add authentik idp setup docs

2026-04-16 15:36:36 +00:00 · 2023-05-25 15:55:22 +03:00
parent dbc55502f9
commit c506d3ee16
7 changed files with 125 additions and 0 deletions
--- a/src/pages/docs/selfhosted/identity-providers.mdx
+++ b/src/pages/docs/selfhosted/identity-providers.mdx
@@ -698,3 +698,128 @@ The file management.json is created automatically. Please refer [here](/docs/sel
  }
 }
  ```
+
+## Authentik
+
+This guide is a part of the [NetBird Self-hosting Guide](/docs/selfhosted/selfhosted-guide) and explains how to integrate
+**self-hosted** NetBird with [Authentik](https://goauthentik.io).
+
+<Note>
+    If you prefer not to self-host an Identity and Access Management solution, then you could use a managed alternative like
+    [Auth0](/integrations/identity-providers/self-hosted/using-netbird-with-auth0).
+</Note>
+
+### Step 1: Create OAuth2/OpenID Provider
+In this step, we will create OAuth2/OpenID Provider in Authentik.
+
+- Navigate to authentik  admin interface
+- Click `Applications` on the left menu, then click `Providers`
+- Click `Create` to create new provider
+- Fill in the form with the following values and click `Next`
+    - type: `OAuth2/OpenID Provider`
+
+<p>
+    <img src="/img/integrations/identity-providers/self-hosted/authentik-new-provider-type.png" alt="high-level-dia" class="imagewrapper"/>
+</p>
+
+- Fill in the form with the following values and click `Finish`
+    - Name: `Netbird`
+    - Authentication Flow: `default-authentication-flow (Welcome to authentik!)`
+    - Authorization Flow: `default-provider-authorization-explicit-consent (Authorize Application)`
+    - Protocal Settings:
+        - Client type: `Public`
+        - Redirect URIs/Origins (RegEx): `*`
+    - Advanced protocol settings:
+        - Subject mode: `Based on the User's ID`
+
+Take note of `Client ID`, we will use it later
+<p>
+    <img src="/img/integrations/identity-providers/self-hosted/authentik-new-provider-config.png" alt="high-level-dia" class="imagewrapper"/>
+</p>
+
+### Step 2: Create external applications
+In this step, we will create external applications in Authentik.
+
+- Navigate to authentik  admin interface
+- Click `Applications` on the left menu, then click `Applications`
+- Click `Create` to create new application
+- Fill in the form with the following values and click `Create`
+    - Name: `Netbird`
+    - Slug: `netbird`
+    - Provider: `Netbird`
+
+<p>
+    <img src="/img/integrations/identity-providers/self-hosted/authentik-new-application.png" alt="high-level-dia" class="imagewrapper"/>
+</p>
+
+### Step 3: Create service account
+In this step, we will create service account.
+
+- Navigate to authentik  admin interface
+- Click `Directory` on the left menu, then click `Users`
+- Click `Create Service Account` to create service account
+- Fill in the form with the following values and click `Create`
+    - Username: `Netbird`
+    - Create Group: `Disable`
+ 
+<p>
+    <img src="/img/integrations/identity-providers/self-hosted/authentik-new-service-account.png" alt="high-level-dia" class="imagewrapper"/>
+</p>
+
+- Take note of service account `username` and `password`, we will need it later
+
+<p>
+    <img src="/img/integrations/identity-providers/self-hosted/authentik-service-account-details.png" alt="high-level-dia" class="imagewrapper"/>
+</p>
+
+### Step 4: Add service account to admin group
+In this step, we will add `Netbird` service account to `authentik Admins` group.
+
+- Navigate to authentik  admin interface
+- Click `Directory` on the left menu, then click `Groups`
+- Click `authentik Admins` from list of groups and select `Users` tab at the top
+- Click `Add existing user` and click `+` button to add user
+- Select `Netbird` and click `Add`
+- Disable `Hide service-accounts` and verify if user `Netbird` is added to the group
+
+<p>
+    <img src="/img/integrations/identity-providers/self-hosted/authentik-add-user-group.png" alt="high-level-dia" class="imagewrapper"/>
+</p>
+
+Your authority OIDC configuration will be available under:
+```
+https://< YOUR-AUTHENTIK-HOST-AND-PORT >/application/o/netbird/.well-known/openid-configuration
+```
+<Note>
+Double-check if the endpoint returns a JSON response by calling it from your browser.
+</Note>
+
+- Set properties in the `setup.env` file:
+```json
+NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://<YOUR-AUTHENTIK-HOST-AND-PORT>/application/o/netbird/.well-known/openid-configuration"
+NETBIRD_USE_AUTH0=false
+NETBIRD_AUTH_CLIENT_ID="<PROVIDER Client ID>"
+NETBIRD_AUTH_AUDIENCE="<PROVIDER Client ID>"
+NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="<PROVIDER Client ID>"
+NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="<PROVIDER Client ID>"
+```
+
+- You can now continue with the [NetBird Self-hosting Guide](/docs/selfhosted/selfhosted-guide#step-3-configure-identity-provider).
+
+- Set property `IdpManagerConfig` in the `management.json` file with:
+<Note>
+The file management.json is created automatically. Please refer [here](/docs/selfhosted/selfhosted-guide#step-5-run-configuration-script) for more information.
+</Note>
+
+```json
+{
+  "ManagerType":  "authentik",
+  "AuthentikClientCredentials": {
+      "ClientID": "<PROVIDER Client ID>",
+      "Username": "Netbird",
+      "Password": "<SERVICE ACCOUNT PASSWORD>",
+      "GrantType": "client_credentials",
+      "TokenEndpoint": "https://<YOUR-AUTHENTIK-HOST-AND-PORT>/application/o/token"
+  }
+}
+  ```