sendnrw/netbird
2
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2026-04-18 16:26:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

Feature/resolve local jwks keys (#5073)

Browse Source
This commit is contained in:
Misha Bragin
2026-01-09 09:41:27 -05:00
committed by GitHub
parent 684fc0d2a2
commit f7967f9ae3
6 changed files with 217 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
management/server/idp/embedded.go
View File

@@ -5,6 +5,7 @@ import (
"errors"
"fmt"
"net/http"
"strings"
"github.com/dexidp/dex/storage"
"github.com/google/uuid"
@@ -27,8 +28,11 @@ const (
type EmbeddedIdPConfig struct {
// Enabled indicates whether the embedded IDP is enabled
Enabled bool
// Issuer is the OIDC issuer URL (e.g., "http://localhost:3002/oauth2")
// Issuer is the OIDC issuer URL (e.g., "https://management.netbird.io/oauth2")
Issuer string
// LocalAddress is the management server's local listen address (e.g., ":8080" or "localhost:8080")
// Used for internal JWT validation to avoid external network calls
LocalAddress string
// Storage configuration for the IdP database
Storage EmbeddedStorageConfig
// DashboardRedirectURIs are the OAuth2 redirect URIs for the dashboard client
@@ -146,7 +150,12 @@ var _ OAuthConfigProvider = (*EmbeddedIdPManager)(nil)
// OAuthConfigProvider defines the interface for OAuth configuration needed by auth flows.
type OAuthConfigProvider interface {
GetIssuer() string
// GetKeysLocation returns the public JWKS endpoint URL (uses external issuer URL)
GetKeysLocation() string
// GetLocalKeysLocation returns the localhost JWKS endpoint URL for internal use.
// Management server has embedded Dex and can validate tokens via localhost,
// avoiding external network calls and DNS resolution issues during startup.
GetLocalKeysLocation() string
GetClientIDs() []string
GetUserIDClaim() string
GetTokenEndpoint() string
@@ -500,6 +509,22 @@ func (m *EmbeddedIdPManager) GetKeysLocation() string {
return m.provider.GetKeysLocation()
}
// GetLocalKeysLocation returns the localhost JWKS endpoint URL for internal token validation.
// Uses the LocalAddress from config (management server's listen address) since embedded Dex
// is served by the management HTTP server, not a standalone Dex server.
func (m *EmbeddedIdPManager) GetLocalKeysLocation() string {
addr := m.config.LocalAddress
if addr == "" {
return ""
}
// Construct localhost URL from listen address
// addr is in format ":port" or "host:port" or "localhost:port"
if strings.HasPrefix(addr, ":") {
return fmt.Sprintf("http://localhost%s/oauth2/keys", addr)
}
return fmt.Sprintf("http://%s/oauth2/keys", addr)
}
// GetClientIDs returns the OAuth2 client IDs configured for this provider.
func (m *EmbeddedIdPManager) GetClientIDs() []string {
return []string{staticClientDashboard, staticClientCLI}