Cannot login with Google Workspaces as IDP #1619


kamikazechaser commented 7 months ago

Describe the problem

I have set up a self-hosted server as per the guide. I can log in to the dashboard with my Google Workspace account. However, `netbird up --management-url $DOMAIN` fails with:

2024-02-23T19:07:00+03:00 WARN client/cmd/root.go:204: retrying Login to the Management service in 1.427649012s due to error rpc error: code = Unknown desc = the management server, $DOMAIN:443, does not support SSO providers, please update your server or use Setup Keys to login

I also attempted to use the Android app. It prompted me for a Setup Key, which I created in the dashboard and pasted into the app. The app returned:

Error setup key address

On the server, the dashboard container logged the following in both cases. Note that these are gRPC management-service calls (`/management.ManagementService/GetServerKey`) being answered with HTTP 404 by the dashboard's web server, which suggests that requests to `$DOMAIN:443` are being routed to the dashboard container rather than to the management service:

dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:02:19 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:02:20 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:02:29 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:02:31 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:02:33 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:02:36 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:02:40 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:02:48 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:02:52 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:06:58 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:06:59 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:07:00 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:07:02 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:07:02 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:07:03 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:07:06 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"

To Reproduce

Attempt to add a device using the Debian CLI or the Android app on a self-hosted instance that uses Google Workspace as the IdP.

Expected behavior

Successfully add a device.

Are you using NetBird Cloud?

Self-hosted

NetBird version

netbird version (the issue-template placeholder was left in place — the actual client and management server versions are not stated)

Additional context

Dashboard env:

NETBIRD_MGMT_API_ENDPOINT=$DOMAIN
NETBIRD_MGMT_GRPC_API_ENDPOINT=$DOMAIN
AUTH_AUDIENCE=xxx.apps.googleusercontent.com
AUTH_CLIENT_ID=xxx.apps.googleusercontent.com
AUTH_CLIENT_SECRET=xxx
AUTH_AUTHORITY=https://accounts.google.com
USE_AUTH0=false
AUTH_SUPPORTED_SCOPES=openid profile email
AUTH_REDIRECT_URI=/auth
AUTH_SILENT_REDIRECT_URI=/silent-auth
NETBIRD_TOKEN_SOURCE=idToken

management.json (secrets redacted; note that `HttpConfig.IdpSignKeyRefreshEnabled` is `false`, which presumably means the signing keys fetched from `AuthKeysLocation` are not refreshed after Google rotates them, and that `TURNConfig.Secret` is still the literal placeholder value `secret`, although with `TimeBasedCredentials` set to `false` it may not be in use):

{
  "Stuns": [
    {
      "Proto": "udp",
      "URI": "stun:$DOMAIN:3478",
      "Username": "",
      "Password": null
    }
  ],
  "TURNConfig": {
    "Turns": [
      {
        "Proto": "udp",
        "URI": "turn:$DOMAIN:3478",
        "Username": "self",
        "Password": "xxx"
      }
    ],
    "CredentialsTTL": "12h",
    "Secret": "secret",
    "TimeBasedCredentials": false
  },
  "Signal": {
    "Proto": "http",
    "URI": "$DOMAIN",
    "Username": "",
    "Password": null
  },
  "Datadir": "",
  "DataStoreEncryptionKey": "",
  "StoreConfig": {
    "Engine": "jsonfile"
  },
  "HttpConfig": {
    "Address": "0.0.0.0",
    "AuthIssuer": "https://accounts.google.com",
    "AuthAudience": "xxx.apps.googleusercontent.com",
    "AuthKeysLocation": "https://www.googleapis.com/oauth2/v3/certs",
    "AuthUserIDClaim": "",
    "IdpSignKeyRefreshEnabled": false,
    "OIDCConfigEndpoint": "https://accounts.google.com/.well-known/openid-configuration"
  },
  "IdpManagerConfig": {
    "ManagerType": "google",
    "ClientConfig": {
      "Issuer": "https://accounts.google.com",
      "TokenEndpoint": "https://oauth2.googleapis.com/token",
      "ClientID": "xxx.apps.googleusercontent.com",
      "ClientSecret": "",
      "GrantType": "client_credentials"
    },
    "ExtraConfig": {
      "CustomerId": "xxx",
      "ServiceAccountKey": "base64-encoded-xxx"
    },
    "Auth0ClientCredentials": null,
    "AzureClientCredentials": null,
    "KeycloakClientCredentials": null,
    "ZitadelClientCredentials": null
  },
  "DeviceAuthorizationFlow": {
    "Provider": "none",
    "ProviderConfig": {
      "Audience": "xxx.apps.googleusercontent.com",
      "AuthorizationEndpoint": "",
      "Domain": "",
      "ClientID": "",
      "ClientSecret": "",
      "TokenEndpoint": "https://oauth2.googleapis.com/token",
      "DeviceAuthEndpoint": "https://oauth2.googleapis.com/device/code",
      "Scope": "openid",
      "UseIDToken": false,
      "RedirectURLs": null
    }
  },
  "PKCEAuthorizationFlow": {
    "ProviderConfig": {
      "Audience": "xxx.apps.googleusercontent.com",
      "ClientID": "xxx.apps.googleusercontent.com",
      "ClientSecret": "xxx",
      "Domain": "",
      "AuthorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
      "TokenEndpoint": "https://oauth2.googleapis.com/token",
      "Scope": "openid profile email",
      "RedirectURLs": [
        "https://$DOMAIN/auth",
        "https://$DOMAIN/silent-auth",
        "http://localhost:53000"
      ],
      "UseIDToken": true
    }
  }
}

openid-configuration.json:

