Add PKCE authorization flow (#1012)

Enhance the user experience by enabling authentication to Netbird using Single Sign-On (SSO) with any Identity Provider (IDP) provider. Current client offers this capability through the Device Authorization Flow, however, is not widely supported by many IDPs, and even some that do support it do not provide a complete verification URL.

To address these challenges, this pull request enable Authorization Code Flow with Proof Key for Code Exchange (PKCE) for client logins, which is a more widely adopted and secure approach to facilitate SSO with various IDP providers.

infrastructure_files/base.setup.env

@@ -43,6 +43,10 @@ NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=${NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN:-f
 NETBIRD_DISABLE_ANONYMOUS_METRICS=${NETBIRD_DISABLE_ANONYMOUS_METRICS:-false}
 NETBIRD_TOKEN_SOURCE=${NETBIRD_TOKEN_SOURCE:-accessToken}
 
+# PKCE authorization flow
+NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS=${NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS:-"53000"}
+NETBIRD_AUTH_PKCE_USE_ID_TOKEN=${NETBIRD_AUTH_PKCE_USE_ID_TOKEN:-false}
+
 # exports
 export NETBIRD_DOMAIN
 export NETBIRD_AUTH_CLIENT_ID
@@ -80,4 +84,6 @@ export NETBIRD_AUTH_USER_ID_CLAIM
 export NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE
 export NETBIRD_TOKEN_SOURCE
 export NETBIRD_AUTH_DEVICE_AUTH_SCOPE
-export NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN
+export NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN
+export NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT
+export NETBIRD_AUTH_PKCE_USE_ID_TOKEN

infrastructure_files/configure.sh

@@ -99,12 +99,17 @@ export NETBIRD_AUTH_AUTHORITY=$(jq -r '.issuer' openid-configuration.json)
 export NETBIRD_AUTH_JWT_CERTS=$(jq -r '.jwks_uri' openid-configuration.json)
 export NETBIRD_AUTH_TOKEN_ENDPOINT=$(jq -r '.token_endpoint' openid-configuration.json)
 export NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT=$(jq -r '.device_authorization_endpoint' openid-configuration.json)
+export NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT=$(jq -r '.authorization_endpoint' openid-configuration.json)
 
 if [[ ! -z "${NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID}" ]]; then
   # user enabled Device Authorization Grant feature
   export NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="hosted"
 fi
 
+if [ "$NETBIRD_TOKEN_SOURCE" = "idToken" ]; then
+    export NETBIRD_AUTH_PKCE_USE_ID_TOKEN=true
+fi
+
 # Check if letsencrypt was disabled
 if [[ "$NETBIRD_DISABLE_LETSENCRYPT" == "true" ]]; then
   export NETBIRD_DASHBOARD_ENDPOINT="https://$NETBIRD_DOMAIN:443"
@@ -151,6 +156,14 @@ if [ -n "$NETBIRD_MGMT_IDP" ]; then
   export NETBIRD_IDP_MGMT_EXTRA_CONFIG=$EXTRA_CONFIG
 fi
 
+IFS=',' read -r -a REDIRECT_URL_PORTS <<< "$NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS"
+REDIRECT_URLS=""
+for port in "${REDIRECT_URL_PORTS[@]}"; do
+    REDIRECT_URLS+="\"http://localhost:${port}\","
+done
+
+export NETBIRD_AUTH_PKCE_REDIRECT_URLS=${REDIRECT_URLS%,}
+
 env | grep NETBIRD
 
 envsubst <docker-compose.yml.tmpl >docker-compose.yml

infrastructure_files/management.json.tmpl

@@ -59,5 +59,17 @@
           "Scope": "$NETBIRD_AUTH_DEVICE_AUTH_SCOPE",
           "UseIDToken": $NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN
          }
+    },
+    "PKCEAuthorizationFlow": {
+        "ProviderConfig": {
+            "Audience": "$NETBIRD_AUTH_AUDIENCE",
+            "ClientID": "$NETBIRD_AUTH_CLIENT_ID",
+            "ClientSecret": "$NETBIRD_AUTH_CLIENT_SECRET",
+            "AuthorizationEndpoint": "$NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT",
+            "TokenEndpoint": "$NETBIRD_AUTH_TOKEN_ENDPOINT",
+            "Scope": "$NETBIRD_AUTH_SUPPORTED_SCOPES",
+            "RedirectURLs": [$NETBIRD_AUTH_PKCE_REDIRECT_URLS],
+            "UseIDToken": $NETBIRD_AUTH_PKCE_USE_ID_TOKEN
+        }
     }
 }

infrastructure_files/setup.env.example

@@ -37,6 +37,12 @@ NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
 NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
 NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
 # -------------------------------------------
+# OIDC PKCE Authorization Flow
+# -------------------------------------------
+# Comma separated port numbers. if already in use, PKCE flow will choose an available port from the list as an alternative
+# eg. 53000,54000
+NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000"
+# -------------------------------------------
 # IDP Management
 # -------------------------------------------
 # eg. zitadel, auth0, azure, keycloak