netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License
10.71k stars 480 forks

Authentik login not working: Login Error: User state: Unauthenticated #1250

Closed chrisguen closed 10 months ago

chrisguen commented 11 months ago

After following the advanced guide in the docs with a Traefik reverse proxy and Authentik as the IdP, it just shows "Login Error: User state: Unauthenticated" on the web page, and no errors are shown in the container logs.

Running the latest version, 0.24.0.

Management logs show this:

2023-10-25T12:53:19Z INFO management/cmd/management.go:419: loading OIDC configuration from the provided IDP configuration endpoint https://auth.xy/application/o/netbird/.well-known/openid-configuration
2023-10-25T12:53:19Z INFO management/cmd/management.go:424: loaded OIDC configuration from the provided IDP configuration endpoint: https://auth.xy/application/o/netbird/.well-known/openid-configuration
2023-10-25T12:53:19Z INFO management/cmd/management.go:426: overriding HttpConfig.AuthIssuer with a new value https://auth.xy/application/o/netbird/, previously configured value: https://auth..x.de/application/o/netbird/
2023-10-25T12:53:19Z INFO management/cmd/management.go:430: overriding HttpConfig.AuthKeysLocation (JWT certs) with a new value https://auth.xy/application/o/netbird/jwks/, previously configured value: https://auth.xy/application/o/netbird/jwks/
2023-10-25T12:53:19Z INFO management/cmd/management.go:435: overriding DeviceAuthorizationFlow.TokenEndpoint with a new value: https://auth.xy/application/o/token/, previously configured value: https://auth.xy/application/o/token/
2023-10-25T12:53:19Z INFO management/cmd/management.go:438: overriding DeviceAuthorizationFlow.DeviceAuthEndpoint with a new value: https://auth.xy/application/o/device/, previously configured value: https://auth.xy/application/o/device/
2023-10-25T12:53:19Z INFO management/cmd/management.go:446: overriding DeviceAuthorizationFlow.ProviderConfig.Domain with a new value: auth..x.de, previously configured value: auth..x.de
2023-10-25T12:53:19Z INFO management/cmd/management.go:456: overriding PKCEAuthorizationFlow.TokenEndpoint with a new value: https://auth..x.de/application/o/token/, previously configured value: https://auth..x.de/application/o/token/
2023-10-25T12:53:19Z INFO management/cmd/management.go:459: overriding PKCEAuthorizationFlow.AuthorizationEndpoint with a new value: https://auth..x.de/application/o/authorize/, previously configured value: https://auth..x.de/application/o/authorize/
2023-10-25T12:53:19Z INFO management/server/telemetry/app_metrics.go:161: enabled application metrics and exposing on http://0.0.0.0:8081
2023-10-25T12:53:19Z INFO management/server/account.go:778: single account mode enabled, accounts number 0
2023-10-25T12:53:20Z INFO management/server/account.go:945: 1 entries received from IdP management
2023-10-25T12:53:20Z INFO management/server/account.go:974: warmed up IDP cache with 0 entries
2023-10-25T12:53:20Z INFO management/cmd/management.go:247: running gRPC backward compatibility server: [::]:33073
2023-10-25T12:53:20Z INFO management/cmd/management.go:279: running HTTP server and gRPC server on the same port: [::]:443

pascal-fischer commented 11 months ago

Hi, can you share your setup.env or management.json (with secrets hidden, only maybe first or last few digits)?

bernhardkaindl commented 11 months ago

This contains a hopefully helpful list of steps that led me to find the issue in my case!

@chrisguen I also followed the Advanced setup How-To with Authentik as IDP today and get the same error:

  1. The first check was to open the page of the Netbird user in the Authentik dashboard.
    • It showed a green bar for successful logins of the Netbird user.
  2. Next, I opened the docker container logs of the container authentik-server-1.
    • It showed a few errors:
      INF auth_via=unauthenticated event=/application/o/token ...

      Before these, there was a warning about a CORS setup needed, which was a sign that some domain name didn't match up. I then remembered that I had to change the domain name of the Netmaker server, because letsencrypt.org was getting tired of my repeated signature requests - DOH!!! Updating the domain in Authentik Provider field "Redirect URIs/Origins (RegEx)" as per https://docs.netbird.io/selfhosted/identity-providers#authentik fixed it instantly.

As a suggestion, the error message "Login Error: User state: Unauthenticated" shown in the web browser in this case could be improved to ask the user to contact the admins of the SSO service to check up on the error.

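The two checks in the comment above (do the management settings agree with what the IdP advertises, and does the dashboard's domain still match the Authentik provider's "Redirect URIs/Origins (RegEx)" list) can be scripted. The following is an added example, not NetBird or Authentik code. It runs entirely on constructed sample data: the hostnames are placeholders, the management values are keyed by the names the management log prints rather than by any file format, the "/auth" callback path is assumed, and the regex field is modelled with re.fullmatch, which is an assumption about how your Authentik version matches it. It also flags the classic regex mistake in that field (unescaped dots, unanchored suffix), which silently admits attacker-registered lookalike origins.

```python
"""Offline sanity check for a NetBird <-> Authentik OIDC setup (added example).

Reproduces, on constructed sample data, two checks the thread does by hand:
  1. compare management settings (named as the management log prints them)
     with what the IdP's discovery document advertises; management overrides
     them at startup, so a stale value is a hint the IdP side is stale too;
  2. test the dashboard's origin and redirect URI against the Authentik
     provider's "Redirect URIs/Origins (RegEx)" entries, the field that went
     stale after the domain change in the thread.
Assumptions: placeholder hostnames, "/auth" callback path, re.fullmatch
semantics for the Authentik regex field. Verify against your own setup.
"""
import json
import re
from dataclasses import dataclass

# Constructed discovery document, as served under
# /application/o/netbird/.well-known/openid-configuration (keys trimmed).
DISCOVERY_JSON = json.dumps({
    "issuer": "https://auth.example.net/application/o/netbird/",
    "authorization_endpoint": "https://auth.example.net/application/o/authorize/",
    "token_endpoint": "https://auth.example.net/application/o/token/",
    "device_authorization_endpoint": "https://auth.example.net/application/o/device/",
    "jwks_uri": "https://auth.example.net/application/o/netbird/jwks/",
})

# Constructed management values; two still carry the pre-rename hostname.
CONFIGURED = {
    "HttpConfig.AuthIssuer": "https://auth.old.example.net/application/o/netbird/",
    "HttpConfig.AuthKeysLocation": "https://auth.example.net/application/o/netbird/jwks/",
    "DeviceAuthorizationFlow.TokenEndpoint": "https://auth.example.net/application/o/token/",
    "DeviceAuthorizationFlow.DeviceAuthEndpoint": "https://auth.example.net/application/o/device/",
    "PKCEAuthorizationFlow.TokenEndpoint": "https://auth.old.example.net/application/o/token/",
    "PKCEAuthorizationFlow.AuthorizationEndpoint": "https://auth.example.net/application/o/authorize/",
}

# Which discovery key each management setting must equal.
DISCOVERY_KEY_FOR = {
    "HttpConfig.AuthIssuer": "issuer",
    "HttpConfig.AuthKeysLocation": "jwks_uri",
    "DeviceAuthorizationFlow.TokenEndpoint": "token_endpoint",
    "DeviceAuthorizationFlow.DeviceAuthEndpoint": "device_authorization_endpoint",
    "PKCEAuthorizationFlow.TokenEndpoint": "token_endpoint",
    "PKCEAuthorizationFlow.AuthorizationEndpoint": "authorization_endpoint",
}


@dataclass(frozen=True)
class Finding:
    level: str   # "info": management overrides it; "error": login will break
    what: str


def check_against_discovery(configured: dict, discovery_json: str) -> list[Finding]:
    """Report every setting that differs from the discovery document."""
    discovery = json.loads(discovery_json)
    out = []
    for setting, key in DISCOVERY_KEY_FOR.items():
        have, want = configured.get(setting), discovery.get(key)
        if want is None:
            out.append(Finding("error", f"{setting}: discovery document lacks {key!r}"))
        elif have != want:
            out.append(Finding("info", f"{setting}: configured {have!r}, IdP advertises {want!r}"))
    return out


def check_redirects(patterns: list[str], dashboard_origin: str,
                    callback_path: str = "/auth") -> list[Finding]:
    """Test origin and redirect URI against the provider's regex entries (full match assumed)."""
    compiled = [re.compile(p) for p in patterns]
    redirect_uri = dashboard_origin + callback_path   # callback path is an assumption
    out = []
    for label, value in (("origin", dashboard_origin), ("redirect_uri", redirect_uri)):
        if not any(c.fullmatch(value) for c in compiled):
            out.append(Finding("error", f"{label} {value!r} matches no allowed pattern"))
    return out


def lookalike_origins(dashboard_origin: str) -> list[str]:
    """Origins an attacker could register that a sloppy regex would also admit."""
    host = dashboard_origin.removeprefix("https://")
    return [
        f"https://{host}.attacker.example",        # unanchored trailing .*
        f"https://{host.replace('.', 'x', 1)}",    # unescaped '.' matches any char
    ]


def check_pattern_tightness(patterns: list[str], dashboard_origin: str) -> list[Finding]:
    """Flag patterns that admit lookalike origins in addition to the real one."""
    out = []
    for p in patterns:
        rx = re.compile(p)
        for bad in lookalike_origins(dashboard_origin):
            if rx.fullmatch(bad):
                out.append(Finding("error", f"pattern {p!r} also admits {bad!r}"))
    return out


def run(patterns: list[str], dashboard_origin: str) -> list[Finding]:
    return (check_against_discovery(CONFIGURED, DISCOVERY_JSON)
            + check_redirects(patterns, dashboard_origin)
            + check_pattern_tightness(patterns, dashboard_origin))


if __name__ == "__main__":
    # A provider entry still pointing at the old hostname next to the new dashboard origin.
    for f in run([r"https://netbird\.old\.example\.net(/.*)?"], "https://netbird.example.net"):
        print(f.level.upper(), f.what)
```

A correct entry for this layout would be `https://netbird\.example\.net(/.*)?`: escaped dots, an optional path, and nothing else. It passes both the redirect and the tightness checks, whereas `https://netbird.example.net.*` passes the redirect check but admits the two lookalike origins.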
chrisguen commented 10 months ago

Thank you, it was a CORS issue on my side as well. A better error message would help a lot.