SSO in Netbox behind reverse proxy (feat. Authentik)

Are you using Netbox? Did you know that Netbox supports SSO? I've got it set up and will guide you through how to do it.

I'm running Netbox in my Homelab. I'm also using a Reverse Proxy (Nginx) to access Netbox using an internal DNS name.
When I found out that Netbox supports SSO via OIDC I immediately went to configure it on my Authentik instance.

The good thing is that the official Authentik website already provides a guide on how to set up SSO in Netbox in combination with Authentik - if only that guide were up to date!

Following their guide, I kept getting "invalid redirect URI" or weird Django errors when trying to log in. Turned out: their configuration simply does not play well with reverse proxies in front of Netbox.

In my Netbox configuration.py I simply added or modified these flags:

# Host headers Django will serve; any other Host header gets a 400 Bad Request
ALLOWED_HOSTS = ['netbox.internaldomain.com', 'IP.OF.REVERSE.PROXY']

REMOTE_AUTH_ENABLED = True
REMOTE_AUTH_BACKEND = 'social_core.backends.open_id_connect.OpenIdConnectAuth'
# Only read by RemoteUserBackend (header-based auth); the OIDC backend ignores it.
# If you ever switch to that backend, make sure the proxy strips this header from client requests.
REMOTE_AUTH_HEADER = 'HTTP_X_AUTHENTIK_USERNAME'
REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_DEFAULT_GROUPS = []
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = 'https://authentik.yourdomain.com/application/o/netbox/'
SOCIAL_AUTH_OIDC_KEY = 'authentik_key'        # Client ID of the Authentik provider
SOCIAL_AUTH_OIDC_SECRET = 'authentik_secret'  # Client secret; keep it out of version control
# 'roles' is not a standard OIDC scope: it must exist as a scope mapping on the Authentik provider
SOCIAL_AUTH_OIDC_SCOPE = ['openid', 'profile', 'email', 'roles']
SOCIAL_AUTH_PROTECTED_USER_FIELDS = ['groups']
# Force https:// in the redirect_uri even though Nginx talks plain HTTP to Netbox
SOCIAL_AUTH_REDIRECT_IS_HTTPS = True
# Hosts the post-login "next" redirect may point to (stops the login flow being used as an open redirect)
SOCIAL_AUTH_ALLOWED_REDIRECT_HOSTS = ['netbox.internaldomain.com', 'IP.OF.REVERSE.PROXY']
# Must be a URL or path, not a boolean: where to land after a successful login
SOCIAL_AUTH_LOGIN_REDIRECT_URL = '/'

# Optional
#LOGOUT_REDIRECT_URL = 'https://authentik.yourdomain.com/application/o/netbox/end-session/'

Note that ALLOWED_HOSTS and SOCIAL_AUTH_ALLOWED_REDIRECT_HOSTS both need to contain the DNS name you access Netbox with, but they do different jobs: ALLOWED_HOSTS is Django's allow-list for the incoming Host header, while SOCIAL_AUTH_ALLOWED_REDIRECT_HOSTS limits where the "next" URL may send the browser after login (so the login flow cannot be abused as an open redirect). Neither setting chooses the host name. The redirect URI Netbox sends to Authentik is built from the Host header and scheme that the reverse proxy forwards, with SOCIAL_AUTH_REDIRECT_IS_HTTPS forcing https. If Nginx passes its upstream address as Host instead of the public name, the redirect URI points at that address and Authentik rejects it as unregistered: with ALLOWED_HOSTS left unset or at "*" that is exactly the "invalid redirect URI" failure, while a restricted ALLOWED_HOSTS turns it into a 400 Bad Request from Django, which at least points you at the proxy. Make sure Nginx forwards the original Host header (proxy_set_header Host $host;) along with X-Forwarded-Proto.

You will of course need to adjust the above values to your own domain names.
With this config Netbox builds its URLs for netbox.internaldomain.com over HTTPS and accepts requests whose Host header is either netbox.internaldomain.com or the address of your reverse proxy.
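To see why the proxy's Host header, and not ALLOWED_HOSTS, decides the redirect URI, here is an added example (not code from this post, from Netbox or from Django) that re-implements the handful of Django and social-auth-core rules involved in plain Python and runs the post's settings through them. The host names are the post's placeholders; the upstream address 10.0.0.5:8080 and the redirect URI registered in Authentik are assumptions made for the example.

```python
"""Where does the OIDC redirect_uri come from when Netbox sits behind Nginx?

Added example, not code from the post, Netbox or Django: it mimics Django's
ALLOWED_HOSTS validation, request.build_absolute_uri() and social-auth-core's
REDIRECT_IS_HTTPS rewrite so the effect of the proxy's Host header can be
checked offline."""

# Netbox mounts social_django under /oauth/, so the callback of the 'oidc'
# backend lives at this path.
CALLBACK_PATH = "/oauth/complete/oidc/"

# Authentik rejects any redirect_uri that is not registered on the provider
# (assumed registration for this example).
REGISTERED_REDIRECT_URIS = {"https://netbox.internaldomain.com/oauth/complete/oidc/"}


class DisallowedHost(Exception):
    """Django answers 400 Bad Request when the Host header fails ALLOWED_HOSTS."""


def host_allowed(host: str, allowed_hosts) -> bool:
    """Django's validate_host(): exact match, '*' matches everything,
    a leading dot matches the domain itself and all its subdomains."""
    host = host.rsplit(":", 1)[0].lower().rstrip(".")  # drop the port
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == host:
            return True
        if pattern.startswith(".") and (host.endswith(pattern) or host == pattern[1:]):
            return True
    return False


def build_redirect_uri(headers: dict, settings: dict) -> str:
    """request.build_absolute_uri(CALLBACK_PATH), then the REDIRECT_IS_HTTPS rewrite."""
    host = headers["Host"]
    if settings.get("USE_X_FORWARDED_HOST") and "X-Forwarded-Host" in headers:
        host = headers["X-Forwarded-Host"].split(",")[0].strip()
    if not host_allowed(host, settings["ALLOWED_HOSTS"]):
        raise DisallowedHost(host)
    scheme = "http"  # Nginx talks plain HTTP to Netbox
    if settings.get("SECURE_PROXY_SSL_HEADER") and headers.get("X-Forwarded-Proto") == "https":
        scheme = "https"
    uri = f"{scheme}://{host}{CALLBACK_PATH}"
    if settings.get("SOCIAL_AUTH_REDIRECT_IS_HTTPS"):
        uri = uri.replace("http://", "https://")
    return uri


def check(headers: dict, settings: dict) -> str:
    """Report what the user would see for a given proxy/setting combination."""
    try:
        uri = build_redirect_uri(headers, settings)
    except DisallowedHost as exc:
        return f"400 Bad Request from Django: Host {exc} not in ALLOWED_HOSTS"
    if uri in REGISTERED_REDIRECT_URIS:
        return f"ok: {uri}"
    return f"Authentik will reject redirect_uri {uri} (not registered)"


# The settings from the post.
POST_SETTINGS = {
    "ALLOWED_HOSTS": ["netbox.internaldomain.com", "IP.OF.REVERSE.PROXY"],
    "SOCIAL_AUTH_REDIRECT_IS_HTTPS": True,
}
# Nginx with `proxy_set_header Host $host;` forwards the name the user typed.
GOOD_PROXY = {"Host": "netbox.internaldomain.com", "X-Forwarded-Proto": "https"}
# A bare `proxy_pass http://10.0.0.5:8080;` rewrites Host to the upstream
# address (constructed value for this example).
BAD_PROXY = {"Host": "10.0.0.5:8080", "X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    print(check(GOOD_PROXY, POST_SETTINGS))
    print(check(BAD_PROXY, POST_SETTINGS))
    print(check(BAD_PROXY, {**POST_SETTINGS, "ALLOWED_HOSTS": ["*"]}))
```

The third call reproduces the post's "invalid redirect URI" situation: with ALLOWED_HOSTS at "*" Django happily serves the request and sends Authentik a redirect_uri built from the upstream address. The second call shows what the restricted ALLOWED_HOSTS buys you, a 400 at Netbox that names the bad Host header. The real fix in both cases is the Host header Nginx forwards.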


If login via Authentik works now: Awesome!
If not: I might have got you covered!

Another issue I was running into with my Netbox/Authentik config: When trying to sign in to Netbox via Authentik, Netbox would throw a "DecodeError: Invalid Payload Padding". After pulling my hair out trying to fix this, I found out that a simple setting in Authentik causes this.

In the settings of your OIDC provider for Netbox, make sure you do not have "Encryption Key" set. With an encryption key configured, Authentik returns the ID token as an encrypted JWE (five dot-separated segments) instead of a signed JWT (three segments). The OIDC backend Netbox uses (social-auth-core, decoding with PyJWT) only understands signed tokens: it takes the first segment as header and the last as signature and base64-decodes everything in between as the payload. For a JWE that "payload" still contains dots and is not valid base64url, hence the padding error. Leaving the key unset does not weaken anything in practice: the ID token is still signed, and it only ever travels over TLS between Authentik and Netbox, which is the normal OIDC setup.

After I unset that setting, I was able to log into Netbox via Authentik SSO just fine!
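Before blaming Netbox, you can look at the token itself. The following added example (not code from this post, from Netbox or from Authentik) parses a compact JOSE token, tells a signed JWT from an encrypted JWE, and shows what a JWS-only decoder makes of a five-segment token. The two tokens in it are constructed dummies with fake bytes in place of real keys and signatures; the algorithm names in the JWE header are illustrative assumptions. Run inspect_token() on the real id_token from your provider's token endpoint response.

```python
"""Is the id_token a signed JWT (JWS) or an encrypted one (JWE)?

Added example, not code from the post, Netbox or Authentik. The tokens are
constructed dummies: only their structure matters, the bytes are fake."""
import base64
import json


def b64url_encode(data: bytes) -> str:
    # JOSE uses base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding JOSE dropped before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_token(token: str) -> dict:
    """Classify a compact-serialized token by its segment count.
    RFC 7515 (JWS): header.payload.signature          -> 3 segments
    RFC 7516 (JWE): header.key.iv.ciphertext.tag       -> 5 segments"""
    parts = token.split(".")
    header = json.loads(b64url_decode(parts[0]))
    if len(parts) == 3:
        return {"kind": "JWS", "alg": header.get("alg"), "enc": None}
    if len(parts) == 5:
        return {"kind": "JWE", "alg": header.get("alg"), "enc": header.get("enc")}
    raise ValueError(f"not a compact JOSE token ({len(parts)} segments)")


def jws_only_view(token: str) -> dict:
    """What a JWS-only decoder (social-auth-core via PyJWT) makes of a token:
    the last segment is the signature, the first the header, and *everything
    in between* is treated as the payload. For a JWE that 'payload' still
    contains dots, so it is not valid base64url and decoding fails."""
    signing_input, signature = token.rsplit(".", 1)
    header, payload = signing_input.split(".", 1)
    return {"payload_segment": payload, "payload_is_base64url": "." not in payload}


def diagnose(token: str) -> str:
    """Turn the token shape into the action to take in Authentik."""
    info = inspect_token(token)
    if info["kind"] == "JWE":
        return (f"id_token is encrypted (JWE, alg={info['alg']}, enc={info['enc']}); "
                "the OIDC backend only verifies signed tokens: "
                "clear 'Encryption Key' on the Authentik provider")
    return f"id_token is a signed JWT (alg={info['alg']}); decoding should work"


# Constructed dummies (claims use the post's placeholder issuer).
CLAIMS = {"iss": "https://authentik.yourdomain.com/application/o/netbox/",
          "sub": "alice", "preferred_username": "alice"}
SIGNED_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "kid": "demo"}).encode()),
    b64url_encode(json.dumps(CLAIMS).encode()),
    b64url_encode(b"\x00" * 32),  # fake signature
])
# Algorithm names in this header are illustrative, not taken from Authentik.
ENCRYPTED_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "RSA-OAEP-256", "enc": "A256CBC-HS512"}).encode()),
    b64url_encode(b"\x01" * 64),  # fake encrypted content key
    b64url_encode(b"\x02" * 16),  # fake IV
    b64url_encode(b"\x03" * 48),  # fake ciphertext
    b64url_encode(b"\x04" * 32),  # fake authentication tag
])

if __name__ == "__main__":
    for token in (SIGNED_TOKEN, ENCRYPTED_TOKEN):
        print(inspect_token(token)["kind"], "->", diagnose(token))
```

A five-segment token with an "enc" value in its header is the tell: no amount of changing Netbox settings will make a signed-token-only backend decrypt it, so the fix belongs on the provider side.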