Review docs for broken links and updates

src/pages/how-to/routing-traffic-to-private-networks.mdx

@@ -15,7 +15,7 @@ NetBird provides fast and reliable end-to-end encryption between peers in your n
 In these cases, you can configure network routes assigning routing peers to connect existing infrastructure. Routing peers will forward packets between your NetBird peers and your other networks; they can masquerade traffic going to your data centers or embedded devices, reducing the need for external route configuration and agent installation.
 
 <p>
- <img src="/docs-static/img/how-to-guides/netbird-network-routes.png" alt="high-level-dia"  />
+ <img src="/docs-static/img/how-to-guides/netbird-network-routes.png" alt="high-level-dia" className="imagewrapper"/>
 </p>
 
 <Note>
@@ -73,7 +73,7 @@ In the example below, we are creating a route with the following information:
 - Distribution Groups: `All`
 
 <p>
- <img src="/docs-static/img/how-to-guides/netbird-network-routes-create.png" alt="high-level-dia" width="300" className="imagewrapper"/>
+ <img src="/docs-static/img/how-to-guides/netbird-network-routes-create.png" alt="high-level-dia" className="imagewrapper"/>
 </p>
 
 Once you fill in the route information, you can click on the `Save` button to save your new route.
@@ -88,29 +88,42 @@ However, you still want to ensure a reliable connection to your private network
 NetBird Network Routes feature has a High Availability (HA) mode,
 allowing one or more NetBird peers to serve as routing peers for the same private network.
 
-To enable high-available mode, you can click on `Configure` and select a new peer in the `Add additional routing peer` field, then select the distribution groups and click on `Save`.
+To enable high-available mode, click on `Configure` in the table and select a new peer in the `Routing Peer` field, then select the distribution groups and click on `Add Route`.
 
-In the following screenshot, we are adding the peer `aws-nb-europe-router-az-b` to the `aws-eu-central-1-vpc` route:
+In the following example, we are adding the peer `aws-nb-europe-router-az-b` to the `aws-eu-central-1-vpc` route:
 
 <p>
- <img src="/docs-static/img/how-to-guides/netbird-network-routes-create-ha.png" alt="high-level-dia" width="300" className="imagewrapper"/>
+ <img src="/docs-static/img/how-to-guides/netbird-network-routes-create-ha.png" alt="high-level-dia" className="imagewrapper"/>
 </p>
 
-This way, nodes connected to both peer `aws-nb-europe-router-az-a` and peer `aws-nb-europe-router-az-b` would have a highly available connection with the network `172.31.0.0/16`.
+This way, peers connected to `aws-nb-europe-router-az-a` and `aws-nb-europe-router-az-b` will have highly available access to the `172.31.0.0/16` network.
 
 <p>
  <img src="/docs-static/img/how-to-guides/netbird-network-routes-saved-new-ha.png" alt="high-level-dia" className="imagewrapper"/>
 </p>
 
 <Note>
- Currently, there is no limitation in the number of routes that form a highly available route. Each connected peer will pick one routing peer to use as the router for a network; this decision is based on metric prioritization and connection attributes like direct or relayed connections.
+ The number of routes that form a highly available route is unlimited.
+ Each connected peer will pick one routing peer to use as the router for a network.
+ NetBird agent bases this decision on metric prioritization (lower the metric, higher the priority) and connection attributes like direct or relayed connections.
 </Note>
 
