Support new properties for OIDC auth (#426)

This PR updates infrastructure_scripts to support
self-hosted setup with a generic OIDC provider.

infrastructure_files/base.setup.env

@@ -29,9 +29,12 @@ LETSENCRYPT_VOLUMESUFFIX="letsencrypt"
 
 # exports
 export NETBIRD_DOMAIN
-export NETBIRD_AUTH0_DOMAIN
-export NETBIRD_AUTH0_CLIENT_ID
-export NETBIRD_AUTH0_AUDIENCE
+export NETBIRD_AUTH_CLIENT_ID
+export NETBIRD_AUTH_AUDIENCE
+export NETBIRD_AUTH_AUTHORITY
+export NETBIRD_USE_AUTH0
+export NETBIRD_AUTH_SUPPORTED_SCOPES
+export NETBIRD_AUTH_JWT_CERTS
 export NETBIRD_LETSENCRYPT_EMAIL
 export NETBIRD_MGMT_API_PORT
 export NETBIRD_MGMT_API_ENDPOINT

infrastructure_files/configure.sh

@@ -63,6 +63,21 @@ export MGMT_VOLUMENAME
 export SIGNAL_VOLUMENAME
 export LETSENCRYPT_VOLUMENAME
 
+#backwards compatibility after migrating to generic OIDC
+if [[ -z "${NETBIRD_AUTH_AUTHORITY}" ]]; then
+    echo "It seems like you provided an old setup.env file."
+    echo "Since the release of v0.8.8, we introduced a new set of properties."
+    echo "The script is backward compatible and will continue automatically."
+    echo "In the future versions it will be deprecated. Please refer to the documentation to learn about the changes http://netbird.io/docs/getting-started/self-hosting"
+
+    export NETBIRD_AUTH_AUTHORITY="https://${NETBIRD_AUTH0_DOMAIN}/"
+    export NETBIRD_AUTH_CLIENT_ID=${NETBIRD_AUTH0_CLIENT_ID}
+    export NETBIRD_USE_AUTH0="true"
+    export NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email api offline_access email_verified"
+    export NETBIRD_AUTH_AUDIENCE=${NETBIRD_AUTH0_AUDIENCE}
+    export NETBIRD_AUTH_JWT_CERTS="https://${NETBIRD_AUTH0_DOMAIN}/.well-known/jwks.json"
+fi
+
 envsubst < docker-compose.yml.tmpl > docker-compose.yml
 envsubst < management.json.tmpl > management.json
 envsubst < turnserver.conf.tmpl > turnserver.conf

infrastructure_files/docker-compose.yml.tmpl

@@ -8,9 +8,11 @@ services:
       - 80:80
       - 443:443
     environment:
-      - AUTH0_DOMAIN=$NETBIRD_AUTH0_DOMAIN
-      - AUTH0_CLIENT_ID=$NETBIRD_AUTH0_CLIENT_ID
-      - AUTH0_AUDIENCE=$NETBIRD_AUTH0_AUDIENCE
+      - AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
+      - AUTH_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
+      - AUTH_AUTHORITY=$NETBIRD_AUTH_AUTHORITY
+      - USE_AUTH0=$NETBIRD_USE_AUTH0
+      - AUTH_SUPPORTED_SCOPES=$NETBIRD_AUTH_SUPPORTED_SCOPES
       - NETBIRD_MGMT_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
       - NETBIRD_MGMT_GRPC_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
       - NGINX_SSL_PORT=443

infrastructure_files/management.json.tmpl

@@ -29,9 +29,9 @@
     "Datadir": "",
     "HttpConfig": {
         "Address": "0.0.0.0:$NETBIRD_MGMT_API_PORT",
-        "AuthIssuer": "https://$NETBIRD_AUTH0_DOMAIN/",
-        "AuthAudience": "$NETBIRD_AUTH0_AUDIENCE",
-        "AuthKeysLocation": "https://$NETBIRD_AUTH0_DOMAIN/.well-known/jwks.json",
+        "AuthIssuer": "$NETBIRD_AUTH_AUTHORITY",
+        "AuthAudience": "$NETBIRD_AUTH_AUDIENCE",
+        "AuthKeysLocation": "$NETBIRD_AUTH_JWT_CERTS",
         "CertFile":"$NETBIRD_MGMT_API_CERT_FILE",
         "CertKey":"$NETBIRD_MGMT_API_CERT_KEY_FILE"
     },

