Handle auth manager config

idp/dex/provider.go

@@ -902,3 +902,41 @@ func (p *Provider) GetRedirectURI() string {
 	}
 	return issuer + "/callback"
 }
+
+// GetIssuer returns the OIDC issuer URL.
+func (p *Provider) GetIssuer() string {
+	if p.config == nil {
+		return ""
+	}
+	issuer := strings.TrimSuffix(p.config.Issuer, "/")
+	if !strings.HasSuffix(issuer, "/oauth2") {
+		issuer = issuer + "/oauth2"
+	}
+	return issuer
+}
+
+// GetKeysLocation returns the JWKS endpoint URL for token validation.
+func (p *Provider) GetKeysLocation() string {
+	issuer := p.GetIssuer()
+	if issuer == "" {
+		return ""
+	}
+	return issuer + "/keys"
+}
+
+// GetClientIDs returns the OAuth2 client IDs configured for this provider.
+func (p *Provider) GetClientIDs() []string {
+	if p.yamlConfig != nil && len(p.yamlConfig.StaticClients) > 0 {
+		clientIDs := make([]string, 0, len(p.yamlConfig.StaticClients))
+		for _, client := range p.yamlConfig.StaticClients {
+			clientIDs = append(clientIDs, client.ID)
+		}
+		return clientIDs
+	}
+	// Default client IDs if not configured via YAML
+	return []string{"netbird-dashboard", "netbird-cli"}
+}
+
+func (p *Provider) GetUserIDClaim() string {
+	return "sub"
+}

management/internals/server/controllers.go

@@ -55,14 +55,31 @@ func (s *BaseServer) SecretsManager() grpc.SecretsManager {
 }
 
 func (s *BaseServer) AuthManager() auth.Manager {
+	audiences := s.Config.GetAuthAudiences()
+	audience := s.Config.HttpConfig.AuthAudience
+	keysLocation := s.Config.HttpConfig.AuthKeysLocation
+	signingKeyRefreshEnabled := s.Config.HttpConfig.IdpSignKeyRefreshEnabled
+	issuer := s.Config.HttpConfig.AuthIssuer
+	userIDClaim := s.Config.HttpConfig.AuthUserIDClaim
+	if s.embeddedIdp != nil {
+		// Use embedded IdP provider's methods to extract configuration
+		audiences = s.embeddedIdp.GetClientIDs()
+		if len(audiences) > 0 {
+			audience = audiences[0] // Use the first client ID as the primary audience
+		}
+		keysLocation = s.embeddedIdp.GetKeysLocation()
+		signingKeyRefreshEnabled = true
+		issuer = s.embeddedIdp.GetIssuer()
+		userIDClaim = s.embeddedIdp.GetUserIDClaim()
+	}
 	return Create(s, func() auth.Manager {
 		return auth.NewManager(s.Store(),
-			s.Config.HttpConfig.AuthIssuer,
-			s.Config.HttpConfig.AuthAudience,
-			s.Config.HttpConfig.AuthKeysLocation,
-			s.Config.HttpConfig.AuthUserIDClaim,
-			s.Config.GetAuthAudiences(),
-			s.Config.HttpConfig.IdpSignKeyRefreshEnabled)
+			issuer,
+			audience,
+			keysLocation,
+			userIDClaim,
+			audiences,
+			signingKeyRefreshEnabled)
 	})
 }
 

management/server/idp/embedded.go

@@ -56,6 +56,8 @@ type EmbeddedIdPConfig struct {
 	DashboardRedirectURIs []string
 	// Owner is the initial owner/admin user (optional, can be nil)
 	Owner *OwnerConfig
+	// SignKeyRefreshEnabled enables automatic key rotation for signing keys
+	SignKeyRefreshEnabled bool
 }
 
 // DefaultCLIRedirectURIs returns the default redirect URIs for the CLI client.