netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

OIDC: wrong host for .well-known/openid-configuration #2442

Open Cheezzhead opened 3 months ago

Cheezzhead commented 3 months ago

Describe the problem

I get an Error: Unauthenticated message upon opening the dashboard homepage. Checking the browser's development console, it is attempting to fetch the OIDC configuration from http://localhost/.well-known/openid-configuration which is obviously wrong. I can't find the (environment?) variable to change this.

Additionally (not sure if related), but the setup script generates an openid-configuration.json file which is never used in the generated compose file. Is this intentional?

To Reproduce

Relevant part from docker-compose.yml:

services:
  dashboard:
    image: netbirdio/dashboard:latest
    # ...
    environment:
      # ...
      # OIDC
      - AUTH_AUDIENCE=netbird
      - AUTH_CLIENT_ID=clientId
      - AUTH_CLIENT_SECRET=clientSecret
      - AUTH_AUTHORITY=https://auth.domain.tld
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api groups
      - NETBIRD_TOKEN_SOURCE=accessToken
      # ...

  management:
    image: netbirdio/management:latest
    # ...
    ports:
      - 33073:443
    command: [
      "--port", "443",
      "--log-file", "console",
      "--log-level", "info",
      "--disable-anonymous-metrics=false",
      "--single-account-mode-domain=net.doman.tld",
      "--dns-domain=netbird.selfhosted",
      # Only if dashboard doesn't exist/enable letsencrypt
      "--letsencrypt-domain", "net.domain.tld", 
    ]
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - letsencrypt:/etc/letsencrypt:ro
      - ./management.json:/etc/netbird/management.json

management.json:

{
    "Stuns": [
      {
        "Proto": "udp",
        "URI": "stun:net.domain.tld:3478",
        "Username": "",
        "Password": null
      }
    ],
    "TURNConfig": {
      "Turns": [
        {
          "Proto": "udp",
          "URI": "turn:net.domain.tld:3478",
          "Username": "self",
          "Password": "ZTgDOSevQghQDn6ZMgVYKld4vB0hXQ5dZ23cYM5pG0M"
        }
      ],
      "CredentialsTTL": "12h",
      "Secret": "secret",
      "TimeBasedCredentials": false
    },
    "Signal": {
      "Proto": "https",
      "URI": "net.domain.tld:10000",
      "Username": "",
      "Password": null
    },
    "ReverseProxy": {
      "TrustedHTTPProxies": [],
      "TrustedHTTPProxiesCount": 0,
      "TrustedPeers": [
        "0.0.0.0/0"
      ]
    },
    "Datadir": "",
    "DataStoreEncryptionKey": "",
    "StoreConfig": {
      "Engine": "sqlite"
    },
    "HttpConfig": {
      "Address": "0.0.0.0:33073",
      "AuthIssuer": "https://auth.domain.tld",
      "AuthAudience": "netbird",
      "AuthKeysLocation": "https://auth.domain.tld/jwks.json",
      "AuthUserIDClaim": "preferred_username",
      "CertFile": "",
      "CertKey": "",
      "IdpSignKeyRefreshEnabled": false,
      "OIDCConfigEndpoint": "https://auth.domain.tld/.well-known/openid-configuration"
    },
    "IdpManagerConfig": {
      "ManagerType": "",
      "ClientConfig": {
        "Issuer": "https://auth.domain.tld",
        "TokenEndpoint": "https://auth.domain.tld/api/oidc/token",
        "ClientID": "",
        "ClientSecret": "",
        "GrantType": "client_credentials"
      },
      "ExtraConfig": {},
      "Auth0ClientCredentials": null,
      "AzureClientCredentials": null,
      "KeycloakClientCredentials": null,
      "ZitadelClientCredentials": null
    },
    "DeviceAuthorizationFlow": {
      "Provider": "none",
      "ProviderConfig": {
        "Audience": "netbird",
        "AuthorizationEndpoint": "",
        "Domain": "",
        "ClientID": "",
        "ClientSecret": "",
        "TokenEndpoint": "https://auth.domain.tld/api/oidc/token",
        "DeviceAuthEndpoint": "null",
        "Scope": "openid",
        "UseIDToken": false,
        "RedirectURLs": null
      }
    },
    "PKCEAuthorizationFlow": {
      "ProviderConfig": {
        "Audience": "netbird",
        "ClientID": "mMZH_ychgEKCMF73v0gFvy1~aSL7uCzS6oBJu8qVJrik4Kr.g_zQtonWEioCXRl746yFO.eC",
        "ClientSecret": "G1wY.vEQTCrMaHuPhnhCzR~Vc~LONL_Y.3UNBRRR5sy-vpgd36xSjRPetNrApOEe3i~p5bNg",
        "Domain": "",
        "AuthorizationEndpoint": "https://auth.domain.tld/api/oidc/authorization",
        "TokenEndpoint": "https://auth.domain.tld/api/oidc/token",
        "Scope": "openid profile email offline_access api groups",
        "RedirectURLs": [
          "http://localhost:53000"
        ],
        "UseIDToken": false
      }
    }
  }

Expected behavior

The configuration should be retrieved from https://auth.domain.tld/.well-known/openid-configuration.

Are you using NetBird Cloud?

Self-hosted

NetBird version

0.28.7
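
A consistency check for the configuration above, added here as an example; it is not part of the original report or of the NetBird project. It cross-checks the OIDC URLs in management.json and the dashboard's AUTH_* variables against the IdP's discovery document and flags any loopback URL outside PKCEAuthorizationFlow.ProviderConfig.RedirectURLs, the one place a localhost address belongs. The management.json excerpt, the dashboard environment and the discovery document are constructed inline from the placeholder values in the issue so the script runs offline; that the dashboard derives its discovery URL from AUTH_AUTHORITY is standard OIDC client behaviour and is assumed here rather than taken from the page.

```python
"""Cross-check NetBird management.json OIDC URLs and the dashboard AUTH_*
environment against the IdP's discovery document.

Added example, not NetBird project code.  All inputs are constructed inline
(placeholder hosts from the issue) so this runs offline.  For a real check,
fetch <issuer>/.well-known/openid-configuration from the host that runs the
management container, because that is the host that must be able to reach it.
"""
import copy
import json
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed: the OIDC-relevant parts of the management.json from the issue.
MANAGEMENT = json.loads(r"""{
  "HttpConfig": {
    "Address": "0.0.0.0:33073",
    "AuthIssuer": "https://auth.domain.tld",
    "AuthAudience": "netbird",
    "AuthKeysLocation": "https://auth.domain.tld/jwks.json",
    "OIDCConfigEndpoint": "https://auth.domain.tld/.well-known/openid-configuration"
  },
  "PKCEAuthorizationFlow": {
    "ProviderConfig": {
      "Audience": "netbird",
      "AuthorizationEndpoint": "https://auth.domain.tld/api/oidc/authorization",
      "TokenEndpoint": "https://auth.domain.tld/api/oidc/token",
      "RedirectURLs": ["http://localhost:53000"]
    }
  }
}""")

# Constructed: what a discovery document for that issuer would contain.
DISCOVERY = {
    "issuer": "https://auth.domain.tld",
    "authorization_endpoint": "https://auth.domain.tld/api/oidc/authorization",
    "token_endpoint": "https://auth.domain.tld/api/oidc/token",
    "jwks_uri": "https://auth.domain.tld/jwks.json",
}

# Constructed: the dashboard environment from the issue's compose file.
DASHBOARD_ENV = {"AUTH_AUTHORITY": "https://auth.domain.tld", "AUTH_AUDIENCE": "netbird"}


def _walk_urls(node, path=""):
    """Yield (json_path, value) for every string that looks like an http(s) URL."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk_urls(v, f"{path}.{k}" if path else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk_urls(v, f"{path}[{i}]")
    elif isinstance(node, str) and node.startswith(("http://", "https://")):
        yield path, node


def _is_loopback(url):
    return (urlparse(url).hostname or "") in ("localhost", "127.0.0.1", "::1")


def check_oidc_config(mgmt, discovery, dashboard_env):
    """Return a list of findings; an empty list means the three sources agree."""
    findings = []
    http = mgmt["HttpConfig"]
    pkce = mgmt["PKCEAuthorizationFlow"]["ProviderConfig"]
    issuer = discovery["issuer"].rstrip("/")

    expected = {
        "HttpConfig.AuthIssuer": (http["AuthIssuer"].rstrip("/"), issuer),
        "HttpConfig.OIDCConfigEndpoint": (http["OIDCConfigEndpoint"], issuer + WELL_KNOWN),
        "HttpConfig.AuthKeysLocation": (http["AuthKeysLocation"], discovery["jwks_uri"]),
        "PKCE AuthorizationEndpoint": (pkce["AuthorizationEndpoint"], discovery["authorization_endpoint"]),
        "PKCE TokenEndpoint": (pkce["TokenEndpoint"], discovery["token_endpoint"]),
        # Assumption: the dashboard's OIDC client builds <AUTH_AUTHORITY>/.well-known/... itself.
        "dashboard AUTH_AUTHORITY": (dashboard_env.get("AUTH_AUTHORITY", "").rstrip("/"), issuer),
        "dashboard AUTH_AUDIENCE": (dashboard_env.get("AUTH_AUDIENCE"), http["AuthAudience"]),
    }
    for name, (actual, want) in expected.items():
        if actual != want:
            findings.append(f"{name} is {actual!r}, expected {want!r}")

    # RedirectURLs are the only legitimate loopback URLs: the CLI listens there
    # for the browser redirect.  Anywhere else, localhost means the IdP host
    # never made it into the config.
    for path, url in _walk_urls(mgmt):
        if _is_loopback(url) and not path.startswith("PKCEAuthorizationFlow.ProviderConfig.RedirectURLs"):
            findings.append(f"{path} points at loopback: {url!r}")
    return findings


def misconfigured_variant():
    """Constructed counterexample: discovery URL left at localhost and the
    dashboard started without AUTH_AUTHORITY, the symptom described in the issue."""
    bad = copy.deepcopy(MANAGEMENT)
    bad["HttpConfig"]["OIDCConfigEndpoint"] = "http://localhost" + WELL_KNOWN
    return check_oidc_config(bad, DISCOVERY, {"AUTH_AUDIENCE": "netbird"})


if __name__ == "__main__":
    for line in check_oidc_config(MANAGEMENT, DISCOVERY, DASHBOARD_ENV) or ["OK: consistent"]:
        print(line)
    print("--- misconfigured variant ---")
    for line in misconfigured_variant():
        print(line)
```

The values posted in the issue come out consistent, so the checker alone does not explain the localhost fetch; it does tell you quickly whether the file the management container actually loaded is the one you edited, which is worth confirming with a fresh fetch of the discovery document from the management host rather than from a workstation.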

collse commented 3 months ago

It should be in your management.json: https:///application/o/netbird/.well-known/openid-configuration

The management.json itself is mounted as a volume in the docker-compose.yml in the management service.

manju-rn commented 3 months ago

Actually I have a similar issue. I am using Zitadel. I was wondering what the use is of the below, which is set up in the management.json. I am using Zitadel and I am not using this redirect URL. Even if I set this up, where would this point to, since my Zitadel server is separate from, say, the NetBird server?

        "RedirectURLs": [
          "http://localhost:53000"

Cheezzhead commented 3 months ago

It should be in your management.json: https:///application/o/netbird/.well-known/openid-configuration

The management.json itself is mounted as a volume in the docker-compose.yml in the management service.

Yes, I modified my original post to include the NetBird management service config. The management.json is indeed mounted as a volume, but I'm still getting the wrong localhost redirect.

The only property in management.json that would seemingly be relevant to this is OIDCConfigEndpoint, which in my setup is definitely pointing towards the right domain, and changing that doesn't seem to do anything. I don't really see what else would/could be responsible for this, but maybe you can point me in the right direction.

@manju-rn I believe that destination is for the OIDC device authorization flow (specifically the PKCE flow), which I'm not well versed in, but it should be localhost in most cases. The port is specified in the setup.env script NetBird provides:

# -------------------------------------------
# OIDC PKCE Authorization Flow
# -------------------------------------------
# Comma separated port numbers. if already in use, PKCE flow will choose an available port from the list as an alternative
# eg. 53000,54000
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000"

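
The two mechanics behind the localhost RedirectURLs discussed above, as an added example that is not code from the original post or from NetBird: a client doing the PKCE flow opens a loopback listener and has the IdP redirect the browser back to it, so the redirect URL is localhost on every machine. The first function mirrors the setup.env comment by taking the first free port from a list such as NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS; the rest builds the RFC 7636 (S256) authorization request from the AuthorizationEndpoint, ClientID, Scope and Audience fields of the PKCEAuthorizationFlow block. The endpoint, client ID and scopes are the placeholders from the issue; passing the audience as an `audience` query parameter is an assumption about the IdP, not something the page states.

```python
"""Loopback redirect port selection and a PKCE authorization request.

Added example, not NetBird code.  Demonstrates why PKCEAuthorizationFlow's
RedirectURLs are http://localhost:<port>: the client listens there and the
IdP redirects the user's browser back to that listener.
"""
import base64
import hashlib
import secrets
import socket
from urllib.parse import urlencode


def choose_loopback_port(ports):
    """Return the first port in `ports` that can be bound on 127.0.0.1.

    Mirrors the setup.env comment: if a port is in use, fall back to the next
    one in the list.  The probe socket is closed again; the real flow would
    keep it and start an HTTP listener on it."""
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
            try:
                probe.bind(("127.0.0.1", port))
            except OSError:
                continue
            return port
    raise RuntimeError(f"no free loopback port among {list(ports)}")


def new_verifier():
    """code_verifier: 32 random bytes -> 43 URL-safe chars (RFC 7636 allows 43..128)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier):
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(auth_endpoint, client_id, scope, audience, port, verifier, state):
    """Authorization request the client opens in the browser.

    redirect_uri must match one of the RedirectURLs registered in
    management.json and at the IdP, otherwise the IdP rejects the request."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": f"http://localhost:{port}",
        "scope": scope,
        "audience": audience,  # assumption: IdP-specific parameter, not part of core OIDC
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def demo_port_fallback():
    """Occupy one loopback port, then show the chooser skipping to the next."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))
    busy = holder.getsockname()[1]
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.bind(("127.0.0.1", 0))
        free = probe.getsockname()[1]
    try:
        chosen = choose_loopback_port([busy, free])
    finally:
        holder.close()
    return busy, free, chosen


if __name__ == "__main__":
    busy, free, chosen = demo_port_fallback()
    print(f"port {busy} busy, chose {chosen} (expected {free})")
    verifier = new_verifier()
    # Placeholder values from the issue's management.json.
    url = build_authorization_url(
        "https://auth.domain.tld/api/oidc/authorization",
        "clientId",
        "openid profile email offline_access api groups",
        "netbird",
        choose_loopback_port([53000, 54000]),
        verifier,
        secrets.token_urlsafe(16),
    )
    print(url)
```

Because the listener lives on the machine where the login is started, the IdP never connects to it; the browser does, which is why a separate Zitadel host is not a problem for the redirect. The port list only needs to be allowed as a redirect URI at the IdP.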
sabya-oneassure commented 2 months ago

Facing the same issue

wiiun commented 1 month ago

Facing the same issue

ennbou commented 1 month ago

After finishing all the required setup and running docker compose logs management, I got:

ennbou commented 1 month ago

I tried using curl to get the JSON response directly from my local terminal, and it worked perfectly. However, on my VPS, it didn't work due to Cloudflare security. The HTTP request worked in the browser but not with curl. I fixed the issue by whitelisting my VPS's IPv4/IPv6 in Cloudflare's WAF.