Open Kipsz opened 1 month ago
I think on mine, I had to change my mgmt idp to "none"
No idea what's missing but here is my config to compare:
openid-configuration.json:
{"token_endpoint":"https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"https://login.microsoftonline.com/TENANT-ID/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code id_token","id_token token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"https://login.microsoftonline.com/TENANT-ID/v2.0","request_uri_parameter_supported":false,"userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo","authorization_endpoint":"https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/authorize","device_authorization_endpoint":"https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/devicecode","http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/logout","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"kerberos_endpoint":"https://login.microsoftonline.com/TENANT-ID/kerberos","tenant_region_scope":"EU","cloud_instance_name":"microsoftonline.com","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","rbac_url":"https://pas.windows.net"}
docker-compose.yml:
version: "3"
services:
  # UI dashboard
  dashboard:
    image: netbirdio/dashboard:latest
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://netbird.MY-DOMAIN.com:33073
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbird.MY-DOMAIN.com:33073
      # OIDC
      - AUTH_AUDIENCE=APPLICATION-ID
      - AUTH_CLIENT_ID=APPLICATION-ID
      - AUTH_CLIENT_SECRET= # NOT SURE WHY THIS IS EMPTY ON MINE > The secret is in management.json
      - AUTH_AUTHORITY=https://login.microsoftonline.com/TENANT-ID/v2.0
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access User.Read api://APPLICATION-ID/api
      - AUTH_REDIRECT_URI=/auth
      - AUTH_SILENT_REDIRECT_URI=/silent-auth
      - NETBIRD_TOKEN_SOURCE=idToken
      # SSL
      - NGINX_SSL_PORT=443
      # Letsencrypt
      - LETSENCRYPT_DOMAIN=netbird.MY-DOMAIN.com
      - LETSENCRYPT_EMAIL=me@MY-DOMAIN.com
management.json:
{
  "Stuns": [
    {
      "Proto": "udp",
      "URI": "stun:netbird.MYDOMAIN.com:3478",
      "Username": "",
      "Password": ""
    }
  ],
  "TURNConfig": {
    "TimeBasedCredentials": false,
    "CredentialsTTL": "12h0m0s",
    "Secret": "secret",
    "Turns": [
      {
        "Proto": "udp",
        "URI": "turn:netbird.MYDOMAIN.com:3478",
        "Username": "self",
        "Password": "PASSWORD"
      }
    ]
  },
  "Signal": {
    "Proto": "http",
    "URI": "netbird.MYDOMAIN.com:10000",
    "Username": "",
    "Password": ""
  },
  "Datadir": "/var/lib/netbird/",
  "DataStoreEncryptionKey": "Encryption-KEY",
  "HttpConfig": {
    "LetsEncryptDomain": "",
    "CertFile": "/etc/letsencrypt/live/netbird.MYDOMAIN.com/fullchain.pem",
    "CertKey": "/etc/letsencrypt/live/netbird.MYDOMAIN.com/privkey.pem",
    "AuthAudience": "APPLICATION-ID",
    "AuthIssuer": "https://login.microsoftonline.com/TENANT-ID/v2.0",
    "AuthUserIDClaim": "oid",
    "AuthKeysLocation": "https://login.microsoftonline.com/TENANT-ID/discovery/v2.0/keys",
    "OIDCConfigEndpoint": "https://login.microsoftonline.com/TENANT-ID/v2.0/.well-known/openid-configuration",
    "IdpSignKeyRefreshEnabled": false
  },
  "IdpManagerConfig": {
    "ManagerType": "azure",
    "ClientConfig": {
      "Issuer": "https://login.microsoftonline.com/TENANT-ID/v2.0",
      "TokenEndpoint": "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/token",
      "ClientID": "APPLICATION-ID",
      "ClientSecret": "MY-Entra-ID-SECRET",
      "GrantType": "client_credentials"
    },
    "ExtraConfig": {
      "GraphApiEndpoint": "https://graph.microsoft.com/v1.0",
      "ObjectId": "Object-ID-Of-Entra-ID-AppRegistration"
    },
    "Auth0ClientCredentials": null,
    "AzureClientCredentials": null,
    "KeycloakClientCredentials": null,
    "ZitadelClientCredentials": null
  },
  "DeviceAuthorizationFlow": {
    "Provider": "none",
    "ProviderConfig": {
      "ClientID": "",
      "ClientSecret": "",
      "Domain": "",
      "Audience": "APPLICATION-ID",
      "TokenEndpoint": "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/token",
      "DeviceAuthEndpoint": "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/devicecode",
      "AuthorizationEndpoint": "",
      "Scope": "openid",
      "UseIDToken": false,
      "RedirectURLs": null
    }
  },
  "PKCEAuthorizationFlow": {
    "ProviderConfig": {
      "ClientID": "APPLICATION-ID",
      "ClientSecret": "",
      "Domain": "",
      "Audience": "APPLICATION-ID",
      "TokenEndpoint": "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/token",
      "DeviceAuthEndpoint": "",
      "AuthorizationEndpoint": "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/authorize",
      "Scope": "openid profile email offline_access User.Read api://APPLICATION-ID/api",
      "UseIDToken": true,
      "RedirectURLs": [
        "http://localhost:53000"
      ]
    }
  },
  "StoreConfig": {
    "Engine": "sqlite"
  },
  "ReverseProxy": {
    "TrustedHTTPProxies": [],
    "TrustedHTTPProxiesCount": 0,
    "TrustedPeers": [
      "0.0.0.0/0"
    ]
  }
}
Thank you for sharing your conf @florian-obradovic
It works! The content of the Scope line was empty in the PKCEAuthorizationFlow block in the management.json file.
Netbird displays a UserID that is impossible to remember. How can I retrieve the first name, surname and email?
EDIT: Without any change on my part and from one second to the next, I can no longer access the interface with the following error:
I would suggest to follow the steps of https://docs.netbird.io/selfhosted/identity-providers#azure-ad-microsoft-entra-id Looks like you don't submit the names, etc but only the object id.
I found my problem, I was not redoing a ./configure.sh when I changed my setup.env. So now I access the netbird interface with NETBIRD_MGMT_IDP='none' in my setup.env (thank you @robdeweese).
However, I don't have admin rights to configure NetBird, is there anything I can do on the Azure side for that?
I set up the setup.env file as described in the documentation, but I get an error in the management container logs:
Error: failed retrieving a new idp manager with err: azure IdP configuration is incomplete, GraphAPIEndpoint is missing.
I've double-checked the doc and the problems reported here several times, but I can't seem to make any progress...
Here is my setup.env: