                        Azure Auth failing - 404 on /auth after redirect back from Azure
Describe the problem
Created a new setup and used the latest manual on the website: https://docs.netbird.io/selfhosted/identity-providers#azure-ad
The config I ended up with is:
## example file, you can copy this file to setup.env and update its values
##
# Image tags
# you can force specific tags for each component; will be set to latest if empty
NETBIRD_DASHBOARD_TAG=""
NETBIRD_SIGNAL_TAG=""
NETBIRD_MANAGEMENT_TAG=""
COTURN_TAG=""
# Dashboard domain. e.g. app.mydomain.com
NETBIRD_DOMAIN="tunnel.xxxx.nl"
# TURN server domain. e.g. turn.mydomain.com
# if not specified it will assume NETBIRD_DOMAIN
NETBIRD_TURN_DOMAIN=""
# TURN server public IP address
# required for a connection involving peers in
# the same network as the server and external peers
# usually matches the IP for the domain set in NETBIRD_TURN_DOMAIN
NETBIRD_TURN_EXTERNAL_IP=""
# -------------------------------------------
# OIDC
#  e.g., https://example.eu.auth0.com/.well-known/openid-configuration
# -------------------------------------------
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://login.microsoftonline.com/bca71bac-28f4-401d-b0c6-xxxxxxxxxxx/v2.0/.well-known/openid-configuration"
# The default setting is to transmit the audience to the IDP during authorization. However,
# if your IDP does not have this capability, you can turn this off by setting it to false.
#NETBIRD_DASH_AUTH_USE_AUDIENCE=false
NETBIRD_AUTH_AUDIENCE="ac72324a-c386-45d1-a738-6f0df47f696b"
# e.g. netbird-client
NETBIRD_AUTH_CLIENT_ID="ac72324a-c386-45d1-a738-6f0df47f696b"
# indicates the scopes that will be requested to the IDP
NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api://ac72324a-c386-45d1-a738-6f0df47f696b/api"
# NETBIRD_AUTH_CLIENT_SECRET is required only by Google workspace.
# NETBIRD_AUTH_CLIENT_SECRET=""
# if you want to use a custom claim for the user ID instead of 'sub', set it here
NETBIRD_AUTH_USER_ID_CLAIM="oid"
# indicates whether to use Auth0 or not: true or false
NETBIRD_USE_AUTH0="false"
# if your IDP provider doesn't support fragmented URIs, configure custom
# redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain.
NETBIRD_AUTH_REDIRECT_URI="/auth"
NETBIRD_AUTH_SILENT_REDIRECT_URI="/silent-auth"
# Updates the preference to use id tokens instead of access token on dashboard
# Okta and Gitlab IDPs can benefit from this
# NETBIRD_TOKEN_SOURCE="idToken"
# -------------------------------------------
# OIDC Device Authorization Flow
# -------------------------------------------
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="ac72324a-c386-45d1-a738-6f0df47f696b"
# Some IDPs requires different audience, scopes and to use id token for device authorization flow
# you can customize here:
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
# -------------------------------------------
# OIDC PKCE Authorization Flow
# -------------------------------------------
# Comma separated port numbers. if already in use, PKCE flow will choose an available port from the list as an alternative
# eg. 53000,54000
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000"
# -------------------------------------------
# IDP Management
# -------------------------------------------
# eg. zitadel, auth0, azure, keycloak
NETBIRD_MGMT_IDP="azure"
# Some IDPs requires different client id and client secret for management api
NETBIRD_IDP_MGMT_CLIENT_ID="ac72324a-c386-45d1-a738-6f0df47f696b"
NETBIRD_IDP_MGMT_CLIENT_SECRET="xxxx"
NETBIRD_IDP_MGMT_EXTRA_GRAPH_API_ENDPOINT="https://graph.microsoft.com/v1.0"
NETBIRD_IDP_MGMT_EXTRA_OBJECT_ID="c55bbfe6-b61c-4287-8d8d-xxxxxxxxxx"
# Required when setting up with Keycloak "https://<YOUR_KEYCLOAK_HOST_AND_PORT>/admin/realms/netbird"
# NETBIRD_IDP_MGMT_EXTRA_ADMIN_ENDPOINT=
# With some IDPs may be needed enabling automatic refresh of signing keys on expire
# NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=false
# NETBIRD_IDP_MGMT_EXTRA_ variables. See https://docs.netbird.io/selfhosted/identity-providers for more information about your IDP of choice.
# -------------------------------------------
# Letsencrypt
# -------------------------------------------
# Disable letsencrypt
#  if disabled, cannot use HTTPS anymore and requires setting up a reverse-proxy to do it instead
NETBIRD_DISABLE_LETSENCRYPT=false
# e.g. [email protected]
NETBIRD_LETSENCRYPT_EMAIL="xxxxx"
# -------------------------------------------
# Extra settings
# -------------------------------------------
# Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
NETBIRD_DISABLE_ANONYMOUS_METRICS=false
# DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted
Like in the manual I run ./configure.sh and in the artifacts folder I bring docker compose up.
All containers start without any problem:
docker compose ps
NAME                     IMAGE                         COMMAND                  SERVICE      CREATED          STATUS          PORTS
artifacts-coturn-1       coturn/coturn:latest          "docker-entrypoint.s…"   coturn       36 minutes ago   Up 36 minutes
artifacts-dashboard-1    netbirdio/dashboard:latest    "/usr/bin/supervisor…"   dashboard    36 minutes ago   Up 36 minutes   0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp
artifacts-management-1   netbirdio/management:latest   "/go/bin/netbird-mgm…"   management   26 minutes ago   Up 26 minutes   0.0.0.0:33073->443/tcp, :::33073->443/tcp
artifacts-signal-1       netbirdio/signal:latest       "/go/bin/netbird-sig…"   signal       36 minutes ago   Up 36 minutes   0.0.0.0:10000->80/tcp, :::10000->80/tcp
After this I can navigate to the endpoint url and it redirects to Microsoft for authentication. After I authenticate it redirects back to /auth in my endpoint but it gives a 404 response.
After this all requests to Microsoft fail:
Expected behavior
After login Netbird uses the authentication information to authenticate the user.
Are you using NetBird Cloud?
No, self-hosted
NetBird version
{
  "Id": "sha256:601694d507636b624155f3a72e14eec2e1d2b12b80cd84fbf5e95849a9977c9f",
  "Digest": null,
  "RepoDigests": [
    "netbirdio/management@sha256:ead72f552b9f3ec622db6a1c8b018dea20d95575b997af9cfb0bfd9196ec8877"
  ],
  "Labels": {
    "maintainer": "[email protected]",
    "org.opencontainers.image.created": "2024-02-07T15:17:49Z",
    "org.opencontainers.image.ref.name": "ubuntu",
    "org.opencontainers.image.revision": "a7547b999001536902d70c226384b505be12431d",
    "org.opencontainers.image.title": "netbird",
    "org.opencontainers.image.version": "0.25.7"
  }
}
NetBird status -d output:
No client app yet involved
Also having this same issue. Fresh install from today.
Ok, I think I resolved my issue at least. I needed to set NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=true in the setup.env. This seems to have resolved my issue instantly. We'll see if it continues to work tho :)
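A small lint for the Azure AD settings in setup.env, added here as an example; it is not NetBird's code and not from this thread. It parses the file the way a shell sources it (quoting, `$VAR` references such as `NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE`) and flags the missing `NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=true` from the final comment; the other consistency rules are assumptions drawn from the reporter's posted values, and the tenant ID in the sample is a placeholder.

```python
import re
import shlex

# Constructed sample: the reporter's setup.env trimmed to the Azure-relevant keys,
# refresh flag still commented out as in the failing setup; tenant ID is a placeholder.
SAMPLE_ENV = """\
NETBIRD_DOMAIN="tunnel.example.invalid"
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0/.well-known/openid-configuration"
NETBIRD_AUTH_AUDIENCE="ac72324a-c386-45d1-a738-6f0df47f696b"
NETBIRD_AUTH_CLIENT_ID="ac72324a-c386-45d1-a738-6f0df47f696b"
NETBIRD_AUTH_USER_ID_CLAIM="oid"
NETBIRD_AUTH_REDIRECT_URI="/auth"
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
NETBIRD_MGMT_IDP="azure"
# NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=false
"""

_REF = re.compile(r"\$\{?([A-Z_][A-Z0-9_]*)\}?")  # $VAR or ${VAR}


def parse_env(text):
    """Parse dotenv text: skip comments, strip shell quoting, expand $VAR against earlier keys."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = shlex.split(value)[0] if value.strip() else ""
        env[key.strip()] = _REF.sub(lambda m: env.get(m.group(1), ""), value)
    return env


def lint_azure(env):
    """Return findings for the Azure AD settings; an empty list means consistent."""
    if env.get("NETBIRD_MGMT_IDP") != "azure":
        return ["NETBIRD_MGMT_IDP is not 'azure'; Azure checks skipped"]
    checks = [
        (env.get("NETBIRD_MGMT_IDP_SIGNKEY_REFRESH", "").lower() == "true",
         "NETBIRD_MGMT_IDP_SIGNKEY_REFRESH must be true (the fix reported in this thread)"),
        ("login.microsoftonline.com" in env.get("NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT", ""),
         "OIDC configuration endpoint is not an Azure AD discovery URL"),
        (env.get("NETBIRD_AUTH_AUDIENCE") == env.get("NETBIRD_AUTH_CLIENT_ID"),
         "NETBIRD_AUTH_AUDIENCE should equal NETBIRD_AUTH_CLIENT_ID"),
        (env.get("NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE") == env.get("NETBIRD_AUTH_AUDIENCE"),
         "NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE does not expand to NETBIRD_AUTH_AUDIENCE"),
        (env.get("NETBIRD_AUTH_REDIRECT_URI") == "/auth",
         "NETBIRD_AUTH_REDIRECT_URI should be '/auth'"),
    ]
    return [msg for ok, msg in checks if not ok]
```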