diff --git a/docs/integrations/identity-providers/self-hosted/keycloak.md b/docs/integrations/identity-providers/self-hosted/keycloak.md index cadf7866..7a3d3a83 100644 --- a/docs/integrations/identity-providers/self-hosted/keycloak.md +++ b/docs/integrations/identity-providers/self-hosted/keycloak.md 
@@ -71,28 +71,87 @@ The user will need an initial password set to be able to log in. To do this: ![](/img/integrations/identity-providers/self-hosted/keycloak-set-password.png) -### Step 4: Create NetBird application client +### Step 4: Create a NetBird client -In this step we will create and configure NetBird application client and register with the Keycloak instance. +In this step we will create NetBird application client and register with the Keycloak instance. - Open the Keycloak Admin Console - Make sure, that the selected realm is `Netbird` - Click `Clients` - Click `Create client` button -- Fill in the form with the following values: +- Fill in the form with the following values and click Next: - Client Type: `OpenID Connect` - Client ID: `netbird-client` - Name: `NetBird Application Client` ![](/img/integrations/identity-providers/self-hosted/keycloak-create-client.png) -- Click Next -- Tick the boxes as on the screenshot below and click Save +- Check the checkboxes as on the screenshot below and click Save ![](/img/integrations/identity-providers/self-hosted/keycloak-enable-auth.png) +### Step 5: Adjust NetBird client access settings +In this step we will configure NetBird application client access with the NetBird URLs. 
+- Open the Keycloak Admin Console +- Make sure, that the selected realm is `Netbird` +- Click `Clients` +- Choose `netbird-client` from the list +- Go to `Access Settings` section +- Fill in the fields with the following values: + - Root URL: `https://YOUR DOMAIN/` (this is the NetBird Dashboard root URL) + - Valid redirect URIs: `https://YOUR DOMAIN/*` + - Valid post logout redirect URIs: `https://YOUR DOMAIN/*` + - Web origins: `+` +![](/img/integrations/identity-providers/self-hosted/keycloak-access-settings.png) - - Root URL: `https://YOUR DOMAIN/` \ No newline at end of file +### Step 6: Create a NetBird client scope + +In this step, we will create and configure the NetBird client audience for Keycloak to add it to the generated JWT tokens. + +- Open the Keycloak Admin Console +- Make sure, that the selected realm is `Netbird` +- Click `Client scopes` (left-hand menu) +- Click `Create client scope` button +- Fill in the form with the following values: + - Name: `netbird-client-audience` + - Type: `Default` + - Type: `OpenID Connect` +- Click `Save` + +![](/img/integrations/identity-providers/self-hosted/keycloak-create-client-scope.png) + +- Switch to the `Mappers` tab +- Click `Configure a new mapper` +- Choose the `Audience` mapping + +![](/img/integrations/identity-providers/self-hosted/keycloak-configure-audience-mapper.png) + +- Fill in the form with the following values: + - Name: `Audience for NetBird Management API` + - Included Client Audience: `netbird-client` + - Add to access token: `On` + - Click `Save` + +![](/img/integrations/identity-providers/self-hosted/keycloak-configure-audience-mapper-2.png) + +### Step 7: Add client scope to NetBird client + +- Open the Keycloak Admin Console +- Make sure, that the selected realm is `Netbird` +- Click `Clients` +- Choose `netbird-client` from the list +- Switch to `Client scopes` tab +- Click `Add client scope` button +- Choose `netbird-client-audience` +- CLick `Add` choosing `Default` + 
+![](/img/integrations/identity-providers/self-hosted/keycloack-add-client-scope.png) + +### Step 8: Continue with the self-hosting guide + +Set properties in the setup.env file + +You can now continue with the [NetBird Self-hosting Guide](/getting-started/self-hosting#step-3-configure-identity-provider). \ No newline at end of file diff --git a/static/img/integrations/identity-providers/self-hosted/keycloack-add-client-scope.png b/static/img/integrations/identity-providers/self-hosted/keycloack-add-client-scope.png new file mode 100644 index 00000000..9f3a9274 Binary files /dev/null and b/static/img/integrations/identity-providers/self-hosted/keycloack-add-client-scope.png differ diff --git a/static/img/integrations/identity-providers/self-hosted/keycloak-access-settings.png b/static/img/integrations/identity-providers/self-hosted/keycloak-access-settings.png new file mode 100644 index 00000000..e788a554 Binary files /dev/null and b/static/img/integrations/identity-providers/self-hosted/keycloak-access-settings.png differ diff --git a/static/img/integrations/identity-providers/self-hosted/keycloak-configure-audience-mapper-2.png b/static/img/integrations/identity-providers/self-hosted/keycloak-configure-audience-mapper-2.png new file mode 100644 index 00000000..dce65781 Binary files /dev/null and b/static/img/integrations/identity-providers/self-hosted/keycloak-configure-audience-mapper-2.png differ diff --git a/static/img/integrations/identity-providers/self-hosted/keycloak-configure-audience-mapper.png b/static/img/integrations/identity-providers/self-hosted/keycloak-configure-audience-mapper.png new file mode 100644 index 00000000..3ce8f1a1 Binary files /dev/null and b/static/img/integrations/identity-providers/self-hosted/keycloak-configure-audience-mapper.png differ 
diff --git a/static/img/integrations/identity-providers/self-hosted/keycloak-create-client-scope.png b/static/img/integrations/identity-providers/self-hosted/keycloak-create-client-scope.png new file mode 100644 index 00000000..a91fbf11 Binary files /dev/null and b/static/img/integrations/identity-providers/self-hosted/keycloak-create-client-scope.png differ
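Review bot: In the Step 6 form of the keycloak.md hunk the two fields are both labelled "Type" (`- Type: `Default`` followed by `- Type: `OpenID Connect``); the second one is the client scope's protocol selector in Keycloak's admin console, so it should read `- Protocol: `OpenID Connect`` or a reader will not find the field. In the same hunk, Step 8 adds the bare line "Set properties in the setup.env file" without saying which properties (issuer, client ID, audience) or where they come from; either list them or drop the sentence and leave the link to the self-hosting guide, which already covers that step. Two smaller points in the same hunk: "CLick `Add`" in Step 7 should be "Click", and the new screenshot is named `keycloack-add-client-scope.png` while every other image added here uses the `keycloak-` prefix, so renaming the file and the reference keeps the set consistent. On the Step 5 access settings, `Valid redirect URIs: https://YOUR DOMAIN/*` together with `Web origins: +` is the permissive form (the `+` permits every origin of the listed redirect URIs); it works for a dashboard served from the domain root, but a sentence telling operators to narrow the wildcard to the dashboard's actual callback path when the host serves other applications would be worth adding.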