Update scripts for the self-hosted Oauth 2.0 Device Auth Grant support (#439)

Support Oauth 2.0 Device Auth Grant in the self-hosted scripts.
2026-05-03 23:56:38 +00:00 · 2022-08-24 14:37:18 +02:00
parent 3def84b111
commit e8733a37af
9 changed files with 93 additions and 33 deletions
--- a/infrastructure_files/base.setup.env
+++ b/infrastructure_files/base.setup.env
@@ -27,6 +27,8 @@ MGMT_VOLUMESUFFIX="mgmt"
 SIGNAL_VOLUMESUFFIX="signal"
 LETSENCRYPT_VOLUMESUFFIX="letsencrypt"

+NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
+
 # exports
 export NETBIRD_DOMAIN
 export NETBIRD_AUTH_CLIENT_ID
@@ -40,6 +42,9 @@ export NETBIRD_MGMT_API_PORT
 export NETBIRD_MGMT_API_ENDPOINT
 export NETBIRD_MGMT_API_CERT_FILE
 export NETBIRD_MGMT_API_CERT_KEY_FILE
+export NETBIRD_AUTH_DEVICE_AUTH_PROVIDER
+export NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID
+export NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT
 export TURN_USER
 export TURN_PASSWORD
 export TURN_MIN_PORT
--- a/infrastructure_files/configure.sh
+++ b/infrastructure_files/configure.sh
@@ -1,5 +1,21 @@
 #!/bin/bash

+if ! which curl > /dev/null 2>&1
+then
+    echo "This script uses curl fetch OpenID configuration from IDP."
+    echo "Please install curl and re-run the script https://curl.se/"
+    echo ""
+    exit 1
+fi
+
+if ! which jq > /dev/null 2>&1
+then
+    echo "This script uses jq to load OpenID configuration from IDP."
+    echo "Please install jq and re-run the script https://stedolan.github.io/jq/"
+    echo ""
+    exit 1
+fi
+
 source setup.env
 source base.setup.env

@@ -63,21 +79,49 @@ export MGMT_VOLUMENAME
 export SIGNAL_VOLUMENAME
 export LETSENCRYPT_VOLUMENAME

-#backwards compatibility after migrating to generic OIDC
-if [[ -z "${NETBIRD_AUTH_AUTHORITY}" ]]; then
+#backwards compatibility after migrating to generic OIDC with Auth0
+if [[ -z "${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT}" ]]; then
+
+    if [[ -z "${NETBIRD_AUTH0_DOMAIN}" ]]; then
+       # not a backward compatible state
+       echo "NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT property must be set in the setup.env file"
+       exit 1
+    fi
+
    echo "It seems like you provided an old setup.env file."
-    echo "Since the release of v0.8.8, we introduced a new set of properties."
+    echo "Since the release of v0.8.10, we introduced a new set of properties."
    echo "The script is backward compatible and will continue automatically."
    echo "In the future versions it will be deprecated. Please refer to the documentation to learn about the changes http://netbird.io/docs/getting-started/self-hosting"

-    export NETBIRD_AUTH_AUTHORITY="https://${NETBIRD_AUTH0_DOMAIN}/"
-    export NETBIRD_AUTH_CLIENT_ID=${NETBIRD_AUTH0_CLIENT_ID}
+    export NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://${NETBIRD_AUTH0_DOMAIN}/.well-known/openid-configuration"
    export NETBIRD_USE_AUTH0="true"
-    export NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email api offline_access email_verified"
    export NETBIRD_AUTH_AUDIENCE=${NETBIRD_AUTH0_AUDIENCE}
-    export NETBIRD_AUTH_JWT_CERTS="https://${NETBIRD_AUTH0_DOMAIN}/.well-known/jwks.json"
+    export NETBIRD_AUTH_CLIENT_ID=${NETBIRD_AUTH0_CLIENT_ID}
 fi