-### Filtering routes distribution with groups
-You can select as many distribution groups as you want for your network route. You can update them at the routing peer or high-availability group level. Keep in mind to link them to peers and, if required, to add access control rules ensuring connectivity between these peers and the routing peers of your route
+### Apply different routes to peers with group attribution
+You can select as many distribution groups as you want for your network route.
+Peers that belong to the specified group will use the route automatically to connect to the underlying network.
+
+Remember to link groups to peers that need to access the route and, if required,
+add access control rules ensuring connectivity between these peers and the routing peers.
+
+In the following example (see column `Groups`), peers that belong to group `berlin-office` will use `aws-nb-europe-router-az-a` routing peer to access the `aws-eu-central-1-vpc` network. While peers that belong to group `london-office` will use `aws-nb-europe-router-az-b` routing peer.
+
+<p>
+ <img src="/docs-static/img/how-to-guides/netbird-network-routes-groups-attribution.png" alt="high-level-dia" className="imagewrapper"/>
+</p>
+
 ### Routes without masquerading
 If you want more transparency and would like to manage your external network routers, you may choose to disable masquerade for your network routes.
-In this case, the routing peer won't hide any NetBird peer  IP and will forward the packets to the target network transparently.
+In this case, the routing peer won't hide any NetBird peer IP and will forward the packets to the target network transparently.
 
 That will require a routing configuration on your external network router pointing your NetBird network back to your routing peer.
 This way, devices that don't have the agent installed can communicate with your NetBird peers.

src/pages/selfhosted/identity-providers.mdx

@@ -132,10 +132,11 @@ This application will be used to authorize access to Auth0 Management API.
 </p>
 
 - Set properties in the `setup.env` file:
-```json
+```shell
 NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://<DOMAIN>/.well-known/openid-configuration"
 NETBIRD_USE_AUTH0=true
 NETBIRD_AUTH_CLIENT_ID="<Client_ID>"
+NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api email_verified"
 NETBIRD_AUTH_AUDIENCE="<IDENTIFIER>"
 NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="<INTERACTIVE_CLIENT_ID>"
 
@@ -145,7 +146,9 @@ NETBIRD_IDP_MGMT_CLIENT_SECRET="<NETBIRD_API_CLIENT_SECRET>"
 NETBIRD_IDP_MGMT_EXTRA_AUDIENCE="https://<DOMAIN>/api/v2/"
 ```
 
-- You can now continue with the [NetBird Self-hosting Guide](/selfhosted/selfhosted-guide#step-3-configure-identity-provider).
+
+### Step 6: Continue with the NetBird Self-hosting Guide
+You've configured all required resources in Auth0. You can now continue with the [NetBird Self-hosting Guide](/selfhosted/selfhosted-guide#step-4-disable-single-account-mode-optional).
 
 ## Keycloak
 
@@ -380,10 +383,11 @@ https://< YOUR_KEYCLOAK_HOST_AND_PORT >/realms/netbird/.well-known/openid-config
 </Note>
 
 - Set properties in the `setup.env` file:
-```json
+```shell
 NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT=`https://<YOUR_KEYCLOAK_HOST_AND_PORT>/realms/netbird/.well-known/openid-configuration`.
 NETBIRD_USE_AUTH0=false
 NETBIRD_AUTH_CLIENT_ID=`netbird-client`
+NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
 NETBIRD_AUTH_AUDIENCE=`netbird-client`
 NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=`netbird-client`. Optional,
 it enables the [Interactive SSO Login feature](/how-to/getting-started#running-net-bird-with-sso-login) (Oauth 2.0 Device Authorization Flow)
@@ -394,13 +398,13 @@ NETBIRD_IDP_MGMT_CLIENT_SECRET="<NETBIRD_BACKEND_CLIENT_SECRET>"
 NETBIRD_IDP_MGMT_EXTRA_ADMIN_ENDPOINT="https://<YOUR_KEYCLOAK_HOST_AND_PORT>/admin/realms/netbird"
 
 ```
-
-- You can now continue with the [NetBird Self-hosting Guide](/selfhosted/selfhosted-guide#step-5-run-configuration-script).
-
 <Note>
  Make sure that your Keycloak instance use HTTPS. Otherwise, the setup won't work.
 </Note>
 
+### Step 10: Continue with the NetBird Self-hosting Guide
+You've configured all required resources in Keycloak. You can now continue with the [NetBird Self-hosting Guide](/selfhosted/selfhosted-guide#step-4-disable-single-account-mode-optional).
+
 ## Azure AD
 