infrastructure_files/setup.env.example

@@ -1,16 +1,17 @@
 ## example file, you can copy this file to setup.env and update its values
 ##
-# Dashboard domain and auth0 configuration
-
 # Dashboard domain. e.g. app.mydomain.com
 NETBIRD_DOMAIN=""
-# e.g. dev-24vkclam.us.auth0.com
-NETBIRD_AUTH0_DOMAIN=""
-# e.g. 61u3JMXRO0oOevc7gCkZLCwePQvT4lL0
-NETBIRD_AUTH0_CLIENT_ID=""
-# e.g. https://app.mydomain.com/ or https://app.mydomain.com,
-# Make sure you used the exact same value for Identifier
-# you used when creating your Auth0 API
-NETBIRD_AUTH0_AUDIENCE=""
+# e.g. https://dev-24vkclam.us.auth0.com/ or https://YOUR-KEYCLOAK-HOST:8080/realms/netbird
+NETBIRD_AUTH_AUTHORITY=""
+# e.g. netbird-client
+NETBIRD_AUTH_CLIENT_ID=""
+# indicates whether to use Auth0 or not: true or false
+NETBIRD_USE_AUTH0="false"
+# a list of scopes supported e.g. `openid profile email offline_access api` for keycloak or `openid profile email offline_access api email_verified` for Auth0
+NETBIRD_AUTH_SUPPORTED_SCOPES=""
+NETBIRD_AUTH_AUDIENCE=""
+# URL of the JWT certificates e.g. https://dev-24vkclam.us.auth0.com/.well-known/jwks.json
+NETBIRD_AUTH_JWT_CERTS=""
 # e.g. hello@mydomain.com
 NETBIRD_LETSENCRYPT_EMAIL=""

infrastructure_files/tests/setup.env

@@ -1,16 +1,17 @@
 ## example file, you can copy this file to setup.env and update its values
 ##
-# Dashboard domain and auth0 configuration
-
 # Dashboard domain. e.g. app.mydomain.com
 NETBIRD_DOMAIN="localhost"
-# e.g. dev-24vkclam.us.auth0.com
-NETBIRD_AUTH0_DOMAIN=$CI_NETBIRD_AUTH0_DOMAIN
-# e.g. 61u3JMXRO0oOevc7gCkZLCwePQvT4lL0
-NETBIRD_AUTH0_CLIENT_ID=$CI_NETBIRD_AUTH0_CLIENT_ID
-# e.g. https://app.mydomain.com/ or https://app.mydomain.com,
-# Make sure you used the exact same value for Identifier
-# you used when creating your Auth0 API
-NETBIRD_AUTH0_AUDIENCE=$CI_NETBIRD_AUTH0_AUDIENCE
+# e.g. https://dev-24vkclam.us.auth0.com/ or https://YOUR-KEYCLOAK-HOST:8080/realms/netbird
+NETBIRD_AUTH_AUTHORITY=$CI_NETBIRD_AUTH_AUTHORITY
+# e.g. netbird-client
+NETBIRD_AUTH_CLIENT_ID=$CI_NETBIRD_AUTH_CLIENT_ID
+# indicates whether to use Auth0 or not: true or false
+NETBIRD_USE_AUTH0=$CI_NETBIRD_USE_AUTH0
+# a list of scopes supported e.g. `openid profile email offline_access api` for keycloak or `openid profile email offline_access api email_verified` for Auth0
+NETBIRD_AUTH_SUPPORTED_SCOPES=$CI_NETBIRD_AUTH_SUPPORTED_SCOPES
+NETBIRD_AUTH_AUDIENCE=$CI_NETBIRD_AUTH_AUDIENCE
+# URL of the JWT certificates e.g. https://dev-24vkclam.us.auth0.com/.well-known/jwks.json
+NETBIRD_AUTH_JWT_CERTS=$CI_NETBIRD_AUTH_JWT_CERTS
 # e.g. hello@mydomain.com
 NETBIRD_LETSENCRYPT_EMAIL=""