Failed to log in after self-hosted NetBird is deployed with an IP address
Describe the problem
I deployed the latest self-hosted NetBird. We have a public IP address, but it is behind a firewall/NAT, so I am trying to install it with an internal IP address and port 80 instead of a domain name. I set NETBIRD_DOMAIN to 'use-ip' and the installation succeeded.
When I log in at the IP+port with the initial admin credentials, the page hangs for a few seconds and then returns the error 'Login Error: User state: Unauthenticated'.
Checking in the browser developer tools, I noticed that the POST request to 'http://addr/oauth/v2/token' returned HTTP 400 Bad Request (HTTP/1.1); the response body is:
{"error":"invalid_request","error_description":"code_challenge required"}
- Request payload
grant_type=authorization_code&client_id=239527187013767172%40netbird&redirect_uri=http%3A%2F%2F{deleted_ip}%2Fnb-auth&code=Fv2xUQPGBsUFHdY7a8Yif5A6n13y0txtJXNQ-eaafSP_TQ
- Response of the .well-known/openid-configuration API request
{
"issuer": "http://deleted_ip",
"authorization_endpoint": "http://deleted_ip/oauth/v2/authorize",
"token_endpoint": "http://deleted_ip/oauth/v2/token",
"introspection_endpoint": "http://deleted_ip/oauth/v2/introspect",
"userinfo_endpoint": "http://deleted_ip/oidc/v1/userinfo",
"revocation_endpoint": "http://deleted_ip/oauth/v2/revoke",
"end_session_endpoint": "http://deleted_ip/oidc/v1/end_session",
"device_authorization_endpoint": "http://deleted_ip/oauth/v2/device_authorization",
"jwks_uri": "http://deleted_ip/oauth/v2/keys",
"scopes_supported": [
"openid",
"profile",
"email",
"phone",
"address",
"offline_access"
],
"response_types_supported": [
"code",
"id_token",
"id_token token"
],
"grant_types_supported": [
"authorization_code",
"implicit",
"refresh_token",
"client_credentials",
"urn:ietf:params:oauth:grant-type:jwt-bearer",
"urn:ietf:params:oauth:grant-type:device_code"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"request_object_signing_alg_values_supported": [
"RS256"
],
"token_endpoint_auth_methods_supported": [
"none",
"client_secret_basic",
"client_secret_post",
"private_key_jwt"
],
"token_endpoint_auth_signing_alg_values_supported": [
"RS256"
],
"revocation_endpoint_auth_methods_supported": [
"none",
"client_secret_basic",
"client_secret_post",
"private_key_jwt"
],
"revocation_endpoint_auth_signing_alg_values_supported": [
"RS256"
],
"introspection_endpoint_auth_methods_supported": [
"client_secret_basic",
"private_key_jwt"
],
"introspection_endpoint_auth_signing_alg_values_supported": [
"RS256"
],
"claims_supported": [
"sub",
"aud",
"exp",
"iat",
"iss",
"auth_time",
"nonce",
"acr",
"amr",
"c_hash",
"at_hash",
"act",
"scopes",
"client_id",
"azp",
"preferred_username",
"name",
"family_name",
"given_name",
"locale",
"email",
"email_verified",
"phone_number",
"phone_number_verified"
],
"code_challenge_methods_supported": [
"S256"
],
"ui_locales_supported": [
"bg",
"de",
"en",
"es",
"fr",
"it",
"ja",
"mk",
"pl",
"pt",
"zh"
],
"request_parameter_supported": true,
"request_uri_parameter_supported": false
}
To Reproduce
Steps to reproduce the behavior:
- deploy self-hosted NetBird with an IP address instead of a domain name
- visit the web dashboard
Expected behavior
I should be able to log in to the NetBird dashboard after changing the initial password of the admin account.
