
No error-information when auth succeeded in dashboard, but failed in backend #750

Closed
Ruakij opened this issue Mar 21, 2023 · 3 comments

Comments

@Ruakij
Contributor

Ruakij commented Mar 21, 2023

Describe the problem
When auth was setup in a way that allows the dashboard to accept it, but the backend does not, no useful error-information is logged.
(Why auth fails is still beyond me; unfortunately the auth docs for other auth providers are still sparse.)

The dashboard is easily satisfied as it assumes auth was perfectly fine as soon as it comes back with a token (of any kind!).

To Reproduce
Steps to reproduce the behavior:

  1. Set up application in IdP (I chose Zitadel)

  2. Configuration:
    [screenshots of the IdP application configuration]
    Also mind the Auth Token Type, which is, by default, "Bearer", which the Dashboard doesn't like: TypeError: e.split(...)[1] is undefined (add docs about requiring JWT!)
    [screenshot]
    Also add docs about the redirect-uri being like this; some IdPs require this and only allow auth when it's set correctly.

  3. Open netbird, login with IdP

  4. See error
    [screenshot of the dashboard error]

Management logs:

netbird-management-1  | 2023-03-21T10:32:17Z ERRO management/server/telemetry/http_api_metrics.go:150: HTTP response 1083634288: GET /api/users status 500
netbird-management-1  | 2023-03-21T10:32:18Z ERRO management/server/telemetry/http_api_metrics.go:150: HTTP response 2813638850: GET /api/peers status 500
netbird-management-1  | 2023-03-21T10:32:18Z ERRO management/server/telemetry/http_api_metrics.go:150: HTTP response 1697663107: GET /api/groups status 500
netbird-management-1  | 2023-03-21T10:32:18Z ERRO management/server/telemetry/http_api_metrics.go:150: HTTP response 3157473669: GET /api/routes status 500

Expected behavior
A proper error-message, both in the dashboard and the management-logs about what exactly went wrong.


I haven't tried other IdPs yet, but I switched to Auth0 to test if that's the problem, and the errors went away.
Maybe I did something wrong with my IdP setup (which is kinda badly documented), but I'd expect helpful error logs.

I'll try the setup with Authentik as IdP next.
Once I find out what works and how, I'll write some more generic docs for IdPs.

@gigovich
Contributor

@Ruakij thank you for this detailed report, could you please provide your management configuration and OpenID configuration endpoint (or content from this endpoint)?

@Ruakij
Contributor Author

Ruakij commented Mar 22, 2023

Sure.

I assume this is the part you need:

setup.env:

# -------------------------------------------
# OIDC
#  e.g., https://example.eu.auth0.com/.well-known/openid-configuration
# -------------------------------------------
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://auth.ruekov.eu/.well-known/openid-configuration"
NETBIRD_AUTH_AUDIENCE="https://netbird.ruekov.eu"
# e.g. netbird-client
NETBIRD_AUTH_CLIENT_ID="206188055046988264@media"
# if you want to use a custom claim for the user ID instead of 'sub', set it here
# NETBIRD_AUTH_USER_ID_CLAIM=""
# indicates whether to use Auth0 or not: true or false
NETBIRD_USE_AUTH0="false"
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""

Don't think Auth audience is necessary for Zitadel.

management.json:

{
    "HttpConfig": {
        "Address": "0.0.0.0:443",
        "AuthIssuer": "https://auth.ruekov.eu",
        "AuthAudience": "https://netbird.ruekov.eu",
        "AuthKeysLocation": "https://auth.ruekov.eu/oauth/v2/keys",
        "AuthUserIDClaim": "",
        "CertFile":"",
        "CertKey":"",
        "OIDCConfigEndpoint":"https://auth.ruekov.eu/.well-known/openid-configuration"
    },
    "IdpManagerConfig": {
        "Manager": "none"
     },
    "DeviceAuthorizationFlow": {
        "Provider": "none",
        "ProviderConfig": {
          "Audience": "https://netbird.ruekov.eu",
          "Domain": "",
          "ClientID": "",
          "TokenEndpoint": "https://auth.ruekov.eu/oauth/v2/token",
          "DeviceAuthEndpoint": "null"
         }
    }
}

Netbird is running behind Traefik with a setup that works (that's why no certs are in use).

Feel free to test against https://auth.ruekov.eu.
I'll also do some tests with Authentik today; maybe Zitadel is just not reacting how it should?
Or I misconfigured it. (After all, docs are very.. limited right now :D)
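The thread above boils down to two checks the backend makes and the dashboard does not: that the bearer credential is a JWT at all (an opaque Zitadel "Bearer" token has no dots, which is what `e.split(...)[1]` trips over), and that its signature, `iss` and `aud` match `AuthKeysLocation`, `AuthIssuer` and `AuthAudience` from management.json. The following is an added example written for this page, not NetBird's own code: a stand-alone RS256 validator that fails with a named check and the offending value instead of a bare status 500. The `CheckError` type, the `example.test` issuer and audience URLs, and the in-process signing helper are all assumptions made for the example; a real deployment would load the public key from the JWKS at `AuthKeysLocation` rather than generate one.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// CheckError names the check that failed and what was seen, so the HTTP layer can log
// e.g. `jwt audience check failed: got "https://other.example.test", want ...` instead
// of a bare status 500. Check is one of: format, signature, issuer, audience, expiry.
type CheckError struct{ Check, Detail string }

func (e *CheckError) Error() string { return "jwt " + e.Check + " check failed: " + e.Detail }

// Claims keeps aud raw because RFC 7519 allows either a string or an array there.
type Claims struct {
	Iss string          `json:"iss"`
	Aud json.RawMessage `json:"aud"`
	Exp int64           `json:"exp"`
	Sub string          `json:"sub"`
}

// Validator mirrors the HttpConfig fields that matter; Key stands in for the JWKS at AuthKeysLocation.
type Validator struct {
	Issuer, Audience string
	Key              *rsa.PublicKey
}

var enc = base64.RawURLEncoding

// NewTestKey generates a throwaway RSA key (hypothetical helper so the example runs offline).
func NewTestKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// SignRS256 plays the IdP so the example runs offline; the backend itself never signs tokens.
func SignRS256(priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return input + "." + enc.EncodeToString(sig), err
}

// Validate checks format, signature, iss, aud and exp in that order. The header alg is ignored on
// purpose: verification is pinned to RS256 with the configured key, so alg=none or HS256 tokens
// fail the signature check like any other forgery. Claims are decoded only after that check passes.
func (v Validator) Validate(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { // an opaque Bearer token (the Zitadel default from the issue) ends here
		return nil, &CheckError{"format", "not a compact JWS (header.payload.signature)"}
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return nil, &CheckError{"format", "signature segment is not base64url"}
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(v.Key, crypto.SHA256, h[:], sig) != nil {
		return nil, &CheckError{"signature", "does not verify with the configured key"}
	}
	var c Claims
	if raw, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, &CheckError{"format", "payload is not base64url-encoded JSON"}
	}
	if c.Iss != v.Issuer {
		return nil, &CheckError{"issuer", fmt.Sprintf("got %q, want %q", c.Iss, v.Issuer)}
	}
	if !hasAudience(c.Aud, v.Audience) {
		return nil, &CheckError{"audience", fmt.Sprintf("got %s, want %q", c.Aud, v.Audience)}
	}
	if c.Exp == 0 || time.Now().Unix() >= c.Exp {
		return nil, &CheckError{"expiry", fmt.Sprintf("exp=%d", c.Exp)}
	}
	return &c, nil
}

// hasAudience accepts both the string and the array form of aud.
func hasAudience(raw json.RawMessage, want string) bool {
	var one string
	var list []string
	if json.Unmarshal(raw, &one) == nil {
		list = []string{one}
	} else if json.Unmarshal(raw, &list) != nil {
		return false
	}
	for _, a := range list {
		if a == want {
			return true
		}
	}
	return false
}
```

Two points from the thread show up directly in the checks: an opaque bearer token fails at the format step, which is the same condition that crashes the dashboard's `split`, and `aud` is compared as a set because Zitadel-style IdPs put several values (project and client IDs) into it, so a configured `AuthAudience` must be one of them rather than the whole claim.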

@mlsmaycon
Collaborator

mlsmaycon commented Mar 23, 2023

@Ruakij I've opened a PR #760 that will log the JWT validation in the management service to improve the feedback.

In the next releases we will improve the errors to integrate better with the Dashboard.
