
NetBird

docs/content/integration/openid-connect/clients/netbird/index.md


Tested Versions

{{% oidc-common %}}

Assumptions

This example makes the following assumptions:

  • Application Root URL: https://netbird.{{< sitevar name="domain" nojs="example.com" >}}/
    • This option determines the redirect URIs, which in this guide are https://netbird.{{< sitevar name="domain" nojs="example.com" >}}/peers and https://netbird.{{< sitevar name="domain" nojs="example.com" >}}/add-peers (the dashboard's AUTH_REDIRECT_URI and AUTH_SILENT_REDIRECT_URI appended to the root URL). If you change this value or either of those two dashboard settings, you need to update the redirect URIs in the Authelia client configuration so they match exactly.
  • Authelia Root URL: https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/
  • Client ID: netbird
  • Client Secret: insecure_secret

Some of the values presented in this guide can automatically be replaced with documentation variables.

{{< sitevar-preferences >}}

Configuration

Authelia

The following YAML configuration is an example Authelia client configuration for use with NetBird which will operate with the application example:

```yaml
identity_providers:
  oidc:
    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
    ## See: https://www.authelia.com/c/oidc
    cors:
      allowed_origins_from_client_redirect_uris: true
      endpoints:
        - 'userinfo'
        - 'authorization'
        - 'token'
        - 'revocation'
        - 'introspection'
    clients:
      - client_id: 'netbird'
        client_name: 'NetBird'
        client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
        public: false
        authorization_policy: 'two_factor'
        require_pkce: false
        pkce_challenge_method: ''
        redirect_uris:
          - 'https://netbird.{{< sitevar name="domain" nojs="example.com" >}}/peers'
          - 'https://netbird.{{< sitevar name="domain" nojs="example.com" >}}/add-peers'
          - 'http://localhost'  # Loopback redirect used by the NetBird CLI flow (see management.json below).
        scopes:
          - 'openid'
          - 'email'
          - 'profile'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'  # Opaque access token; NetBird presents the ID token instead.
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_post'
```

Two details of this client deserve attention before it goes into production:

  • The cors block is needed because the NetBird dashboard is a browser application that calls the token and userinfo endpoints directly, and AUTH_CLIENT_SECRET is therefore delivered to every user's browser (it is also stored in plain text in management.json). Treat the secret as public: what limits who can obtain a token is authorization_policy: 'two_factor' together with the exact redirect_uris list, so keep that list to the URIs NetBird actually needs.
  • require_pkce is false here. With an effectively public client secret, PKCE is the control that stops an intercepted authorization code from being redeemed. The NetBird CLI flow is configured under PKCEAuthorizationFlow below; if you confirm that the dashboard login also completes with PKCE, set require_pkce: true and pkce_challenge_method: 'S256'. The http://localhost entry without a port exists for that CLI flow, whose RedirectURLs value is http://localhost:53000; if Authelia logs a redirect URI mismatch when the CLI signs in, register http://localhost:53000 explicitly.

Application

Configuring NetBird to use Authelia as an OpenID Connect 1.0 Provider involves two components, the NetBird Dashboard and the NetBird Management service, which are configured separately below.

NetBird Dashboard

To configure NetBird Dashboard to utilize Authelia as an OpenID Connect 1.0 Provider, use the following environment variables. NETBIRD_TOKEN_SOURCE=idToken makes the dashboard present the ID token, rather than the access token, as the bearer token to the management API. This matters because the Authelia client above issues opaque access tokens (access_token_signed_response_alg: 'none'), whereas the ID token is a signed JWT whose aud is the client_id netbird, which is exactly what management.json is configured to validate.

Standard
```shell
NETBIRD_MGMT_API_ENDPOINT=https://netbird.{{< sitevar name="domain" nojs="example.com" >}}
NETBIRD_MGMT_GRPC_API=https://netbird.{{< sitevar name="domain" nojs="example.com" >}}
AUTH_AUDIENCE=none
AUTH_CLIENT_ID=netbird
AUTH_CLIENT_SECRET=insecure_secret
AUTH_AUTHORITY=https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}
USE_AUTH0=false
AUTH_SUPPORTED_SCOPES=openid email profile
AUTH_REDIRECT_URI=/peers
AUTH_SILENT_REDIRECT_URI=/add-peers
NETBIRD_TOKEN_SOURCE=idToken
```
Docker Compose
```yaml
services:
  netbird-dashboard:
    environment:
      NETBIRD_MGMT_API_ENDPOINT: 'https://netbird.{{< sitevar name="domain" nojs="example.com" >}}'
      NETBIRD_MGMT_GRPC_API: 'https://netbird.{{< sitevar name="domain" nojs="example.com" >}}'
      AUTH_AUDIENCE: 'none'
      AUTH_CLIENT_ID: 'netbird'
      AUTH_CLIENT_SECRET: 'insecure_secret'
      AUTH_AUTHORITY: 'https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}'
      USE_AUTH0: 'false'
      AUTH_SUPPORTED_SCOPES: 'openid email profile'
      AUTH_REDIRECT_URI: '/peers'
      AUTH_SILENT_REDIRECT_URI: '/add-peers'
      NETBIRD_TOKEN_SOURCE: 'idToken'
```

NetBird Management

{{< callout context="tip" title="Did you know?" icon="outline/rocket" >}} Generally the configuration file is named management.json. {{< /callout >}}

To configure NetBird Management to utilize Authelia as an OpenID Connect 1.0 Provider, use the following configuration:

```json
{
  "HttpConfig": {
    "AuthIssuer": "https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}",
    "AuthAudience": "netbird",
    "AuthKeysLocation": "https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/jwks.json",
    "AuthUserIDClaim": "",
    "CertFile": "",
    "CertKey": "",
    "IdpSignKeyRefreshEnabled": true,
    "OIDCConfigEndpoint": "https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/.well-known/openid-configuration"
  },
  "IdpManagerConfig": {},
  "DeviceAuthorizationFlow": {},
  "PKCEAuthorizationFlow": {
    "ProviderConfig": {
      "Audience": "netbird",
      "ClientID": "netbird",
      "ClientSecret": "insecure_secret",
      "Domain": "",
      "AuthorizationEndpoint": "https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/api/oidc/authorization",
      "TokenEndpoint": "https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/api/oidc/token",
      "Scope": "openid email profile",
      "RedirectURLs": [
        "http://localhost:53000"
      ],
      "UseIDToken": true
    }
  }
}
```
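The HttpConfig fields that decide which tokens Management trusts are AuthIssuer, AuthAudience, AuthKeysLocation and AuthUserIDClaim: the bearer token (the ID token, given UseIDToken and NETBIRD_TOKEN_SOURCE=idToken) must carry an RS256 signature that verifies against the JWKS fetched from AuthKeysLocation, an iss equal to AuthIssuer, an aud containing AuthAudience (an ID token's aud is the client_id, which is why both are netbird) and an unexpired exp, after which the user identity is read from the claim named by AuthUserIDClaim (empty meaning sub). The program below is an added example, not code from NetBird or Authelia, that reimplements those checks so the mapping between the Authelia client and management.json can be tried offline. The issuer URL https://auth.example.com, the key ID k1, the user john and the RSA key are constructed stand-ins, and MintToken plays the part of Authelia issuing an ID token and publishing its key at /jwks.json.

```go
// Added example, not NetBird's or Authelia's own code: the checks NetBird Management
// applies to a bearer token, written against the management.json fields above
// (AuthIssuer, AuthAudience, AuthKeysLocation, AuthUserIDClaim). Runs offline.
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"slices"
	"strings"
	"time"
)

// JWKS mirrors the document Authelia serves at /jwks.json (RSA members only).
type JWK struct{ Kid, Kty, N, E string }
type JWKS struct{ Keys []JWK }

func b64(b []byte) string            { return base64.RawURLEncoding.EncodeToString(b) }
func unb64(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }

// keyFor returns the RSA public key the token header's kid names, or nil.
func keyFor(set JWKS, kid string) *rsa.PublicKey {
	for _, k := range set.Keys {
		n, errN := unb64(k.N)
		e, errE := unb64(k.E)
		if k.Kid == kid && k.Kty == "RSA" && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	return nil
}

// VerifyToken checks an RS256 JWT as Management does: signature against the JWKS
// (AuthKeysLocation), iss == AuthIssuer, AuthAudience in aud (string or array),
// exp in the future. It returns the AuthUserIDClaim value ("sub" when empty).
func VerifyToken(token string, set JWKS, issuer, audience, userIDClaim string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("token is not a compact JWS")
	}
	hdrRaw, e1 := unb64(parts[0])
	payload, e2 := unb64(parts[1])
	sig, e3 := unb64(parts[2])
	var hdr struct{ Alg, Kid string }
	// alg comes from the token, but only RS256 is honoured: "none" or an HMAC alg keyed with the public key must fail.
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "RS256" {
		return "", fmt.Errorf("malformed token or rejected alg %q", hdr.Alg)
	}
	pub := keyFor(set, hdr.Kid)
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub == nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", fmt.Errorf("signature does not verify against an RSA key with kid %q", hdr.Kid)
	}
	var c map[string]any // claims are only trusted once the signature holds
	if json.Unmarshal(payload, &c) != nil || c["iss"] != issuer {
		return "", fmt.Errorf("iss %v != AuthIssuer %q", c["iss"], issuer)
	}
	auds, _ := c["aud"].([]any)
	if s, ok := c["aud"].(string); ok {
		auds = []any{s}
	}
	if !slices.Contains(auds, any(audience)) {
		return "", fmt.Errorf("aud %v lacks AuthAudience %q", c["aud"], audience)
	}
	if exp, ok := c["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return "", fmt.Errorf("token expired or has no exp")
	}
	if userIDClaim == "" {
		userIDClaim = "sub" // Management's default for an empty AuthUserIDClaim
	}
	if id, ok := c[userIDClaim].(string); ok && id != "" {
		return id, nil
	}
	return "", fmt.Errorf("user ID claim %q missing", userIDClaim)
}

// MintToken stands in for Authelia: it signs claims with a throwaway key and
// returns the token plus the JWKS that /jwks.json would publish for that key.
func MintToken(key *rsa.PrivateKey, kid string, claims map[string]any) (string, JWKS) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	pub := JWK{Kid: kid, Kty: "RSA", N: b64(key.N.Bytes()), E: b64(big.NewInt(int64(key.E)).Bytes())}
	return input + "." + b64(sig), JWKS{Keys: []JWK{pub}}
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway key; the issuer URL and kid are assumed values
	tok, set := MintToken(key, "k1", map[string]any{"iss": "https://auth.example.com", "aud": "netbird", "sub": "john", "exp": time.Now().Add(time.Hour).Unix()})
	fmt.Println(VerifyToken(tok, set, "https://auth.example.com", "netbird", "", time.Now()))
}
```

Running it with go run prints john and a nil error. To exercise a real deployment instead of the constructed key, replace set with the parsed body of https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/jwks.json and tok with an ID token issued to the netbird client, then pass the AuthIssuer, AuthAudience and AuthUserIDClaim values from management.json: the check should pass as configured above and fail as soon as either the issuer or the audience is changed, which is the same behaviour you should expect from Management when those fields and the Authelia client drift apart.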

See Also