netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

Request failed with status code 401. Please refresh the page if the issue continues. token invalid #1657

Open jkirkcaldy opened 8 months ago

jkirkcaldy commented 8 months ago

Using authentik as auth provider and Traefik as the reverse proxy.

These lines appear in the management logs:

2024-03-02T18:37:27Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-02T18:37:27Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 2291633713: GET /api/users status 401
2024-03-02T18:37:27Z INFO management/server/account.go:1590: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-02T18:37:27Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400

I have a red box with a warning message:

Request failed with status code 401. Please refresh the page if the issue continues.
token invalid

management.json

{
    "Stuns": [
        {
            "Proto": "udp",
            "URI": "stun:netbird.example.co.uk:3478",
            "Username": "",
            "Password": ""
        }
    ],
    "TURNConfig": {
        "TimeBasedCredentials": false,
        "CredentialsTTL": "12h0m0s",
        "Secret": "secret",
        "Turns": [
            {
                "Proto": "udp",
                "URI": "turn:netbird.example.co.uk:3478",
                "Username": "self",
                "Password": "xxxx"
            }
        ]
    },
    "Signal": {
        "Proto": "http",
        "URI": "netbird.example.co.uk:10000",
        "Username": "",
        "Password": ""
    },
    "Datadir": "/var/lib/netbird/",
    "DataStoreEncryptionKey": "H9HtkneUWN6/KdVlnOBo+9MtqHz9BliKx0Kuc3KbJJc=",
    "HttpConfig": {
        "LetsEncryptDomain": "",
        "AuthAudience": "xxxx",
        "AuthIssuer": "https://authentik.example.co.uk/application/o/netbird/",
        "AuthUserIDClaim": "",
        "AuthKeysLocation": "https://authentik.example.co.uk/application/o/netbird/jwks/",
        "OIDCConfigEndpoint": "https://authentik.example.co.uk/application/o/netbird/.well-known/openid-configuration",
        "IdpSignKeyRefreshEnabled": true
    },
    "IdpManagerConfig": {
        "ManagerType": "authentik",
        "ClientConfig": {
            "Issuer": "https://authentik.example.co.uk/application/o/netbird",
            "TokenEndpoint": "https://authentik.example.co.uk/application/o/token/",
            "ClientID": "xxxx",
            "ClientSecret": "",
            "GrantType": "client_credentials"
        },
        "ExtraConfig": {
            "Password": "xxxxx",
            "Username": "Netbird"
        },
        "Auth0ClientCredentials": null,
        "AzureClientCredentials": null,
        "KeycloakClientCredentials": null,
        "ZitadelClientCredentials": null
    },
    "DeviceAuthorizationFlow": {
        "Provider": "hosted",
        "ProviderConfig": {
            "ClientID": "xxxx",
            "ClientSecret": "",
            "Domain": "authentik.example.co.uk",
            "Audience": "xxxx",
            "TokenEndpoint": "https://authentik.example.co.uk/application/o/token/",
            "DeviceAuthEndpoint": "https://authentik.example.co.uk/application/o/device/",
            "AuthorizationEndpoint": "",
            "Scope": "openid",
            "UseIDToken": false,
            "RedirectURLs": null
        }
    },
    "PKCEAuthorizationFlow": {
        "ProviderConfig": {
            "ClientID": "xxxx",
            "ClientSecret": "",
            "Domain": "",
            "Audience": "xxxx",
            "TokenEndpoint": "https://authentik.example.co.uk/application/o/token/",
            "DeviceAuthEndpoint": "",
            "AuthorizationEndpoint": "https://authentik.example.co.uk/application/o/authorize/",
            "Scope": "openid profile email offline_access api groups",
            "UseIDToken": false,
            "RedirectURLs": [
                "http://localhost:53000"
            ]
        }
    },
    "StoreConfig": {
        "Engine": "sqlite"
    },
    "ReverseProxy": {
        "TrustedHTTPProxies": null,
        "TrustedHTTPProxiesCount": 0,
        "TrustedPeers": null
    }
}

Compose file

version: "3"
services:
  #UI dashboard
  dashboard:
    image: wiretrustee/dashboard:latest
    restart: unless-stopped
    #ports:
    #  - 80:80
    #  - 443:443
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://netbird.example.co.uk:443
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbird.example.co.uk:443
      # OIDC
      - AUTH_AUDIENCE=xxxxx
      - AUTH_CLIENT_ID=xxxxx
      - AUTH_CLIENT_SECRET=
      - AUTH_AUTHORITY=https://authentik.example.co.uk/application/o/netbird/
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
      - AUTH_REDIRECT_URI=
      - AUTH_SILENT_REDIRECT_URI=
      - NETBIRD_TOKEN_SOURCE=accessToken
    labels:
    - traefik.enable=true
    - traefik.http.routers.netbird-dashboard.rule=Host(`netbird.example.co.uk`)
    - traefik.http.services.netbird-dashboard.loadbalancer.server.port=80

  # Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    volumes:
      - /mnt/user/appdata/netbird/signal:/var/lib/netbird
    labels:
    - traefik.enable=true
    - traefik.http.routers.netbird-signal.rule=Host(`netbird.example.co.uk`) && PathPrefix(`/signalexchange.SignalExchange/`)
    - traefik.http.services.netbird-signal.loadbalancer.server.port=80
    - traefik.http.services.netbird-signal.loadbalancer.server.scheme=h2c

  # Management
  management:
    image: netbirdio/management:latest
    restart: unless-stopped
    depends_on:
      - dashboard
    volumes:
      - /mnt/user/appdata/netbird/management:/var/lib/netbird
      - /mnt/user/appdata/netbird/management/management.json:/etc/netbird/management.json
    command: [
      "--port", "443",
      "--log-file", "console",
      "--disable-anonymous-metrics=false",
      "--single-account-mode-domain=netbird.example.co.uk",
      "--dns-domain=netbird.selfhosted"
      ]
    labels:
    - traefik.enable=true
    - traefik.http.routers.netbird-api.rule=Host(`netbird.example.co.uk`) && PathPrefix(`/api`)
    - traefik.http.routers.netbird-api.service=netbird-api
    - traefik.http.services.netbird-api.loadbalancer.server.port=443

    - traefik.http.routers.netbird-management.rule=Host(`netbird.example.co.uk`) && PathPrefix(`/management.ManagementService/`)
    - traefik.http.routers.netbird-management.service=netbird-management
    - traefik.http.services.netbird-management.loadbalancer.server.port=443
    - traefik.http.services.netbird-management.loadbalancer.server.scheme=h2c

  # Coturn
  coturn:
    image: coturn/coturn:latest
    restart: unless-stopped
    domainname: netbird.example.co.uk
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
    #      - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
    #      - ./cert.pem:/etc/coturn/certs/cert.pem:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf

jkirkcaldy commented 8 months ago

I believe this is related to Authentik requiring the "offline access" request.

[image]

If I select offline access in the netbird provider/scopes in authentik, I get this error in the console in netbird:

[image]

Deselecting it in authentik results in the invalid token message.

sgtaziz commented 8 months ago

Can confirm the same behavior on my side on Authentik 2024.2.1. It was working fine before the update. My existing authenticated clients continue to work, but I cannot authenticate any new ones. https://github.com/netbirdio/netbird/issues/1531 seems to be related, I tried the suggested fix there as well but unfortunately the issue still exists.

EDIT: Looks like it's an upstream authentik issue. Fix was applied 5 days ago but still hasn't been released, should be fixed in 2024.2.2 (See https://github.com/goauthentik/authentik/pull/8731 and https://github.com/goauthentik/authentik/issues/8660).

mlsmaycon commented 7 months ago

2024.2.2 has been released, did you have the chance to test it?

jkirkcaldy commented 7 months ago

Yes, still not working for me.

[image]

In the iOS app I am also getting an authentik invalid redirect URI error. The redirect URIs are set as:

[image]

mlsmaycon commented 7 months ago

@sgtaziz can you share the logs from your management service container?

sgtaziz commented 7 months ago

@mlsmaycon Everything is working from my side now. For me, it was 2 separate issues:

  1. I had offline_access scope enabled, which was not working correctly in Authentik 2024.2.1. This issue was resolved in 2024.2.2
  2. When I disabled offline_access scope in 2024.2.1 (and in 2024.2.2), I still had the 401 error. This was actually completely unrelated, and was caused by incorrect credentials to my netbird service account. I deleted the account and recreated it, and it was working perfectly after. I suggest you try the same @jkirkcaldy!

mlsmaycon commented 7 months ago

thanks for confirming @sgtaziz.

@jkirkcaldy can you share the logs from your management service container?

jkirkcaldy commented 7 months ago

Same issues after re-creating the netbird user in Authentik.

These are the management logs:

2024-03-25T15:47:50Z INFO management/cmd/management.go:449: loading OIDC configuration from the provided IDP configuration endpoint https://authentik.example.co.uk/application/o/netbird/.well-known/openid-configuration
2024-03-25T15:47:51Z INFO management/cmd/management.go:454: loaded OIDC configuration from the provided IDP configuration endpoint: https://authentik.example.co.uk/application/o/netbird/.well-known/openid-configuration
2024-03-25T15:47:51Z INFO management/cmd/management.go:456: overriding HttpConfig.AuthIssuer with a new value https://authentik.example.co.uk/application/o/netbird/, previously configured value: https://authentik.example.co.uk/application/o/netbird/
2024-03-25T15:47:51Z INFO management/cmd/management.go:460: overriding HttpConfig.AuthKeysLocation (JWT certs) with a new value https://authentik.example.co.uk/application/o/netbird/jwks/, previously configured value: https://authentik.example.co.uk/application/o/netbird/jwks/
2024-03-25T15:47:51Z INFO management/cmd/management.go:465: overriding DeviceAuthorizationFlow.TokenEndpoint with a new value: https://authentik.example.co.uk/application/o/token/, previously configured value: https://authentik.example.co.uk/application/o/token/
2024-03-25T15:47:51Z INFO management/cmd/management.go:468: overriding DeviceAuthorizationFlow.DeviceAuthEndpoint with a new value: https://authentik.example.co.uk/application/o/device/, previously configured value: https://authentik.example.co.uk/application/o/device/
2024-03-25T15:47:51Z INFO management/cmd/management.go:476: overriding DeviceAuthorizationFlow.ProviderConfig.Domain with a new value: authentik.example.co.uk, previously configured value: authentik.example.co.uk
2024-03-25T15:47:51Z INFO management/cmd/management.go:486: overriding PKCEAuthorizationFlow.TokenEndpoint with a new value: https://authentik.example.co.uk/application/o/token/, previously configured value: https://authentik.example.co.uk/application/o/token/
2024-03-25T15:47:51Z INFO management/cmd/management.go:489: overriding PKCEAuthorizationFlow.AuthorizationEndpoint with a new value: https://authentik.example.co.uk/application/o/authorize/, previously configured value: https://authentik.example.co.uk/application/o/authorize/
2024-03-25T15:47:51Z INFO management/server/telemetry/app_metrics.go:177: enabled application metrics and exposing on http://0.0.0.0:8081
2024-03-25T15:47:51Z INFO management/server/store.go:92: using SQLite store engine
2024-03-25T15:47:52Z INFO management/cmd/management.go:172: geo location service has been initialized from /var/lib/netbird/
2024-03-25T15:47:52Z INFO management/server/account.go:848: single account mode enabled, accounts number 1
2024-03-25T15:47:52Z WARN management/cmd/management.go:186: TrustedPeers are configured to default value '0.0.0.0/0', '::/0'. This allows connection IP spoofing.
2024-03-25T15:47:52Z WARN management/server/account.go:888: failed warming up cache due to error: unable to get authentik token, statusCode 400
2024-03-25T15:47:52Z INFO management/cmd/management.go:287: running gRPC backward compatibility server: [::]:33073
2024-03-25T15:47:52Z INFO management/cmd/management.go:319: management server version 0.26.3
2024-03-25T15:47:52Z INFO management/cmd/management.go:320: running HTTP server and gRPC server on the same port: [::]:443
2024-03-25T15:48:10Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-25T15:48:10Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400
2024-03-25T15:48:10Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-25T15:48:10Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 2097093298: GET /api/users status 401
2024-03-25T15:48:10Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-25T15:48:11Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400
2024-03-25T15:48:11Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-25T15:48:11Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 1411618969: GET /api/users status 401
2024-03-25T15:48:11Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-25T15:48:11Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400
2024-03-25T15:48:11Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-25T15:48:11Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 2393209750: GET /api/groups status 401
2024-03-25T15:48:11Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-25T15:48:11Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400
2024-03-25T15:48:11Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-25T15:48:11Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 3916251322: GET /api/users status 401

vincent-lg18 commented 7 months ago

I had exactly the same problem until I changed a few things:

  1. you have to bind the Netbird user to the Netbird application in the menu Applications > Applications > Netbird > Policy / Group / User Bindings.

  [image]

  2. the "password" field associated with the Netbird user in the management.json file must be an App password, which can be created in the Directory > Tokens and App passwords menu. Do not use the Netbird user password that you may have created when creating the Netbird user in the Directory > Users menu.

  [image]
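
One way to check the service-account credentials outside NetBird, as an added example that is not part of this thread or the netbird project: it rebuilds the client_credentials token request from the IdpManagerConfig section of management.json and reports what the authentik token endpoint answers. Assumptions: authentik accepts grant_type=client_credentials with a username and an App password, and the scope "goauthentik.io/api" (assumed; the page does not state which scope NetBird requests); the EXAMPLE_IDP_CONFIG values are constructed from the management.json above.

```python
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

# Assumption: NetBird's authentik manager requests this scope; it is not stated on the page.
ASSUMED_SCOPE = "goauthentik.io/api"

# Constructed sample mirroring the IdpManagerConfig section of the management.json above.
EXAMPLE_IDP_CONFIG = {
    "ClientConfig": {
        "TokenEndpoint": "https://authentik.example.co.uk/application/o/token/",
        "ClientID": "xxxx",
        "GrantType": "client_credentials",
    },
    "ExtraConfig": {"Username": "Netbird", "Password": "xxxxx"},
}

def build_token_request(idp_cfg):
    """Return (token_endpoint, form fields) for the client_credentials request."""
    client, extra = idp_cfg["ClientConfig"], idp_cfg["ExtraConfig"]
    fields = {
        "grant_type": client.get("GrantType", "client_credentials"),
        "client_id": client["ClientID"],
        "username": extra["Username"],
        "password": extra["Password"],  # must be an authentik App password, not the login password
        "scope": ASSUMED_SCOPE,
    }
    return client["TokenEndpoint"], fields

def explain_response(status, body):
    """Map the token endpoint's answer to the causes discussed in this thread."""
    if status == 200:
        return "ok: service account credentials accepted"
    try:
        err = json.loads(body).get("error", "")
    except ValueError:
        err = ""
    if status == 400:  # the statusCode the management log reports
        return (f"400 {err or 'bad request'}: check that ExtraConfig.Password is an App password "
                "and that the user is bound to the NetBird application in authentik")
    return f"unexpected response {status}: {body[:200]}"

def check_service_account(idp_cfg):
    """Perform the request the management service makes when it warms up its cache."""
    endpoint, fields = build_token_request(idp_cfg)
    req = urllib.request.Request(endpoint, data=urllib.parse.urlencode(fields).encode(), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return explain_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        return explain_response(e.code, e.read().decode())

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    cfg = json.load(open(path))["IdpManagerConfig"] if path else EXAMPLE_IDP_CONFIG
    print(check_service_account(cfg))
```

Run it with the path to the real management.json; a 200 means the account, App password and application binding are all accepted, so a remaining 401 in the dashboard points elsewhere.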

jkirkcaldy commented 7 months ago

Ok, I've tried changing these settings and I'm still getting the same result:

2024-03-26T14:43:45Z WARN management/server/account.go:888: failed warming up cache due to error: unable to get authentik token, statusCode 400
2024-03-26T14:43:46Z INFO management/cmd/management.go:287: running gRPC backward compatibility server: [::]:33073
2024-03-26T14:43:46Z INFO management/cmd/management.go:319: management server version 0.26.3
2024-03-26T14:43:46Z INFO management/cmd/management.go:320: running HTTP server and gRPC server on the same port: [::]:443
2024-03-26T14:44:12Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-26T14:44:12Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400
2024-03-26T14:44:12Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-26T14:44:12Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 1102790954: GET /api/users status 401
2024-03-26T14:44:13Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-26T14:44:14Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-26T14:44:14Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400
2024-03-26T14:44:14Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-26T14:44:14Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 3549645181: GET /api/users status 401
2024-03-26T14:44:15Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-26T14:44:15Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400
2024-03-26T14:44:15Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-26T14:44:15Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 2353810366: GET /api/groups status 401
2024-03-26T14:44:15Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400
2024-03-26T14:44:15Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-26T14:44:15Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 3963034838: GET /api/users status 401

For what it's worth, I'm getting a different error in the iOS app. I'm getting a redirect URI error inside authentik and it doesn't return me to the app.

Codixer commented 5 months ago

I had exactly the same problem until I changed a few things:

  1. you have to bind the Netbird user to the Netbird application in the menu Applications > Applications > Netbird > Policy / Group / User Bindings.
  2. the "password" field associated with the Netbird user in the management.json file must be an App password, which can be created in the Directory > Tokens and App passwords menu. Do not use the Netbird user password that you may have created when creating the Netbird user in the Directory > Users menu.

This worked for me. I updated to the latest version of Authentik and updated netbird (both the git and the docker files), gave a user binding to the application for the Netbird account and BOOM. It authenticated me.

If you want, I could check with you through Discord (codixer) if you'd like. @jkirkcaldy