some file

PocketID with NetBird Self-Hosted

This guide is a part of the NetBird Self-hosting Guide and explains how to integrate self-hosted NetBird with PocketID.

PocketID is a simplified identity management solution designed for self hosted environments. It is secure and effective, but makes some tradeoffs in terms of features and usability. Notably, it does not allow scoping the access of API Tokens. This isn't an issue per se, but it does mean that you should keep careful track of the token used by NetBird for management.

Step 1. Create and configure PocketID application

In this step, we will create and configure NetBird application in pocketid.

Create new PocketID OIDC Client

  • Navigate to pocketid console
  • Click the Administration dropdown in the left hand bar, then select OIDC Clients
  • Fill in the form with the following values and click Continue
  • Name: NetBird
  • Client Launch URL: https://<domain>
  • Callback URL's:
  • http://localhost:53000
  • https://<domain>/auth
  • https://<domain>/silent-auth
  • Logout Callback URL: https://<domain>/
  • Public Client: On
  • PKCE: On
  • Click Save

high-level-dia

  • Copy Client ID will be used later in the setup.env

Step 2: Application Token Configuration

To configure the application token you need to:

  • Click Administration dropdown in the left hand bar, then select API Keys
  • Click Add API Key
  • Enter the following values and click Save
  • Name: 'NetBird Management Token'
  • Expires At: Pick a date in the future
  • Description: 'NetBird Management Token'
  • Click Save

high-level-dia

  • Copy API Key will be used later in the setup.env

Your authority OIDC configuration will be available under:

https://<YOUR_POCKETID_HOST_AND_PORT>/.well-known/openid-configuration

:::caution Double-check if the endpoint returns a JSON response by calling it from your browser. :::

  • Set properties in the setup.env file:
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://<YOUR_POCKETID_HOST_AND_PORT>/.well-known/openid-configuration"
NETBIRD_USE_AUTH0=false
NETBIRD_AUTH_CLIENT_ID="<CLIENT_ID>"
NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email groups"
NETBIRD_AUTH_AUDIENCE="<CLIENT_ID>"
NETBIRD_AUTH_REDIRECT_URI="/auth"
NETBIRD_AUTH_SILENT_REDIRECT_URI="/silent-auth"
NETBIRD_TOKEN_SOURCE="idToken"

NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="<CLIENT_ID>"
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="<CLIENT_ID>"
NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid profile email groups"
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=true

NETBIRD_MGMT_IDP="pocketid"
NETBIRD_IDP_MGMT_CLIENT_ID="netbird"
NETBIRD_IDP_MGMT_EXTRA_MANAGEMENT_ENDPOINT="https://<YOUR_POCKETID_HOST_AND_PORT>"
NETBIRD_IDP_MGMT_EXTRA_API_TOKEN="<API_TOKEN>"

Step 3: Continue with the NetBird Self-hosting Guide

You've configured all required resources in PocketID. You can now continue with the NetBird Self-hosting Guide.