 This guide is a part of the [NetBird Self-hosting Guide](/selfhosted/selfhosted-guide) and explains how to integrate **self-hosted** NetBird with [Azure AD](https://azure.microsoft.com/en-us/products/active-directory/).
@@ -531,15 +535,17 @@ https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configurat
 </Note>
 
 - Set properties in the `setup.env` file:
-```json
+```shell
 NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration"
 NETBIRD_USE_AUTH0=false
 NETBIRD_AUTH_CLIENT_ID="<APPLICATION_ID>"
+NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api://<APPLICATION_ID>/api"
 NETBIRD_AUTH_AUDIENCE="<APPLICATION_ID>"
 NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="<APPLICATION_ID>"
 NETBIRD_AUTH_REDIRECT_URI="/auth"
 NETBIRD_AUTH_SILENT_REDIRECT_URI="/silent-auth"
 NETBIRD_AUTH_USER_ID_CLAIM="oid"
+NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid api://<APPLICATION_ID>/api"
 
 NETBIRD_MGMT_IDP="azure"
 NETBIRD_IDP_MGMT_CLIENT_ID="<APPLICATION_ID>"
@@ -549,20 +555,17 @@ NETBIRD_IDP_MGMT_EXTRA_GRAPH_API_ENDPOINT="https://graph.microsoft.com/v1.0"
 
 ```
 
-- You can now continue with the [NetBird Self-hosting Guide](/selfhosted/selfhosted-guide#step-5-run-configuration-script).
-
-- Modify the value of the `AUTH_SUPPORTED_SCOPES` environment variable for the dashboard service in the docker-compose.yml file to `openid profile email offline_access api://<APPLICATION_ID>/api`.
-
-- Modify `Scope` value in `DeviceAuthorizationFlow` within the `management.json` to `api://<APPLICATION_ID>/api`.
+### Step 7: Continue with the NetBird Self-hosting Guide
+You've configured all required resources in Azure AD. You can now continue with the [NetBird Self-hosting Guide](/selfhosted/selfhosted-guide#step-4-disable-single-account-mode-optional).
 
 ## Zitadel
 
 This guide is a part of the [NetBird Self-hosting Guide](/selfhosted/selfhosted-guide) and explains how to integrate
 **self-hosted** NetBird with [Zitadel](https://zitadel.com).
 
 <Note>
- If you prefer not to self-host an Identity and Access Management solution, then you could use a managed alternative like
- [Auth0](/integrations/identity-providers/self-hosted/using-netbird-with-auth0).
+ If you prefer not to self-host an Identity and Access Management solution, then you could use the managed alternative
+ [Zitadel Cloud](https://zitadel.cloud/).
 </Note>
 
 ### Step 1. Create and configure Zitadel application
@@ -598,7 +601,8 @@ Create new zitadel application
 
 - Fill in the form with the following values and click `Continue`
 - Redirect URIs: `https://<domain>/auth` and click `+`
-- Post Logout URIs: `https://<domain>/silent-auth` and click `+`
+- Redirect URIs: `https://<domain>/silent-auth` and click `+`
+- Post Logout URIs: `https://<domain>/` and click `+`
 
 <p>
  <img src="/docs-static/img/integrations/identity-providers/self-hosted/zitadel-new-application-uri.png" alt="high-level-dia" className="imagewrapper"/>
@@ -631,9 +635,9 @@ To configure `netbird` application token you need to:
 
 ### Step 3: Application Redirect Configuration
 
-:::caution
-This step is intended for setup running in development mode with no SSL
-:::
+<Note>
+ This step is intended for setup running in development mode with no SSL
+</Note>
 
 To configure `netbird` application redirect you need to:
 
@@ -704,6 +708,7 @@ Double-check if the endpoint returns a JSON response by calling it from your bro
 NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://<YOUR_ZITADEL_HOST_AND_PORT>/.well-known/openid-configuration"
 NETBIRD_USE_AUTH0=false
 NETBIRD_AUTH_CLIENT_ID="<CLIENT_ID>"
+NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
 NETBIRD_AUTH_AUDIENCE="<CLIENT_ID>"
 NETBIRD_AUTH_REDIRECT_URI="/auth"
 NETBIRD_AUTH_SILENT_REDIRECT_URI="/silent-auth"
@@ -720,7 +725,8 @@ NETBIRD_IDP_MGMT_EXTRA_MANAGEMENT_ENDPOINT="https://<YOUR_ZITADEL_HOST_AND_PORT>
 
