diff --git a/public/docs-static/img/integrations/identity-providers/self-hosted/pocketid-create-api-token.png b/public/docs-static/img/integrations/identity-providers/self-hosted/pocketid-create-api-token.png new file mode 100644 index 00000000..ef2403af Binary files /dev/null and b/public/docs-static/img/integrations/identity-providers/self-hosted/pocketid-create-api-token.png differ diff --git a/public/docs-static/img/integrations/identity-providers/self-hosted/pocketid-create-oidc-client.png b/public/docs-static/img/integrations/identity-providers/self-hosted/pocketid-create-oidc-client.png new file mode 100644 index 00000000..e3d6ac71 Binary files /dev/null and b/public/docs-static/img/integrations/identity-providers/self-hosted/pocketid-create-oidc-client.png differ diff --git a/src/pages/selfhosted/identity-providers.mdx b/src/pages/selfhosted/identity-providers.mdx index e5423b66..baa0dd5e 100644 --- a/src/pages/selfhosted/identity-providers.mdx +++ b/src/pages/selfhosted/identity-providers.mdx 
@@ -601,6 +601,99 @@ NETBIRD_AUTH_PKCE_DISABLE_PROMPT_LOGIN=true #### Step 6: Continue with the NetBird Self-hosting Guide You've configured all required resources in Authentik. You can now continue with the [NetBird Self-hosting Guide](/selfhosted/selfhosted-guide#step-4-disable-single-account-mode-optional). +### PocketID + +This guide is a part of the [NetBird Self-hosting Guide](/docs/selfhosted/selfhosted-guide) and explains how to integrate +**self-hosted** NetBird with [PocketID](https://pocket-id.org/). + + + PocketID is a simplified identity management solution designed for self hosted environments. + It is secure and effective, but makes some tradeoffs in terms of features and usability. + Notably, it does not allow scoping the access of API Tokens. + This isn't an issue per se, but it does mean that you should keep careful track of the token used by NetBird for management. + + +#### Step 1. Create and configure PocketID application +In this step, we will create and configure NetBird application in pocketid. + +Create new PocketID OIDC Client +- Navigate to pocketid console +- Click the `Administration` dropdown in the left hand bar, then select `OIDC Clients` +- Fill in the form with the following values and click `Continue` +- Name: `NetBird` +- Client Launch URL: `https://` +- Callback URL's: +- `http://localhost:53000` +- `https:///auth` +- `https:///silent-auth` +- Logout Callback URL: `https:///` +- Public Client: On +- PKCE: On +- Click `Save` + +

+ high-level-dia +

+ +- Copy `Client ID` will be used later in the `setup.env` + +#### Step 2: Application Token Configuration + +To configure the application token you need to: + +- Click `Administration` dropdown in the left hand bar, then select `API Keys` +- Click `Add API Key` +- Enter the following values and click `Save` +- Name: 'NetBird Management Token' +- Expires At: Pick a date in the future +- Description: 'NetBird Management Token' +- Click `Save` + +

+ high-level-dia +

+ +- Copy `API Key` will be used later in the `setup.env` + + +Your authority OIDC configuration will be available under: + +```bash +https:///.well-known/openid-configuration +``` + +:::caution +Double-check if the endpoint returns a JSON response by calling it from your browser. +::: + +- Set properties in the `setup.env` file: +```json +NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https:///.well-known/openid-configuration" +NETBIRD_USE_AUTH0=false +NETBIRD_AUTH_CLIENT_ID="" +NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email groups" +NETBIRD_AUTH_AUDIENCE="" +NETBIRD_AUTH_REDIRECT_URI="/auth" +NETBIRD_AUTH_SILENT_REDIRECT_URI="/silent-auth" +NETBIRD_TOKEN_SOURCE="idToken" + +NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none" +NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="" +NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="" +NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid profile email groups" +NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=true + +NETBIRD_MGMT_IDP="pocketid" +NETBIRD_IDP_MGMT_CLIENT_ID="netbird" +NETBIRD_IDP_MGMT_EXTRA_MANAGEMENT_ENDPOINT="https://" +NETBIRD_IDP_MGMT_EXTRA_API_TOKEN="" + +``` + +#### Step 3: Continue with the NetBird Self-hosting Guide +You've configured all required resources in PocketID. You can now continue with the [NetBird Self-hosting Guide](/selfhosted/selfhosted-guide#step-4-disable-single-account-mode-optional). + + ## Managed IDPs ### Azure AD (Microsoft Entra ID)
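Review bot: The `setup.env` block under Step 2 is fenced as ```json but contains dotenv `KEY=value` lines; tag it ```bash like the openid-configuration fence just above it so the highlighter does not flag every line. In the same hunk the hostnames and secret placeholders render empty (`https:///auth`, `https:///silent-auth`, `Logout Callback URL: https:///`, `NETBIRD_AUTH_CLIENT_ID=""`, `NETBIRD_IDP_MGMT_EXTRA_MANAGEMENT_ENDPOINT="https://"`, `NETBIRD_IDP_MGMT_EXTRA_API_TOKEN=""`); if angle-bracket placeholders were intended, MDX treats `<...>` outside code spans as JSX, so spell them out as literal placeholders such as `https://YOUR_POCKETID_DOMAIN/auth` and `YOUR_CLIENT_ID` that cannot be swallowed on render. The intro links to `/docs/selfhosted/selfhosted-guide` while Step 3 links to `/selfhosted/selfhosted-guide#step-4-disable-single-account-mode-optional`; pick one path prefix. Since the admonition states that PocketID API tokens cannot be scoped, Step 2 should say plainly that the key copied into `NETBIRD_IDP_MGMT_EXTRA_API_TOKEN` grants full administrative access to the PocketID instance, that `setup.env` therefore needs restrictive file permissions, and that the `Expires At` date picked in Step 2 must be tracked so the token is rotated before NetBird's IdP management calls start failing. Minor wording: `Step 1.` versus `Step 2:`/`Step 3:` punctuation, `Callback URL's` should be `Callback URLs`, `self hosted` should be `self-hosted`, `pocketid console` should be `PocketID console`, `left hand bar` should be `left-hand bar`, and the two bullets `Copy `Client ID` will be used later in the `setup.env`` and `Copy `API Key` will be used later in the `setup.env`` read better as `Copy the `Client ID`; it is used later in `setup.env`` and `Copy the `API Key`; it is used later in `setup.env``.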