netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

AzureAD SSO setup: no SSO provider returned from management #1159

Open qdrop17 opened 10 months ago

qdrop17 commented 10 months ago

We're trying to log in to our self-hosted Netbird instance but get the following errors:

Client (Fedora 38):

[qdrop@qdrop-fedora-pro9i ~]$ netbird login
2023-09-22T13:19:06+02:00 WARN client/cmd/root.go:187: retrying Login to the Management service in 1.156027938s due to error rpc error: code = Unknown desc = no SSO provider returned from management. Please proceed with setting up this device using setup keys https://docs.netbird.io/how-to/register-machines-using-setup-keys

Server (Ubuntu 22.04):

2023-09-22T11:12:37Z WARN management/server/grpcserver.go:326: failed logging in peer WUpiVR7smx3DOgDShdM5Zc/P1GA3w4f0uoNANu4f9wg=

-> What's interesting: Logging in with the Windows Netbird client works flawlessly. Also the dashboard operates without issues.

We followed the documentation for AzureAD-SSO integration: https://docs.netbird.io/selfhosted/identity-providers#azure-ad

setup.env

## example file, you can copy this file to setup.env and update its values
##
# Dashboard domain. e.g. app.mydomain.com
NETBIRD_DOMAIN="netbird-test.devinite.com"

# -------------------------------------------
# OIDC
#  e.g., https://example.eu.auth0.com/.well-known/openid-configuration
# -------------------------------------------
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://login.microsoftonline.com/xxx/v2.0/.well-known/openid-configuration"
NETBIRD_AUTH_AUDIENCE="97ac46bc-2dea-4b74-a6b2-60f3255c9b8f"
# e.g. netbird-client
NETBIRD_AUTH_CLIENT_ID="97ac46bc-2dea-4b74-a6b2-60f3255c9b8f"
# indicates the scopes that will be requested to the IDP
NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api://97ac46bc-2dea-4b74-a6b2-60f3255c9b8f/api"
# NETBIRD_AUTH_CLIENT_SECRET is required only by Google workspace.
# NETBIRD_AUTH_CLIENT_SECRET=""
# if you want to use a custom claim for the user ID instead of 'sub', set it here
NETBIRD_AUTH_USER_ID_CLAIM="oid"
# indicates whether to use Auth0 or not: true or false
NETBIRD_USE_AUTH0="false"
# if your IDP provider doesn't support fragmented URIs, configure custom
# redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain.
NETBIRD_AUTH_REDIRECT_URI="/auth"
NETBIRD_AUTH_SILENT_REDIRECT_URI="/silent-auth"
# Updates the preference to use id tokens instead of access token on dashboard
# Okta and Gitlab IDPs can benefit from this
# NETBIRD_TOKEN_SOURCE="idToken"
# -------------------------------------------
# OIDC Device Authorization Flow
# -------------------------------------------
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
#NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="none"
# Some IDPs requires different audience, scopes and to use id token for device authorization flow
# you can customize here:
#NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
#NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
#NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
# -------------------------------------------
# OIDC PKCE Authorization Flow
# -------------------------------------------
# Comma separated port numbers. if already in use, PKCE flow will choose an available port from the list as an alternative
# eg. 53000,54000
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000"
# -------------------------------------------
# IDP Management
# -------------------------------------------
# eg. zitadel, auth0, azure, keycloak
NETBIRD_MGMT_IDP="azure"
# Some IDPs requires different client id and client secret for management api
NETBIRD_IDP_MGMT_CLIENT_ID="97ac46bc-2dea-4b74-a6b2-60f3255c9b8f"
NETBIRD_IDP_MGMT_CLIENT_SECRET="xxx"
NETBIRD_IDP_MGMT_EXTRA_OBJECT_ID="c4dfb176-608d-4936-8ab1-9e541963f122"
NETBIRD_IDP_MGMT_EXTRA_GRAPH_API_ENDPOINT="https://graph.microsoft.com/v1.0"
# NETBIRD_IDP_MGMT_EXTRA_ variables. See https://docs.netbird.io/selfhosted/identity-providers for more information about your IDP of choice.
# -------------------------------------------
# Letsencrypt
# -------------------------------------------
# Disable letsencrypt
#  if disabled, cannot use HTTPS anymore and requires setting up a reverse-proxy to do it instead
NETBIRD_DISABLE_LETSENCRYPT=false
# e.g. hello@mydomain.com
NETBIRD_LETSENCRYPT_EMAIL="xxx"
# -------------------------------------------
# Extra settings
# -------------------------------------------
# Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
NETBIRD_DISABLE_ANONYMOUS_METRICS=false
# DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted

Expected behavior

We expect that we're getting at least some login URL to self-trigger the login flow inside the browser.

Any help is highly appreciated.

pascal-fischer commented 9 months ago

Hi, which version of management and client are you running? We introduced PKCE with version 0.23.0, which had a bug where the fallback for devices without a graphical interface (or the possibility to launch a browser), e.g. via ssh, was not working. Please make sure you are running the newest version, and please let me know if the issue persists.
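As an added example (not NetBird's own code), the script below parses the login-flow settings from the setup.env posted above together with a constructed stand-in for the IdP discovery document and reports which OIDC flow a client can use. It assumes, as the reply above implies, that a client unable to open a browser depends on the device authorization flow rather than the PKCE flow.

```python
# Constructed excerpt of the setup.env posted in this issue (same values).
SETUP_ENV = """
NETBIRD_AUTH_CLIENT_ID="97ac46bc-2dea-4b74-a6b2-60f3255c9b8f"
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
#NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="none"
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000"
"""

# Constructed stand-in for the discovery document served by
# NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT; only the keys checked below are kept.
DISCOVERY = {
    "authorization_endpoint": "https://login.microsoftonline.com/xxx/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/xxx/oauth2/v2.0/token",
    "device_authorization_endpoint": "https://login.microsoftonline.com/xxx/oauth2/v2.0/devicecode",
    "code_challenge_methods_supported": ["S256"],
}

def parse_env(text):
    """Parse KEY="value" lines; blank and commented-out lines are skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"')
    return env

def login_flows(env, discovery):
    """Return which flows the config enables plus findings for the operator."""
    findings = []
    ports = [p for p in env.get("NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS", "").split(",") if p.strip()]
    # PKCE needs a loopback redirect port and S256 support at the IdP.
    pkce = bool(ports) and "S256" in discovery.get("code_challenge_methods_supported", [])
    # Assumption: a browserless client relies on the device authorization flow.
    device = env.get("NETBIRD_AUTH_DEVICE_AUTH_PROVIDER", "none") != "none"
    if device and "device_authorization_endpoint" not in discovery:
        findings.append("device flow enabled but the IdP advertises no device_authorization_endpoint")
    if not device:
        findings.append("NETBIRD_AUTH_DEVICE_AUTH_PROVIDER is none: a client that cannot open a browser has no device-code flow to use")
    if not pkce and not device:
        findings.append("no interactive SSO flow configured; only setup keys remain")
    return {"pkce": pkce, "device": device, "findings": findings}

def check_setup(text, discovery=DISCOVERY):
    return login_flows(parse_env(text), discovery)

if __name__ == "__main__":
    for finding in check_setup(SETUP_ENV)["findings"]:
        print("finding:", finding)
```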