Add scope and id token environment variables (#785)

2024-11-07 08:44:07 +01:00 · 2023-04-05 21:57:47 +02:00 · 2023-04-05 21:57:47 +02:00 · 1057cd211d
commit 1057cd211d
parent 32b345991a
5 changed files with 19 additions and 5 deletions
--- a/.github/workflows/test-docker-compose-linux.yml
+++ b/.github/workflows/test-docker-compose-linux.yml
@ -62,6 +62,7 @@ jobs:
          CI_NETBIRD_TOKEN_SOURCE: "idToken"
          CI_NETBIRD_AUTH_USER_ID_CLAIM: "email"
          CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE: "super"
+          CI_NETBIRD_AUTH_DEVICE_AUTH_SCOPE: "openid email"

        run: |
          grep AUTH_CLIENT_ID docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_ID
@ -76,6 +77,8 @@ jobs:
          grep NETBIRD_TOKEN_SOURCE docker-compose.yml | grep $CI_NETBIRD_TOKEN_SOURCE
          grep AuthUserIDClaim management.json | grep $CI_NETBIRD_AUTH_USER_ID_CLAIM
          grep -A 1 ProviderConfig management.json | grep Audience | grep $CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE
+          grep Scope management.json | grep "$CI_NETBIRD_AUTH_DEVICE_AUTH_SCOPE"
+          grep UseIDToken management.json | grep false

      - name: run docker compose up
        working-directory: infrastructure_files
--- a/infrastructure_files/base.setup.env
+++ b/infrastructure_files/base.setup.env
@ -34,9 +34,12 @@ SIGNAL_VOLUMESUFFIX="signal"
 LETSENCRYPT_VOLUMESUFFIX="letsencrypt"

 NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
+NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=${NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE:-$NETBIRD_AUTH_AUDIENCE}
+NETBIRD_AUTH_DEVICE_AUTH_SCOPE=${NETBIRD_AUTH_DEVICE_AUTH_SCOPE:-openid}
+NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=${NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN:-false}
+

 NETBIRD_DISABLE_ANONYMOUS_METRICS=${NETBIRD_DISABLE_ANONYMOUS_METRICS:-false}
-NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=${NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE:-$NETBIRD_AUTH_AUDIENCE}
 NETBIRD_TOKEN_SOURCE=${NETBIRD_TOKEN_SOURCE:-accessToken}

 # exports
@ -72,4 +75,6 @@ export NETBIRD_SIGNAL_PROTOCOL
 export NETBIRD_SIGNAL_PORT
 export NETBIRD_AUTH_USER_ID_CLAIM
 export NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE
-export NETBIRD_TOKEN_SOURCE
+export NETBIRD_TOKEN_SOURCE
+export NETBIRD_AUTH_DEVICE_AUTH_SCOPE
+export NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN
--- a/infrastructure_files/management.json.tmpl
+++ b/infrastructure_files/management.json.tmpl
@ -47,7 +47,9 @@
          "Domain": "$NETBIRD_AUTH0_DOMAIN",
          "ClientID": "$NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID",
          "TokenEndpoint": "$NETBIRD_AUTH_TOKEN_ENDPOINT",
-          "DeviceAuthEndpoint": "$NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT"
+          "DeviceAuthEndpoint": "$NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT",
+          "Scope": "$NETBIRD_AUTH_DEVICE_AUTH_SCOPE",
+          "UseIDToken": $NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN
         }
    }
 }
--- a/infrastructure_files/setup.env.example
+++ b/infrastructure_files/setup.env.example
@ -17,8 +17,11 @@ NETBIRD_AUTH_CLIENT_ID=""
 NETBIRD_USE_AUTH0="false"
 NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
 NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""
-# Some IDPs requires different audience for device authorization flow, you can customize here
+# Some IDPs requires different audience, scopes and to use id token for device authorization flow
+# you can customize here:
 NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
+NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
+NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false

 # if your IDP provider doesn't support fragmented URIs, configure custom
 # redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain.
--- a/infrastructure_files/tests/setup.env
+++ b/infrastructure_files/tests/setup.env
@ -15,4 +15,5 @@ NETBIRD_AUTH_REDIRECT_URI="/peers"
 NETBIRD_DISABLE_LETSENCRYPT=true
 NETBIRD_TOKEN_SOURCE="idToken"
 NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="super"
-NETBIRD_AUTH_USER_ID_CLAIM="email"
+NETBIRD_AUTH_USER_ID_CLAIM="email"
+NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid email"