netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License
10.75k stars 484 forks

Self-registered user in self-hosted environment (with Zitadel idP) not being properly identified #2620

Open mikee2 opened 1 week ago

mikee2 commented 1 week ago

When a user registers himself, the user entry in Netbird does not show his name but his Zitadel ID. This happens when you create a new organization in Zitadel, grant the Netbird project access to that organization, and then configure the Netbird request to use that organization instead of the main one.

I have added urn:zitadel:iam:org:id:{organization id} to the scope of the PKCEAuthorizationFlow key in management.json, and now connecting users need to belong to this organization. But new users that register themselves are created inside that organization in Netbird not with their names, but with their Zitadel IDs (and there is no Name field that you can edit). The user's name is correct in Zitadel, by the way.

No other changes have been made to any configuration file. All is as the install script configured from the first time.

How can I solve this?

Thanks in advance.

bcmmbaga commented 1 week ago

Hello @mikee2, to make sure user info appears correctly in Netbird, please follow the steps in the documentation: Netbird Self-Hosted Identity Providers - Zitadel.

This will guide you through properly configuring Netbird to pull the correct user attributes, like names and emails, from Zitadel.

mikee2 commented 1 week ago

Hi Bethuel. Thanks for your reply.

As I used the provided script to install the system, I assumed the integration was right and looked no further. After reviewing the document, the https://localhost:53000 redirect is missing in the dashboard app definition, but what is written in the text does not show in the screen capture just below, so I do not know whether it is necessary or not. My screen matches the manual's screenshot in this part. Grant type 'Device code' was also missing.

Anyway, if I remove the urn part and register a new user, then everything works fine. The user is shown in Netbird with his name, email, and all attributes as it should be. So it looks like the problem is not in the definition of the apps within the IdP but in the fact that the Netbird project is granted to this other organization. Perhaps granting needs something else that I have not done. I have only gone and granted the project to the org as it is written in the manuals.

Kind regards. Miguel.

mikee2 commented 5 days ago

Any other ideas?

bcmmbaga commented 5 days ago

Just to clarify, the https://localhost:53000 redirect is required and is used when adding a new peer.

Did you deploy using Quick selfhosting or with https://docs.netbird.io/selfhosted/identity-providers#zitadel ?

mikee2 commented 2 days ago

Thanks for the clarification. I have updated the config and added that redirect entry.

I made the deployment using the Quick selfhosting.
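For reference, here is what the organization-scoped PKCE flow discussed above (the urn scope in management.json, and the localhost:53000 redirect that bcmmbaga says is required when adding a peer) looks like as a management.json fragment. This is an added illustration, not configuration from the issue or from the NetBird repository: the Zitadel hostname, client ID and organization ID are placeholders, and the field names follow the PKCEAuthorizationFlow layout that the quick self-hosting script writes.

```json
{
  "PKCEAuthorizationFlow": {
    "ProviderConfig": {
      "Audience": "<netbird-client-id-placeholder>",
      "ClientID": "<netbird-client-id-placeholder>",
      "ClientSecret": "",
      "Domain": "",
      "AuthorizationEndpoint": "https://zitadel.example.com/oauth/v2/authorize",
      "TokenEndpoint": "https://zitadel.example.com/oauth/v2/token",
      "Scope": "openid profile email offline_access api urn:zitadel:iam:org:id:<organization-id-placeholder>",
      "RedirectURLs": ["http://localhost:53000/"],
      "UseIDToken": false
    }
  }
}
```

Two things worth checking against this fragment. First, the redirect URI registered on the Zitadel application must match an entry in RedirectURLs character for character (scheme, port and trailing slash included), or the PKCE login on the peer will be rejected at the callback. Second, the org urn only restricts which organization the token is issued for; the name and email claims come from the profile and email scopes, so keep those in the Scope string. If the DeviceAuthorizationFlow block is also enabled, give its Scope the same urn, since each flow sends its own scope string and a device-code login would otherwise not be restricted to the organization.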