From fbce6b95fd553c50af3e51c1c5ca6ba2eb9e59da Mon Sep 17 00:00:00 2001
From: twothatit
Date: Sun, 8 Feb 2026 21:33:59 +0100
Subject: [PATCH] Fix Unauthenticated: use local OIDCConfigEndpoint for embedded IdP

The management container was trying to fetch its own OIDC config via the external URL (https://domain/oauth2/.well-known/...), which creates a circular dependency: management -> DNS -> NPM -> Caddy -> management. This fails because the management container can't reach itself through the external network during startup. Changed OIDCConfigEndpoint to http://127.0.0.1:80/oauth2/... (same as LocalAddress) so the management server accesses its own embedded IdP directly without going through DNS/NPM/Caddy.

Co-Authored-By: Claude Opus 4.6
---
 templates/management.json.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/management.json.j2 b/templates/management.json.j2
index 71f0ba6..deae3a4 100644
--- a/templates/management.json.j2
+++ b/templates/management.json.j2
@@ -36,7 +36,7 @@
 "HttpConfig": {
 "AuthIssuer": "{{ external_url }}/oauth2",
 "AuthAudience": "netbird-dashboard",
- "OIDCConfigEndpoint": "{{ external_url }}/oauth2/.well-known/openid-configuration"
+ "OIDCConfigEndpoint": "http://127.0.0.1:80/oauth2/.well-known/openid-configuration"
 },
 "EmbeddedIdP": {
 "Enabled": true,
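Review bot: The new `OIDCConfigEndpoint` line hard-codes `http://127.0.0.1:80` while `AuthIssuer` two lines above stays on `{{ external_url }}/oauth2`, so discovery and issuer now come from different origins and nothing in the template records that this is intentional. It is worth confirming that the document served on loopback still reports an `issuer` equal to `AuthIssuer` and a `jwks_uri` the container can reach; if the embedded IdP builds those URLs from the external address, the key fetch may still take the DNS/NPM/Caddy path this commit is avoiding (inferred, the IdP code is not in this diff). Token signing keys are then trusted from whatever answers on port 80 in the container's network namespace, over plain HTTP, which is only sound if that namespace is not shared with the host or other workloads. I would add a Jinja comment beside the line, e.g. `{# loopback on purpose: embedded IdP is served by this process; must track LocalAddress, AuthIssuer stays external #}`, and take the address from the same template value that sets LocalAddress instead of repeating the literal, so the two cannot drift apart.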