diff --git a/docs/integrations/identity-providers/self-hosted/keycloak.md b/docs/integrations/identity-providers/self-hosted/keycloak.md index 42fa6d93..6ff613c9 100644 --- a/docs/integrations/identity-providers/self-hosted/keycloak.md +++ b/docs/integrations/identity-providers/self-hosted/keycloak.md 
@@ -152,12 +152,64 @@ In this step, we will create and configure the NetBird client audience for Keycl - Switch to `Client scopes` tab - Click `Add client scope` button - Choose `api` -- CLick `Add` choosing `Default` +- Click `Add` choosing `Default` - The value `netbird-client` will be used as audience ![](/img/integrations/identity-providers/self-hosted/keycloack-add-client-scope.png) -### Step 8: Continue with the self-hosting guide +### Step 8: Ensure that all users will join the same NetBird network (Optional) + +In this step, we will configure custom JWT claims that will be included in every generated token. +This step is necessary if you want every user created via Keycloak to join the same NetBird network. +Otherwise, every user will have a separate account and network. + +- Open the Keycloak Admin Console +- Make sure, that the selected realm is `Netbird` +- Click `Client scopes` (left-hand menu) +- Click `Create client scope` button +- Fill in the form with the following values: + - Name: `Domain Token Claims` + - Type: `Default` + - Protocol: `OpenID Connect` +- Click `Save` + +![](/img/integrations/identity-providers/self-hosted/keycloak-domain-token-claim-scope.png) + +- While in the newly created Client Scope, switch to the `Mappers` tab +- Click `Configure a new mapper` +- Choose the `Hardcoded claim` mapping + +![](/img/integrations/identity-providers/self-hosted/keycloack-domain-token-claim-mapper.png) + +- Fill in the form with the following values: + - Name: `domain` + - Token Claim Name: `netbird-clientwt_account_domain`. This is not a typo. The name is a concat of `NETBIRD_AUTH_AUDIENCE` and a `wt_account_domain` string + - Claim value: ``. E.g. 
`netbird.io` + - Click `Save` + +![](/img/integrations/identity-providers/self-hosted/keycloack-domain-token-claim-mapper-domain.png) + +- Repeat the same operation and add a new mapper +- Fill in the form with the following values: + - Name: `domain_category` + - Token Claim Name: `netbird-clientwt_account_domain_category`. This is not a typo. The name is a concat of `NETBIRD_AUTH_AUDIENCE` and a `wt_account_domain_category` string + - Claim value: `private` + - Click `Save` + +![](/img/integrations/identity-providers/self-hosted/keycloack-domain-token-claim-mapper-domain-category.png) + +- Open the Keycloak Admin Console +- Make sure, that the selected realm is `Netbird` +- Click `Clients` +- Choose `netbird-client` from the list +- Switch to `Client scopes` tab +- Click `Add client scope` button +- Choose `Domain_Token_Claims` +- CLick `Add` choosing `Default` + +![](/img/integrations/identity-providers/self-hosted/keycloack-domain-token-claims-client.png) + +### Step 9: Continue with the self-hosting guide Your authority OIDC configuration will be available under: ``` diff --git a/static/img/integrations/identity-providers/self-hosted/keycloack-domain-token-claim-mapper-domain-category.png b/static/img/integrations/identity-providers/self-hosted/keycloack-domain-token-claim-mapper-domain-category.png new file mode 100644 index 00000000..6b05b331 Binary files /dev/null and b/static/img/integrations/identity-providers/self-hosted/keycloack-domain-token-claim-mapper-domain-category.png differ diff --git a/static/img/integrations/identity-providers/self-hosted/keycloack-domain-token-claim-mapper-domain.png b/static/img/integrations/identity-providers/self-hosted/keycloack-domain-token-claim-mapper-domain.png new file mode 100644 index 00000000..1d1a2aff Binary files /dev/null and b/static/img/integrations/identity-providers/self-hosted/keycloack-domain-token-claim-mapper-domain.png differ 
diff --git a/static/img/integrations/identity-providers/self-hosted/keycloack-domain-token-claim-mapper.png b/static/img/integrations/identity-providers/self-hosted/keycloack-domain-token-claim-mapper.png new file mode 100644 index 00000000..669ee2ca Binary files /dev/null and b/static/img/integrations/identity-providers/self-hosted/keycloack-domain-token-claim-mapper.png differ diff --git a/static/img/integrations/identity-providers/self-hosted/keycloack-domain-token-claims-client.png b/static/img/integrations/identity-providers/self-hosted/keycloack-domain-token-claims-client.png new file mode 100644 index 00000000..df338aef Binary files /dev/null and b/static/img/integrations/identity-providers/self-hosted/keycloack-domain-token-claims-client.png differ diff --git a/static/img/integrations/identity-providers/self-hosted/keycloak-domain-token-claim-scope.png b/static/img/integrations/identity-providers/self-hosted/keycloak-domain-token-claim-scope.png new file mode 100644 index 00000000..4378c3e3 Binary files /dev/null and b/static/img/integrations/identity-providers/self-hosted/keycloak-domain-token-claim-scope.png differ
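Review bot: In the new Step 8 of `keycloak.md`, the `Claim value` for the `domain` mapper is an empty code span (`- Claim value: ``. E.g. `netbird.io``), so the reader is never told what to enter; make it an explicit placeholder such as `<your-domain>` and say that it is the domain NetBird should treat as the shared account. Smaller points in the same hunk: the `CLick `Add`` typo that this patch fixes at the top of the hunk is reintroduced in the last bullet of Step 8; the scope is created as `Domain Token Claims` but later selected as `Domain_Token_Claims`, so the two names should agree; "Make sure, that the selected realm" carries a stray comma in both places; and the new image files mix the `keycloack-` and `keycloak-` spellings. Because the two hardcoded claims (`netbird-clientwt_account_domain` and `netbird-clientwt_account_domain_category` set to `private`) are attached as a `Default` client scope and, as the text says, included in every generated token, a one-line note that any user able to authenticate in the `Netbird` realm will land in that single shared account would help readers decide whether this optional step fits their deployment.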