NetBird status -d output:
If applicable, add the output of the netbird status -d command
Screenshots
-
Error msg
-
resp body
Additional context
- dashboard.env
# Endpoints
NETBIRD_MGMT_API_ENDPOINT=http://deleted_ip:80
NETBIRD_MGMT_GRPC_API_ENDPOINT=http://deleted_ip:80
# OIDC
AUTH_AUDIENCE=239527187013767172@netbird
AUTH_CLIENT_ID=239527187013767172@netbird
AUTH_AUTHORITY=http://deleted_ip:80
USE_AUTH0=false
AUTH_SUPPORTED_SCOPES="openid profile email offline_access"
AUTH_REDIRECT_URI=/nb-auth
AUTH_SILENT_REDIRECT_URI=/nb-silent-auth
# SSL
NGINX_SSL_PORT=443
# Letsencrypt
LETSENCRYPT_DOMAIN=none
- management.json
{
"Stuns": [
{
"Proto": "udp",
"URI": "stun:deleted_ip:3478",
"Username": "",
"Password": ""
}
],
"TURNConfig": {
"TimeBasedCredentials": false,
"CredentialsTTL": "0s",
"Secret": "",
"Turns": [
{
"Proto": "udp",
"URI": "turn:deleted_ip:3478",
"Username": "self",
"Password": "SG+pSvzA6benRg4ISr3yMUa8al4mV2rohG0b4T82nKM"
}
]
},
"Signal": {
"Proto": "http",
"URI": "deleted_ip:80",
"Username": "",
"Password": ""
},
"Datadir": "/var/lib/netbird/",
"DataStoreEncryptionKey": "DfsnZOx7evaQewL/8ggZRY9CbEZCXuyqzfDQv1683vY=",
"HttpConfig": {
"LetsEncryptDomain": "",
"CertFile": "",
"CertKey": "",
"AuthAudience": "239527187013767172@netbird",
"AuthIssuer": "http://deleted_ip",
"AuthUserIDClaim": "",
"AuthKeysLocation": "http://deleted_ip/oauth/v2/keys",
"OIDCConfigEndpoint": "http://deleted_ip/.well-known/openid-configuration",
"IdpSignKeyRefreshEnabled": true
},
"IdpManagerConfig": {
"ManagerType": "zitadel",
"ClientConfig": {
"Issuer": "http://deleted_ip:80",
"TokenEndpoint": "http://deleted_ip:80/oauth/v2/token",
"ClientID": "netbird-service-account",
"ClientSecret": "FrJqRgyExhLnR5oBh3A2VAO1RtV3zWXXIfBGcX0nIZFja8M66YQXl54DZElgPKRm",
"GrantType": "client_credentials"
},
"ExtraConfig": {
"ManagementEndpoint": "http://deleted_ip:80/management/v1"
},
"Auth0ClientCredentials": null,
"AzureClientCredentials": null,
"KeycloakClientCredentials": null,
"ZitadelClientCredentials": null
},
"DeviceAuthorizationFlow": null,
"PKCEAuthorizationFlow": {
"ProviderConfig": {
"ClientID": "239527189060587524@netbird",
"ClientSecret": "",
"Domain": "",
"Audience": "239527189060587524@netbird",
"TokenEndpoint": "http://deleted_ip/oauth/v2/token",
"DeviceAuthEndpoint": "",
"AuthorizationEndpoint": "http://deleted_ip/oauth/v2/authorize",
"Scope": "openid profile email offline_access",
"UseIDToken": false,
"RedirectURLs": [
"http://localhost:53000/",
"http://localhost:54000/"
]
}
},
"StoreConfig": {
"Engine": ""
}
}
Same issue for the login.
Please note that the Console login is working fine.
Hello,
Due to a limitation in the OIDC library we use, this is not possible. The only URL without an SSL certificate that it accepts is http://localhost. In that case no PKCE code_challenge is sent with the authorization request, which is why the token endpoint, which only supports the S256 method, rejects the code exchange with 'code_challenge required'.
See issue at https://github.com/AxaFrance/oidc-client/issues/1028