sendnrw/netbird
2
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2026-04-18 08:16:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

add dashboard post logout redirect uri to embedded config

Browse Source
This commit is contained in:
jnfrati
2026-04-15 17:04:45 +02:00
parent 4a49f9e00b
commit b54e46cd48
2 changed files with 46 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
combined/cmd/config.go
View File

@@ -133,14 +133,15 @@ type ManagementConfig struct {
// AuthConfig contains authentication/identity provider settings // AuthConfig contains authentication/identity provider settings
type AuthConfig struct { type AuthConfig struct {
Issuer string `yaml:"issuer"` Issuer string `yaml:"issuer"`
LocalAuthDisabled bool `yaml:"localAuthDisabled"` LocalAuthDisabled bool `yaml:"localAuthDisabled"`
EnableLocalMFA bool `yaml:"enableLocalMFA"` EnableLocalMFA bool `yaml:"enableLocalMFA"`
SignKeyRefreshEnabled bool `yaml:"signKeyRefreshEnabled"` SignKeyRefreshEnabled bool `yaml:"signKeyRefreshEnabled"`
Storage AuthStorageConfig `yaml:"storage"` Storage AuthStorageConfig `yaml:"storage"`
DashboardRedirectURIs []string `yaml:"dashboardRedirectURIs"` DashboardRedirectURIs []string `yaml:"dashboardRedirectURIs"`
CLIRedirectURIs []string `yaml:"cliRedirectURIs"` CLIRedirectURIs []string `yaml:"cliRedirectURIs"`
Owner *AuthOwnerConfig `yaml:"owner,omitempty"` Owner *AuthOwnerConfig `yaml:"owner,omitempty"`
DashboardPostLogoutRedirectURIs []string `yaml:"dashboardPostLogoutRedirectURIs"`
} }
// AuthStorageConfig contains auth storage settings // AuthStorageConfig contains auth storage settings
@@ -592,8 +593,9 @@ func (c *CombinedConfig) buildEmbeddedIdPConfig(mgmt ManagementConfig) (*idp.Emb
DSN: authStorageDSN, DSN: authStorageDSN,
}, },
}, },
DashboardRedirectURIs: mgmt.Auth.DashboardRedirectURIs, DashboardRedirectURIs: mgmt.Auth.DashboardRedirectURIs,
CLIRedirectURIs: mgmt.Auth.CLIRedirectURIs, CLIRedirectURIs: mgmt.Auth.CLIRedirectURIs,
DashboardPostLogoutRedirectURIs: mgmt.Auth.DashboardPostLogoutRedirectURIs,
} }
if mgmt.Auth.Owner != nil && mgmt.Auth.Owner.Email != "" { if mgmt.Auth.Owner != nil && mgmt.Auth.Owner.Email != "" {

47
management/server/idp/embedded.go
View File

@@ -53,6 +53,12 @@ type EmbeddedIdPConfig struct {
LocalAuthDisabled bool LocalAuthDisabled bool
// EnableMFA will enforce TOTP multi factor authentication for local users // EnableMFA will enforce TOTP multi factor authentication for local users
EnableMFA bool EnableMFA bool
// Dashboard Post logout redirect URIs, these are required to tell
// Dex what to allow when an RP-Initiated logout is started by the frontend
// at least one of these must match the dashboard base URL or the dashboard
// DASHBOARD_POST_LOGOUT_URL environment variable
// WARNING: Dex only uses exact match, not wildcards
DashboardPostLogoutRedirectURIs []string
// StaticConnectors are additional connectors to seed during initialization // StaticConnectors are additional connectors to seed during initialization
StaticConnectors []dex.Connector StaticConnectors []dex.Connector
} }
@@ -127,10 +133,14 @@ func (c *EmbeddedIdPConfig) ToYAMLConfig() (*dex.YAMLConfig, error) {
// Build dashboard redirect URIs including the OAuth callback for proxy authentication // Build dashboard redirect URIs including the OAuth callback for proxy authentication
dashboardRedirectURIs := c.DashboardRedirectURIs dashboardRedirectURIs := c.DashboardRedirectURIs
baseURL := strings.TrimSuffix(c.Issuer, "/oauth2") baseURL := strings.TrimSuffix(c.Issuer, "/oauth2")
logoutURL := strings.TrimRight(baseURL, "/") + "/"
// todo: resolve import cycle // todo: resolve import cycle
dashboardRedirectURIs = append(dashboardRedirectURIs, baseURL+"/api/reverse-proxy/callback") dashboardRedirectURIs = append(dashboardRedirectURIs, baseURL+"/api/reverse-proxy/callback")
dashboardPostLogoutRedirectURIs := c.DashboardPostLogoutRedirectURIs
// It is safe to assume that most installations will share the location of the
// MGMT api and the dashboard, adding baseURL means less configuration for the instance admin
dashboardPostLogoutRedirectURIs = append(dashboardPostLogoutRedirectURIs, baseURL)
cfg := &dex.YAMLConfig{ cfg := &dex.YAMLConfig{
Issuer: c.Issuer, Issuer: c.Issuer,
Storage: dex.Storage{ Storage: dex.Storage{
@@ -153,24 +163,17 @@ func (c *EmbeddedIdPConfig) ToYAMLConfig() (*dex.YAMLConfig, error) {
EnablePasswordDB: true, EnablePasswordDB: true,
StaticClients: []storage.Client{ StaticClients: []storage.Client{
{ {
ID: staticClientDashboard, ID: staticClientDashboard,
Name: "NetBird Dashboard", Name: "NetBird Dashboard",
Public: true, Public: true,
RedirectURIs: dashboardRedirectURIs, RedirectURIs: dashboardRedirectURIs,
PostLogoutRedirectURIs: []string{ PostLogoutRedirectURIs: sanitizePostLogoutRedirectURIs(dashboardPostLogoutRedirectURIs),
c.Issuer,
logoutURL,
},
}, },
{ {
ID: staticClientCLI, ID: staticClientCLI,
Name: "NetBird CLI", Name: "NetBird CLI",
Public: true, Public: true,
RedirectURIs: cliRedirectURIs, RedirectURIs: cliRedirectURIs,
PostLogoutRedirectURIs: []string{
c.Issuer,
logoutURL,
},
}, },
}, },
StaticConnectors: c.StaticConnectors, StaticConnectors: c.StaticConnectors,
@@ -201,6 +204,24 @@ func (c *EmbeddedIdPConfig) ToYAMLConfig() (*dex.YAMLConfig, error) {
return cfg, nil return cfg, nil
} }
// Due to how the frontend generates the logout, sometimes it appends a trailing slash
// and because Dex only allows exact matches, we need to make sure we always have both
// versions of each provided uri
func sanitizePostLogoutRedirectURIs(uris []string) []string {
result := make([]string, 0)
for _, uri := range uris {
if strings.HasSuffix(uri, "/") {
result = append(result, uri)
result = append(result, strings.TrimSuffix(uri, "/"))
} else {
result = append(result, uri)
result = append(result, uri+"/")
}
}
return result
}
func configureMFA(cfg *dex.YAMLConfig) error { func configureMFA(cfg *dex.YAMLConfig) error {
totpConfig := dex.TOTPConfig{ totpConfig := dex.TOTPConfig{
Issuer: "NetBird", Issuer: "NetBird",