+echo "loading OpenID configuration from ${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT} to the openid-configuration.json file"
+curl "${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT}" -q -o openid-configuration.json
+
+export NETBIRD_AUTH_AUTHORITY=$( jq -r  '.issuer' openid-configuration.json )
+export NETBIRD_AUTH_JWT_CERTS=$( jq -r  '.jwks_uri' openid-configuration.json )
+export NETBIRD_AUTH_SUPPORTED_SCOPES=$( jq -r '.scopes_supported | join(" ")' openid-configuration.json )
+export NETBIRD_AUTH_TOKEN_ENDPOINT=$( jq -r  '.token_endpoint' openid-configuration.json )
+export NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT=$( jq -r  '.device_authorization_endpoint' openid-configuration.json )
+
+if [ $NETBIRD_USE_AUTH0 == "true" ]
+then
+    export NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api email_verified"
+else
+    export NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
+fi
+
+if [[ ! -z "${NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID}" ]]; then
+    # user enabled Device Authorization Grant feature
+    export NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="hosted"
+fi
+
+env | grep NETBIRD
+
 envsubst < docker-compose.yml.tmpl > docker-compose.yml
 envsubst < management.json.tmpl > management.json
 envsubst < turnserver.conf.tmpl > turnserver.conf
--- a/infrastructure_files/management.json.tmpl
+++ b/infrastructure_files/management.json.tmpl
@@ -33,9 +33,20 @@
        "AuthAudience": "$NETBIRD_AUTH_AUDIENCE",
        "AuthKeysLocation": "$NETBIRD_AUTH_JWT_CERTS",
        "CertFile":"$NETBIRD_MGMT_API_CERT_FILE",
-        "CertKey":"$NETBIRD_MGMT_API_CERT_KEY_FILE"
+        "CertKey":"$NETBIRD_MGMT_API_CERT_KEY_FILE",
+        "OIDCConfigEndpoint":"$NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT"
    },
    "IdpManagerConfig": {
        "Manager": "none"
-     }
+     },
+    "DeviceAuthorizationFlow": {
+        "Provider": "$NETBIRD_AUTH_DEVICE_AUTH_PROVIDER",
+        "ProviderConfig": {
+          "Audience": "$NETBIRD_AUTH_AUDIENCE",
+          "Domain": "$NETBIRD_AUTH0_DOMAIN",
+          "ClientID": "$NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID",
+          "TokenEndpoint": "$NETBIRD_AUTH_TOKEN_ENDPOINT",
+          "DeviceAuthEndpoint": "$NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT"
+         }
+    }
 }
--- a/infrastructure_files/setup.env.example
+++ b/infrastructure_files/setup.env.example
@@ -2,16 +2,14 @@
 ##
 # Dashboard domain. e.g. app.mydomain.com
 NETBIRD_DOMAIN=""
-# e.g. https://dev-24vkclam.us.auth0.com/ or https://YOUR-KEYCLOAK-HOST:8080/realms/netbird
-NETBIRD_AUTH_AUTHORITY=""
+# OIDC configuration e.g., https://example.eu.auth0.com/.well-known/openid-configuration
+NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT=""
+NETBIRD_AUTH_AUDIENCE=""
 # e.g. netbird-client
 NETBIRD_AUTH_CLIENT_ID=""
 # indicates whether to use Auth0 or not: true or false
 NETBIRD_USE_AUTH0="false"
-# a list of scopes supported e.g. `openid profile email offline_access api` for keycloak or `openid profile email offline_access api email_verified` for Auth0
-NETBIRD_AUTH_SUPPORTED_SCOPES=""
-NETBIRD_AUTH_AUDIENCE=""
-# URL of the JWT certificates e.g. https://dev-24vkclam.us.auth0.com/.well-known/jwks.json
-NETBIRD_AUTH_JWT_CERTS=""
+NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
+NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""
 # e.g. hello@mydomain.com
 NETBIRD_LETSENCRYPT_EMAIL=""
--- a/infrastructure_files/tests/setup.env
+++ b/infrastructure_files/tests/setup.env
@@ -3,15 +3,11 @@
 # Dashboard domain. e.g. app.mydomain.com
 NETBIRD_DOMAIN="localhost"
 # e.g. https://dev-24vkclam.us.auth0.com/ or https://YOUR-KEYCLOAK-HOST:8080/realms/netbird
-NETBIRD_AUTH_AUTHORITY=$CI_NETBIRD_AUTH_AUTHORITY
+NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://example.eu.auth0.com/.well-known/openid-configuration"
 # e.g. netbird-client
 NETBIRD_AUTH_CLIENT_ID=$CI_NETBIRD_AUTH_CLIENT_ID
 # indicates whether to use Auth0 or not: true or false
 NETBIRD_USE_AUTH0=$CI_NETBIRD_USE_AUTH0
-# a list of scopes supported e.g. `openid profile email offline_access api` for keycloak or `openid profile email offline_access api email_verified` for Auth0
-NETBIRD_AUTH_SUPPORTED_SCOPES=$CI_NETBIRD_AUTH_SUPPORTED_SCOPES
 NETBIRD_AUTH_AUDIENCE=$CI_NETBIRD_AUTH_AUDIENCE
-# URL of the JWT certificates e.g. https://dev-24vkclam.us.auth0.com/.well-known/jwks.json
-NETBIRD_AUTH_JWT_CERTS=$CI_NETBIRD_AUTH_JWT_CERTS
 # e.g. hello@mydomain.com
 NETBIRD_LETSENCRYPT_EMAIL=""