Support new properties for OIDC auth (#426)

This PR updates infrastructure_scripts to support
self-hosted setup with a generic OIDC provider.

.github/workflows/test-docker-compose-linux.yml

@@ -28,20 +28,28 @@ jobs:
         working-directory: infrastructure_files
         run: bash -x configure.sh
         env:
-          CI_NETBIRD_AUTH0_DOMAIN: ${{ secrets.CI_NETBIRD_AUTH0_DOMAIN }}
-          CI_NETBIRD_AUTH0_CLIENT_ID: ${{ secrets.CI_NETBIRD_AUTH0_CLIENT_ID }}
-          CI_NETBIRD_AUTH0_AUDIENCE: testing.ci
+          CI_NETBIRD_AUTH_AUTHORITY: ${{ secrets.CI_NETBIRD_AUTH_AUTHORITY }}
+          CI_NETBIRD_AUTH_CLIENT_ID: ${{ secrets.CI_NETBIRD_AUTH_CLIENT_ID }}
+          CI_NETBIRD_AUTH_AUDIENCE: testing.ci
+          CI_NETBIRD_AUTH_JWT_CERTS:  ${{ secrets.CI_NETBIRD_AUTH_AUTHORITY }}.well-known/jwks.json
+          CI_NETBIRD_AUTH_SUPPORTED_SCOPES: openid
+          CI_NETBIRD_USE_AUTH0: true
 
       - name: check values
         working-directory: infrastructure_files
         env:
-          CI_NETBIRD_AUTH0_DOMAIN: ${{ secrets.CI_NETBIRD_AUTH0_DOMAIN }}
-          CI_NETBIRD_AUTH0_CLIENT_ID: ${{ secrets.CI_NETBIRD_AUTH0_CLIENT_ID }}
-          CI_NETBIRD_AUTH0_AUDIENCE: testing.ci
+          CI_NETBIRD_AUTH_AUTHORITY: ${{ secrets.CI_NETBIRD_AUTH_AUTHORITY }}
+          CI_NETBIRD_AUTH_CLIENT_ID: ${{ secrets.CI_NETBIRD_AUTH_CLIENT_ID }}
+          CI_NETBIRD_AUTH_AUDIENCE: testing.ci
+          CI_NETBIRD_AUTH_JWT_CERTS:  ${{ secrets.CI_NETBIRD_AUTH_AUTHORITY }}.well-known/jwks.json
+          CI_NETBIRD_AUTH_SUPPORTED_SCOPES: openid
+          CI_NETBIRD_USE_AUTH0: true
         run: |
-          grep AUTH0_DOMAIN docker-compose.yml | grep $CI_NETBIRD_AUTH0_DOMAIN
-          grep AUTH0_CLIENT_ID docker-compose.yml | grep $CI_NETBIRD_AUTH0_CLIENT_ID
-          grep AUTH0_AUDIENCE docker-compose.yml | grep $CI_NETBIRD_AUTH0_AUDIENCE
+          grep AUTH_CLIENT_ID docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_ID
+          grep AUTH_AUTHORITY docker-compose.yml | grep $CI_NETBIRD_AUTH_AUTHORITY
+          grep AUTH_AUDIENCE docker-compose.yml | grep $CI_NETBIRD_AUTH_AUDIENCE
+          grep AUTH_SUPPORTED_SCOPES docker-compose.yml | grep $CI_NETBIRD_AUTH_SUPPORTED_SCOPES
+          grep USE_AUTH0 docker-compose.yml | grep $CI_NETBIRD_USE_AUTH0
           grep NETBIRD_MGMT_API_ENDPOINT docker-compose.yml | grep "http://localhost:33073"  
           
       - name: run docker compose up

infrastructure_files/base.setup.env

@@ -29,9 +29,12 @@ LETSENCRYPT_VOLUMESUFFIX="letsencrypt"
 
