Add token source and device flow audience variables (#780)

Supporting new dashboard option to configure a source token. Adding configuration support for setting a different audience for device authorization flow. fix custom id claim variable
2024-11-21 23:53:14 +01:00 · 2023-04-04 15:56:02 +02:00 · 2023-04-04 15:56:02 +02:00 · f14f34cf2b
commit f14f34cf2b
parent 109481e26d
6 changed files with 27 additions and 4 deletions
--- a/.github/workflows/test-docker-compose-linux.yml
+++ b/.github/workflows/test-docker-compose-linux.yml
@ -59,6 +59,10 @@ jobs:
          CI_NETBIRD_AUTH_TOKEN_ENDPOINT: https://example.eu.auth0.com/oauth/token
          CI_NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT: https://example.eu.auth0.com/oauth/device/code
          CI_NETBIRD_AUTH_REDIRECT_URI: "/peers"
+          CI_NETBIRD_TOKEN_SOURCE: "idToken"
+          CI_NETBIRD_AUTH_USER_ID_CLAIM: "email"
+          CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE: "super"
+
        run: |
          grep AUTH_CLIENT_ID docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_ID
          grep AUTH_AUTHORITY docker-compose.yml | grep $CI_NETBIRD_AUTH_AUTHORITY
@ -68,6 +72,10 @@ jobs:
          grep NETBIRD_MGMT_API_ENDPOINT docker-compose.yml | grep "$CI_NETBIRD_DOMAIN:33073"
          grep AUTH_REDIRECT_URI docker-compose.yml | grep $CI_NETBIRD_AUTH_REDIRECT_URI
          grep AUTH_SILENT_REDIRECT_URI docker-compose.yml | egrep 'AUTH_SILENT_REDIRECT_URI=$'
+          grep LETSENCRYPT_DOMAIN docker-compose.yml | egrep 'LETSENCRYPT_DOMAIN=$'
+          grep NETBIRD_TOKEN_SOURCE docker-compose.yml | grep $CI_NETBIRD_TOKEN_SOURCE
+          grep AuthUserIDClaim management.json | grep $CI_NETBIRD_AUTH_USER_ID_CLAIM
+          grep -A 1 ProviderConfig management.json | grep Audience | grep $CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE

      - name: run docker compose up
        working-directory: infrastructure_files
--- a/infrastructure_files/base.setup.env
+++ b/infrastructure_files/base.setup.env
@ -36,6 +36,8 @@ LETSENCRYPT_VOLUMESUFFIX="letsencrypt"
 NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"

 NETBIRD_DISABLE_ANONYMOUS_METRICS=${NETBIRD_DISABLE_ANONYMOUS_METRICS:-false}
+NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=${NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE:-$NETBIRD_AUTH_AUDIENCE}
+NETBIRD_TOKEN_SOURCE=${NETBIRD_TOKEN_SOURCE:-accessToken}

 # exports
 export NETBIRD_DOMAIN
@ -68,3 +70,6 @@ export NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN
 export NETBIRD_MGMT_DNS_DOMAIN
 export NETBIRD_SIGNAL_PROTOCOL
 export NETBIRD_SIGNAL_PORT
+export NETBIRD_AUTH_USER_ID_CLAIM
+export NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE
+export NETBIRD_TOKEN_SOURCE
--- a/infrastructure_files/docker-compose.yml.tmpl
+++ b/infrastructure_files/docker-compose.yml.tmpl
@ -19,6 +19,7 @@ services:
      - AUTH_SUPPORTED_SCOPES=$NETBIRD_AUTH_SUPPORTED_SCOPES
      - AUTH_REDIRECT_URI=$NETBIRD_AUTH_REDIRECT_URI
      - AUTH_SILENT_REDIRECT_URI=$NETBIRD_AUTH_SILENT_REDIRECT_URI
+      - NETBIRD_TOKEN_SOURCE=$NETBIRD_TOKEN_SOURCE
      # SSL
      - NGINX_SSL_PORT=443
      # Letsencrypt
@ -60,7 +61,7 @@ services:
      "--single-account-mode-domain=$NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN",
      "--dns-domain=$NETBIRD_MGMT_DNS_DOMAIN"
      ]
-  
+
  # Coturn
  coturn:
    image: coturn/coturn
--- a/infrastructure_files/management.json.tmpl
+++ b/infrastructure_files/management.json.tmpl
@ -43,7 +43,7 @@
    "DeviceAuthorizationFlow": {
        "Provider": "$NETBIRD_AUTH_DEVICE_AUTH_PROVIDER",
        "ProviderConfig": {
-          "Audience": "$NETBIRD_AUTH_AUDIENCE",
+          "Audience": "$NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE",
          "Domain": "$NETBIRD_AUTH0_DOMAIN",
          "ClientID": "$NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID",
          "TokenEndpoint": "$NETBIRD_AUTH_TOKEN_ENDPOINT",
--- a/infrastructure_files/setup.env.example
+++ b/infrastructure_files/setup.env.example
@ -17,11 +17,16 @@ NETBIRD_AUTH_CLIENT_ID=""
 NETBIRD_USE_AUTH0="false"
 NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
 NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""
+# Some IDPs requires different audience for device authorization flow, you can customize here
+NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE

 # if your IDP provider doesn't support fragmented URIs, configure custom
 # redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain.
 # NETBIRD_AUTH_REDIRECT_URI="/peers"
 # NETBIRD_AUTH_SILENT_REDIRECT_URI="/add-peers"
+# Updates the preference to use id tokens instead of access token on dashboard
+# Okta and Gitlab IDPs can benefit from this
+# NETBIRD_TOKEN_SOURCE="idToken"

 # -------------------------------------------
 # Letsencrypt
@ -35,4 +40,4 @@ NETBIRD_LETSENCRYPT_EMAIL=""
 # Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
 NETBIRD_DISABLE_ANONYMOUS_METRICS=false
 # DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
-NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted
+NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted
--- a/infrastructure_files/tests/setup.env
+++ b/infrastructure_files/tests/setup.env
@ -11,4 +11,8 @@ NETBIRD_USE_AUTH0=$CI_NETBIRD_USE_AUTH0
 NETBIRD_AUTH_AUDIENCE=$CI_NETBIRD_AUTH_AUDIENCE
 # e.g. hello@mydomain.com
 NETBIRD_LETSENCRYPT_EMAIL=""
-NETBIRD_AUTH_REDIRECT_URI="/peers"
+NETBIRD_AUTH_REDIRECT_URI="/peers"
+NETBIRD_DISABLE_LETSENCRYPT=true
+NETBIRD_TOKEN_SOURCE="idToken"
+NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="super"
+NETBIRD_AUTH_USER_ID_CLAIM="email"