failed to login after self-hosting netbird deployed with ip address

[UnknowViewer]

Describe the problem

I deployed latest self-hosting Netbird in self-hosting mode, we have a public IP address but it's behind the firewall NAT, so I'm trying to install it with internal ip address and 80 port instead of domain name. I set NETBIRD_DOMAIN into 'use-ip' and installed successfully.

When I login the ip+port with init admin cred, it'll pending in seconds and return the error 'Login Error: User state: Unauthenticated'.

Checked in developer tools and notice that the POST request to 'http://addr/oauth/v2/token' was returned HTTP Code = 400 bad request error, version = HTTP/1.1, the resp body is:

{"error":"invalid_request","error_description":"code_challenge required"}

• Request payload

  grant_type=authorization_code&client_id=239527187013767172%40netbird&redirect_uri=http%3A%2F%2F{deleted_ip}%2Fnb-auth&code=Fv2xUQPGBsUFHdY7a8Yif5A6n13y0txtJXNQ-eaafSP_TQ

• resp of .well-known/openid-configuration api request

  {
  "issuer": "http://deleted_ip",
  "authorization_endpoint": "http://deleted_ip/oauth/v2/authorize",
  "token_endpoint": "http://deleted_ip/oauth/v2/token",
  "introspection_endpoint": "http://deleted_ip/oauth/v2/introspect",
  "userinfo_endpoint": "http://deleted_ip/oidc/v1/userinfo",
  "revocation_endpoint": "http://deleted_ip/oauth/v2/revoke",
  "end_session_endpoint": "http://deleted_ip/oidc/v1/end_session",
  "device_authorization_endpoint": "http://deleted_ip/oauth/v2/device_authorization",
  "jwks_uri": "http://deleted_ip/oauth/v2/keys",
  "scopes_supported": [
  "openid",
  "profile",
  "email",
  "phone",
  "address",
  "offline_access"
  ],
  "response_types_supported": [
  "code",
  "id_token",
  "id_token token"
  ],
  "grant_types_supported": [
  "authorization_code",
  "implicit",
  "refresh_token",
  "client_credentials",
  "urn:ietf:params:oauth:grant-type:jwt-bearer",
  "urn:ietf:params:oauth:grant-type:device_code"
  ],
  "subject_types_supported": [
  "public"
  ],
  "id_token_signing_alg_values_supported": [
  "RS256"
  ],
  "request_object_signing_alg_values_supported": [
  "RS256"
  ],
  "token_endpoint_auth_methods_supported": [
  "none",
  "client_secret_basic",
  "client_secret_post",
  "private_key_jwt"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
  "RS256"
  ],
  "revocation_endpoint_auth_methods_supported": [
  "none",
  "client_secret_basic",
  "client_secret_post",
  "private_key_jwt"
  ],
  "revocation_endpoint_auth_signing_alg_values_supported": [
  "RS256"
  ],
  "introspection_endpoint_auth_methods_supported": [
  "client_secret_basic",
  "private_key_jwt"
  ],
  "introspection_endpoint_auth_signing_alg_values_supported": [
  "RS256"
  ],
  "claims_supported": [
  "sub",
  "aud",
  "exp",
  "iat",
  "iss",
  "auth_time",
  "nonce",
  "acr",
  "amr",
  "c_hash",
  "at_hash",
  "act",
  "scopes",
  "client_id",
  "azp",
  "preferred_username",
  "name",
  "family_name",
  "given_name",
  "locale",
  "email",
  "email_verified",
  "phone_number",
  "phone_number_verified"
  ],
  "code_challenge_methods_supported": [
  "S256"
  ],
  "ui_locales_supported": [
  "bg",
  "de",
  "en",
  "es",
  "fr",
  "it",
  "ja",
  "mk",
  "pl",
  "pt",
  "zh"
  ],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": false
  }

To Reproduce Steps to reproduce the behavior:

1. deploy self-hosting Netbird with IP address, instead of domain name
2. visit in web site

Expected behavior I should login to the Netbird dashboard after change the init password of admin account.

