your authority OIDC configuration will be available under:
https://<YOUR-ZITADEL-HOST-AND-PORT>/.well-known/openid-configuration
:::caution
Double-check if the endpoint returns a JSON response by calling it from your browser.
:::
- Set properties in the `setup.env` file:
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://<YOUR-ZITADEL-HOST-AND-PORT>/.well-known/openid-configuration"
NETBIRD_USE_AUTH0=false
NETBIRD_AUTH_CLIENT_ID="<Client ID>"
NETBIRD_AUTH_AUDIENCE="<Client ID>"
NETBIRD_AUTH_REDIRECT_URI="/auth"
NETBIRD_AUTH_SILENT_REDIRECT_URI="/silent-auth"
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="hosted"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="<Client ID>"
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="<Client ID>"
- You can now continue with the NetBird Self-hosting Guide.
- Set property `IdpManagerConfig` in the `management.json` file with:
:::caution
The file `management.json` is created automatically. Please refer here for more information.
:::
{
"ManagerType": "zitadel",
"ZitadelClientCredentials": {
"ClientID": "netbird",
"ClientSecret": "<CLIENT SECRET>",
"GrantType": "client_credentials",
"TokenEndpoint": "https://<YOUR-ZITADEL-HOST-AND-PORT>/oauth/v2/token",
"ManagementEndpoint": "https://<YOUR-ZITADEL-HOST-AND-PORT>/management/v1"
}
}
Authentik
This guide is a part of the NetBird Self-hosting Guide and explains how to integrate self-hosted NetBird with Authentik.
If you prefer not to self-host an Identity and Access Management solution, then you could use a managed alternative like Auth0.
Step 1: Create OAuth2/OpenID Provider
In this step, we will create an OAuth2/OpenID Provider in Authentik.
- Navigate to the authentik admin interface
- Click `Applications` on the left menu, then click `Providers`
- Click `Create` to create a new provider
- Fill in the form with the following values and click `Next`:
  - Type: `OAuth2/OpenID Provider`
- Fill in the form with the following values and click `Finish`:
  - Name: `Netbird`
  - Authentication Flow: `default-authentication-flow (Welcome to authentik!)`
  - Authorization Flow: `default-provider-authorization-explicit-consent (Authorize Application)`
  - Protocol Settings:
    - Client type: `Public`
    - Redirect URIs/Origins (RegEx): `*`
  - Advanced protocol settings:
    - Subject mode: `Based on the User's ID`
- Take note of the `Client ID`; we will use it later
Step 2: Create external applications
In this step, we will create the external application in Authentik.
- Navigate to the authentik admin interface
- Click `Applications` on the left menu, then click `Applications`
- Click `Create` to create a new application
- Fill in the form with the following values and click `Create`:
  - Name: `Netbird`
  - Slug: `netbird`
  - Provider: `Netbird`
Step 3: Create service account
In this step, we will create a service account.
- Navigate to the authentik admin interface
- Click `Directory` on the left menu, then click `Users`
- Click `Create Service Account` to create a service account
- Fill in the form with the following values and click `Create`:
  - Username: `Netbird`
  - Create Group: `Disable`
- Take note of the service account `username` and `password`; we will need them later
Step 4: Add service account to admin group
In this step, we will add the `Netbird` service account to the `authentik Admins` group.
- Navigate to the authentik admin interface
- Click `Directory` on the left menu, then click `Groups`
- Click `authentik Admins` in the list of groups and select the `Users` tab at the top
- Click `Add existing user` and click the `+` button to add a user
- Select `Netbird` and click `Add`
- Disable `Hide service-accounts` and verify that user `Netbird` has been added to the group
Your authority OIDC configuration will be available under:
https://<YOUR-AUTHENTIK-HOST-AND-PORT>/application/o/netbird/.well-known/openid-configuration
Double-check if the endpoint returns a JSON response by calling it from your browser.
- Set properties in the `setup.env` file:
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://<YOUR-AUTHENTIK-HOST-AND-PORT>/application/o/netbird/.well-known/openid-configuration"
NETBIRD_USE_AUTH0=false
NETBIRD_AUTH_CLIENT_ID="<PROVIDER Client ID>"
NETBIRD_AUTH_AUDIENCE="<PROVIDER Client ID>"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="<PROVIDER Client ID>"
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="<PROVIDER Client ID>"
- You can now continue with the NetBird Self-hosting Guide.
- Set property `IdpManagerConfig` in the `management.json` file with:
The file `management.json` is created automatically. Please refer here for more information.
