Hi,
I was using Zitadel as the IdP for my NetBird instance and everything worked fine; I have since moved to Logto and cannot get it to work correctly.
I know Logto is not supported out of the box by NetBird. While searching for a solution I found NetBird's guide for Authelia and essentially substituted its values with the ones from my Logto application.
The guide in question: NetBird | OpenID Connect 1.0 | Integration
Authentication against Logto itself succeeds, but when I am redirected back to my NetBird dashboard it gets stuck in a loading loop and the browser console shows a 401 error from the management API:
{code: 401, message: 'token expired'}
I am posting this in case anyone can help, but I understand if no official support can be offered for this setup.
Configuration files (client ID and client secret replaced with the placeholders "Generated APP ID" / "Generated APP Secret")
- Logto application type is Third Party OIDC
- setup.env
# setup.env: OIDC settings for the NetBird dashboard and management service, adapted
# from the Authelia guide with the values of the Logto application.
# NOTE(review): the dashboard is a browser application, so any value it needs at
# runtime (client ID, the secret below, redirect URIs) is delivered to the browser;
# treat AUTH_CLIENT_SECRET in this file as non-confidential once the dashboard is
# deployed -- confirm against the dashboard container's startup behaviour.
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://logto.dom.ain/oidc/.well-known/openid-configuration"
NETBIRD_MGMT_API_ENDPOINT="https://netbird.dom.ain"
NETBIRD_MGMT_GRPC_API="https://netbird.dom.ain"
# "none" = the dashboard requests no audience from Logto. management.json below
# validates tokens against AuthAudience = the client ID, which an ID token's aud
# satisfies but an audience-less access token may not -- TODO confirm which token
# the dashboard sends to the management API (see NETBIRD_TOKEN_SOURCE).
AUTH_AUDIENCE="none"
AUTH_CLIENT_ID="Generated APP ID"
AUTH_CLIENT_SECRET="Generated APP Secret"
# NOTE(review): no /oidc suffix here, while the discovery URL above lives under
# /oidc and management.json sets AuthIssuer to "https://logto.dom.ain/oidc"; the
# authority the dashboard trusts should match the iss claim Logto puts in its tokens.
AUTH_AUTHORITY="https://logto.dom.ain"
USE_AUTH0=false
AUTH_SUPPORTED_SCOPES="openid profile email"
AUTH_REDIRECT_URI="/peers"
AUTH_SILENT_REDIRECT_URI="/add-peers"
# NOTE(review): this repeats the client secret, but the variable name suggests it
# selects WHICH token the dashboard forwards to the management API (ID token vs
# access token, cf. UseIDToken in management.json's PKCE block) rather than a
# credential -- verify the expected value in the Authelia guide this was copied from.
NETBIRD_TOKEN_SOURCE="Generated APP Secret"
- docker-compose.yml
- NETBIRD_MGMT_API_ENDPOINT=https://netbird.dom.ain:443
- NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbird.dom.ain:443
- AUTH_AUDIENCE=none
- AUTH_CLIENT_ID=Generated APP ID
- AUTH_CLIENT_SECRET=Generated APP Secret
- AUTH_AUTHORITY=https://logto.dom.ain/oidc
- USE_AUTH0=false
- AUTH_SUPPORTED_SCOPES=openid profile email
- AUTH_REDIRECT_URI=/peers
- AUTH_SILENT_REDIRECT_URI=/add-peers
- NETBIRD_TOKEN_SOURCE=Generated APP Secret
- NGINX_SSL_PORT=443
- LETSENCRYPT_DOMAIN=
- LETSENCRYPT_EMAIL=
- management.json (HttpConfig, IdpManagerConfig, DeviceAuthorizationFlow and PKCEAuthorizationFlow sections only; note that, as far as I understand, the PKCEAuthorizationFlow block is what the management service hands to every CLI client at login, so the ClientSecret placed in it should not be considered confidential)
"HttpConfig": {
"LetsEncryptDomain": "",
"CertFile": "",
"CertKey": "",
"AuthAudience": "Generated APP ID",
"AuthIssuer": "https://logto.dom.ain/oidc",
"AuthUserIDClaim": "",
"AuthKeysLocation": "https://logto.dom.ain/oidc/jwks",
"OIDCConfigEndpoint": "https://logto.dom.ain/oidc/.well-known/openid-configuration",
"IdpSignKeyRefreshEnabled": true,
"ExtraAuthAudience": ""
},
"IdpManagerConfig": {
"ManagerType": "",
"ClientConfig": null,
"ExtraConfig": null,
"Auth0ClientCredentials": null,
"AzureClientCredentials": null,
"KeycloakClientCredentials": null,
"ZitadelClientCredentials": null
},
"DeviceAuthorizationFlow": {
"Provider": "",
"ProviderConfig": {
"ClientID": "",
"ClientSecret": "",
"Domain": "logto.dom.ain",
"Audience": "",
"TokenEndpoint": "https://logto.dom.ain/oidc/token",
"DeviceAuthEndpoint": "",
"AuthorizationEndpoint": "",
"Scope": "openid",
"UseIDToken": false,
"RedirectURLs": null,
"DisablePromptLogin": false,
"LoginFlag": 0
}
},
"PKCEAuthorizationFlow": {
"ProviderConfig": {
"ClientID": "Generated APP ID",
"ClientSecret": "Generated APP Secret",
"Domain": "",
"Audience": "Generated APP ID",
"TokenEndpoint": "https://logto.dom.ain/oidc/token",
"DeviceAuthEndpoint": "",
"AuthorizationEndpoint": "https://logto.dom.ain/oidc/auth",
"Scope": "openid profile email",
"UseIDToken": true,
"RedirectURLs": [
"http://localhost:53000"
],
"DisablePromptLogin": false,
"LoginFlag": 0
}
},
