diff --git a/README.md b/README.md
index ebf108cdb..28b53d5b6 100644
--- a/README.md
+++ b/README.md
@@ -85,7 +85,7 @@ Follow the [Advanced guide with a custom identity provider](https://docs.netbird
 **Infrastructure requirements:**
 - A Linux VM with at least **1CPU** and **2GB** of memory.
-- The VM should be publicly accessible on TCP ports **80** and **443** and UDP ports: **3478**, **49152-65535**.
+- The VM should be publicly accessible on TCP ports **80** and **443** and UDP port: **3478**.
 - **Public domain** name pointing to the VM.
 **Software requirements:**
@@ -98,7 +98,7 @@ Follow the [Advanced guide with a custom identity provider](https://docs.netbird
 **Steps**
 - Download and run the installation script:
 ```bash
-export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started-with-zitadel.sh | bash
+export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started.sh | bash
 ```
 - Once finished, you can manage the resources via `docker-compose`
diff --git a/management/cmd/management.go b/management/cmd/management.go
index 81a154510..557cf45f8 100644
--- a/management/cmd/management.go
+++ b/management/cmd/management.go
@@ -215,6 +215,11 @@ func applyEmbeddedIdPConfig(cfg *nbconfig.Config) error {
 		cfg.HttpConfig.AuthAudience = "netbird-dashboard"
 	}
+	// Set CLIAuthAudience to the client app client ID
+	if cfg.HttpConfig.CLIAuthAudience == "" {
+		cfg.HttpConfig.CLIAuthAudience = "netbird-cli"
+	}
 	// Set AuthUserIDClaim to "sub" (standard OIDC claim)
 	if cfg.HttpConfig.AuthUserIDClaim == "" {
 		cfg.HttpConfig.AuthUserIDClaim = "sub"
diff --git a/management/internals/server/config/config.go b/management/internals/server/config/config.go
index 0ffc43044..7b8783943 100644
--- a/management/internals/server/config/config.go
+++ b/management/internals/server/config/config.go
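Review bot: The new default `cfg.HttpConfig.CLIAuthAudience = "netbird-cli"` is a bare literal that has to stay in lockstep with the client ID the embedded IdP presumably registers for the CLI app somewhere else in the tree; if the two drift, agents will request tokens for an audience the IdP never issues and the failure only shows up at login time. I would lift it (and the sibling `"netbird-dashboard"` literal on the context line above) into named constants shared with the embedded IdP setup, e.g. `const embeddedIdPCLIClientID = "netbird-cli"`, and make the comment state the coupling: `// Must match the CLI client ID registered in the embedded IdP; agents request tokens with this aud.` applyEmbeddedIdPConfig starts and ends outside the hunk, so I cannot see whether it validates these values anywhere.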
@@ -102,6 +102,9 @@ type HttpServerConfig struct {
 	CertKey string
 	// AuthAudience identifies the recipients that the JWT is intended for (aud in JWT)
 	AuthAudience string
+	// CLIAuthAudience identifies the client app recipients that the JWT is intended for (aud in JWT)
+	// Used only in conjunction with EmbeddedIdP
+	CLIAuthAudience string
 	// AuthIssuer identifies principal that issued the JWT
 	AuthIssuer string
 	// AuthUserIDClaim is the name of the claim that used as user ID
diff --git a/management/internals/shared/grpc/conversion.go b/management/internals/shared/grpc/conversion.go
index f984c73df..455e6bd58 100644
--- a/management/internals/shared/grpc/conversion.go
+++ b/management/internals/shared/grpc/conversion.go
@@ -428,9 +428,13 @@ func buildJWTConfig(config *nbconfig.HttpServerConfig, deviceFlowConfig *nbconfi
 		keysLocation = strings.TrimSuffix(issuer, "/") + "/.well-known/jwks.json"
 	}
+	audience := config.AuthAudience
+	if config.CLIAuthAudience != "" {
+		audience = config.CLIAuthAudience
+	}
 	return &proto.JWTConfig{
 		Issuer:       issuer,
-		Audience:     config.AuthAudience,
+		Audience:     audience,
 		KeysLocation: keysLocation,
 	}
 }
diff --git a/management/server/store/sql_store.go b/management/server/store/sql_store.go
index 3a9f8d188..f407a35e6 100644
--- a/management/server/store/sql_store.go
+++ b/management/server/store/sql_store.go
@@ -3029,8 +3029,9 @@ func (s *SqlStore) ExecuteInTransaction(ctx context.Context, operation func(stor
 func (s *SqlStore) withTx(tx *gorm.DB) Store {
 	return &SqlStore{
-		db:          tx,
-		storeEngine: s.storeEngine,
+		db:           tx,
+		storeEngine:  s.storeEngine,
+		fieldEncrypt: s.fieldEncrypt,
 	}
 }
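Review bot: The doc comment `// Used only in conjunction with EmbeddedIdP` on the new CLIAuthAudience field is narrower than how the field is actually consumed: the conversion.go hunk in this same commit substitutes it for AuthAudience whenever it is non-empty, with no check that the embedded IdP is enabled, so an operator who sets it alongside an external IdP also changes the audience advertised to clients. Either gate that override on the embedded IdP setting, or reword the comment to match the code, e.g. `// CLIAuthAudience, when set, replaces AuthAudience in the JWT config advertised to CLI clients (aud in JWT); the embedded IdP setup defaults it to the CLI client ID.` The HttpServerConfig struct starts and ends outside the hunk, so I cannot see whether it carries config-file tags that also need the new field.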
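Review bot: Switching the advertised `Audience` to `config.CLIAuthAudience` only changes what clients ask the IdP for; nothing in this commit shows the management server's own JWT validation accepting tokens whose `aud` is the CLI audience in addition to AuthAudience. If the validator still checks only AuthAudience, CLI logins against the embedded IdP will be rejected with the very token this config told them to obtain; if it was widened to accept both, it is worth confirming that dashboard-audience tokens are not thereby accepted on paths meant for CLI tokens, since audience is the only thing separating the two client apps. A why-comment at the override would also help the next reader: `// CLI clients authenticate through their own IdP client app; advertise its audience so the token they obtain carries an aud the server validates.` buildJWTConfig starts outside the hunk, so the issuer and keysLocation derivation is not visible here.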
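Review bot: The fix propagates `fieldEncrypt` into the transactional store, but the struct literal in `withTx` still enumerates fields by hand, which is exactly how this one was dropped: any field added to SqlStore later will again be silently zero inside ExecuteInTransaction. Unless SqlStore holds something that must not be copied (a mutex or similar; the struct definition is outside the hunk), copying the receiver avoids the recurrence: `clone := *s`, `clone.db = tx`, `return &clone`. Before this change, transactional operations presumably ran with a nil fieldEncrypt, so encrypted fields may have been read or written without the encryptor inside transactions; a regression test that touches an encrypted field through ExecuteInTransaction would pin the fix and make the next omission fail loudly.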