Docker compose local connection to authentication layer #1938

Open
rmoreRojoli opened this issue May 7, 2024 · 0 comments

Describe the problem

I am trying to run Netbird in its own docker compose stack that also has access to the authentication stack (Authentik). My Authentik is available to the internet at authentik.example.com but due to firewall loopback issues it is not available to the inside of the network with the public IP. Is there a way to change the authentik.example.com URIs in the configs to keep authentik.example.com for those connections that are coming from the Internet (like user redirection) but use authentik-server as the URI for connections from the Netbird stack to the IDP?

To Reproduce

Authentik docker-compose.yml important sections

services:
  authentik-server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.3}
    container_name: authentik-server
    restart: unless-stopped
    command: server
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    env_file:
      - .env
    depends_on:
      - postgresql
      - redis
    networks:
      - authentik
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.http.routers.authentik.entrypoints=https"
      - "traefik.http.routers.authentik.rule=Host(`authentik.example.com`)"
      - "traefik.http.services.authentik.loadbalancer.server.port=9000"

volumes:
  database:
    driver: local
  redis:
    driver: local

networks:
  authentik:
  traefik:
    external: true

Netbird docker-compose.yml

services:
  #UI dashboard
  dashboard:
    image: netbirdio/dashboard:latest
    restart: unless-stopped
    networks:
      - netbird
      - traefik
    #ports:
    #  - 80:80
    #  - 443:443
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://netbird.example.com:33073
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbird.example.com:33073
      # OIDC
      - AUTH_AUDIENCE=<authentik-id>
      - AUTH_CLIENT_ID=<authentik-id>
      - AUTH_CLIENT_SECRET=
      - AUTH_AUTHORITY=http://authentik.example.com:9000/application/o/netbird/
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
      - AUTH_REDIRECT_URI=
      - AUTH_SILENT_REDIRECT_URI=
      - NETBIRD_TOKEN_SOURCE=accessToken
      # SSL
      - NGINX_SSL_PORT=443
      # Letsencrypt
      - LETSENCRYPT_DOMAIN=
      - LETSENCRYPT_EMAIL=
    volumes:
      - netbird-letsencrypt:/etc/letsencrypt/
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.http.routers.netbird-dashboard.entrypoints=https"
      - "traefik.http.routers.netbird-dashboard.rule=Host(`netbird.example.com`)"
      - "traefik.http.services.netbird-dashboard.loadbalancer.server.port=80"

  # Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    networks:
      - netbird
      - traefik
    volumes:
      - netbird-signal:/var/lib/netbird
    #ports:
    #  - 10000:80
  #      # port and command for Let's Encrypt validation
  #      - 443:443
  #    command: ["--letsencrypt-domain", "netbird.example.com", "--log-file", "console"]
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.http.routers.netbird-signal.entrypoints=https"
      - "traefik.http.routers.netbird-signal.rule=Host(`netbird.example.com`) && PathPrefix(`/signalexchange.SignalExchange/`)"
      - "traefik.http.services.netbird-signal.loadbalancer.server.port=80"
      - "traefik.http.services.netbird-signal.loadbalancer.server.scheme=h2c"

  # Management
  management:
    image: netbirdio/management:latest
    restart: unless-stopped
    networks:
      - netbird
      - traefik
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - netbird-letsencrypt:/etc/letsencrypt:ro
      - ./management.json:/etc/netbird/management.json
    #ports:
    #  - 33073:443 #API port
  #    # command for Let's Encrypt validation without dashboard container
  #    command: ["--letsencrypt-domain", "netbird.example.com", "--log-file", "console"]
    command: [
      "--port", "443",
      "--log-file", "console",
      "--disable-anonymous-metrics=false",
      "--disable-single-account-mode",
      "--single-account-mode-domain=netbird.example.com",
      "--dns-domain=netbird.selfhosted"
      ]
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.http.routers.netbird-api.entrypoints=https"
      - "traefik.http.routers.netbird-api.rule=Host(`netbird.example.com`) && PathPrefix(`/api`)"
      - "traefik.http.routers.netbird-api.service=netbird-api"
      - "traefik.http.services.netbird-api.loadbalancer.server.port=443"

      - "traefik.http.routers.netbird-management.rule=Host(`netbird.example.com`) && PathPrefix(`/management.ManagementService/`)"
      - "traefik.http.routers.netbird-management.service=netbird-management"
      - "traefik.http.services.netbird-management.loadbalancer.server.port=443"
      - "traefik.http.services.netbird-management.loadbalancer.server.scheme=h2c"

  # Coturn
  coturn:
    image: coturn/coturn:latest
    restart: unless-stopped
#    networks:
#      - netbird
    domainname: netbird.example.com
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
    #      - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
    #      - ./cert.pem:/etc/coturn/certs/cert.pem:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf

volumes:
  netbird-mgmt:
  netbird-signal:
  netbird-letsencrypt:

networks:
  netbird:
  traefik:
    external: true

The config json files were generated from the following setup

# Image tags
# you can force specific tags for each component; will be set to latest if empty
NETBIRD_DASHBOARD_TAG=""
NETBIRD_SIGNAL_TAG=""
NETBIRD_MANAGEMENT_TAG=""
COTURN_TAG=""

# Dashboard domain. e.g. app.mydomain.com
NETBIRD_DOMAIN="netbird.example.com"

# TURN server domain. e.g. turn.mydomain.com
# if not specified it will assume NETBIRD_DOMAIN
NETBIRD_TURN_DOMAIN="netbird.example.com"

# TURN server public IP address
NETBIRD_TURN_EXTERNAL_IP="<PUBLICIP>"

# -------------------------------------------
# OIDC
#  e.g., https://example.eu.auth0.com/.well-known/openid-configuration
# -------------------------------------------
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="http://authentik.example.com/application/o/netbird/.well-known/openid-configuration"
# The default setting is to transmit the audience to the IDP during authorization. However,
# if your IDP does not have this capability, you can turn this off by setting it to false.
#NETBIRD_DASH_AUTH_USE_AUDIENCE=false
NETBIRD_AUTH_AUDIENCE="<authentik-id>"
# e.g. netbird-client
NETBIRD_AUTH_CLIENT_ID="<authentik-id>"
# indicates the scopes that will be requested to the IDP
NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
# indicates whether to use Auth0 or not: true or false
NETBIRD_USE_AUTH0="false"
# -------------------------------------------
# OIDC Device Authorization Flow
# -------------------------------------------
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
#NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="<authentik-id>"
# Some IDPs requires different audience, scopes and to use id token for device authorization flow
# you can customize here:
#NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="<authentik-id>"
NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
# -------------------------------------------
# OIDC PKCE Authorization Flow
# -------------------------------------------
# Comma separated port numbers. if already in use, PKCE flow will choose an available port from the list as an alternative
# eg. 53000,54000
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000"
# -------------------------------------------
# IDP Management
# -------------------------------------------
# eg. zitadel, auth0, azure, keycloak
NETBIRD_MGMT_IDP="authentik"
# Some IDPs requires different client id and client secret for management api
#NETBIRD_IDP_MGMT_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
NETBIRD_IDP_MGMT_EXTRA_USERNAME="Netbird"
NETBIRD_IDP_MGMT_EXTRA_PASSWORD="<authentik-netbirduser-pw>"
NETBIRD_IDP_MGMT_CLIENT_ID="<authentik-id>"
# -------------------------------------------
# Letsencrypt
# -------------------------------------------
# Disable letsencrypt
#  if disabled, cannot use HTTPS anymore and requires setting up a reverse-proxy to do it instead
NETBIRD_DISABLE_LETSENCRYPT=false
# e.g. hello@mydomain.com
NETBIRD_LETSENCRYPT_EMAIL=""
# -------------------------------------------
# Extra settings
# -------------------------------------------
# Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
NETBIRD_DISABLE_ANONYMOUS_METRICS=false
# DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted

Expected behavior

Be able to define external URI for IDP and local-only URI to reach the IDP

Are you using NetBird Cloud?

No

NetBird version

NA

NetBird status -d output:

NA

Screenshots

NA

Additional context

Add any other context about the problem here.
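The question above is a split-horizon OIDC problem: browser redirects must keep the public hostname while the NetBird containers reach the IdP over the internal one. The following is an added example (not NetBird's or authentik's own code) of the check a relying party needs in that situation: it keeps browser-facing endpoints on the public host, rewrites backend-only endpoints to an assumed internal base (`http://authentik-server:9000`), refuses a discovery document whose `issuer` differs from the public issuer (tokens' `iss` claim must match it), and flags endpoints served over plain http, as the AUTH_AUTHORITY and discovery URLs in the configs above are. The discovery document is a constructed sample.

```python
import json
from urllib.parse import urlparse, urlunparse

# Endpoints the relying party calls server-to-server: these may use the internal host.
# Everything else (authorization_endpoint, end_session_endpoint) is visited by the
# user's browser and must keep the public host.
BACKEND_FACING = {"token_endpoint", "userinfo_endpoint", "jwks_uri",
                  "introspection_endpoint", "revocation_endpoint",
                  "device_authorization_endpoint"}

# Constructed sample discovery document (placeholder values, not authentik's real output).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://authentik.example.com/application/o/netbird/",
    "authorization_endpoint": "https://authentik.example.com/application/o/authorize/",
    "token_endpoint": "https://authentik.example.com/application/o/token/",
    "userinfo_endpoint": "https://authentik.example.com/application/o/userinfo/",
    "jwks_uri": "https://authentik.example.com/application/o/netbird/jwks/",
    "end_session_endpoint": "http://authentik.example.com/application/o/netbird/end-session/",
})


def rewrite_base(url: str, internal_base: str) -> str:
    """Swap the scheme and host of url for those of internal_base, keeping the path."""
    pub, internal = urlparse(url), urlparse(internal_base)
    return urlunparse((internal.scheme, internal.netloc, pub.path,
                       pub.params, pub.query, pub.fragment))


def split_horizon(discovery_json: str, public_issuer: str, internal_base: str) -> dict:
    """Build the endpoint map a relying party inside the Docker network should use.

    Raises ValueError if the advertised issuer is not the public issuer: the relying
    party compares every token's `iss` claim against the configured issuer.
    """
    doc = json.loads(discovery_json)
    if doc.get("issuer") != public_issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {public_issuer!r}")
    endpoints, warnings = {}, []
    for key, url in doc.items():
        if key == "issuer" or not isinstance(url, str):
            continue
        if key in BACKEND_FACING:
            endpoints[key] = rewrite_base(url, internal_base)
        else:
            # Browser-facing (or unknown) endpoints stay public; flag plain http,
            # since the authorization code and session cookies travel over it.
            endpoints[key] = url
            if urlparse(url).scheme != "https":
                warnings.append(f"{key} is served over plain http")
    return {"endpoints": endpoints, "warnings": warnings}
```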
