NetBox系列之（三）通过OIDC方式对接Authentik 实现统一认证

对接官方文档

https://version-2025-4.goauthentik.io/integrations/services/netbox/#what-is-netbox

authentik创建应用程序和提供程序

创建netbox用户组，在创建提供程序和应用程序时可直接绑定

按正常流程创建OIDC的程序即可

## Tips: 1、应用的回调netbox地址的格式：https://xxxx.xxx.com/oauth/complete/oidc/
## Tips: 2、高级协议设置》Subject 模式》选择基于 用户名

netbox配置调整

调整主配置文件，加入远程OIDC认证

## 在主配置文件最后面，添加如下内容，注意认证这两句上文有配置，去修改或者注释下就行
    vi /opt/netbox/netbox/netbox/configuration.py

from os import environ
REMOTE_AUTH_ENABLED = True
REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_BACKEND = 'social_core.backends.open_id_connect.OpenIdConnectAuth'

# python-social-auth configuration
# 修改登录显示按钮内容
SOCIAL_AUTH_BACKEND_ATTRS = {
    'oidc': ("使用 统一SSO认证登录", "login"),
}
SOCIAL_AUTH_OIDC_ENDPOINT = 'https://sso.wsfnk.com/application/o/netbox/'
SOCIAL_AUTH_OIDC_KEY = 'client_id'
SOCIAL_AUTH_OIDC_SECRET = 'client_Secret'
LOGOUT_REDIRECT_URL = 'https://sso.wsfnk.com/application/o/netbox/end-session/'

# 防止覆盖本地用户组
SOCIAL_AUTH_PROTECTED_USER_FIELDS = ['groups']
# 若使用反向代理 HTTPS(强制 认证回调时使用https)
SOCIAL_AUTH_REDIRECT_IS_HTTPS = True

创建自定义pipeline配置文件

## 写入两部分内容到该文件中
    vi /opt/netbox/netbox/netbox/custom_pipeline.py

## 第一部分，自定义社交身份验证管道
# from django.contrib.auth.models import Group # For Netbox < 4.0.0
from netbox.authentication import Group # For Netbox >= 4.0.0

class AuthFailed(Exception):
    pass

def add_groups(response, user, backend, *args, **kwargs):
    try:
        groups = response['groups']
    except KeyError:
        pass

    # Add all groups from oAuth token
    for group in groups:
        group, created = Group.objects.get_or_create(name=group)
        # group.user_set.add(user) # For Netbox < 4.0.0
        user.groups.add(group) # For Netbox >= 4.0.0

def remove_groups(response, user, backend, *args, **kwargs):
    try:
        groups = response['groups']
    except KeyError:
        # Remove all groups if no groups in oAuth token
        user.groups.clear()
        pass

    # Get all groups of user
    user_groups = [item.name for item in user.groups.all()]
    # Get groups of user which are not part of oAuth token
    delete_groups = list(set(user_groups) - set(groups))

    # Delete non oAuth token groups
    for delete_group in delete_groups:
        group = Group.objects.get(name=delete_group)
        # group.user_set.remove(user) # For Netbox < 4.0.0
        user.groups.remove(group) # For Netbox >= 4.0.0

def set_roles(response, user, backend, *args, **kwargs):
    # Remove Roles temporary
    user.is_superuser = False
    user.is_staff = False
    try:
        groups = response['groups']
    except KeyError:
        # When no groups are set
        # save the user without Roles
        user.save()
        pass

    # Set roles is role (superuser or staff) is in groups
    user.is_superuser = True if 'superusers' in groups else False
    user.is_staff = True if 'staff' in groups else False
    user.save()

## 第二部分，要启用管道
SOCIAL_AUTH_PIPELINE = (
    ###################
    # Default pipelines
    ###################

    # Get the information we can about the user and return it in a simple
    # format to create the user instance later. In some cases the details are
    # already part of the auth response from the provider, but sometimes this
    # could hit a provider API.
    'social_core.pipeline.social_auth.social_details',

    # Get the social uid from whichever service we're authing thru. The uid is
    # the unique identifier of the given user in the provider.
    'social_core.pipeline.social_auth.social_uid',

    # Verifies that the current auth process is valid within the current
    # project, this is where emails and domains whitelists are applied (if
    # defined).
    'social_core.pipeline.social_auth.auth_allowed',

    # Checks if the current social-account is already associated in the site.
    'social_core.pipeline.social_auth.social_user',

    # Make up a username for this person, appends a random string at the end if
    # there's any collision.
    'social_core.pipeline.user.get_username',

    # Send a validation email to the user to verify its email address.
    # Disabled by default.
    # 'social_core.pipeline.mail.mail_validation',

    # Associates the current social details with another user account with
    # a similar email address. Disabled by default.
    # 'social_core.pipeline.social_auth.associate_by_email',

    # Create a user account if we haven't found one yet.
    'social_core.pipeline.user.create_user',

    # Create the record that associates the social account with the user.
    'social_core.pipeline.social_auth.associate_user',

    # Populate the extra_data field in the social record with the values
    # specified by settings (and the default ones like access_token, etc).
    'social_core.pipeline.social_auth.load_extra_data',

    # Update the user record with any changed info from the auth service.
    'social_core.pipeline.user.user_details',

    ###################
    # Custom pipelines
    ###################
    # Set authentik Groups
    'netbox.custom_pipeline.add_groups',
    'netbox.custom_pipeline.remove_groups',
    # Set Roles
    'netbox.custom_pipeline.set_roles'
)

重启netbox服务

    sudo systemctl restart netbox netbox-rq