{
"ManagerType": "authentik",
"ClientConfig": {
"Issuer": "https://<YOUR-AUTHENTIK-HOST-AND-PORT>",
"ClientID": "<PROVIDER Client ID>",
"TokenEndpoint": "https://<YOUR-AUTHENTIK-HOST-AND-PORT>/application/o/token",
"GrantType": "client_credentials"
},
"ExtraConfig": {
"Username": "Netbird",
"Password": "<SERVICE ACCOUNT PASSWORD>"
}
}
Okta
This guide is a part of the NetBird Self-hosting Guide and explains how to integrate self-hosted NetBird with Okta.
If you prefer to have full control over authentication and authorization of your NetBird network, there are good self-hosted alternatives to the managed Okta service like Keycloak.
Before you start creating and configuring an Okta application, ensure that you have an Okta workforce identity cloud account. If you don't have one, sign up for a free account at https://www.okta.com/free-trial/.
Step 1. Create and configure Okta single-page application
In this step, we will create and configure the Netbird single-page application in Okta.
- Navigate to the Okta Admin Dashboard
- Click `Applications` in the left menu and then click on `Applications`
- Click `Create App Integration`
- Fill in the form with the following values and click `Next`:
  - Sign-in method: `OIDC - OpenID Connect`
  - Application type: `Single-Page Application`
- Fill in the form with the following values and click `Save`:
  - App integration name: `Netbird`
  - Grant type: `Authorization Code` and `Refresh Token`
  - Sign-in redirect URIs: `https://<yournetbirddomain.com>/auth` and `https://<yournetbirddomain.com>/silent-auth`
  - Sign-out redirect URIs: `https://<yournetbirddomain.com>/`
- Click `Save`
- Navigate to the Okta Admin Dashboard
- Click `Applications` in the left menu and then click on `Applications`
- Select the `Netbird` application in the list and take note of the `Client ID`; we will use it later
- Click on the `Sign On` tab in the top menu
- Under the `OpenID Connect ID Token` section, click `Edit` and update `Issuer` to use the `Okta URL`
- Click `Save`
Step 2. Create and configure Okta native application
In this step, we will create and configure the Netbird native application in Okta.
- Navigate to the Okta Admin Dashboard
- Click `Applications` in the left menu and then click on `Applications`
- Click `Create App Integration`
- Fill in the form with the following values and click `Next`:
  - Sign-in method: `OIDC - OpenID Connect`
  - Application type: `Native Application`
- Fill in the form with the following values and click `Save`:
  - App integration name: `Netbird Native App`
  - Grant type: `Device Authorization`
- Click `Save`
- Navigate to the Okta Admin Dashboard
- Click `Applications` in the left menu and then click on `Applications`
- Select the `Netbird Native App` application in the list and take note of the `Client ID`; we will use it later
- Click on the `Sign On` tab in the top menu
- Under the `OpenID Connect ID Token` section, click `Edit` and update `Issuer` to use the `Okta URL`
- Click `Save`
Step 3. Generate api token
In this step, we will generate a Netbird API token in Okta for authorizing calls to the user API.
- Navigate to the Okta Admin Dashboard
- Click `Security` in the left menu and then click on `API`
- Click on the `Tokens` tab in the top menu
- Click `Create token`
- Fill in the form with the following values and click `Create token`:
  - Name: `Netbird`
- Take note of the token value and click `OK, got it`
Your authority OIDC configuration will be available under:
https://<your_okta_organization_url>/.well-known/openid-configuration
Double-check if the endpoint returns a JSON response by calling it from your browser.
- Set properties in the `setup.env` file:
NETBIRD_DOMAIN="<your_domain>"
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://<your_okta_organization_url>/.well-known/openid-configuration"
NETBIRD_USE_AUTH0=false
NETBIRD_AUTH_AUDIENCE="<netbird_client_id>"
NETBIRD_AUTH_CLIENT_ID="<netbird_client_id>"
NETBIRD_AUTH_REDIRECT_URI="/auth"
NETBIRD_AUTH_SILENT_REDIRECT_URI="/silent-auth"
NETBIRD_TOKEN_SOURCE="idToken"
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="hosted"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="<netbird_native_client_id>"
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="<netbird_native_client_id>"
NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid email"
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=true
- You can now continue with the NetBird Self-hosting Guide.
- Set property `IdpManagerConfig` in the `management.json` file with:
The file `management.json` is created automatically. Please refer here for more information.
{
"ManagerType": "okta",
"ClientConfig": {
"Issuer": "<ISSUER_URL>",
"TokenEndpoint": "<ISSUER_URL>/oauth2/v1/token",
"GrantType": "client_credentials"
},
"ExtraConfig": {
"APIToken": "<api_token>"
}
}
- Modify the value of the `AUTH_SUPPORTED_SCOPES` environment variable for the dashboard service in the `docker-compose.yml` file to `openid profile email`.