diff --git a/combined/config.yaml.example b/combined/config.yaml.example
index dce658d89..3c479bcf6 100644
--- a/combined/config.yaml.example
+++ b/combined/config.yaml.example
@@ -86,6 +86,9 @@ server:
 issuer: "https://example.com/oauth2"
 localAuthDisabled: false
 signKeyRefreshEnabled: false
+ # MFA session settings (applies when TOTP is enabled for an account)
+ # mfaSessionMaxLifetime: "24h" # Max duration for an MFA session from creation
+ # mfaSessionIdleTimeout: "1h" # MFA session expires after this idle period
 # OAuth2 redirect URIs for dashboard
 dashboardRedirectURIs:
 - "https://app.example.com/nb-auth"
@@ -93,6 +96,9 @@ server:
 # OAuth2 redirect URIs for CLI
 cliRedirectURIs:
 - "http://localhost:53000/"
+ # OAuth2 post-logout redirect URIs for dashboard (RP-initiated logout)
+ # dashboardPostLogoutRedirectURIs:
+ # - "https://app.example.com/"
 # Optional initial admin user
 # owner:
 # email: "admin@example.com"
diff --git a/idp/dex/config.go b/idp/dex/config.go
index 988c6a8c6..9e03f259e 100644
--- a/idp/dex/config.go
+++ b/idp/dex/config.go
@@ -83,9 +83,9 @@ type MFAConfig struct {
 }
 type MFAAuthenticator struct {
- ID string `yaml:"id" json:"id"`
- Type string `yaml:"type" json:"type"`
- Config json.RawMessage `yaml:"config" json:"config"`
+ ID string `yaml:"id" json:"id"`
+ Type string `yaml:"type" json:"type"`
+ Config map[string]interface{} `yaml:"config" json:"config"`
 ConnectorTypes []string `yaml:"connectorTypes" json:"connectorTypes"`
 }
@@ -495,8 +495,13 @@ func (c *YAMLConfig) Validate() error {
 }
 func buildTotpConfig(auth MFAAuthenticator) (*server.TOTPProvider, error) {
+ data, err := json.Marshal(auth.Config)
+ if err != nil {
+ return nil, fmt.Errorf("failed to marshal TOTP config id: %s - %w", auth.ID, err)
+ }
+
 var cfg TOTPConfig
- if err := json.Unmarshal(auth.Config, &cfg); err != nil {
+ if err := json.Unmarshal(data, &cfg); err != nil {
 return nil, fmt.Errorf("failed to parse TOTP config id: %s - %w", auth.ID, err)
 }
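Review bot: The new `Config map[string]interface{}` field on the exported MFAAuthenticator struct carries no doc comment, so a reader sees an untyped map with no hint of what keys are valid or how it is consumed. Since buildTotpConfig and buildWebAuthnConfig re-encode it to JSON and decode into TOTPConfig / WebAuthnConfig, I would add `// Config holds the authenticator-specific settings as decoded from YAML; it is round-tripped through JSON into TOTPConfig or WebAuthnConfig, so keys must match those types' json tags.` above the field. As a style point, if the module's go.mod already targets Go 1.18 or later, `map[string]any` reads better than `map[string]interface{}`; I cannot confirm the Go version from this diff.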
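Review bot: `json.Marshal(auth.Config)` in buildTotpConfig will fail at config load for any authenticator config containing a nested mapping if YAMLConfig is decoded with gopkg.in/yaml.v2, because yaml.v2 decodes inner mappings into `map[interface{}]interface{}`, which encoding/json rejects as an unsupported type; yaml.v3 yields `map[string]interface{}` and is fine. Which decoder is in use is not visible in this diff, so please confirm, or normalise nested keys to strings before marshalling. The same marshal-then-unmarshal path is added to buildWebAuthnConfig in the next hunk and has the same exposure. Separately, `json.Unmarshal` silently ignores unknown keys, so a misspelt option leaves the target field at its zero value; decoding via `json.NewDecoder(bytes.NewReader(data))` with `DisallowUnknownFields()` would reject such a misconfiguration at startup instead. buildTotpConfig's body continues outside this hunk.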
@@ -504,8 +509,13 @@ func buildTotpConfig(auth MFAAuthenticator) (*server.TOTPProvider, error) {
 }
 func buildWebAuthnConfig(auth MFAAuthenticator, issuerURL string) (*server.WebAuthnProvider, error) {
+ data, err := json.Marshal(auth.Config)
+ if err != nil {
+ return nil, fmt.Errorf("failed to marshal WebAuthn config id: %s - %w", auth.ID, err)
+ }
+
 var cfg WebAuthnConfig
- if err := json.Unmarshal(auth.Config, &cfg); err != nil {
+ if err := json.Unmarshal(data, &cfg); err != nil {
 return nil, fmt.Errorf("failed to parse WebAuthn config id: %s - %w", auth.ID, err)
 }
diff --git a/management/server/idp/embedded.go b/management/server/idp/embedded.go
index 905fee3f3..7194bc363 100644
--- a/management/server/idp/embedded.go
+++ b/management/server/idp/embedded.go
@@ -2,7 +2,6 @@ package idp
 import (
 "context"
- "encoding/json"
 "errors"
 "fmt"
 "net/http"
@@ -227,20 +226,13 @@ func sanitizePostLogoutRedirectURIs(uris []string) []string {
 }
 func configureMFA(cfg *dex.YAMLConfig, sessionMaxLifetime, sessionIdleTimeout string) error {
- totpConfig := dex.TOTPConfig{
- Issuer: "NetBird",
- }
-
- rawTotpConfig, err := json.Marshal(totpConfig)
- if err != nil {
- return fmt.Errorf("failed to marshal TOTP config: %v", err)
- }
-
 cfg.MFA.Authenticators = []dex.MFAAuthenticator{{
 ID: "default-totp",
 // Has to be caps otherwise it will fail
- Type: "TOTP",
- Config: rawTotpConfig,
+ Type: "TOTP",
+ Config: map[string]interface{}{
+ "issuer": "NetBird",
+ },
 ConnectorTypes: []string{"local"},
 }}