netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

Loading loop after connection with IDP Azure #2329

Open Kipsz opened 1 month ago

Kipsz commented 1 month ago

I set up the setup.env file as described in the documentation, but I get an error in the management container logs:

Error: failed retrieving a new idp manager with err: azure IdP configuration is incomplete, GraphAPIEndpoint is missing.

I've double-checked the doc and the problems reported here several times, but I can't seem to make any progress...

here is my setup.env: [screenshot]

robdeweese commented 1 month ago

I think on mine, I had to change my mgmt idp to "none"

florian-obradovic commented 1 month ago

No idea what's missing, but here is my config to compare:

openid-configuration.json:

{
    "token_endpoint": "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/token",
    "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt", "client_secret_basic"],
    "jwks_uri": "https://login.microsoftonline.com/TENANT-ID/discovery/v2.0/keys",
    "response_modes_supported": ["query", "fragment", "form_post"],
    "subject_types_supported": ["pairwise"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "issuer": "https://login.microsoftonline.com/TENANT-ID/v2.0",
    "request_uri_parameter_supported": false,
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "authorization_endpoint": "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/authorize",
    "device_authorization_endpoint": "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/devicecode",
    "http_logout_supported": true,
    "frontchannel_logout_supported": true,
    "end_session_endpoint": "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/logout",
    "claims_supported": ["sub", "iss", "cloud_instance_name", "cloud_instance_host_name", "cloud_graph_host_name", "msgraph_host", "aud", "exp", "iat", "auth_time", "acr", "nonce", "preferred_username", "name", "tid", "ver", "at_hash", "c_hash", "email"],
    "kerberos_endpoint": "https://login.microsoftonline.com/TENANT-ID/kerberos",
    "tenant_region_scope": "EU",
    "cloud_instance_name": "microsoftonline.com",
    "cloud_graph_host_name": "graph.windows.net",
    "msgraph_host": "graph.microsoft.com",
    "rbac_url": "https://pas.windows.net"
}

docker-compose.yml:

version: "3"
services:
  #UI dashboard
  dashboard:
    image: netbirdio/dashboard:latest
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://netbird.MY-DOMAIN.com:33073
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbird.MY-DOMAIN.com:33073
      # OIDC
      - AUTH_AUDIENCE=APPLICATION-ID
      - AUTH_CLIENT_ID=APPLICATION-ID
      - AUTH_CLIENT_SECRET= # NOT SURE WHY THIS IS EMPTY ON MINE > The secret is in management.json 
      - AUTH_AUTHORITY=https://login.microsoftonline.com/TENANT-ID/v2.0
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access User.Read api://APPLICATION-ID/api
      - AUTH_REDIRECT_URI=/auth
      - AUTH_SILENT_REDIRECT_URI=/silent-auth
      - NETBIRD_TOKEN_SOURCE=idToken
      # SSL
      - NGINX_SSL_PORT=443
      # Letsencrypt
      - LETSENCRYPT_DOMAIN=netbird.MY-DOMAIN.com
      - LETSENCRYPT_EMAIL=me@MY-DOMAIN.com

management.json:

{
    "Stuns": [
        {
            "Proto": "udp",
            "URI": "stun:netbird.MYDOMAIN.com:3478",
            "Username": "",
            "Password": ""
        }
    ],
    "TURNConfig": {
        "TimeBasedCredentials": false,
        "CredentialsTTL": "12h0m0s",
        "Secret": "secret",
        "Turns": [
            {
                "Proto": "udp",
                "URI": "turn:netbird.MYDOMAIN.com:3478",
                "Username": "self",
                "Password": "PASSWORD"
            }
        ]
    },
    "Signal": {
        "Proto": "http",
        "URI": "netbird.MYDOMAIN.com:10000",
        "Username": "",
        "Password": ""
    },
    "Datadir": "/var/lib/netbird/",
    "DataStoreEncryptionKey": "Encryption-KEY",
    "HttpConfig": {
        "LetsEncryptDomain": "",
        "CertFile": "/etc/letsencrypt/live/netbird.MYDOMAIN.com/fullchain.pem",
        "CertKey": "/etc/letsencrypt/live/netbird.MYDOMAIN.com/privkey.pem",
        "AuthAudience": "APPLICATION-ID",
        "AuthIssuer": "https://login.microsoftonline.com/TENANT-ID/v2.0",
        "AuthUserIDClaim": "oid",
        "AuthKeysLocation": "https://login.microsoftonline.com/TENANT-ID/discovery/v2.0/keys",
        "OIDCConfigEndpoint": "https://login.microsoftonline.com/TENANT-ID/v2.0/.well-known/openid-configuration",
        "IdpSignKeyRefreshEnabled": false
    },
    "IdpManagerConfig": {
        "ManagerType": "azure",
        "ClientConfig": {
            "Issuer": "https://login.microsoftonline.com/TENANT-ID/v2.0",
            "TokenEndpoint": "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/token",
            "ClientID": "APPLICATION-ID",
            "ClientSecret": "MY-Entra-ID-SECRET",
            "GrantType": "client_credentials"
        },
        "ExtraConfig": {
            "GraphApiEndpoint": "https://graph.microsoft.com/v1.0",
            "ObjectId": "Object-ID-Of-Entra-ID-AppRegistration"
        },
        "Auth0ClientCredentials": null,
        "AzureClientCredentials": null,
        "KeycloakClientCredentials": null,
        "ZitadelClientCredentials": null
    },
    "DeviceAuthorizationFlow": {
        "Provider": "none",
        "ProviderConfig": {
            "ClientID": "",
            "ClientSecret": "",
            "Domain": "",
            "Audience": "APPLICATION-ID",
            "TokenEndpoint": "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/token",
            "DeviceAuthEndpoint": "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/devicecode",
            "AuthorizationEndpoint": "",
            "Scope": "openid",
            "UseIDToken": false,
            "RedirectURLs": null
        }
    },
    "PKCEAuthorizationFlow": {
        "ProviderConfig": {
            "ClientID": "APPLICATION-ID",
            "ClientSecret": "",
            "Domain": "",
            "Audience": "APPLICATION-ID",
            "TokenEndpoint": "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/token",
            "DeviceAuthEndpoint": "",
            "AuthorizationEndpoint": "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/authorize",
            "Scope": "openid profile email offline_access User.Read api://APPLICATION-ID/api",
            "UseIDToken": true,
            "RedirectURLs": [
                "http://localhost:53000"
            ]
        }
    },
    "StoreConfig": {
        "Engine": "sqlite"
    },
    "ReverseProxy": {
        "TrustedHTTPProxies": [],
        "TrustedHTTPProxiesCount": 0,
        "TrustedPeers": [
            "0.0.0.0/0"
        ]
    }
}

Kipsz commented 1 month ago

Thank you for sharing your conf @florian-obradovic

It works! The content of the Scope line was empty in the PKCEAuthorizationFlow block in the management.json file.

[screenshot]

Netbird displays a UserID that is impossible to remember. How can I retrieve the first name, surname and email? [screenshot]

EDIT: Without any change on my part and from one second to the next, I can no longer access the interface, with the following error:

[screenshots]
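Added here as an illustration, not code from the thread or from NetBird: a small Python check for the two management.json problems this thread identifies (the Azure manager's missing GraphApiEndpoint in ExtraConfig, which produces the "GraphAPIEndpoint is missing" log line, and the empty Scope in PKCEAuthorizationFlow). The sample config, placeholder values and function names are constructed for this example.

```python
import json

# Constructed sample in the shape of the management.json shared in the thread
# (placeholder values only; not a real deployment).
SAMPLE_MANAGEMENT = {
    "IdpManagerConfig": {
        "ManagerType": "azure",
        "ClientConfig": {
            "ClientID": "APPLICATION-ID",
            "ClientSecret": "PLACEHOLDER-SECRET",
            "GrantType": "client_credentials",
        },
        "ExtraConfig": {
            "GraphApiEndpoint": "https://graph.microsoft.com/v1.0",
            "ObjectId": "PLACEHOLDER-OBJECT-ID",
        },
    },
    "PKCEAuthorizationFlow": {
        "ProviderConfig": {
            "ClientID": "APPLICATION-ID",
            "Scope": "openid profile email offline_access User.Read api://APPLICATION-ID/api",
            "UseIDToken": True,
        }
    },
}


def check_management(cfg):
    """Return findings for the two management.json problems seen in the thread."""
    findings = []
    idp = cfg.get("IdpManagerConfig") or {}
    # The azure manager needs ExtraConfig.GraphApiEndpoint/ObjectId; "none" skips these checks.
    if idp.get("ManagerType") == "azure":
        extra = idp.get("ExtraConfig") or {}
        for key in ("GraphApiEndpoint", "ObjectId"):
            if not extra.get(key):
                findings.append(f"IdpManagerConfig.ExtraConfig.{key} is missing or empty")
        if not (idp.get("ClientConfig") or {}).get("ClientSecret"):
            findings.append("IdpManagerConfig.ClientConfig.ClientSecret is empty")
    # An empty PKCE Scope left the dashboard stuck in a login loop.
    pkce = (cfg.get("PKCEAuthorizationFlow") or {}).get("ProviderConfig") or {}
    if "openid" not in (pkce.get("Scope") or "").split():
        findings.append("PKCEAuthorizationFlow.ProviderConfig.Scope is empty or lacks 'openid'")
    return findings


def check_management_file(path):
    """Load a management.json from disk and run the same checks."""
    with open(path, encoding="utf-8") as fh:
        return check_management(json.load(fh))
```

Run `check_management_file("management.json")` against the file the management container mounts; an empty list means neither of the thread's two misconfigurations is present.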

florian-obradovic commented 1 month ago

I would suggest following the steps at https://docs.netbird.io/selfhosted/identity-providers#azure-ad-microsoft-entra-id. It looks like you don't submit the names, etc., but only the object id.

Kipsz commented 1 month ago

> I would suggest following the steps at https://docs.netbird.io/selfhosted/identity-providers#azure-ad-microsoft-entra-id. It looks like you don't submit the names, etc., but only the object id.

I found my problem: I was not re-running ./configure.sh when I changed my setup.env. So now I can access the netbird interface with NETBIRD_MGMT_IDP='none' in my setup.env (thank you @robdeweese).

However, I don't have admin rights to configure NetBird. Is there anything I can do on the Azure side for that?