Open jkirkcaldy opened 8 months ago
I believe this is related to Authentik requiring the "offline access" request.
If I select offline access in the netbird provider/scopes in authentik, I get this error in the console in netbird:
Deselecting it in authentik results in the invalid token message.
Can confirm the same behavior on my side on Authentik 2024.2.1. It was working fine before the update. My existing authenticated clients continue to work, but I cannot authenticate any new ones. https://github.com/netbirdio/netbird/issues/1531 seems to be related, I tried the suggested fix there as well but unfortunately the issue still exists.
EDIT: Looks like it's an upstream authentik issue. Fix was applied 5 days ago but still hasn't been released, should be fixed in 2024.2.2 (See https://github.com/goauthentik/authentik/pull/8731 and https://github.com/goauthentik/authentik/issues/8660).
2024.2.2 has been released, did you have the chance to test it?
Yes, still not working for me.
In the iOS app I am also getting an authentik "invalid redirect URI" error. The redirect URIs are set as:
@sgtaziz can you share the logs from your management service container?
@mlsmaycon Everything is working from my side now. For me, it was 2 separate issues:
- offline_access scope enabled, which was not working correctly in Authentik 2024.2.1. This issue was resolved in 2024.2.2.
- offline_access scope in 2024.2.1 (and in 2024.2.2), I still had the 401 error. This was actually completely unrelated, and was caused by incorrect credentials to my netbird service account. I deleted the account and recreated it, and it was working perfectly after. I suggest you try the same @jkirkcaldy!
Thanks for confirming @sgtaziz.
@jkirkcaldy can you share the logs from your management service container?
Same issues after re-creating the netbird user in Authentik.
These are the management logs:
2024-03-25T15:47:50Z INFO management/cmd/management.go:449: loading OIDC configuration from the provided IDP configuration endpoint https://authentik.example.co.uk/application/o/netbird/.well-known/openid-configuration
2024-03-25T15:47:51Z INFO management/cmd/management.go:454: loaded OIDC configuration from the provided IDP configuration endpoint: https://authentik.example.co.uk/application/o/netbird/.well-known/openid-configuration
2024-03-25T15:47:51Z INFO management/cmd/management.go:456: overriding HttpConfig.AuthIssuer with a new value https://authentik.example.co.uk/application/o/netbird/, previously configured value: https://authentik.example.co.uk/application/o/netbird/
2024-03-25T15:47:51Z INFO management/cmd/management.go:460: overriding HttpConfig.AuthKeysLocation (JWT certs) with a new value https://authentik.example.co.uk/application/o/netbird/jwks/, previously configured value: https://authentik.example.co.uk/application/o/netbird/jwks/
2024-03-25T15:47:51Z INFO management/cmd/management.go:465: overriding DeviceAuthorizationFlow.TokenEndpoint with a new value: https://authentik.example.co.uk/application/o/token/, previously configured value: https://authentik.example.co.uk/application/o/token/
2024-03-25T15:47:51Z INFO management/cmd/management.go:468: overriding DeviceAuthorizationFlow.DeviceAuthEndpoint with a new value: https://authentik.example.co.uk/application/o/device/, previously configured value: https://authentik.example.co.uk/application/o/device/
2024-03-25T15:47:51Z INFO management/cmd/management.go:476: overriding DeviceAuthorizationFlow.ProviderConfig.Domain with a new value: authentik.example.co.uk, previously configured value: authentik.example.co.uk
2024-03-25T15:47:51Z INFO management/cmd/management.go:486: overriding PKCEAuthorizationFlow.TokenEndpoint with a new value: https://authentik.example.co.uk/application/o/token/, previously configured value: https://authentik.example.co.uk/application/o/token/
2024-03-25T15:47:51Z INFO management/cmd/management.go:489: overriding PKCEAuthorizationFlow.AuthorizationEndpoint with a new value: https://authentik.example.co.uk/application/o/authorize/, previously configured value: https://authentik.example.co.uk/application/o/authorize/
2024-03-25T15:47:51Z INFO management/server/telemetry/app_metrics.go:177: enabled application metrics and exposing on http://0.0.0.0:8081
2024-03-25T15:47:51Z INFO management/server/store.go:92: using SQLite store engine
2024-03-25T15:47:52Z INFO management/cmd/management.go:172: geo location service has been initialized from /var/lib/netbird/
2024-03-25T15:47:52Z INFO management/server/account.go:848: single account mode enabled, accounts number 1
2024-03-25T15:47:52Z WARN management/cmd/management.go:186: TrustedPeers are configured to default value '0.0.0.0/0', '::/0'. This allows connection IP spoofing.
2024-03-25T15:47:52Z WARN management/server/account.go:888: failed warming up cache due to error: unable to get authentik token, statusCode 400
2024-03-25T15:47:52Z INFO management/cmd/management.go:287: running gRPC backward compatibility server: [::]:33073
2024-03-25T15:47:52Z INFO management/cmd/management.go:319: management server version 0.26.3
2024-03-25T15:47:52Z INFO management/cmd/management.go:320: running HTTP server and gRPC server on the same port: [::]:443
2024-03-25T15:48:10Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-25T15:48:10Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400
2024-03-25T15:48:10Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-25T15:48:10Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 2097093298: GET /api/users status 401
2024-03-25T15:48:10Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-25T15:48:11Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400
2024-03-25T15:48:11Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-25T15:48:11Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 1411618969: GET /api/users status 401
2024-03-25T15:48:11Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-25T15:48:11Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400
2024-03-25T15:48:11Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-25T15:48:11Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 2393209750: GET /api/groups status 401
2024-03-25T15:48:11Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-25T15:48:11Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400
2024-03-25T15:48:11Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-25T15:48:11Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 3916251322: GET /api/users status 401
I had exactly the same problem until I changed a few things:
- you have to bind the Netbird user to the Netbird application in the menu Applications > Applications > Netbird > Policy / Group / User Bindings.
- the "password" field associated with the Netbird user in the management.json file must be an App password, which can be created in the Directory > Tokens and App passwords menu. Do not use the Netbird user password that you may have created when creating the Netbird user in the Directory > Users menu.
Ok, I've tried changing these settings and I'm still getting the same result:
2024-03-26T14:43:45Z WARN management/server/account.go:888: failed warming up cache due to error: unable to get authentik token, statusCode 400
2024-03-26T14:43:46Z INFO management/cmd/management.go:287: running gRPC backward compatibility server: [::]:33073
2024-03-26T14:43:46Z INFO management/cmd/management.go:319: management server version 0.26.3
2024-03-26T14:43:46Z INFO management/cmd/management.go:320: running HTTP server and gRPC server on the same port: [::]:443
2024-03-26T14:44:12Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-26T14:44:12Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400
2024-03-26T14:44:12Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-26T14:44:12Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 1102790954: GET /api/users status 401
2024-03-26T14:44:13Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-26T14:44:14Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-26T14:44:14Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400
2024-03-26T14:44:14Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-26T14:44:14Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 3549645181: GET /api/users status 401
2024-03-26T14:44:15Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-26T14:44:15Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400
2024-03-26T14:44:15Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-26T14:44:15Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 2353810366: GET /api/groups status 401
2024-03-26T14:44:15Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400
2024-03-26T14:44:15Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-26T14:44:15Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 3963034838: GET /api/users status 401
For what it's worth, I'm getting a different error in the iOS app. I'm getting a redirect URI error inside authentik and it doesn't return me to the app.
I had exactly the same problem until I changed a few things:
- you have to bind the Netbird user to the Netbird application in the menu Applications > Applications > Netbird > Policy / Group / User Bindings.
- the "password" field associated with the Netbird user in the management.json file must be an App password, which can be created in the Directory > Tokens and App passwords menu. Do not use the Netbird user password that you may have created when creating the Netbird user in the Directory > Users menu.
This worked for me. I updated to the latest version of Authentik and updated netbird (both the git and the docker files), gave a user binding to the application for the Netbird account and BOOM. It authenticated me.
If you want, I could check with you through Discord (codixer) if you'd like. @jkirkcaldy
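The logs in this thread show why the fix is on the Authentik service-account side even though the symptom is a client 401: the management service itself fails to fetch an Authentik token ("unable to get authentik token, statusCode 400") at cache warm-up and again on every JWT check. The triage script below is an added example (not netbird's or Authentik's code) that parses lines of this format, constructed here from the quoted log shape, and separates that case from a plain client-token rejection; the hint text is assumed from the advice given in this thread.

```python
import re
from collections import Counter

# Constructed sample, modelled on the management-service lines quoted in this thread.
SAMPLE_LOG = """\
2024-03-25T15:47:52Z WARN management/server/account.go:888: failed warming up cache due to error: unable to get authentik token, statusCode 400
2024-03-25T15:48:10Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-25T15:48:10Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400
2024-03-25T15:48:10Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-25T15:48:10Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 2097093298: GET /api/users status 401
2024-03-25T15:48:11Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 2393209750: GET /api/groups status 401
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<level>[A-Z]+) (?P<src>\S+?): (?P<msg>.*)$")
IDP_RE = re.compile(r"unable to get (?P<idp>\w+) token, statusCode (?P<code>\d+)")
HTTP_RE = re.compile(r"HTTP response \d+: (?P<method>[A-Z]+) (?P<path>\S+) status (?P<status>\d+)")

# Assumed hints, taken from the advice in this thread rather than from any project docs.
HINTS = {
    "idp_service_account": "Management cannot get its own IdP token: check the service-account "
                           "password in management.json (Authentik App password, not the user "
                           "password) and bind the account to the Netbird application.",
    "client_jwt": "The client token itself was rejected: compare the issuer and JWKS URLs "
                  "printed at startup with the Authentik application settings.",
    "ok": "No authentication failures found.",
}


def triage(log_text):
    """Return counts plus a verdict: idp_service_account, client_jwt, or ok."""
    r = {"warmup_failed": False, "idp": None, "idp_status": None,
         "idp_failures": 0, "api_401": Counter(), "verdict": "ok"}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        idp = IDP_RE.search(msg)
        if idp:  # management's own token request to the IdP failed
            r["idp_failures"] += 1
            r["idp"] = idp.group("idp")
            r["idp_status"] = int(idp.group("code"))
            if msg.startswith("failed warming up cache"):
                r["warmup_failed"] = True
        http = HTTP_RE.search(msg)
        if http and http.group("status") == "401":
            r["api_401"][http.group("path")] += 1
    if r["idp_failures"]:
        # Every JWT check that needs the IdP fails too, so the client 401 is a symptom.
        r["verdict"] = "idp_service_account"
    elif r["api_401"]:
        r["verdict"] = "client_jwt"
    r["hint"] = HINTS[r["verdict"]]
    return r
```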
Using authentik as auth provider and Traefik as the reverse proxy.
These lines appear in the management logs:
I have a red box with a warning message
management.json
Compose file