 # exports
 export NETBIRD_DOMAIN
-export NETBIRD_AUTH0_DOMAIN
-export NETBIRD_AUTH0_CLIENT_ID
-export NETBIRD_AUTH0_AUDIENCE
+export NETBIRD_AUTH_CLIENT_ID
+export NETBIRD_AUTH_AUDIENCE
+export NETBIRD_AUTH_AUTHORITY
+export NETBIRD_USE_AUTH0
+export NETBIRD_AUTH_SUPPORTED_SCOPES
+export NETBIRD_AUTH_JWT_CERTS
 export NETBIRD_LETSENCRYPT_EMAIL
 export NETBIRD_MGMT_API_PORT
 export NETBIRD_MGMT_API_ENDPOINT

infrastructure_files/configure.sh

@@ -63,6 +63,21 @@ export MGMT_VOLUMENAME
 export SIGNAL_VOLUMENAME
 export LETSENCRYPT_VOLUMENAME
 
+#backwards compatibility after migrating to generic OIDC
+if [[ -z "${NETBIRD_AUTH_AUTHORITY}" ]]; then
+    echo "It seems like you provided an old setup.env file."
+    echo "Since the release of v0.8.8, we introduced a new set of properties."
+    echo "The script is backward compatible and will continue automatically."
+    echo "In the future versions it will be deprecated. Please refer to the documentation to learn about the changes http://netbird.io/docs/getting-started/self-hosting"
+
+    export NETBIRD_AUTH_AUTHORITY="https://${NETBIRD_AUTH0_DOMAIN}/"
+    export NETBIRD_AUTH_CLIENT_ID=${NETBIRD_AUTH0_CLIENT_ID}
+    export NETBIRD_USE_AUTH0="true"
+    export NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email api offline_access email_verified"
+    export NETBIRD_AUTH_AUDIENCE=${NETBIRD_AUTH0_AUDIENCE}
+    export NETBIRD_AUTH_JWT_CERTS="https://${NETBIRD_AUTH0_DOMAIN}/.well-known/jwks.json"
+fi
+
 envsubst < docker-compose.yml.tmpl > docker-compose.yml
 envsubst < management.json.tmpl > management.json
 envsubst < turnserver.conf.tmpl > turnserver.conf

infrastructure_files/docker-compose.yml.tmpl

@@ -8,9 +8,11 @@ services:
       - 80:80
       - 443:443
     environment:
-      - AUTH0_DOMAIN=$NETBIRD_AUTH0_DOMAIN
-      - AUTH0_CLIENT_ID=$NETBIRD_AUTH0_CLIENT_ID
-      - AUTH0_AUDIENCE=$NETBIRD_AUTH0_AUDIENCE
+      - AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
+      - AUTH_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
+      - AUTH_AUTHORITY=$NETBIRD_AUTH_AUTHORITY
+      - USE_AUTH0=$NETBIRD_USE_AUTH0
+      - AUTH_SUPPORTED_SCOPES=$NETBIRD_AUTH_SUPPORTED_SCOPES
       - NETBIRD_MGMT_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
       - NETBIRD_MGMT_GRPC_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
       - NGINX_SSL_PORT=443

infrastructure_files/management.json.tmpl

@@ -29,9 +29,9 @@
     "Datadir": "",
     "HttpConfig": {
         "Address": "0.0.0.0:$NETBIRD_MGMT_API_PORT",
-        "AuthIssuer": "https://$NETBIRD_AUTH0_DOMAIN/",
-        "AuthAudience": "$NETBIRD_AUTH0_AUDIENCE",
-        "AuthKeysLocation": "https://$NETBIRD_AUTH0_DOMAIN/.well-known/jwks.json",
+        "AuthIssuer": "$NETBIRD_AUTH_AUTHORITY",
+        "AuthAudience": "$NETBIRD_AUTH_AUDIENCE",
+        "AuthKeysLocation": "$NETBIRD_AUTH_JWT_CERTS",
         "CertFile":"$NETBIRD_MGMT_API_CERT_FILE",
         "CertKey":"$NETBIRD_MGMT_API_CERT_KEY_FILE"
     },