NetBird status -d output: If applicable, add the output of the netbird status -d command

Screenshots

• Error msg

  

• resp body

Additional context

• dashboard.env

  # Endpoints
  NETBIRD_MGMT_API_ENDPOINT=http://deleted_ip:80
  NETBIRD_MGMT_GRPC_API_ENDPOINT=http://deleted_ip:80
  # OIDC
  AUTH_AUDIENCE=239527187013767172@netbird
  AUTH_CLIENT_ID=239527187013767172@netbird
  AUTH_AUTHORITY=http://deleted_ip:80
  USE_AUTH0=false
  AUTH_SUPPORTED_SCOPES="openid profile email offline_access"
  AUTH_REDIRECT_URI=/nb-auth
  AUTH_SILENT_REDIRECT_URI=/nb-silent-auth
  # SSL
  NGINX_SSL_PORT=443
  # Letsencrypt
  LETSENCRYPT_DOMAIN=none

• management.json

  {
  "Stuns": [
      {
          "Proto": "udp",
          "URI": "stun:deleted_ip:3478",
          "Username": "",
          "Password": ""
      }
  ],
  "TURNConfig": {
      "TimeBasedCredentials": false,
      "CredentialsTTL": "0s",
      "Secret": "",
      "Turns": [
          {
              "Proto": "udp",
              "URI": "turn:deleted_ip:3478",
              "Username": "self",
              "Password": "SG+pSvzA6benRg4ISr3yMUa8al4mV2rohG0b4T82nKM"
          }
      ]
  },
  "Signal": {
      "Proto": "http",
      "URI": "deleted_ip:80",
      "Username": "",
      "Password": ""
  },
  "Datadir": "/var/lib/netbird/",
  "DataStoreEncryptionKey": "DfsnZOx7evaQewL/8ggZRY9CbEZCXuyqzfDQv1683vY=",
  "HttpConfig": {
      "LetsEncryptDomain": "",
      "CertFile": "",
      "CertKey": "",
      "AuthAudience": "239527187013767172@netbird",
      "AuthIssuer": "http://deleted_ip",
      "AuthUserIDClaim": "",
      "AuthKeysLocation": "http://deleted_ip/oauth/v2/keys",
      "OIDCConfigEndpoint": "http://deleted_ip/.well-known/openid-configuration",
      "IdpSignKeyRefreshEnabled": true
  },
  "IdpManagerConfig": {
      "ManagerType": "zitadel",
      "ClientConfig": {
          "Issuer": "http://deleted_ip:80",
          "TokenEndpoint": "http://deleted_ip:80/oauth/v2/token",
          "ClientID": "netbird-service-account",
          "ClientSecret": "FrJqRgyExhLnR5oBh3A2VAO1RtV3zWXXIfBGcX0nIZFja8M66YQXl54DZElgPKRm",
          "GrantType": "client_credentials"
      },
      "ExtraConfig": {
          "ManagementEndpoint": "http://deleted_ip:80/management/v1"
      },
      "Auth0ClientCredentials": null,
      "AzureClientCredentials": null,
      "KeycloakClientCredentials": null,
      "ZitadelClientCredentials": null
  },
  "DeviceAuthorizationFlow": null,
  "PKCEAuthorizationFlow": {
      "ProviderConfig": {
          "ClientID": "239527189060587524@netbird",
          "ClientSecret": "",
          "Domain": "",
          "Audience": "239527189060587524@netbird",
          "TokenEndpoint": "http://deleted_ip/oauth/v2/token",
          "DeviceAuthEndpoint": "",
          "AuthorizationEndpoint": "http://deleted_ip/oauth/v2/authorize",
          "Scope": "openid profile email offline_access",
          "UseIDToken": false,
          "RedirectURLs": [
              "http://localhost:53000/",
              "http://localhost:54000/"
          ]
      }
  },
  "StoreConfig": {
      "Engine": ""
  }
  }

[0FiRE0]

Same issue for the login. Please note that the Console Login is working fine.

[mlsmaycon]

Hello,

Due to a limitation with our oidc lib this is not possible. The only URL without an SSL certificate it accepts is http://localhost.

See issue at https://github.com/AxaFrance/oidc-client/issues/1028