netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

Auth0 Login / Admin Account #2420

Open Thermaltech opened 2 months ago

Thermaltech commented 2 months ago

I installed the NetBird self-hosted server (latest version from GitHub) onto both Debian 12 and Ubuntu 22.04 / 24.04 DigitalOcean droplets. Followed the advanced self-hosting documentation to the letter, and for the life of me, can't get authentication to work. When accessing NetBird from the public URL, I get redirected to Auth0 correctly, and if I create a user, the user gets authenticated, but I only have access to the /peers page. I get the following errors upon login:

I can logout without error.

I have a couple of questions: 1) What could be causing the above errors? 2) With Auth0, there is no "admin" user configured during the Netbird install / initialization / first run.

I am sure I am missing something with regard to #2, but the documentation has no information regarding adding an admin user or associating admin roles with any other user. I thought there might be a script to kick off an onboarding / admin configuration but, so far, I am stumped.

Any help would be appreciated. Happy to provide admin access to the server if needed. This is just a testbed for now.

Configuration files are below. This is currently running on a fresh Debian 12 install on DigitalOcean, 1 core, 2GB RAM.

Thanks in advance. Rob.

My Auth0 "setup.env" config is below:

# Dashboard domain. e.g. app.mydomain.com
NETBIRD_DOMAIN="vpn1.ttscontrols.com"

# -------------------------------------------
# OIDC
#  e.g., https://example.eu.auth0.com/.well-known/openid-configuration
# -------------------------------------------
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://ttscontrols.us.auth0.com/.well-known/openid-configuration"
# The default setting is to transmit the audience to the IDP during authorization. However,
NETBIRD_AUTH_AUDIENCE="https://netbird/api"
# e.g. netbird-client
NETBIRD_AUTH_CLIENT_ID="4QUNNXJFLPacuO5rDJfUBE5rXzmWST4k"
# indicates the scopes that will be requested to the IDP
NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api email_verified"
# indicates whether to use Auth0 or not: true or false
NETBIRD_USE_AUTH0="true"
# Updates the preference to use id tokens instead of access token on dashboard
# Okta and Gitlab IDPs can benefit from this
# NETBIRD_TOKEN_SOURCE="idToken"
# -------------------------------------------
# OIDC Device Authorization Flow
# -------------------------------------------
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="wFTz2jpgLZq37iNUHamA8YtSiAbJwaO2"
# Some IDPs requires different audience, scopes and to use id token for device authorization flow
# you can customize here:
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
# -------------------------------------------
# OIDC PKCE Authorization Flow
# -------------------------------------------
# Comma separated port numbers. if already in use, PKCE flow will choose an available port from the list as an alternative
# eg. 53000,54000
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000"
# -------------------------------------------
# IDP Management
# -------------------------------------------
# eg. zitadel, auth0, azure, keycloak
NETBIRD_MGMT_IDP="auth0"
# Some IDPs requires different client id and client secret for management api
NETBIRD_IDP_MGMT_CLIENT_ID="beAPMCneTjOGiQbEsKbFhTrlleL7ucIy"
NETBIRD_IDP_MGMT_CLIENT_SECRET="05Ckxm-1yHDgb9SA2lep6PbrNY7jsIQYKqLFHtK8Hrv1gxlgGpt5AWhEWHmwSrAZ"
NETBIRD_IDP_MGMT_EXTRA_AUDIENCE="https://ttscontrols.us.auth0.com/api/v2/"
# -------------------------------------------
# Letsencrypt
# -------------------------------------------
# Disable letsencrypt
#  if disabled, cannot use HTTPS anymore and requires setting up a reverse-proxy to do it instead
NETBIRD_DISABLE_LETSENCRYPT=false
# e.g. hello@mydomain.com
NETBIRD_LETSENCRYPT_EMAIL="webmaster@ttscontrols.com"
# -------------------------------------------
# Extra settings
# -------------------------------------------
# Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
NETBIRD_DISABLE_ANONYMOUS_METRICS=false
# DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
NETBIRD_MGMT_DNS_DOMAIN=iot.ttscontrols.com

docker-compose.yml:

version: "3"
services:
  #UI dashboard
  dashboard:
    image: netbirdio/dashboard:latest
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://vpn1.ttscontrols.com:33073
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://vpn1.ttscontrols.com:33073
      # OIDC
      - AUTH_AUDIENCE=https://netbird/api
      - AUTH_CLIENT_ID=4QUNNXJFLPacuO5rDJfUBE5rXzmWST4k
      - AUTH_CLIENT_SECRET=
      - AUTH_AUTHORITY=https://ttscontrols.us.auth0.com/
      - USE_AUTH0=true
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api email_verified
      - AUTH_REDIRECT_URI=
      - AUTH_SILENT_REDIRECT_URI=
      - NETBIRD_TOKEN_SOURCE=accessToken
      # SSL
      - NGINX_SSL_PORT=443
      # Letsencrypt
      - LETSENCRYPT_DOMAIN=vpn1.ttscontrols.com
      - LETSENCRYPT_EMAIL=webmaster@ttscontrols.com
    volumes:
      - netbird-letsencrypt:/etc/letsencrypt/
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    volumes:
      - netbird-signal:/var/lib/netbird
    ports:
      - 10000:80
  #      # port and command for Let's Encrypt validation
  #      - 443:443
  #    command: ["--letsencrypt-domain", "vpn1.ttscontrols.com", "--log-file", "console"]
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"

  # Management
  management:
    image: netbirdio/management:latest
    restart: unless-stopped
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - netbird-letsencrypt:/etc/letsencrypt:ro
      - ./management.json:/etc/netbird/management.json
    ports:
      - 33073:443 #API port
  #    # command for Let's Encrypt validation without dashboard container
  #    command: ["--letsencrypt-domain", "vpn1.ttscontrols.com", "--log-file", "console"]
    command: [
      "--port", "443",
      "--log-file", "console",
      "--log-level", "info",
      "--disable-anonymous-metrics=false",
      "--single-account-mode-domain=vpn1.ttscontrols.com",
      "--dns-domain=iot.ttscontrols.com"
      ]
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  # Coturn
  coturn:
    image: coturn/coturn:latest
    restart: unless-stopped
    #domainname: vpn1.ttscontrols.com # only needed when TLS is enabled
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
    #      - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
    #      - ./cert.pem:/etc/coturn/certs/cert.pem:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
volumes:
  netbird-mgmt:
  netbird-signal:
  netbird-letsencrypt:

management.json:

{
    "Stuns": [
        {
            "Proto": "udp",
            "URI": "stun:vpn1.ttscontrols.com:3478",
            "Username": "",
            "Password": ""
        }
    ],
    "TURNConfig": {
        "TimeBasedCredentials": false,
        "CredentialsTTL": "12h0m0s",
        "Secret": "secret",
        "Turns": [
            {
                "Proto": "udp",
                "URI": "turn:vpn1.ttscontrols.com:3478",
                "Username": "self",
                "Password": "Jx9WK9UT8YTwcBGZoIMj1IA6/5/yVlVyBXwcXjWzrWQ"
            }
        ]
    },
    "Signal": {
        "Proto": "http",
        "URI": "vpn1.ttscontrols.com:10000",
        "Username": "",
        "Password": ""
    },
    "Datadir": "/var/lib/netbird/",
    "DataStoreEncryptionKey": "ZA1b5EEbvnByq8hHYZkKtB54VJ9iNs652HGV1ny0W4k=",
    "HttpConfig": {
        "LetsEncryptDomain": "",
        "CertFile": "/etc/letsencrypt/live/vpn1.ttscontrols.com/fullchain.pem",
        "CertKey": "/etc/letsencrypt/live/vpn1.ttscontrols.com/privkey.pem",
        "AuthAudience": "https://netbird/api",
        "AuthIssuer": "https://ttscontrols.us.auth0.com/",
        "AuthUserIDClaim": "",
        "AuthKeysLocation": "https://ttscontrols.us.auth0.com/.well-known/jwks.json",
        "OIDCConfigEndpoint": "https://ttscontrols.us.auth0.com/.well-known/openid-configuration",
        "IdpSignKeyRefreshEnabled": false,
        "ExtraAuthAudience": ""
    },
    "IdpManagerConfig": {
        "ManagerType": "auth0",
        "ClientConfig": {
            "Issuer": "https://ttscontrols.us.auth0.com",
            "TokenEndpoint": "https://ttscontrols.us.auth0.com/oauth/token",
            "ClientID": "beAPMCneTjOGiQbEsKbFhTrlleL7ucIy",
            "ClientSecret": "05Ckxm-1yHDgb9SA2lep6PbrNY7jsIQYKqLFHtK8Hrv1gxlgGpt5AWhEWHmwSrAZ",
            "GrantType": "client_credentials"
        },
        "ExtraConfig": {
            "Audience": "https://ttscontrols.us.auth0.com/api/v2/"
        },
        "Auth0ClientCredentials": null,
        "AzureClientCredentials": null,
        "KeycloakClientCredentials": null,
        "ZitadelClientCredentials": null
    },
    "DeviceAuthorizationFlow": {
        "Provider": "hosted",
        "ProviderConfig": {
            "ClientID": "wFTz2jpgLZq37iNUHamA8YtSiAbJwaO2",
            "ClientSecret": "",
            "Domain": "ttscontrols.us.auth0.com",
            "Audience": "https://netbird/api",
            "TokenEndpoint": "https://ttscontrols.us.auth0.com/oauth/token",
            "DeviceAuthEndpoint": "https://ttscontrols.us.auth0.com/oauth/device/code",
            "AuthorizationEndpoint": "",
            "Scope": "openid",
            "UseIDToken": false,
            "RedirectURLs": null
        }
    },
    "PKCEAuthorizationFlow": {
        "ProviderConfig": {
            "ClientID": "4QUNNXJFLPacuO5rDJfUBE5rXzmWST4k",
            "ClientSecret": "",
            "Domain": "",
            "Audience": "https://netbird/api",
            "TokenEndpoint": "https://ttscontrols.us.auth0.com/oauth/token",
            "DeviceAuthEndpoint": "",
            "AuthorizationEndpoint": "https://ttscontrols.us.auth0.com/authorize",
            "Scope": "openid profile email offline_access api email_verified",
            "UseIDToken": false,
            "RedirectURLs": [
                "http://localhost:53000"
            ]
        }
    },
    "StoreConfig": {
        "Engine": "sqlite"
    },
    "ReverseProxy": {
        "TrustedHTTPProxies": [],
        "TrustedHTTPProxiesCount": 0,
        "TrustedPeers": [
            "0.0.0.0/0"
        ]
    }
}
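As an added cross-check, not code from the issue or from the NetBird project: the excerpts below are constructed from the setup.env and management.json posted above, and check_consistency reports every setting on which the two files disagree, which for the posted values is only the device-authorization provider ("none" in setup.env, "hosted" in management.json). The issuer comparison assumes the OIDC Discovery convention that the metadata URL is the issuer followed by /.well-known/openid-configuration.

```python
import json
import re

# Constructed excerpts mirroring the setup.env and management.json posted in the issue.
SETUP_ENV = """
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://ttscontrols.us.auth0.com/.well-known/openid-configuration"
NETBIRD_AUTH_AUDIENCE="https://netbird/api"
NETBIRD_AUTH_CLIENT_ID="4QUNNXJFLPacuO5rDJfUBE5rXzmWST4k"
NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api email_verified"
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="wFTz2jpgLZq37iNUHamA8YtSiAbJwaO2"
NETBIRD_MGMT_IDP="auth0"
"""
MANAGEMENT = json.loads("""{
  "HttpConfig": {"AuthAudience": "https://netbird/api", "AuthIssuer": "https://ttscontrols.us.auth0.com/",
                 "OIDCConfigEndpoint": "https://ttscontrols.us.auth0.com/.well-known/openid-configuration"},
  "IdpManagerConfig": {"ManagerType": "auth0"},
  "DeviceAuthorizationFlow": {"Provider": "hosted", "ProviderConfig": {"ClientID": "wFTz2jpgLZq37iNUHamA8YtSiAbJwaO2"}},
  "PKCEAuthorizationFlow": {"ProviderConfig": {"ClientID": "4QUNNXJFLPacuO5rDJfUBE5rXzmWST4k",
                            "Scope": "openid profile email offline_access api email_verified"}}
}""")

def parse_env(text):
    """Parse KEY=value / KEY="value" lines of a setup.env; comments and blank lines are skipped."""
    env = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z][A-Z0-9_]*)=(.*)$', line)
        if m:
            env[m.group(1)] = m.group(2).strip().strip('"')
    return env

def check_consistency(env, mgmt):
    """Return the settings on which setup.env and the generated management.json disagree."""
    http = mgmt["HttpConfig"]
    dev = mgmt["DeviceAuthorizationFlow"]
    pkce = mgmt["PKCEAuthorizationFlow"]["ProviderConfig"]
    # Assumption: OIDC Discovery publishes metadata at <issuer>/.well-known/openid-configuration.
    issuer_from_env = env["NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT"].split("/.well-known/")[0]
    pairs = [  # (setting, value from setup.env, value from management.json)
        ("API audience", env["NETBIRD_AUTH_AUDIENCE"], http["AuthAudience"]),
        ("OIDC discovery endpoint", env["NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT"], http["OIDCConfigEndpoint"]),
        ("token issuer", issuer_from_env, http["AuthIssuer"].rstrip("/")),
        ("dashboard/PKCE client id", env["NETBIRD_AUTH_CLIENT_ID"], pkce["ClientID"]),
        ("requested scopes", env["NETBIRD_AUTH_SUPPORTED_SCOPES"], pkce["Scope"]),
        ("device-auth client id", env["NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID"], dev["ProviderConfig"]["ClientID"]),
        ("device-auth provider", env["NETBIRD_AUTH_DEVICE_AUTH_PROVIDER"], dev["Provider"]),
        ("IdP manager type", env["NETBIRD_MGMT_IDP"], mgmt["IdpManagerConfig"]["ManagerType"]),
    ]
    return [f"{name}: setup.env={a!r} management.json={b!r}" for name, a, b in pairs if a != b]
```

Point parse_env at the real setup.env and json.load the real management.json to run the same comparison on a live deployment.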

Silex commented 2 months ago

I also suffer from this.