[management] Legacy to embedded IdP migration tool (#5586)

2026-04-18 08:16:39 +00:00 · 2026-04-01 12:53:19 +01:00
parent 4d3e2f8ad3
commit 940f530ac2
24 changed files with 4023 additions and 31 deletions
--- a/management/internals/server/controllers.go
+++ b/management/internals/server/controllers.go
@@ -20,6 +20,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	"github.com/netbirdio/netbird/management/server/job"
+	nbjwt "github.com/netbirdio/netbird/shared/auth/jwt"
 )

 func (s *BaseServer) PeersUpdateManager() network_map.PeersUpdateManager {
@@ -71,6 +72,7 @@ func (s *BaseServer) AuthManager() auth.Manager {
 	signingKeyRefreshEnabled := s.Config.HttpConfig.IdpSignKeyRefreshEnabled
 	issuer := s.Config.HttpConfig.AuthIssuer
 	userIDClaim := s.Config.HttpConfig.AuthUserIDClaim
+	var keyFetcher nbjwt.KeyFetcher

 	// Use embedded IdP configuration if available
 	if oauthProvider := s.OAuthConfigProvider(); oauthProvider != nil {
@@ -78,8 +80,11 @@ func (s *BaseServer) AuthManager() auth.Manager {
 		if len(audiences) > 0 {
 			audience = audiences[0] // Use the first client ID as the primary audience
 		}
-		// Use localhost keys location for internal validation (management has embedded Dex)
-		keysLocation = oauthProvider.GetLocalKeysLocation()
+		keyFetcher = oauthProvider.GetKeyFetcher()
+		// Fall back to default keys location if direct key fetching is not available
+		if keyFetcher == nil {
+			keysLocation = oauthProvider.GetLocalKeysLocation()
+		}
 		signingKeyRefreshEnabled = true
 		issuer = oauthProvider.GetIssuer()
 		userIDClaim = oauthProvider.GetUserIDClaim()
@@ -92,7 +97,8 @@ func (s *BaseServer) AuthManager() auth.Manager {
 			keysLocation,
 			userIDClaim,
 			audiences,
-			signingKeyRefreshEnabled)
+			signingKeyRefreshEnabled,
+			keyFetcher)
 	})
 }

--- a/management/internals/server/modules.go
+++ b/management/internals/server/modules.go
@@ -117,9 +117,11 @@ func (s *BaseServer) IdpManager() idp.Manager {
 	return Create(s, func() idp.Manager {
 		var idpManager idp.Manager
 		var err error
+
 		// Use embedded IdP service if embedded Dex is configured and enabled.
 		// Legacy IdpManager won't be used anymore even if configured.
-		if s.Config.EmbeddedIdP != nil && s.Config.EmbeddedIdP.Enabled {
+		embeddedEnabled := s.Config.EmbeddedIdP != nil && s.Config.EmbeddedIdP.Enabled
+		if embeddedEnabled {
 			idpManager, err = idp.NewEmbeddedIdPManager(context.Background(), s.Config.EmbeddedIdP, s.Metrics())
 			if err != nil {
 				log.Fatalf("failed to create embedded IDP service: %v", err)