From 7c996ac9b5dab662b3ed1e37f70c3ec7b05535a3 Mon Sep 17 00:00:00 2001
From: mlsmaycon
Date: Mon, 9 Feb 2026 01:18:49 +0100
Subject: [PATCH] add AuthCallbackURL

---
 management/cmd/management.go                 |  3 +++
 management/internals/server/boot.go          | 10 +---------
 management/internals/server/config/config.go |  2 ++
 3 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/management/cmd/management.go b/management/cmd/management.go
index 511168823..cfc00b6bd 100644
--- a/management/cmd/management.go
+++ b/management/cmd/management.go
@@ -213,11 +213,14 @@ func applyEmbeddedIdPConfig(ctx context.Context, cfg *nbconfig.Config) error {
 	// Set HttpConfig values from EmbeddedIdP
 	cfg.HttpConfig.AuthIssuer = issuer
 	cfg.HttpConfig.AuthAudience = "netbird-dashboard"
+	cfg.HttpConfig.AuthClientID = cfg.HttpConfig.AuthAudience
 	cfg.HttpConfig.CLIAuthAudience = "netbird-cli"
 	cfg.HttpConfig.AuthUserIDClaim = "sub"
 	cfg.HttpConfig.AuthKeysLocation = issuer + "/keys"
 	cfg.HttpConfig.OIDCConfigEndpoint = issuer + "/.well-known/openid-configuration"
 	cfg.HttpConfig.IdpSignKeyRefreshEnabled = true
+	callbackURL := strings.TrimSuffix(cfg.HttpConfig.AuthIssuer, "/oauth2")
+	cfg.HttpConfig.AuthCallbackURL = callbackURL + "/api/oauth/callback"
 
 	return nil
 }
diff --git a/management/internals/server/boot.go b/management/internals/server/boot.go
index 66d651c69..7de4591d0 100644
--- a/management/internals/server/boot.go
+++ b/management/internals/server/boot.go
@@ -8,7 +8,6 @@ import (
 	"net/http"
 	"net/netip"
 	"slices"
-	"strings"
 	"time"
 
 	grpcMiddleware "github.com/grpc-ecosystem/go-grpc-middleware/v2"
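Review bot: The added line `callbackURL := strings.TrimSuffix(cfg.HttpConfig.AuthIssuer, "/oauth2")` encodes the assumption that the embedded IdP issuer ends in `/oauth2` without checking it; if it does not, TrimSuffix is a no-op and `AuthCallbackURL` silently becomes `<issuer>/api/oauth/callback`, which the IdP would reject as an unregistered redirect_uri and which only surfaces as a failed login. Since this value is the redirect_uri the IdP validates, it is safer to fail at startup than to derive a wrong URL: `if !strings.HasSuffix(cfg.HttpConfig.AuthIssuer, "/oauth2") { return fmt.Errorf("embedded IdP issuer %q must end in /oauth2", cfg.HttpConfig.AuthIssuer) }` before the derivation (the function already returns an error). A comment such as `// AuthCallbackURL must be registered as an allowed redirect URI on the netbird-dashboard client` next to the assignment would also tell operators what the value is for. applyEmbeddedIdPConfig begins outside the hunk, so where `issuer` comes from and whether fmt is imported in this file is not visible here.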
@@ -174,19 +173,12 @@ func (s *BaseServer) ReverseProxyGRPCServer() *nbgrpc.ProxyServiceServer {
 
 func (s *BaseServer) proxyOIDCConfig() nbgrpc.ProxyOIDCConfig {
 	return Create(s, func() nbgrpc.ProxyOIDCConfig {
-		// TODO: this is weird, double check
-		// Build callback URL - this should be the management server's callback endpoint
-		// For embedded IdP, derive from issuer. For external, use a configured value or derive from issuer.
-		// The callback URL should be registered in the IdP's allowed redirect URIs for the dashboard client.
-		callbackURL := strings.TrimSuffix(s.Config.HttpConfig.AuthIssuer, "/oauth2")
-		callbackURL = callbackURL + "/api/oauth/callback"
-
 		return nbgrpc.ProxyOIDCConfig{
 			Issuer:       s.Config.HttpConfig.AuthIssuer,
 			// todo: double check auth clientID value
 			ClientID:     s.Config.HttpConfig.AuthClientID, // Reuse dashboard client
 			Scopes:       []string{"openid", "profile", "email"},
-			CallbackURL:  callbackURL,
+			CallbackURL:  s.Config.HttpConfig.AuthCallbackURL,
 			HMACKey:      []byte(s.Config.DataStoreEncryptionKey), // Use the datastore encryption key for OIDC state HMACs, this should ensure all management instances are using the same key.
 			Audience:     s.Config.HttpConfig.AuthAudience,
 			KeysLocation: s.Config.HttpConfig.AuthKeysLocation,
diff --git a/management/internals/server/config/config.go b/management/internals/server/config/config.go
index 884d243c7..5ed1c3ede 100644
--- a/management/internals/server/config/config.go
+++ b/management/internals/server/config/config.go
@@ -119,6 +119,8 @@ type HttpServerConfig struct {
 	IdpSignKeyRefreshEnabled bool
 	// Extra audience
 	ExtraAuthAudience string
+	// AuthCallbackDomain contains the callback domain
+	AuthCallbackURL string
 }
 
 // Host represents a Netbird host (e.g. STUN, TURN, Signal)
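Review bot: `CallbackURL: s.Config.HttpConfig.AuthCallbackURL` reads a field that, within this patch, is only populated by applyEmbeddedIdPConfig, whereas the removed code derived the callback from the issuer for every deployment; unless a config loader outside this diff fills it, a management server using an external IdP with no `AuthCallbackURL` in its config file now hands an empty CallbackURL to the OIDC proxy and will send an empty redirect_uri to the IdP. Because this closure returns a ProxyOIDCConfig without an error path, the check belongs where the config is loaded, e.g. `if cfg.HttpConfig.AuthCallbackURL == "" { return fmt.Errorf("HttpConfig.AuthCallbackURL must be set when using an external IdP") }`, so the misconfiguration fails at startup instead of at the first login. The surviving `// todo: double check auth clientID value` comment could also be resolved now that AuthClientID is set explicitly for the embedded IdP, if the external-IdP configuration is confirmed to set it too. The hunk shows only the start of the struct literal; the rest of proxyOIDCConfig lies outside it.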
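Review bot: The doc comment on the new field names a different identifier and a different kind of value: `// AuthCallbackDomain contains the callback domain` documents `AuthCallbackURL string`, which holds a full URL ending in `/api/oauth/callback` according to the management.go hunk. I would write `// AuthCallbackURL is the redirect URI the management server uses for the OIDC code flow (…/api/oauth/callback).` followed by `// It must be registered as an allowed redirect URI on the dashboard client; it is derived from AuthIssuer when the embedded IdP is used.`, matching the one-line comment style of the neighbouring fields. HttpServerConfig continues outside the hunk, so whether other fields carry similar guidance is not visible here.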