{
 "issuer": "https://accounts.google.com",
 "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
 "device_authorization_endpoint": "https://oauth2.googleapis.com/device/code",
 "token_endpoint": "https://oauth2.googleapis.com/token",
 "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
 "revocation_endpoint": "https://oauth2.googleapis.com/revoke",
 "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
 "response_types_supported": [
  "code",
  "token",
  "id_token",
  "code token",
  "code id_token",
  "token id_token",
  "code token id_token",
  "none"
 ],
 "subject_types_supported": [
  "public"
 ],
 "id_token_signing_alg_values_supported": [
  "RS256"
 ],
 "scopes_supported": [
  "openid",
  "email",
  "profile"
 ],
 "token_endpoint_auth_methods_supported": [
  "client_secret_post",
  "client_secret_basic"
 ],
 "claims_supported": [
  "aud",
  "email",
  "email_verified",
  "exp",
  "family_name",
  "given_name",
  "iat",
  "iss",
  "name",
  "picture",
  "sub"
 ],
 "code_challenge_methods_supported": [
  "plain",
  "S256"
 ],
 "grant_types_supported": [
  "authorization_code",
  "refresh_token",
  "urn:ietf:params:oauth:grant-type:device_code",
  "urn:ietf:params:oauth:grant-type:jwt-bearer"
 ]
}
joshuahigginson1 commented 7 months ago

Hi KamikazeChaser, we've successfully integrated Google SSO by following our guide. Give me 5 minutes, and I'll dig out our management.json config for you.

joshuahigginson1 commented 7 months ago

It is worth noting that we use Terraform for our deployment of NetBird, so if you see any unusual syntax (the `${...}` interpolations and `$VAR` placeholders below), give me a shout. Values shown as `******` are redacted.

{
    "Stuns": [
        {
            "Proto": "udp",
            "URI": "stun:******:443",
            "Username": "*******",
            "Password": "*******"
        },
        {
            "Proto": "tcp",
            "URI": "stun:*********:443",
            "Username": "*******",
            "Password": "********"
        }
    ],
    "TURNConfig": {
        "Turns": [
            {
                "Proto": "dtls",
                "URI": "turns:******:5349",
                "Username": "******",
                "Password": "******"
            }
        ],
        "CredentialsTTL": "12h",
        "Secret": "********",
        "TimeBasedCredentials": false
    },
    "Signal": {
        "Proto": "https",
        "URI": "access.${data.aws_route53_zone.netbird_hosted_zone.name}:443",
        "Username": "",
        "Password": null
    },
    "StoreConfig": {
        "Engine": "jsonfile"
    },
    "HttpConfig": {
        "Address": "0.0.0.0:443",
        "AuthAudience": "$OIDC_CLIENT_ID",
        "AuthUserIDClaim": "sub",
        "OIDCConfigEndpoint": "${var.oidc_configuration_endpoint}"
    },
    "IdpManagerConfig": {
        "ManagerType": "${var.netbird_management_idp}",
        "ClientConfig": {
            "Issuer": "${local.oidc_openid_configuration.issuer}",
            "TokenEndpoint": "${local.oidc_openid_configuration.token_endpoint}",
            "ClientID": "$OIDC_CLIENT_ID",
            "ClientSecret": "$OIDC_CLIENT_SECRET",
            "GrantType": "client_credentials"
        },
        "ExtraConfig": {
            "CustomerId": "$GOOGLE_WORKSPACE_CUSTOMER_ID",
            "ServiceAccountKey": "$GOOGLE_WORKSPACE_SA_KEY"
        }
    },
    "DeviceAuthorizationFlow": {
        "Provider": "none",
        "ProviderConfig": {
            "Audience": "$OIDC_CLIENT_ID",
            "ClientID": "$OIDC_CLIENT_ID",
            "ClientSecret": "$OIDC_CLIENT_SECRET",
            "Scope": "${local.oidc_supported_scopes}",
            "UseIDToken": true
        }
    },
    "PKCEAuthorizationFlow": {
        "ProviderConfig": {
            "Audience": "$OIDC_CLIENT_ID",
            "ClientID": "$OIDC_CLIENT_ID",
            "ClientSecret": "$OIDC_CLIENT_SECRET",
            "DeviceAuthEndpoint": "${local.oidc_openid_configuration.device_authorization_endpoint}",
            "Scope": "${local.oidc_supported_scopes}",
            "RedirectURLs": [
                "http://localhost:53000/"
            ],
            "UseIDToken": true
        }
    }
}