 ```
 
-- You can now continue with the [NetBird Self-hosting Guide](/selfhosted/selfhosted-guide#step-5-run-configuration-script).
+### Step 6: Continue with the NetBird Self-hosting Guide
+You've configured all required resources in Zitadel. You can now continue with the [NetBird Self-hosting Guide](/selfhosted/selfhosted-guide#step-4-disable-single-account-mode-optional).
 
 ## Authentik
 
@@ -821,10 +827,11 @@ Double-check if the endpoint returns a JSON response by calling it from your bro
 </Note>
 
 - Set properties in the `setup.env` file:
-```json
+```shell
 NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://<YOUR_AUTHENTIK_HOST_AND_PORT>/application/o/netbird/.well-known/openid-configuration"
 NETBIRD_USE_AUTH0=false
 NETBIRD_AUTH_CLIENT_ID="<PROVIDER_CLIENT_ID>"
+NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
 NETBIRD_AUTH_AUDIENCE="<PROVIDER_CLIENT_ID>"
 NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="<PROVIDER_CLIENT_ID>"
 NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="<PROVIDER_CLIENT_ID>"
@@ -835,8 +842,8 @@ NETBIRD_IDP_MGMT_EXTRA_USERNAME="Netbird"
 NETBIRD_IDP_MGMT_EXTRA_PASSWORD="<SERVICE_ACCOUNT_PASSWORD>"
 
 ```
-
-- You can now continue with the [NetBird Self-hosting Guide](/selfhosted/selfhosted-guide#step-5-run-configuration-script).
+### Step 5: Continue with the NetBird Self-hosting Guide
+You've configured all required resources in Authentik. You can now continue with the [NetBird Self-hosting Guide](/selfhosted/selfhosted-guide#step-4-disable-single-account-mode-optional).
 
 ## Okta
 
@@ -949,6 +956,7 @@ NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://<YOUR_OKTA_ORGANIZATION_URL>/.
 NETBIRD_USE_AUTH0=false
 NETBIRD_AUTH_AUDIENCE="<<NETBIRD_CLIENT_ID>>"
 NETBIRD_AUTH_CLIENT_ID="<NETBIRD_CLIENT_ID>"
+NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email"
 NETBIRD_AUTH_REDIRECT_URI="/auth"
 NETBIRD_AUTH_SILENT_REDIRECT_URI="/silent-auth"
 NETBIRD_TOKEN_SOURCE="idToken"
@@ -962,10 +970,8 @@ NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=true
 NETBIRD_MGMT_IDP="okta"
 NETBIRD_IDP_MGMT_EXTRA_API_TOKEN="<api_token>"
 ```
-
-- You can now continue with the [NetBird Self-hosting Guide](/selfhosted/selfhosted-guide#step-5-run-configuration-script).
-
-- Modify the value of the `AUTH_SUPPORTED_SCOPES` environment variable for the dashboard service in the docker-compose.yml file to `openid profile email`.
+### Step 4: Continue with the NetBird Self-hosting Guide
+You've configured all required resources in Okta. You can now continue with the [NetBird Self-hosting Guide](/selfhosted/selfhosted-guide#step-4-disable-single-account-mode-optional).
 
