Remove duplicate authorization data from Zitadel IdP. NetBird now stores
all authorization data (account membership, invite status, roles) locally,
while Zitadel only stores identity information (email, name, credentials).
Changes:
- Add PendingInvite field to User struct to track invite status locally
- Simplify IdP Manager interface: remove metadata methods, add GetAllUsers
- Update cache warming to match IdP users against NetBird DB
- Remove addAccountIDToIDPAppMeta and all wt_* metadata writes
- Delete legacy IdP managers (Auth0, Azure, Keycloak, Okta, Google
Workspace, JumpCloud, Authentik, PocketId) - only Zitadel supported
This pull request fixes a bug where the HTTP/WebSocket proxy server was not using custom TLS certificates when provided via --cert-file and --cert-key flags. Previously, only the gRPC server had TLS enabled with custom certificates, while the HTTP/WebSocket proxy ran without TLS.
This update adds new relay integration for NetBird clients. The new relay is based on web sockets and listens on a single port.
- Adds new relay implementation with websocket with single port relaying mechanism
- refactor peer connection logic, allowing upgrade and downgrade from/to P2P connection
- peer connections are faster since it connects first to relay and then upgrades to P2P
- maintains compatibility with old clients by not using the new relay
- updates infrastructure scripts with new relay service
removed domainname for coturn service as it is needed only for SSL configs
Added log configuration for each service with a rotation and max size
ensure ZITADEL_DATABASE=postgres works
This PR aims to organize a little the files within `infrastructure_files` folder and adds some new ENV vars to the process.
1. It creates the `artifacts` folder within the `infrastructure_files` folder, the idea behind it is to split templates from artifacts created after running `./configure.sh`. It makes it easier to cp/rsync only `artifacts` content to the final server/destination.
2. Creates `NETBIRD_TURN_DOMAIN` and `TURN_DOMAIN` ENV vars. The idea behind it is to make it possible to split the management/signal server from TURN server. If `NETBIRD_TURN_DOMAIN` is not set, then, `TURN_DOMAIN` will be set as `NETBIRD_DOMAIN`.
3. Creates `*_TAG` ENVs for each component. The idea behind it is to give the users the choice to use `latest` tag as default or tie it to specific versions of each component in the stack.
added intergration with JumpCloud User API. Use the steps in setup.md for configuration.
Additional changes:
- Enhance compatibility for providers that lack audience support in the Authorization Code Flow and the Authorization - - Code Flow with Proof Key for Code Exchange (PKCE) using NETBIRD_DASH_AUTH_USE_AUDIENCE=falseenv
- Verify tokens by utilizing the client ID when audience support is absent in providers
Use NETBIRD_SIGNAL_PORT variable instead of the static port for signal
container in the docker-compose template to make setting of custom
signal port working
Signed-off-by: Fabio Fantoni <fabio.fantoni@m2r.biz>
Supporting new dashboard option to configure a source token.
Adding configuration support for setting
a different audience for device authorization flow.
fix custom id claim variable
This feature allows using the custom claim in the JWT token as a user ID.
Refactor claims extractor with options support
Add is_current to the user API response
This will help us understand usage on self-hosted deployments
The collection may be disabled by using the flag --disable-anonymous-metrics or
NETBIRD_DISABLE_ANONYMOUS_METRICS in setup.env
Right now Signal Service runs the Let'sEncrypt manager on port 80
and a gRPC server on port 10000. There are two separate listeners.
This PR combines these listeners into one with a cmux lib.
The gRPC server runs on either 443 with TLS or 80 without TLS.
Let's Encrypt manager always runs on port 80.
split setup.env with example and base
add setup.env to .gitignore to avoid overwrite from new versions
Added test workflow for docker-compose
and validated configure.sh generated variables
* rename wiretrustee-signal to netbird-signal
* Rename Signal repositories and source bin
* Adjust docker-compose with signal volume [skip ci]
Co-authored-by: mlsmaycon <mlsmaycon@gmail.com>
Rename documentation and goreleaser build names
Added a migration function for when the old path exists and the new one doesn't
updated the configure.sh to generate the docker-compose with a new path only
if no pre-existing volume with old name exists
* Updated self-hosted scripts and documentation
Added more variables to setup.env and
Updated the documentation.
We are now configuring turn server
with template as well.
* Updated self-hosted scripts and documentation
Added more variables to setup.env and
Updated the documentation.
We are now configuring turn server
with template as well.
* Updated self-hosted scripts and documentation
Added more variables to setup.env and
Updated the documentation.
We are now configuring turn server
with template as well.
* Updated self-hosted scripts and documentation
Added more variables to setup.env and
Updated the documentation.
We are now configuring turn server
with template as well.
