netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

OIDC: wrong host for .well-known/openid-configuration #2442

Open Cheezzhead opened 3 weeks ago

Cheezzhead commented 3 weeks ago

Describe the problem

I get an Error: Unauthenticated message upon opening the dashboard homepage. Checking the browser's development console, it is attempting to fetch the OIDC configuration from http://localhost/.well-known/openid-configuration which is obviously wrong. I can't find the (environment?) variable to change this.

Additionally (not sure if related), the setup script generates an openid-configuration.json file which is never used in the generated compose file. Is this intentional?

To Reproduce

Relevant part from docker-compose.yml:

services:
  dashboard:
    image: netbirdio/dashboard:latest
    # ...
    environment:
      # ...
      # OIDC
      - AUTH_AUDIENCE=netbird
      - AUTH_CLIENT_ID=clientId
      - AUTH_CLIENT_SECRET=clientSecret
      - AUTH_AUTHORITY=https://auth.domain.tld
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api groups
      - NETBIRD_TOKEN_SOURCE=accessToken
      # ...

  management:
    image: netbirdio/management:latest
    # ...
    ports:
      - 33073:443
    command: [
      "--port", "443",
      "--log-file", "console",
      "--log-level", "info",
      "--disable-anonymous-metrics=false",
      "--single-account-mode-domain=net.domain.tld",
      "--dns-domain=netbird.selfhosted",
      # Only if dashboard doesn't exist/enable letsencrypt
      "--letsencrypt-domain", "net.domain.tld",
    ]
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - letsencrypt:/etc/letsencrypt:ro
      - ./management.json:/etc/netbird/management.json

management.json:

{
    "Stuns": [
      {
        "Proto": "udp",
        "URI": "stun:net.domain.tld:3478",
        "Username": "",
        "Password": null
      }
    ],
    "TURNConfig": {
      "Turns": [
        {
          "Proto": "udp",
          "URI": "turn:net.domain.tld:3478",
          "Username": "self",
          "Password": "ZTgDOSevQghQDn6ZMgVYKld4vB0hXQ5dZ23cYM5pG0M"
        }
      ],
      "CredentialsTTL": "12h",
      "Secret": "secret",
      "TimeBasedCredentials": false
    },
    "Signal": {
      "Proto": "https",
      "URI": "net.domain.tld:10000",
      "Username": "",
      "Password": null
    },
    "ReverseProxy": {
      "TrustedHTTPProxies": [],
      "TrustedHTTPProxiesCount": 0,
      "TrustedPeers": [
        "0.0.0.0/0"
      ]
    },
    "Datadir": "",
    "DataStoreEncryptionKey": "",
    "StoreConfig": {
      "Engine": "sqlite"
    },
    "HttpConfig": {
      "Address": "0.0.0.0:33073",
      "AuthIssuer": "https://auth.domain.tld",
      "AuthAudience": "netbird",
      "AuthKeysLocation": "https://auth.domain.tld/jwks.json",
      "AuthUserIDClaim": "preferred_username",
      "CertFile": "",
      "CertKey": "",
      "IdpSignKeyRefreshEnabled": false,
      "OIDCConfigEndpoint": "https://auth.domain.tld/.well-known/openid-configuration"
    },
    "IdpManagerConfig": {
      "ManagerType": "",
      "ClientConfig": {
        "Issuer": "https://auth.domain.tld",
        "TokenEndpoint": "https://auth.domain.tld/api/oidc/token",
        "ClientID": "",
        "ClientSecret": "",
        "GrantType": "client_credentials"
      },
      "ExtraConfig": {},
      "Auth0ClientCredentials": null,
      "AzureClientCredentials": null,
      "KeycloakClientCredentials": null,
      "ZitadelClientCredentials": null
    },
    "DeviceAuthorizationFlow": {
      "Provider": "none",
      "ProviderConfig": {
        "Audience": "netbird",
        "AuthorizationEndpoint": "",
        "Domain": "",
        "ClientID": "",
        "ClientSecret": "",
        "TokenEndpoint": "https://auth.domain.tld/api/oidc/token",
        "DeviceAuthEndpoint": "null",
        "Scope": "openid",
        "UseIDToken": false,
        "RedirectURLs": null
      }
    },
    "PKCEAuthorizationFlow": {
      "ProviderConfig": {
        "Audience": "netbird",
        "ClientID": "mMZH_ychgEKCMF73v0gFvy1~aSL7uCzS6oBJu8qVJrik4Kr.g_zQtonWEioCXRl746yFO.eC",
        "ClientSecret": "G1wY.vEQTCrMaHuPhnhCzR~Vc~LONL_Y.3UNBRRR5sy-vpgd36xSjRPetNrApOEe3i~p5bNg",
        "Domain": "",
        "AuthorizationEndpoint": "https://auth.domain.tld/api/oidc/authorization",
        "TokenEndpoint": "https://auth.domain.tld/api/oidc/token",
        "Scope": "openid profile email offline_access api groups",
        "RedirectURLs": [
          "http://localhost:53000"
        ],
        "UseIDToken": false
      }
    }
  }

Expected behavior

The configuration should be retrieved from https://auth.domain.tld/.well-known/oidc-configuration.

Are you using NetBird Cloud?

Self-hosted

NetBird version

0.28.7
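
The dashboard builds its discovery URL from the issuer it is given, so a request to http://localhost/.well-known/openid-configuration means the issuer the dashboard ended up with is wrong, not the path. The check below is an added example, not NetBird's code: it derives the discovery URL from AUTH_AUTHORITY the way OpenID Connect Discovery 1.0 does (issuer plus /.well-known/openid-configuration), compares it with the OIDCConfigEndpoint, AuthIssuer, AuthKeysLocation and AuthAudience values in HttpConfig, and validates a constructed discovery document against the same issuer. That the dashboard derives discovery from AUTH_AUTHORITY and that management reads those HttpConfig keys are assumptions; the sample values are taken from this issue, with a constructed discovery document standing in for what auth.domain.tld would return.

```python
"""Consistency check for the dashboard's OIDC settings against management.json.

Added example, not NetBird's code. Assumes the discovery URL is the issuer
(AUTH_AUTHORITY) plus "/.well-known/openid-configuration", as OpenID Connect
Discovery 1.0 specifies, and that the management service reads
OIDCConfigEndpoint, AuthIssuer, AuthKeysLocation and AuthAudience from
HttpConfig. The discovery document is constructed for this example.
"""
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/openid-configuration"
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def discovery_url(authority: str) -> str:
    """Discovery 1.0 section 4.1: issuer + well-known path, without doubling
    the slash when the issuer is written with a trailing '/'."""
    p = urlsplit(authority)
    return urlunsplit((p.scheme, p.netloc, p.path.rstrip("/") + WELL_KNOWN, "", ""))


def check_oidc_config(dashboard_env: dict, management: dict, discovery_doc: dict) -> list:
    """Return a list of problems; an empty list means the three sources agree."""
    problems = []
    authority = dashboard_env.get("AUTH_AUTHORITY", "")
    http = management["HttpConfig"]
    p = urlsplit(authority)

    # 1. The authority itself: must be https and must not be a loopback host,
    #    which is what a dashboard fetching http://localhost/.well-known/... implies.
    if p.scheme != "https":
        problems.append(f"AUTH_AUTHORITY is not https: {authority!r}")
    if not p.hostname or p.hostname in LOOPBACK_HOSTS:
        problems.append(f"AUTH_AUTHORITY has a loopback or empty host: {authority!r}")

    # 2. management.json must be derived from the same issuer as the dashboard.
    expected = discovery_url(authority)
    if http["OIDCConfigEndpoint"] != expected:
        problems.append(f"OIDCConfigEndpoint {http['OIDCConfigEndpoint']!r} != {expected!r}")
    if http["AuthIssuer"].rstrip("/") != authority.rstrip("/"):
        problems.append(f"AuthIssuer {http['AuthIssuer']!r} != AUTH_AUTHORITY {authority!r}")
    if dashboard_env.get("AUTH_AUDIENCE") != http["AuthAudience"]:
        problems.append("AUTH_AUDIENCE and HttpConfig.AuthAudience differ")

    # 3. Discovery 1.0 section 4.3: the document's issuer MUST be identical to the
    #    issuer the URL was built from; otherwise the IdP is misconfigured (or not
    #    the one you think it is) and its tokens must not be trusted.
    if discovery_doc.get("issuer", "").rstrip("/") != authority.rstrip("/"):
        problems.append(f"discovery issuer {discovery_doc.get('issuer')!r} != {authority!r}")
    if discovery_doc.get("jwks_uri") != http["AuthKeysLocation"]:
        problems.append(f"jwks_uri {discovery_doc.get('jwks_uri')!r} != "
                        f"AuthKeysLocation {http['AuthKeysLocation']!r}")
    return problems


# Constructed inputs modelled on the values posted in this issue.
DASHBOARD_ENV = {"AUTH_AUTHORITY": "https://auth.domain.tld", "AUTH_AUDIENCE": "netbird"}
MANAGEMENT = {
    "HttpConfig": {
        "AuthIssuer": "https://auth.domain.tld",
        "AuthAudience": "netbird",
        "AuthKeysLocation": "https://auth.domain.tld/jwks.json",
        "OIDCConfigEndpoint": "https://auth.domain.tld/.well-known/openid-configuration",
    }
}
DISCOVERY_DOC = {  # constructed; a real IdP returns many more members
    "issuer": "https://auth.domain.tld",
    "authorization_endpoint": "https://auth.domain.tld/api/oidc/authorization",
    "token_endpoint": "https://auth.domain.tld/api/oidc/token",
    "jwks_uri": "https://auth.domain.tld/jwks.json",
}
# The failure mode from this issue: the dashboard resolving discovery on localhost.
BROKEN_ENV = {"AUTH_AUTHORITY": "http://localhost", "AUTH_AUDIENCE": "netbird"}

if __name__ == "__main__":
    for name, env in (("configured", DASHBOARD_ENV), ("broken", BROKEN_ENV)):
        found = check_oidc_config(env, MANAGEMENT, DISCOVERY_DOC)
        print(name, "->", "OK" if not found else "; ".join(found))
```

Run it with the values from your own compose file and management.json; the "broken" case reproduces the symptom in this report and shows that every OIDC setting downstream of the authority disagrees with it, which is why changing OIDCConfigEndpoint alone has no effect.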

collse commented 3 weeks ago

It should be in your management.json: https:///application/o/netbird/.well-known/openid-configuration

The management.json itself is mounted as a volume in the docker-compose.yml in the management service.

manju-rn commented 3 weeks ago

Actually I have a similar issue. I am using Zitadel. I was wondering what the use of the below is, which is set up in the management.json. I am using Zitadel and I am not using this redirect URL. Even if I set this up, where would this point to, since my Zitadel server is separate from, say, the NetBird server?

        "RedirectURLs": [
          "http://localhost:53000"
        ],

Cheezzhead commented 3 weeks ago

It should be in your management.json: https:///application/o/netbird/.well-known/openid-configuration

The management.json itself is mounted as a volume in the docker-compose.yml in the management service.

Yes, I modified my original post to include the NetBird management service config. The management.json is indeed mounted as a volume, but I'm still getting the wrong localhost redirect.

The only property in management.json that would seemingly be relevant to this is OIDCConfigEndpoint, which in my setup is definitely pointing towards the right domain, and changing that doesn't seem to do anything. I don't really see what else would/could be responsible for this, but maybe you can point me in the right direction.

@manju-rn I believe that destination is for the OIDC device authorization flow (specifically the PKCE flow), which I'm not well-versed in, but it should be localhost in most cases. The port is specified in NetBird's provided setup.env script:

# -------------------------------------------
# OIDC PKCE Authorization Flow
# -------------------------------------------
# Comma separated port numbers. if already in use, PKCE flow will choose an available port from the list as an alternative
# eg. 53000,54000
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000"
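
How the port list above turns into the http://localhost:53000 entry in RedirectURLs, as an added example that is not NetBird's code: the comma-separated value is parsed, the client binds the first free candidate port on the loopback interface and presents http://localhost:<port> as its redirect_uri, and each candidate has to appear verbatim in the redirect URLs registered for the client, because the IdP matches redirect URIs exactly. RFC 8252 section 7.3 is the reason a plain http loopback redirect is acceptable for a native client when it would not be for any other host. Function names are hypothetical; the port values come from this thread.

```python
"""Loopback redirect selection for the PKCE authorization flow.

Added example, not NetBird's code. It illustrates the behaviour the setup.env
comment describes: NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS lists candidate ports,
the client binds the first free one on 127.0.0.1 and uses http://localhost:<port>
as redirect_uri. The function names are hypothetical.
"""
import socket


def parse_ports(value: str) -> list:
    """Parse the comma-separated NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS value."""
    ports = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        port = int(item)
        if not 1 <= port <= 65535:
            raise ValueError(f"redirect port out of range: {port}")
        ports.append(port)
    if not ports:
        raise ValueError("NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS is empty")
    return ports


def redirect_urls(ports: list) -> list:
    """The redirect URIs that must be registered at the IdP for these ports."""
    return [f"http://localhost:{port}" for port in ports]


def unregistered(ports: list, registered: list) -> list:
    """Candidate redirect URIs the IdP would reject. Exact string comparison on
    purpose: matching by prefix or host alone would accept redirect targets the
    operator never registered."""
    return [url for url in redirect_urls(ports) if url not in registered]


def bind_first_free(ports: list):
    """Bind the first free candidate on 127.0.0.1 and return (socket, redirect_uri).
    RFC 8252 section 7.3: plain http is acceptable here because the callback
    never leaves the loopback interface."""
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            sock.bind(("127.0.0.1", port))
            sock.listen(1)
            return sock, f"http://localhost:{port}"
        except OSError:
            sock.close()  # in use; try the next candidate from the list
    raise RuntimeError(f"all candidate redirect ports are in use: {ports}")


def demo(env_value: str = "53000,54000") -> str:
    """Occupy the first candidate port, then show the flow falling back to the next."""
    ports = parse_ports(env_value)
    blocker = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        blocker.bind(("127.0.0.1", ports[0]))
        blocker.listen(1)
    except OSError:
        pass  # already taken by something else, which serves the demo equally well
    try:
        sock, url = bind_first_free(ports)
        sock.close()
        return url
    finally:
        blocker.close()


if __name__ == "__main__":
    configured = ["http://localhost:53000"]  # the RedirectURLs list from management.json
    print("would be rejected by the IdP:", unregistered(parse_ports("53000,54000"), configured))
    print("redirect_uri with 53000 busy:", demo("53000,54000"))
```

With only http://localhost:53000 registered, as in the management.json in this thread, a fallback to 54000 produces a redirect_uri the IdP has never seen and the login fails, so whatever ports go into NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS must all be registered at the IdP as well.
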

sabya-oneassure commented 2 days ago

Facing the same issue