Netbird Auth Error: Valid OIDC Setup with Invalid Logout Redirect
I installed NetBird following the documentation at https://docs.netbird.io/selfhosted/selfhosted-quickstart. I am encountering an authentication error at login — specifically, an incorrect redirect after logout. When I click the logout button, the request is sent to http://localhost/.well-known/openid-configuration, but it should be sent to http://DOMAIN/.well-known/openid-configuration. Despite this, the management service logs show that the initial OIDC connection was successful.
version: 0.49.0
management.json
"Stuns": [
{
"Proto": "udp",
"URI": "stun:<DOMAIN>:3478",
"Username": "",
"Password": ""
}
],
"TURNConfig": {
"TimeBasedCredentials": false,
"CredentialsTTL": "0s",
"Secret": "",
"Turns": [
{
"Proto": "udp",
"URI": "turn:<DOMAIN>:3478",
"Username": "self",
"Password": "PASSWORD"
}
]
},
"Relay": {
"Addresses": [
"rels://<DOMAIN>:443"
],
"CredentialsTTL": "24h0m0s",
"Secret": "TOP SECRET"
},
"Signal": {
"Proto": "https",
"URI": "<DOMAIN>:443",
"Username": "",
"Password": ""
},
"Datadir": "/var/lib/netbird/",
"DataStoreEncryptionKey": "TOP SECRET",
"HttpConfig": {
"LetsEncryptDomain": "",
"CertFile": "",
"CertKey": "",
"AuthAudience": "326230217330851844",
"AuthIssuer": "https://<DOMAIN>",
"AuthUserIDClaim": "",
"AuthKeysLocation": "https://<DOMAIN>/oauth/v2/keys",
"OIDCConfigEndpoint": "https://<DOMAIN>/.well-known/openid-configuration",
"IdpSignKeyRefreshEnabled": true,
"ExtraAuthAudience": ""
},
"IdpManagerConfig": {
"ManagerType": "zitadel",
"ClientConfig": {
"Issuer": "https://<DOMAIN>",
"TokenEndpoint": "https://<DOMAIN>/oauth/v2/token",
"ClientID": "netbird-service-account",
"ClientSecret": "TOP SECRET",
"GrantType": "client_credentials"
},
"ExtraConfig": {
"ManagementEndpoint": "https://<DOMAIN>/management/v1"
},
"Auth0ClientCredentials": null,
"AzureClientCredentials": null,
"KeycloakClientCredentials": null,
"ZitadelClientCredentials": null
},
"DeviceAuthorizationFlow": {
"Provider": "hosted",
"ProviderConfig": {
"ClientID": "ClientID",
"ClientSecret": "",
"Domain": "<DOMAIN>",
"Audience": "ClientID",
"TokenEndpoint": "https://<DOMAIN>/oauth/v2/token",
"DeviceAuthEndpoint": "https://<DOMAIN>/oauth/v2/device_authorization",
"AuthorizationEndpoint": "",
"Scope": "openid",
"UseIDToken": false,
"RedirectURLs": null,
"DisablePromptLogin": false,
"LoginFlag": 0
}
},
"PKCEAuthorizationFlow": {
"ProviderConfig": {
"ClientID": "ClientID",
"ClientSecret": "",
"Domain": "",
"Audience": "Audience",
"TokenEndpoint": "https://<DOMAIN>/oauth/v2/token",
"DeviceAuthEndpoint": "",
"AuthorizationEndpoint": "https://<DOMAIN>/oauth/v2/authorize",
"Scope": "openid profile email offline_access",
"UseIDToken": false,
"RedirectURLs": [
"http://localhost:53000/",
"http://localhost:54000/"
],
"DisablePromptLogin": false,
"LoginFlag": 0
}
},
"StoreConfig": {
"Engine": ""
},
"ReverseProxy": {
"TrustedHTTPProxies": null,
"TrustedHTTPProxiesCount": 0,
"TrustedPeers": null
}
}
docker-compose.yaml
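# Self-hosted NetBird stack (quickstart layout). Caddy is the TLS-terminating
# entry point for the dashboard, signal, relay, management and Zitadel
# services on the internal "netbird" network; coturn runs on the host network.
# The *.env files, Caddyfile, turnserver.conf and management.json referenced
# below live next to this file and are not shown here.
services:
  # Caddy reverse proxy - the only service (besides coturn) that publishes
  # ports to the host. The image tag is unpinned (floating "latest").
  caddy:
    image: caddy
    restart: unless-stopped
    networks: [netbird]
    ports:
      - '443:443'
      - '443:443/udp'
      - '80:80'
      # What Caddy serves on 8080 is defined in ./Caddyfile (not shown);
      # confirm the listener is intended before leaving it published.
      - '8080:8080'
    volumes:
      - netbird_caddy_data:/data
      - ./Caddyfile:/etc/caddy/Caddyfile
    logging:
      driver: json-file
      options:
        max-size: '500m'
        max-file: '2'

  # UI dashboard. Its OIDC authority and redirect settings come from
  # ./dashboard.env (not shown) - NOTE(review): the post-logout redirect to
  # localhost reported above is presumably configured there rather than in
  # management.json; verify the values in that file.
  dashboard:
    # NetBird images below use the floating :latest tag; pin them to a release
    # tag for reproducible, auditable upgrades (Zitadel below is already pinned).
    image: netbirdio/dashboard:latest
    restart: unless-stopped
    networks: [netbird]
    env_file:
      - ./dashboard.env
    logging:
      driver: json-file
      options:
        max-size: '500m'
        max-file: '2'

  # Signal server (peer signalling), reachable only through Caddy.
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    networks: [netbird]
    logging:
      driver: json-file
      options:
        max-size: '500m'
        max-file: '2'

  # NetBird relay; its shared secret is supplied via ./relay.env (not shown).
  relay:
    image: netbirdio/relay:latest
    restart: unless-stopped
    networks: [netbird]
    env_file:
      - ./relay.env
    logging:
      driver: json-file
      options:
        max-size: '500m'
        max-file: '2'

  # Management API. ./management.json holds the IdP client secret, relay
  # secret and data-store encryption key - keep its file mode restrictive and
  # out of version control.
  management:
    image: netbirdio/management:latest
    restart: unless-stopped
    networks: [netbird]
    volumes:
      - netbird_management:/var/lib/netbird
      - ./management.json:/etc/netbird/management.json
    # Block style instead of a multi-line flow list; each argv entry on its own
    # line. "80" must stay a string.
    command:
      - --port
      - '80'
      - --log-file
      - console
      - --log-level
      - info
      # "=false" here means anonymous metrics reporting stays enabled.
      - --disable-anonymous-metrics=false
      - --single-account-mode-domain=netbird.selfhosted
      - --dns-domain=netbird.selfhosted
      # Duplicates "IdpSignKeyRefreshEnabled": true in management.json.
      - --idp-sign-key-refresh-enabled
    logging:
      driver: json-file
      options:
        max-size: '500m'
        max-file: '2'

  # Coturn (STUN/TURN). Host networking means every port turnserver.conf
  # opens is reachable directly on the host, bypassing the compose network;
  # apply host firewall rules accordingly.
  coturn:
    image: coturn/coturn
    restart: unless-stopped
    # domainname: netbird.relay.selfhosted
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
    network_mode: host
    # Option and its argument as separate argv entries so getopt receives
    # "-c" with the bare path (the original passed both in one string).
    command:
      - -c
      - /etc/turnserver.conf
    logging:
      driver: json-file
      options:
        max-size: '500m'
        max-file: '2'

  # Zitadel - identity provider (the OIDC issuer used in management.json).
  zitadel:
    image: ghcr.io/zitadel/zitadel:v2.64.1
    restart: always
    networks: [netbird]
    command: start-from-init --masterkeyFromEnv --tlsMode external
    env_file:
      - ./zitadel.env
    depends_on:
      zdb:
        condition: service_healthy
    volumes:
      # NOTE(review): ./machinekey is mounted read-write and presumably holds
      # service-account key material - treat the directory as a secret
      # (restrictive permissions, never committed); confirm against zitadel.env.
      - ./machinekey:/machinekey
      - netbird_zitadel_certs:/zdb-certs:ro
    logging:
      driver: json-file
      options:
        max-size: '500m'
        max-file: '2'

  # PostgreSQL backing Zitadel.
  zdb:
    image: postgres:16-alpine
    restart: always
    networks: [netbird]
    env_file:
      - ./zdb.env
    volumes:
      - netbird_zdb_data:/var/lib/postgresql/data:rw
    healthcheck:
      # Exec form ("CMD") so "-d db_prod" actually reaches pg_isready. With
      # "CMD-SHELL" only the first element is the shell command and the
      # remaining elements become positional shell parameters that pg_isready
      # never sees, so the database check was silently a bare pg_isready.
      test: ['CMD', 'pg_isready', '-d', 'db_prod']
      interval: 5s
      timeout: 60s
      retries: 10
      start_period: 5s
    logging:
      driver: json-file
      options:
        max-size: '500m'
        max-file: '2'

# Named volumes; explicit empty mappings rather than bare null values.
volumes:
  netbird_zdb_data: {}
  netbird_management: {}
  netbird_caddy_data: {}
  netbird_zitadel_certs: {}

# Internal network shared by everything except coturn (host networking).
networks:
  netbird: {}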