netbirdio / netbird

Connect your devices into a single secure private WireGuard®-based mesh network with SSO/MFA and simple access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

Google Auth Failing As 404 After Redirect from /auth #2121

Closed majordwarf closed 1 week ago

majordwarf commented 3 weeks ago

Describe the problem

I have set up a self-hosted server as per the guide on AWS using ALB as reverse proxy. But after the consent screen it fails after the callback request from accounts.google.com to $DOMAIN/auth as 404.

[Screenshot 2024-06-12 at 12:21:53 PM]

$DOMAIN = the subdomain I use; xxx = redacted sensitive information

setup.env File
NETBIRD_DASHBOARD_TAG=""
NETBIRD_SIGNAL_TAG=""
NETBIRD_MANAGEMENT_TAG=""
COTURN_TAG=""
NETBIRD_DOMAIN="$DOMAIN"

NETBIRD_TURN_DOMAIN=""
NETBIRD_TURN_EXTERNAL_IP=""

NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://accounts.google.com/.well-known/openid-configuration"
NETBIRD_AUTH_AUDIENCE="xxx.apps.googleusercontent.com"
NETBIRD_AUTH_CLIENT_ID="xxx.apps.googleusercontent.com"
NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email"
NETBIRD_AUTH_CLIENT_SECRET="xxx"
NETBIRD_USE_AUTH0=false
NETBIRD_AUTH_REDIRECT_URI="/auth"
NETBIRD_AUTH_SILENT_REDIRECT_URI="/silent-auth"
NETBIRD_TOKEN_SOURCE="idToken"

NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false

NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000"

NETBIRD_MGMT_IDP="google"
NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=true
NETBIRD_IDP_MGMT_EXTRA_SERVICE_ACCOUNT_KEY="xxx"
NETBIRD_IDP_MGMT_EXTRA_CUSTOMER_ID="xxx"

NETBIRD_DISABLE_LETSENCRYPT=true
NETBIRD_LETSENCRYPT_EMAIL=""

NETBIRD_DISABLE_ANONYMOUS_METRICS=false
NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted

NETBIRD_MGMT_API_PORT="33073"
NETBIRD_SIGNAL_PORT="10000"

I run ./configure.sh and in the artifacts folder I bring docker compose up. All containers start without any problem.

Generated management.json
{
    "Stuns": [
        {
            "Proto": "udp",
            "URI": "stun:$DOMAIN:3478",
            "Username": "",
            "Password": ""
        }
    ],
    "TURNConfig": {
        "TimeBasedCredentials": false,
        "CredentialsTTL": "12h0m0s",
        "Secret": "secret",
        "Turns": [
            {
                "Proto": "udp",
                "URI": "turn:$DOMAIN:3478",
                "Username": "self",
                "Password": "xxx"
            }
        ]
    },
    "Signal": {
        "Proto": "https",
        "URI": "$DOMAIN:10000",
        "Username": "",
        "Password": ""
    },
    "Datadir": "/var/lib/netbird/",
    "DataStoreEncryptionKey": "xxx",
    "HttpConfig": {
        "LetsEncryptDomain": "",
        "CertFile": "",
        "CertKey": "",
        "AuthAudience": "xxx.apps.googleusercontent.com",
        "AuthIssuer": "https://accounts.google.com",
        "AuthUserIDClaim": "",
        "AuthKeysLocation": "https://www.googleapis.com/oauth2/v3/certs",
        "OIDCConfigEndpoint": "https://accounts.google.com/.well-known/openid-configuration",
        "IdpSignKeyRefreshEnabled": true
    },
    "IdpManagerConfig": {
        "ManagerType": "google",
        "ClientConfig": {
            "Issuer": "https://accounts.google.com",
            "TokenEndpoint": "https://oauth2.googleapis.com/token",
            "ClientID": "xxx.apps.googleusercontent.com",
            "ClientSecret": "xxx",
            "GrantType": "client_credentials"
        },
        "ExtraConfig": {
            "CustomerId": "xxx",
            "ServiceAccountKey": "xxx"
        },
        "Auth0ClientCredentials": null,
        "AzureClientCredentials": null,
        "KeycloakClientCredentials": null,
        "ZitadelClientCredentials": null
    },
    "DeviceAuthorizationFlow": {
        "Provider": "none",
        "ProviderConfig": {
            "ClientID": "xxx.apps.googleusercontent.com",
            "ClientSecret": "xxx",
            "Domain": "",
            "Audience": "xxx.apps.googleusercontent.com",
            "TokenEndpoint": "https://oauth2.googleapis.com/token",
            "DeviceAuthEndpoint": "https://oauth2.googleapis.com/device/code",
            "AuthorizationEndpoint": "",
            "Scope": "openid",
            "UseIDToken": false,
            "RedirectURLs": null
        }
    },
    "PKCEAuthorizationFlow": {
        "ProviderConfig": {
            "ClientID": "xxx.apps.googleusercontent.com",
            "ClientSecret": "xxx",
            "Domain": "",
            "Audience": "xxx.apps.googleusercontent.com",
            "TokenEndpoint": "https://oauth2.googleapis.com/token",
            "DeviceAuthEndpoint": "",
            "AuthorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
            "Scope": "openid profile email",
            "UseIDToken": true,
            "RedirectURLs": [
                "https://$DOMAIN/auth",
                "https://$DOMAIN/silent-auth",
                "http://localhost:53000"
            ]
        }
    },
    "StoreConfig": {
        "Engine": "sqlite"
    },
    "ReverseProxy": {
        "TrustedHTTPProxies": [],
        "TrustedHTTPProxiesCount": 0,
        "TrustedPeers": [
            "0.0.0.0/0"
        ]
    }
}

Expected behavior

After login Netbird uses the authentication information to authenticate the user.

Are you using NetBird Cloud?

No, self-hosted.

NetBird version

Using latest docker image, which is version v0.27.10

NetBird status -d output:

No client app yet involved

ergleb78 commented 1 week ago

I'm having the same issue after the latest update. Logs of the dashboard container:

"GET /silent-auth HTTP/1.1" 404 1663 "https:///peers?state=......

RadeJR commented 1 week ago

I have the same problem, couldn't get more info

majordwarf commented 1 week ago

I resolved the issue by exposing the service on ALB Listener port 33073 for Management instead of adjusting the Target Group's resolution port.

PS: I'm on AWS.
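Added example, not part of the NetBird project or of any comment in this thread: a small Python checker that reads setup.env-style variables together with the generated management.json, lists the public endpoints a reverse proxy in front of a self-hosted NetBird has to route (the dashboard redirect paths on 443, the management API port, and the signal port), and flags mismatches between the two files. All sample values are constructed placeholders; the function names and the assumption that the management API is reached on NETBIRD_MGMT_API_PORT at NETBIRD_DOMAIN are mine, not NetBird's.

```python
"""Hypothetical consistency check for a self-hosted NetBird behind a reverse
proxy (added example; not NetBird code). Sample inputs are constructed."""
import json
import re
from urllib.parse import urlparse

# Constructed stand-in for the relevant setup.env lines (placeholder values).
SETUP_ENV = '''
# comments and blank lines are ignored
NETBIRD_DOMAIN="netbird.example.test"
NETBIRD_AUTH_REDIRECT_URI="/auth"
NETBIRD_AUTH_SILENT_REDIRECT_URI="/silent-auth"
NETBIRD_MGMT_API_PORT="33073"
NETBIRD_SIGNAL_PORT="10000"
'''

# Constructed subset of a generated management.json using the same placeholders.
MANAGEMENT_JSON = json.dumps({
    "Signal": {"Proto": "https", "URI": "netbird.example.test:10000"},
    "PKCEAuthorizationFlow": {"ProviderConfig": {"RedirectURLs": [
        "https://netbird.example.test/auth",
        "https://netbird.example.test/silent-auth",
        "http://localhost:53000",
    ]}},
})

ENV_LINE = re.compile(r'^\s*([A-Z][A-Z0-9_]*)=(.*)$')


def parse_env(text):
    """Parse KEY="value" lines into a dict; comments and blank lines are skipped."""
    env = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if m:
            key, raw = m.groups()
            env[key] = raw.strip().strip('"').strip("'")
    return env


def public_endpoints(env_text, mgmt_text):
    """(scheme, host, port, path) tuples that must be reachable through the proxy."""
    env = parse_env(env_text)
    mgmt = json.loads(mgmt_text)
    domain = env["NETBIRD_DOMAIN"]
    endpoints = [
        # The IdP sends the browser back to these dashboard paths on 443.
        ("https", domain, 443, env["NETBIRD_AUTH_REDIRECT_URI"]),
        ("https", domain, 443, env["NETBIRD_AUTH_SILENT_REDIRECT_URI"]),
        # Management API on its own port (assumed to live on the same domain).
        ("https", domain, int(env["NETBIRD_MGMT_API_PORT"]), "/"),
    ]
    sig_host, sig_port = mgmt["Signal"]["URI"].rsplit(":", 1)
    endpoints.append((mgmt["Signal"]["Proto"], sig_host, int(sig_port), "/"))
    return endpoints


def listener_ports(env_text, mgmt_text):
    """Sorted list of TCP ports a front-end listener must expose."""
    return sorted({port for _, _, port, _ in public_endpoints(env_text, mgmt_text)})


def check(env_text, mgmt_text):
    """Return findings about mismatches; an empty list means the files agree."""
    env = parse_env(env_text)
    mgmt = json.loads(mgmt_text)
    domain = env["NETBIRD_DOMAIN"]
    findings = []
    redirects = mgmt["PKCEAuthorizationFlow"]["ProviderConfig"]["RedirectURLs"]
    for url in redirects:
        parsed = urlparse(url)
        # localhost is legitimate: the CLI's PKCE flow uses a loopback redirect.
        if parsed.hostname not in (domain, "localhost"):
            findings.append(f"redirect URL {url} does not use NETBIRD_DOMAIN {domain}")
        elif parsed.hostname == domain and parsed.scheme != "https":
            findings.append(f"redirect URL {url} is not https")
    for key in ("NETBIRD_AUTH_REDIRECT_URI", "NETBIRD_AUTH_SILENT_REDIRECT_URI"):
        expected = f"https://{domain}{env[key]}"
        if expected not in redirects:
            findings.append(f"{expected} ({key}) is missing from RedirectURLs")
    sig_host, sig_port = mgmt["Signal"]["URI"].rsplit(":", 1)
    if sig_host != domain:
        findings.append(f"Signal URI host {sig_host} differs from NETBIRD_DOMAIN {domain}")
    if sig_port != env["NETBIRD_SIGNAL_PORT"]:
        findings.append(f"Signal URI port {sig_port} differs from NETBIRD_SIGNAL_PORT")
    return findings


if __name__ == "__main__":
    for scheme, host, port, path in public_endpoints(SETUP_ENV, MANAGEMENT_JSON):
        print(f"route {scheme}://{host}:{port}{path}")
    print("listener ports:", listener_ports(SETUP_ENV, MANAGEMENT_JSON))
    print("findings:", check(SETUP_ENV, MANAGEMENT_JSON) or "none")
```

Run against the constructed sample it reports listener ports 443, 10000 and 33073; comparing that list with the listeners actually configured on the load balancer surfaces the missing management port described in the resolution above, and the findings list catches redirect URLs that were generated for a different host or scheme than the one the IdP will redirect to.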