add management oidc configuration for proxies

Alisdair MacLeod
2026-02-03 12:39:16 +00:00
parent 5243481316
commit 146774860b
3 changed files with 20 additions and 5 deletions


@@ -398,7 +398,7 @@ func (p *Provider) Stop(ctx context.Context) error {
// EnsureDefaultClients creates dashboard and CLI OAuth clients
// Uses Dex's storage.Client directly - no custom wrappers
func (p *Provider) EnsureDefaultClients(ctx context.Context, dashboardURIs, cliURIs []string) error {
func (p *Provider) EnsureDefaultClients(ctx context.Context, dashboardURIs, cliURIs, proxyURIs []string) error {
clients := []storage.Client{
{
ID: "netbird-dashboard",
@@ -412,6 +412,12 @@ func (p *Provider) EnsureDefaultClients(ctx context.Context, dashboardURIs, cliU
RedirectURIs: cliURIs,
Public: true,
},
{
ID: "netbird-proxy",
Name: "NetBird Proxy",
RedirectURIs: proxyURIs,
Public: true,
},
}
for _, client := range clients {
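Review bot: The new `netbird-proxy` entry is registered with `Public: true` and `RedirectURIs: proxyURIs` even when `proxyURIs` is nil or empty, and nothing in the hunk checks for that. A public client has no secret, so the redirect list is the main control over where authorization codes are delivered; as far as I know Dex falls back to accepting loopback and out-of-band redirects for a public client whose list is empty, which is unlikely to be wanted for a proxy. Consider adding the client only when URIs are configured, e.g. build the slice without it and then `if len(proxyURIs) > 0 { clients = append(clients, proxyClient) }`. The static client added in `ToYAMLConfig` with `RedirectURIs: c.ProxyRedirectURIs` has the same gap. The `clients` literal and the loop over it begin and end outside these hunks.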


@@ -95,8 +95,8 @@ func (d *DexIdP) Stop(ctx context.Context) error {
}
// EnsureDefaultClients creates the default NetBird OAuth clients
func (d *DexIdP) EnsureDefaultClients(ctx context.Context, dashboardURIs, cliURIs []string) error {
return d.provider.EnsureDefaultClients(ctx, dashboardURIs, cliURIs)
func (d *DexIdP) EnsureDefaultClients(ctx context.Context, dashboardURIs, cliURIs, proxyURIs []string) error {
return d.provider.EnsureDefaultClients(ctx, dashboardURIs, cliURIs, proxyURIs)
}
// Storage exposes Dex storage for direct user/client/connector management
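Review bot: The signature now takes three positional `[]string` parameters (`dashboardURIs, cliURIs, proxyURIs`), so a call site that transposes two of them still compiles and would attach one client's redirect URIs to a different client. The doc comment also does not say which clients are created or what each list is for; something like `// EnsureDefaultClients creates the dashboard, CLI and proxy OAuth clients; each slice holds the redirect URIs for the client of the same name.` would help. A small options struct with named fields would remove the ordering risk, and `Provider.EnsureDefaultClients` has the same signature.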


@@ -18,6 +18,7 @@ import (
const (
staticClientDashboard = "netbird-dashboard"
staticClientCLI = "netbird-cli"
staticClientProxy = "netbird-proxy"
defaultCLIRedirectURL1 = "http://localhost:53000/"
defaultCLIRedirectURL2 = "http://localhost:54000/"
defaultScopes = "openid profile email groups"
@@ -37,8 +38,10 @@ type EmbeddedIdPConfig struct {
Storage EmbeddedStorageConfig
// DashboardRedirectURIs are the OAuth2 redirect URIs for the dashboard client
DashboardRedirectURIs []string
// DashboardRedirectURIs are the OAuth2 redirect URIs for the dashboard client
// CLIRedirectURIs are the OAuth2 redirect URIs for the CLI client
CLIRedirectURIs []string
// ProxyRedirectURIs are the OAuth2 redirect URIs for the Proxy client
ProxyRedirectURIs []string
// Owner is the initial owner/admin user (optional, can be nil)
Owner *OwnerConfig
// SignKeyRefreshEnabled enables automatic key rotation for signing keys
@@ -119,6 +122,12 @@ func (c *EmbeddedIdPConfig) ToYAMLConfig() (*dex.YAMLConfig, error) {
Public: true,
RedirectURIs: cliRedirectURIs,
},
{
ID: staticClientProxy,
Name: "NetBird Proxy",
Public: true,
RedirectURIs: c.ProxyRedirectURIs,
},
},
}
@@ -546,7 +555,7 @@ func (m *EmbeddedIdPManager) GetLocalKeysLocation() string {
// GetClientIDs returns the OAuth2 client IDs configured for this provider.
func (m *EmbeddedIdPManager) GetClientIDs() []string {
return []string{staticClientDashboard, staticClientCLI}
return []string{staticClientDashboard, staticClientCLI, staticClientProxy}
}
// GetUserIDClaim returns the JWT claim name used for user identification.
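Review bot: `GetClientIDs` now returns `staticClientProxy` alongside the dashboard and CLI IDs, but its callers are not visible in this section. If the list is used as the set of accepted token audiences, tokens issued to the public `netbird-proxy` client become acceptable wherever dashboard and CLI tokens are, which widens what a proxy-issued token can reach. It is worth confirming that this is intended and stating it in the doc comment, e.g. `// The proxy client ID is included; callers using this list for audience checks will accept tokens issued to netbird-proxy.`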