netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

Google Workspace login not working on devices #2536

Open kinafu opened 3 weeks ago

kinafu commented 3 weeks ago

Describe the problem

browser login: ✅ I can login in the web browser using google OIDC.
windows netbird client login: ❌
I have a freshly installed windows netbird client with my self-hosted netbird url configured. I cannot login after clicking [Connect] for the first time: netbird windows client error

When playing around with the management.json file (I tried manually setting different urls etc.) I get different errors on the client and I can see nginx logging my requests. Hence I assume the connections etc. are working.

See nginx logs and another error while playing around

```
web-1 | 192.168.2.19 - - [04/Sep/2024:15:28:16 +0000] "POST /management.ManagementService/Login HTTP/1.1" 200 114 "-" "grpc-go/1.64.1" "88.79.157.71"
web-1 | 192.168.2.19 - - [04/Sep/2024:15:28:16 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 200 88 "-" "grpc-go/1.64.1" "88.79.157.71"
web-1 | 192.168.2.19 - - [04/Sep/2024:15:28:16 +0000] "POST /management.ManagementService/GetPKCEAuthorizationFlow HTTP/1.1" 200 404 "-" "grpc-go/1.64.1" "88.79.157.71"
web-1 | 192.168.2.19 - - [04/Sep/2024:15:28:16 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 200 88 "-" "grpc-go/1.64.1" "88.79.157.71"
web-1 | 192.168.2.19 - - [04/Sep/2024:15:28:16 +0000] "POST /management.ManagementService/GetDeviceAuthorizationFlow HTTP/1.1" 200 398 "-" "grpc-go/1.64.1" "88.79.157.71"
```

![different windows netbird error](https://github.com/user-attachments/assets/bc6747d0-2728-443c-97ef-9535866d031b)

To Reproduce

Steps to reproduce the behavior:

  1. Follow Self-Hosted advanced installation guide
  2. Follow Google Workspace IdP installation guide (https://docs.netbird.io/selfhosted/identity-providers#google-workspace)
  3. Follow instructions to set up a new windows peer (Install netbird client on windows, set custom management url)
  4. Netbird windows client tray icon right-click "connect"
  5. See error

Expected behavior

Google login screen opens up

Are you using NetBird Cloud?

self-hosted

NetBird version

0.28.9

View NetBird status -dA output

```txt
Daemon status: LoginFailed
Run UP command to log in with SSO (interactive login): netbird up
If you are running a self-hosted version and no SSO provider has been configured in your Management Server, you can use a setup-key: netbird up --management-url --setup-key
More info: https://docs.netbird.io/how-to/register-machines-using-setup-keys
```

Do you face any (non-mobile) client issues?

not tried

Screenshots

see collapsed sections in my description

Additional context

Anonymized management.json

```json
{
  "Stuns": [
    {
      "Proto": "udp",
      "URI": "stun:example.com:3478",
      "Username": "",
      "Password": ""
    }
  ],
  "TURNConfig": {
    "TimeBasedCredentials": false,
    "CredentialsTTL": "12h0m0s",
    "Secret": "secret",
    "Turns": [
      {
        "Proto": "udp",
        "URI": "turn:example.com:3478",
        "Username": "self",
        "Password": "myPassword"
      }
    ]
  },
  "Signal": {
    "Proto": "https",
    "URI": "example.com:443",
    "Username": "",
    "Password": ""
  },
  "Datadir": "/var/lib/netbird/",
  "DataStoreEncryptionKey": "randomKey",
  "HttpConfig": {
    "LetsEncryptDomain": "",
    "CertFile": "",
    "CertKey": "",
    "AuthAudience": "anAccount.apps.googleusercontent.com",
    "AuthIssuer": "https://accounts.google.com",
    "AuthUserIDClaim": "",
    "AuthKeysLocation": "https://www.googleapis.com/oauth2/v3/certs",
    "OIDCConfigEndpoint": "https://accounts.google.com/.well-known/openid-configuration",
    "IdpSignKeyRefreshEnabled": false,
    "ExtraAuthAudience": ""
  },
  "IdpManagerConfig": {
    "ManagerType": "google",
    "ClientConfig": {
      "Issuer": "https://accounts.google.com",
      "TokenEndpoint": "https://oauth2.googleapis.com/token",
      "ClientID": "anAccount.apps.googleusercontent.com",
      "ClientSecret": "theSecret",
      "GrantType": "client_credentials"
    },
    "ExtraConfig": {
      "CustomerId": "myCustomerId",
      "ServiceAccountKey": "someBase64="
    },
    "Auth0ClientCredentials": null,
    "AzureClientCredentials": null,
    "KeycloakClientCredentials": null,
    "ZitadelClientCredentials": null
  },
  "DeviceAuthorizationFlow": {
    "Provider": "none",
    "ProviderConfig": {
      "ClientID": "",
      "ClientSecret": "",
      "Domain": "",
      "Audience": "anAccount.apps.googleusercontent.com",
      "TokenEndpoint": "https://oauth2.googleapis.com/token",
      "DeviceAuthEndpoint": "https://oauth2.googleapis.com/device/code",
      "AuthorizationEndpoint": "",
      "Scope": "openid",
      "UseIDToken": false,
      "RedirectURLs": null
    }
  },
  "PKCEAuthorizationFlow": {
    "ProviderConfig": {
      "ClientID": "anAccount.apps.googleusercontent.com",
      "ClientSecret": "",
      "Domain": "",
      "Audience": "anAccount.apps.googleusercontent.com",
      "TokenEndpoint": "https://oauth2.googleapis.com/token",
      "DeviceAuthEndpoint": "",
      "AuthorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
      "Scope": "openid profile email",
      "UseIDToken": true,
      "RedirectURLs": [
        "http://localhost:53000"
      ]
    }
  },
  "StoreConfig": {
    "Engine": "sqlite"
  },
  "ReverseProxy": {
    "TrustedHTTPProxies": [],
    "TrustedHTTPProxiesCount": 0,
    "TrustedPeers": [
      "0.0.0.0/0"
    ]
  }
}
```
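The management.json above wires three things together that must agree for the desktop client's browser (PKCE) login to produce a token the management server will accept: the issuer and audience the server validates against (`HttpConfig`), the IdP manager's client settings (`IdpManagerConfig`), and the flow handed to the client (`PKCEAuthorizationFlow`). As an added example that is not part of this issue or of NetBird's own code, the Python below loads a constructed subset mirroring the poster's anonymized config and reports inconsistencies between those sections. The rule set (issuer must match, PKCE ClientID/Audience must equal `AuthAudience`, IdP endpoints must be https, redirect URLs must be loopback, scope must include `openid`) is this example's assumption about a sane setup, not validation taken from NetBird; the placeholder values are the poster's, not real identifiers.

```python
"""Consistency checks for the OIDC/PKCE part of a NetBird management.json.

Added example, not NetBird's own code or validation. The embedded config is a
constructed subset that mirrors the anonymized management.json from the issue.
The rules are this example's assumptions about what must line up for the
desktop client's PKCE login to work, not rules taken from NetBird's source.
"""
import copy
import json
from urllib.parse import urlparse

# Constructed sample: only the sections the checks look at.
CONSTRUCTED_CONFIG = r'''
{
  "HttpConfig": {
    "AuthAudience": "anAccount.apps.googleusercontent.com",
    "AuthIssuer": "https://accounts.google.com",
    "AuthKeysLocation": "https://www.googleapis.com/oauth2/v3/certs",
    "OIDCConfigEndpoint": "https://accounts.google.com/.well-known/openid-configuration"
  },
  "IdpManagerConfig": {
    "ManagerType": "google",
    "ClientConfig": {
      "Issuer": "https://accounts.google.com",
      "TokenEndpoint": "https://oauth2.googleapis.com/token",
      "ClientID": "anAccount.apps.googleusercontent.com"
    }
  },
  "PKCEAuthorizationFlow": {
    "ProviderConfig": {
      "ClientID": "anAccount.apps.googleusercontent.com",
      "Audience": "anAccount.apps.googleusercontent.com",
      "TokenEndpoint": "https://oauth2.googleapis.com/token",
      "AuthorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
      "Scope": "openid profile email",
      "UseIDToken": true,
      "RedirectURLs": ["http://localhost:53000"]
    }
  }
}
'''

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def load_config(text: str) -> dict:
    """Parse management.json text into a dict."""
    return json.loads(text)


def _is_https(url: str) -> bool:
    p = urlparse(url)
    return p.scheme == "https" and bool(p.netloc)


def _is_loopback(url: str) -> bool:
    # urlparse("http://[::1]:53000").hostname -> "::1", brackets stripped
    return urlparse(url).hostname in LOOPBACK_HOSTS


def check_pkce_config(cfg: dict) -> list:
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    http = cfg.get("HttpConfig", {})
    idp = cfg.get("IdpManagerConfig", {}).get("ClientConfig", {})
    pkce = cfg.get("PKCEAuthorizationFlow", {}).get("ProviderConfig", {})

    # 1. The token validator (HttpConfig) and the IdP manager must name the same issuer.
    if http.get("AuthIssuer") != idp.get("Issuer"):
        problems.append("issuer mismatch: HttpConfig.AuthIssuer != IdpManagerConfig.ClientConfig.Issuer")

    # 2. An OIDC ID token carries the requesting client ID as its audience, and
    #    (assumption) AuthAudience is the audience the management server accepts,
    #    so the PKCE ClientID and Audience must equal it.
    aud = http.get("AuthAudience")
    for field in ("ClientID", "Audience"):
        if pkce.get(field) != aud:
            problems.append(f"audience mismatch: PKCEAuthorizationFlow.{field} != HttpConfig.AuthAudience")

    # 3. Every IdP endpoint the server or client will contact must be https.
    for label, url in (
        ("HttpConfig.AuthKeysLocation", http.get("AuthKeysLocation")),
        ("HttpConfig.OIDCConfigEndpoint", http.get("OIDCConfigEndpoint")),
        ("PKCEAuthorizationFlow.AuthorizationEndpoint", pkce.get("AuthorizationEndpoint")),
        ("PKCEAuthorizationFlow.TokenEndpoint", pkce.get("TokenEndpoint")),
    ):
        if not url or not _is_https(url):
            problems.append(f"{label} is missing or not an https URL: {url!r}")

    # 4. The desktop client receives the authorization code on a local listener,
    #    so redirect URLs must point at a loopback host; anything else would hand
    #    the code to a third party.
    redirects = pkce.get("RedirectURLs") or []
    if not redirects:
        problems.append("PKCEAuthorizationFlow.RedirectURLs is empty")
    for url in redirects:
        if not _is_loopback(url):
            problems.append(f"non-loopback redirect URL: {url}")

    # 5. An OIDC login needs the openid scope to get an ID token at all.
    if "openid" not in (pkce.get("Scope") or "").split():
        problems.append("PKCEAuthorizationFlow.Scope does not include 'openid'")

    return problems


def with_redirects(cfg: dict, urls: list) -> dict:
    """Deep copy of cfg with the PKCE RedirectURLs replaced (for trying variants)."""
    out = copy.deepcopy(cfg)
    out["PKCEAuthorizationFlow"]["ProviderConfig"]["RedirectURLs"] = list(urls)
    return out


if __name__ == "__main__":
    cfg = load_config(CONSTRUCTED_CONFIG)
    for line in check_pkce_config(cfg) or ["no inconsistencies found"]:
        print(line)
```

Run against the poster's values the check finds nothing, which is consistent with the nginx log showing the client successfully fetching the PKCE flow; the value of a check like this is in catching the silent mismatches (a client ID edited in one section but not the other, a redirect URL pointing off-host) before they surface as an opaque "LoginFailed" on the client.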
kinafu commented 1 week ago

I finally circumvented the problem by hosting authentik and adding Google there as a source. Now NetBird connects to Authentik and not to Google directly.