 ## Google Workspace
 
@@ -1105,6 +1111,7 @@ NETBIRD_USE_AUTH0=false
 NETBIRD_AUTH_AUDIENCE="<CLIENT_ID>"
 NETBIRD_AUTH_CLIENT_ID="<CLIENT_ID>"
 NETBIRD_AUTH_CLIENT_SECRET="<CLIENT_SECRET>"
+NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email"
 NETBIRD_AUTH_REDIRECT_URI="/auth"
 NETBIRD_AUTH_SILENT_REDIRECT_URI="/silent-auth"
 NETBIRD_TOKEN_SOURCE="idToken"
@@ -1120,6 +1127,5 @@ NETBIRD_IDP_MGMT_EXTRA_SERVICE_ACCOUNT_KEY="<BASE64_SERVICE_ACCOUNT_KEY>"
 NETBIRD_IDP_MGMT_EXTRA_CUSTOMER_ID="<GOOGLE_WORKSPACE_CUSTOMER_ID>"
 ```
 
-- You can now continue with the [NetBird Self-hosting Guide](/selfhosted/selfhosted-guide#step-5-run-configuration-script).
-
-- Modify the value of the `AUTH_SUPPORTED_SCOPES` environment variable for the dashboard service in the docker-compose.yml file to `openid profile email`.
+### Step 7: Continue with the NetBird Self-hosting Guide
+You've configured all required resources in Google Workspace. You can now continue with the [NetBird Self-hosting Guide](/selfhosted/selfhosted-guide#step-4-disable-single-account-mode-optional).

src/pages/selfhosted/selfhosted-guide.mdx

@@ -80,13 +80,24 @@ This can be any email address. [Let's Encrypt](https://letsencrypt.org/) will cr
  If you want to setup netbird with your own reverse-Proxy and without using the integrated letsencrypt, follow [this step here instead](#advanced-running-netbird-behind-an-existing-reverse-proxy).
 </Note>
 
-## Step 3: Configure Identity Provider
+## Step 3: Configure Identity Provider (IDP)
+
+NetBird supports generic OpenID (OIDC) protocol allowing integration with any IDP following the specification.
+
+NetBird's management service integrates with some of the most popular IDP APIs, allowing the service to cache and display user names and email addresses without storing sensitive data.
 
-NetBird supports generic OpenID (OIDC) protocol allowing for the integration with any IDP that follows the specification.
 Pick the one that suits your needs, follow the steps, and continue with this guide:
 
-- Continue with [Auth0](/integrations/identity-providers/self-hosted/using-netbird-with-auth0) (managed service).
-- Continue with [Keycloak](/integrations/identity-providers/self-hosted/using-netbird-with-keycloak).
+**Self-hosted options**
+- Continue with [Zitadel](/selfhosted/identity-providers#zitadel).
+- Continue with [Keycloak](/selfhosted/identity-providers#keycloak).
+- Continue with [Authentik](/selfhosted/identity-providers#authentik).
+
+**Managed options**
+- Continue with [Azure AD](/selfhosted/identity-providers#azure-ad).
+- Continue with [Google Workspace](/selfhosted/identity-providers#google-workspace).
+- Continue with [Okta](/selfhosted/identity-providers#okta).
+- Continue with [Auth0](/selfhosted/identity-providers#auth0).
 
 ## Step 4: Disable single account mode (optional)
 
@@ -172,5 +183,5 @@ Make sure your reverse-Proxy is setup to use the HTTP2-Protocol when forwarding.
 Feel free to ping us on [Slack](https://join.slack.com/t/netbirdio/shared_invite/zt-vrahf41g-ik1v7fV8du6t0RwxSrJ96A) if you have any questions
 
 - NetBird managed version: [https://app.netbird.io](https://app.netbird.io)
-- Make sure to [star us on GitHub](https://github.com/netbirdio/netbird) :pray:
+- Make sure to [star us on GitHub](https://github.com/netbirdio/netbird)
 - Follow us [on Twitter](https://twitter.com/netbird)