infrastructure_files/setup.env.example

@@ -1,16 +1,17 @@
 ## example file, you can copy this file to setup.env and update its values
 ##
-# Dashboard domain and auth0 configuration
-
 # Dashboard domain. e.g. app.mydomain.com
 NETBIRD_DOMAIN=""
-# e.g. dev-24vkclam.us.auth0.com
-NETBIRD_AUTH0_DOMAIN=""
-# e.g. 61u3JMXRO0oOevc7gCkZLCwePQvT4lL0
-NETBIRD_AUTH0_CLIENT_ID=""
-# e.g. https://app.mydomain.com/ or https://app.mydomain.com,
-# Make sure you used the exact same value for Identifier
-# you used when creating your Auth0 API
-NETBIRD_AUTH0_AUDIENCE=""
+# e.g. https://dev-24vkclam.us.auth0.com/ or https://YOUR-KEYCLOAK-HOST:8080/realms/netbird
+NETBIRD_AUTH_AUTHORITY=""
+# e.g. netbird-client
+NETBIRD_AUTH_CLIENT_ID=""
+# indicates whether to use Auth0 or not: true or false
+NETBIRD_USE_AUTH0="false"
+# a list of scopes supported e.g. `openid profile email offline_access api` for keycloak or `openid profile email offline_access api email_verified` for Auth0
+NETBIRD_AUTH_SUPPORTED_SCOPES=""
+NETBIRD_AUTH_AUDIENCE=""
+# URL of the JWT certificates e.g. https://dev-24vkclam.us.auth0.com/.well-known/jwks.json
+NETBIRD_AUTH_JWT_CERTS=""
 # e.g. hello@mydomain.com
 NETBIRD_LETSENCRYPT_EMAIL=""

infrastructure_files/tests/setup.env

@@ -1,16 +1,17 @@
 ## example file, you can copy this file to setup.env and update its values
 ##
-# Dashboard domain and auth0 configuration
-
 # Dashboard domain. e.g. app.mydomain.com
 NETBIRD_DOMAIN="localhost"
-# e.g. dev-24vkclam.us.auth0.com
-NETBIRD_AUTH0_DOMAIN=$CI_NETBIRD_AUTH0_DOMAIN
-# e.g. 61u3JMXRO0oOevc7gCkZLCwePQvT4lL0
-NETBIRD_AUTH0_CLIENT_ID=$CI_NETBIRD_AUTH0_CLIENT_ID
-# e.g. https://app.mydomain.com/ or https://app.mydomain.com,
-# Make sure you used the exact same value for Identifier
-# you used when creating your Auth0 API
-NETBIRD_AUTH0_AUDIENCE=$CI_NETBIRD_AUTH0_AUDIENCE
+# e.g. https://dev-24vkclam.us.auth0.com/ or https://YOUR-KEYCLOAK-HOST:8080/realms/netbird
+NETBIRD_AUTH_AUTHORITY=$CI_NETBIRD_AUTH_AUTHORITY
+# e.g. netbird-client
+NETBIRD_AUTH_CLIENT_ID=$CI_NETBIRD_AUTH_CLIENT_ID
+# indicates whether to use Auth0 or not: true or false
+NETBIRD_USE_AUTH0=$CI_NETBIRD_USE_AUTH0
+# a list of scopes supported e.g. `openid profile email offline_access api` for keycloak or `openid profile email offline_access api email_verified` for Auth0
+NETBIRD_AUTH_SUPPORTED_SCOPES=$CI_NETBIRD_AUTH_SUPPORTED_SCOPES
+NETBIRD_AUTH_AUDIENCE=$CI_NETBIRD_AUTH_AUDIENCE
+# URL of the JWT certificates e.g. https://dev-24vkclam.us.auth0.com/.well-known/jwks.json
+NETBIRD_AUTH_JWT_CERTS=$CI_NETBIRD_AUTH_JWT_CERTS
 # e.g. hello@mydomain.com
 NETBIRD_LETSENCRYPT_EMAIL=""