From f14f34cf2bc6041030372c817dc797207edc7006 Mon Sep 17 00:00:00 2001
From: Maycon Santos
Date: Tue, 4 Apr 2023 15:56:02 +0200
Subject: [PATCH] Add token source and device flow audience variables (#780)

Supporting new dashboard option to configure a source token. Adding configuration support for setting a different audience for device authorization flow. fix custom id claim variable
---
 .github/workflows/test-docker-compose-linux.yml | 8 ++++++++
 infrastructure_files/base.setup.env | 5 +++++
 infrastructure_files/docker-compose.yml.tmpl | 3 ++-
 infrastructure_files/management.json.tmpl | 2 +-
 infrastructure_files/setup.env.example | 7 ++++++-
 infrastructure_files/tests/setup.env | 6 +++++-
 6 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/test-docker-compose-linux.yml b/.github/workflows/test-docker-compose-linux.yml
index d681dd89c..c28e94a4f 100644
--- a/.github/workflows/test-docker-compose-linux.yml
+++ b/.github/workflows/test-docker-compose-linux.yml
@@ -59,6 +59,10 @@ jobs:
 CI_NETBIRD_AUTH_TOKEN_ENDPOINT: https://example.eu.auth0.com/oauth/token
 CI_NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT: https://example.eu.auth0.com/oauth/device/code
 CI_NETBIRD_AUTH_REDIRECT_URI: "/peers"
+ CI_NETBIRD_TOKEN_SOURCE: "idToken"
+ CI_NETBIRD_AUTH_USER_ID_CLAIM: "email"
+ CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE: "super"
+
 run: |
 grep AUTH_CLIENT_ID docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_ID
 grep AUTH_AUTHORITY docker-compose.yml | grep $CI_NETBIRD_AUTH_AUTHORITY
@@ -68,6 +72,10 @@ jobs:
 grep NETBIRD_MGMT_API_ENDPOINT docker-compose.yml | grep "$CI_NETBIRD_DOMAIN:33073"
 grep AUTH_REDIRECT_URI docker-compose.yml | grep $CI_NETBIRD_AUTH_REDIRECT_URI
 grep AUTH_SILENT_REDIRECT_URI docker-compose.yml | egrep 'AUTH_SILENT_REDIRECT_URI=$'
+ grep LETSENCRYPT_DOMAIN docker-compose.yml | egrep 'LETSENCRYPT_DOMAIN=$'
+ grep NETBIRD_TOKEN_SOURCE docker-compose.yml | grep $CI_NETBIRD_TOKEN_SOURCE
+ grep AuthUserIDClaim management.json | grep $CI_NETBIRD_AUTH_USER_ID_CLAIM
+ grep -A 1 ProviderConfig management.json | grep Audience | grep $CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE
 - name: run docker compose up
 working-directory: infrastructure_files
diff --git a/infrastructure_files/base.setup.env b/infrastructure_files/base.setup.env
index e62b02a08..521c0d332 100644
--- a/infrastructure_files/base.setup.env
+++ b/infrastructure_files/base.setup.env
@@ -36,6 +36,8 @@ LETSENCRYPT_VOLUMESUFFIX="letsencrypt"
 NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
 NETBIRD_DISABLE_ANONYMOUS_METRICS=${NETBIRD_DISABLE_ANONYMOUS_METRICS:-false}
+NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=${NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE:-$NETBIRD_AUTH_AUDIENCE}
+NETBIRD_TOKEN_SOURCE=${NETBIRD_TOKEN_SOURCE:-accessToken}
 # exports
 export NETBIRD_DOMAIN
@@ -68,3 +70,6 @@ export NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN
 export NETBIRD_MGMT_DNS_DOMAIN
 export NETBIRD_SIGNAL_PROTOCOL
 export NETBIRD_SIGNAL_PORT
+export NETBIRD_AUTH_USER_ID_CLAIM
+export NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE
+export NETBIRD_TOKEN_SOURCE
\ No newline at end of file
diff --git a/infrastructure_files/docker-compose.yml.tmpl b/infrastructure_files/docker-compose.yml.tmpl
index c8febdea7..af7f1af00 100644
--- a/infrastructure_files/docker-compose.yml.tmpl
+++ b/infrastructure_files/docker-compose.yml.tmpl
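Review bot: The three new grep checks expand `$CI_NETBIRD_TOKEN_SOURCE`, `$CI_NETBIRD_AUTH_USER_ID_CLAIM` and `$CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE` unquoted and as regular expressions, and the CI values they carry (`idToken`, `email`, `super`) are short enough to match as substrings of unrelated lines, so `grep -F -- "$CI_NETBIRD_TOKEN_SOURCE"` (and likewise for the other two) would make the assertions mean what they say. The audience check additionally depends on `Audience` being exactly the line after `ProviderConfig` in management.json, which a harmless reorder of the template would silently break; asserting the rendered pair directly, `grep -F -- "\"Audience\": \"$CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE\"" management.json`, removes that coupling. Because base.setup.env falls back to `NETBIRD_AUTH_AUDIENCE`, this check only proves the override works if the CI audience differs from `CI_NETBIRD_AUTH_AUDIENCE`, which is defined outside this hunk. The enclosing `run:` block starts outside the hunk.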
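Review bot: `NETBIRD_TOKEN_SOURCE=${NETBIRD_TOKEN_SOURCE:-accessToken}` accepts any string, while the only values this commit documents are `accessToken` and `idToken`; a typo here is only discovered when dashboard login fails, so a guard next to the default such as `case "$NETBIRD_TOKEN_SOURCE" in accessToken|idToken) ;; *) echo "NETBIRD_TOKEN_SOURCE must be accessToken or idToken" >&2; exit 1 ;; esac` would fail the setup early. The fallback `${NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE:-$NETBIRD_AUTH_AUDIENCE}` is only correct if `NETBIRD_AUTH_AUDIENCE` has already been assigned when this line runs, which this hunk does not show; a comment `# must run after NETBIRD_AUTH_AUDIENCE is set` would record the ordering requirement. The second hunk of this file adds `export NETBIRD_AUTH_USER_ID_CLAIM` without any default appearing in this diff, so it is presumably exported empty unless set elsewhere in the file or in setup.env, and that hunk also leaves the file without a trailing newline.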
@@ -19,6 +19,7 @@ services:
 - AUTH_SUPPORTED_SCOPES=$NETBIRD_AUTH_SUPPORTED_SCOPES
 - AUTH_REDIRECT_URI=$NETBIRD_AUTH_REDIRECT_URI
 - AUTH_SILENT_REDIRECT_URI=$NETBIRD_AUTH_SILENT_REDIRECT_URI
+ - NETBIRD_TOKEN_SOURCE=$NETBIRD_TOKEN_SOURCE
 # SSL
 - NGINX_SSL_PORT=443
 # Letsencrypt
@@ -60,7 +61,7 @@ services:
 "--single-account-mode-domain=$NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN",
 "--dns-domain=$NETBIRD_MGMT_DNS_DOMAIN"
 ]
-
+
 # Coturn
 coturn:
 image: coturn/coturn
diff --git a/infrastructure_files/management.json.tmpl b/infrastructure_files/management.json.tmpl
index cb02c8f24..19dcff898 100644
--- a/infrastructure_files/management.json.tmpl
+++ b/infrastructure_files/management.json.tmpl
@@ -43,7 +43,7 @@
 "DeviceAuthorizationFlow": {
 "Provider": "$NETBIRD_AUTH_DEVICE_AUTH_PROVIDER",
 "ProviderConfig": {
- "Audience": "$NETBIRD_AUTH_AUDIENCE",
+ "Audience": "$NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE",
 "Domain": "$NETBIRD_AUTH0_DOMAIN",
 "ClientID": "$NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID",
 "TokenEndpoint": "$NETBIRD_AUTH_TOKEN_ENDPOINT",
diff --git a/infrastructure_files/setup.env.example b/infrastructure_files/setup.env.example
index 9703d3e4c..324174757 100644
--- a/infrastructure_files/setup.env.example
+++ b/infrastructure_files/setup.env.example
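Review bot: The new `NETBIRD_TOKEN_SOURCE` entry is the only dashboard variable in this list without the `AUTH_` prefix and carries no hint of its allowed values or of why it matters, yet it decides which token the dashboard presents to the management API, so a reader should be told it has to agree with what the management server validates. I would add above it `# NETBIRD_TOKEN_SOURCE: accessToken (default) or idToken; the token the dashboard sends to the management API, keep it consistent with the audience in management.json`. Whether the dashboard rejects other values is not visible in this diff.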
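Review bot: `Audience` is now taken from `NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE`, which the template itself cannot default, so a deployment that renders this file without going through base.setup.env (where the fallback to `NETBIRD_AUTH_AUDIENCE` lives) ends up with `"Audience": ""` for device-flow tokens; whether the server then rejects those tokens or skips the audience check is outside this diff and should not be assumed. Since JSON has no comments, the safer place for the guard is the rendering step, e.g. `: "${NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE:?set NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE or NETBIRD_AUTH_AUDIENCE}"` when `NETBIRD_AUTH_DEVICE_AUTH_PROVIDER` is not `none`. The surrounding `ProviderConfig` object continues outside the hunk.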
@@ -17,11 +17,16 @@ NETBIRD_AUTH_CLIENT_ID=""
 NETBIRD_USE_AUTH0="false"
 NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
 NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""
+# Some IDPs requires different audience for device authorization flow, you can customize here
+NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
 # if your IDP provider doesn't support fragmented URIs, configure custom
 # redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain.
 # NETBIRD_AUTH_REDIRECT_URI="/peers"
 # NETBIRD_AUTH_SILENT_REDIRECT_URI="/add-peers"
+# Updates the preference to use id tokens instead of access token on dashboard
+# Okta and Gitlab IDPs can benefit from this
+# NETBIRD_TOKEN_SOURCE="idToken"
 # -------------------------------------------
 # Letsencrypt
@@ -35,4 +40,4 @@ NETBIRD_LETSENCRYPT_EMAIL=""
 # Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
 NETBIRD_DISABLE_ANONYMOUS_METRICS=false
 # DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
-NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted
+NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted
\ No newline at end of file
diff --git a/infrastructure_files/tests/setup.env b/infrastructure_files/tests/setup.env
index cdb5e5c6b..09164a135 100644
--- a/infrastructure_files/tests/setup.env
+++ b/infrastructure_files/tests/setup.env
@@ -11,4 +11,8 @@ NETBIRD_USE_AUTH0=$CI_NETBIRD_USE_AUTH0
 NETBIRD_AUTH_AUDIENCE=$CI_NETBIRD_AUTH_AUDIENCE
 # e.g. hello@mydomain.com
 NETBIRD_LETSENCRYPT_EMAIL=""
-NETBIRD_AUTH_REDIRECT_URI="/peers"
\ No newline at end of file
+NETBIRD_AUTH_REDIRECT_URI="/peers"
+NETBIRD_DISABLE_LETSENCRYPT=true
+NETBIRD_TOKEN_SOURCE="idToken"
+NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="super"
+NETBIRD_AUTH_USER_ID_CLAIM="email"
\ No newline at end of file
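Review bot: `NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE` assigns unconditionally, unlike the `:-` fallback base.setup.env already provides, so it only yields a value if `NETBIRD_AUTH_AUDIENCE` is assigned earlier in this file (not visible in the hunk) and it overrides anything exported in the environment before setup.env is sourced. Shipping it commented out like the other optional entries, `# NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=""` preceded by `# defaults to NETBIRD_AUTH_AUDIENCE when unset`, would lean on the existing fallback instead. The new comment has a grammar slip, `Some IDPs requires` should be `Some IDPs require`, and the token-source comment would be more useful if it also named the default, e.g. `# defaults to accessToken`.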
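Review bot: The three new values are hard-coded literals while the neighbouring entries read from the workflow's `CI_*` variables, e.g. `NETBIRD_AUTH_AUDIENCE=$CI_NETBIRD_AUTH_AUDIENCE`, and the workflow defines `CI_NETBIRD_TOKEN_SOURCE`, `CI_NETBIRD_AUTH_USER_ID_CLAIM` and `CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE` with the same literals, so the two files must now be kept in sync by hand or the grep checks fail for the wrong reason; `NETBIRD_TOKEN_SOURCE=$CI_NETBIRD_TOKEN_SOURCE`, `NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE` and `NETBIRD_AUTH_USER_ID_CLAIM=$CI_NETBIRD_AUTH_USER_ID_CLAIM` would follow the file's existing pattern. `NETBIRD_DISABLE_LETSENCRYPT=true` is not mentioned in the commit message and appears to exist only so the workflow's new `LETSENCRYPT_DOMAIN=$` check passes, which a comment such as `# no certificate issuance in CI; the workflow asserts LETSENCRYPT_DOMAIN renders empty` would make explicit. The file still ends without a trailing newline on both sides of the diff.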