netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

Request failed with status code 401 (Authentik) #2941

Open MDMeridio001 opened 23 hours ago

MDMeridio001 commented 23 hours ago

Describe the problem

After updating to authentik version 2024.10.4 I am no longer able to access the dashboard as I get an "invalid token" error. Looking at the management logs I can see the following error:

management-1 | 2024-11-23T11:01:07Z WARN [context: SYSTEM] management/server/account.go:1114: failed warming up cache due to error: 403 Forbidden

I have tried deleting the Netbird service account's token and creating a new one, and I have also tried completely removing the application and provider and setting them up again from scratch, but it didn't fix the error. With version 2024.10.2 everything worked just fine.

To Reproduce

Steps to reproduce the behavior:

  1. Update authentik to version 2024.10.4
  2. Check for the error in the management logs

Are you using NetBird Cloud?

Self-hosted

NetBird version

0.33.0

Screenshots

image

mlsmaycon commented 22 hours ago

Hello, @MDMeridio001, it seems like something went wrong with the guide steps 3 and 4 on your configuration. Can you review them and rerun the configure.sh script?

As an alternative, you can disable IdP manager in your management.json file by setting IdpManagerConfig.ManagerType and then restarting the management service with docker compose restart management

MDMeridio001 commented 22 hours ago

@mlsmaycon Thanks for the reply. I'd prefer not to disable the IdP as I have all of my users configured there.

I would like to specify that it worked in version 2024.10.2 and I suspect that maybe they have made some changes to some of authentik's API endpoints. I have also checked the nginx logs and it seems like error 403 is returned when the management service tries to reach this endpoint:

[23/Nov/2024:12:03:53 +0100] "GET /api/v3/core/users/?page=1 HTTP/2.0" 403 58 "-" "OpenAPI-Generator/1.0.0/go"

If I try to access the same page in a web browser logged in as the Netbird service account I successfully get a list with all the users in JSON format.

I would also like to mention that since I followed the guide when I first set netbird and authentik up the WebUI for authentik changed significantly, so it might be in need of an update. For example, when I tried to recreate the Netbird service account the token was not created automatically and I had to manually add one.

MDMeridio001 commented 21 hours ago

@mlsmaycon Just an update. I restored an old backup of authentik (version 2024.8.2) and it immediately started working again.

mlsmaycon commented 21 hours ago

The backup is old but are you running the latest authentik version?

MDMeridio001 commented 21 hours ago

@mlsmaycon No, I'm running version 2024.8.2

Spiritreader commented 13 hours ago

I am having the same problem since updating to 2024.10.4, only that rolling back to 2024.8.2 (or any other older version) does not restore functionality.

The service account mentioned in steps 3 and 4 of the guide seems to work fine though; in Authentik I see it logging in successfully.

I have even set up netbird from scratch, deleting all configuration and recreating it from infrastructure artifacts with Authentik versions 2024.8.6, 2024.8.5, 2024.8.2, 2024.10.4 and 2024.10.3.

There were some issues with redirect URLs for 2024.8.5 and 2024.10.3 which since have been resolved.

Currently I am on 2024.8.6, which is the latest supported build of 2024.8. Those are the logs:

2024-11-23T21:29:44Z WARN [context: SYSTEM] management/server/account.go:1114: failed warming up cache due to error: 403 Forbidden

2024-11-23T21:30:33Z DEBG management/server/account.go:1515: account cres9lc1955s73f2aig0 not found in cache, reloading
2024-11-23T21:30:33Z ERRO [context: HTTP, requestID: 5b94c307-da2a-406f-9545-3a886a33d7c4] management/server/http/middleware/auth_middleware.go:89: Error when validating JWT claims: 403 Forbidden
2024-11-23T21:30:33Z ERRO [context: HTTP, requestID: 5b94c307-da2a-406f-9545-3a886a33d7c4] management/server/http/util/util.go:81: got a handler error: token invalid
2024-11-23T21:30:33Z ERRO [requestID: 5b94c307-da2a-406f-9545-3a886a33d7c4, context: HTTP] management/server/telemetry/http_api_metrics.go:168: HTTP response 5b94c307-da2a-406f-9545-3a886a33d7c4: GET /api/users status 401
2024-11-23T21:30:33Z DEBG [context: HTTP, requestID: 5b94c307-da2a-406f-9545-3a886a33d7c4] management/server/telemetry/http_api_metrics.go:181: request GET /api/users took 357 ms and finished with status 401
2024-11-23T21:30:35Z DEBG [context: SYSTEM] management/server/jwtclaims/jwtValidator.go:120: keys refreshed, new UTC expiration time: 2024-11-23 21:30:35.465361803 +0000 UTC
2024-11-23T21:30:35Z DEBG [context: HTTP, requestID: f42c4177-9e51-4d9a-83d9-a11aacd27150] management/server/account.go:2002: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-11-23T21:30:35Z DEBG [context: HTTP, requestID: f42c4177-9e51-4d9a-83d9-a11aacd27150] management/server/account.go:1577: looking up user 1 of account cres9lc1955s73f2aig0 in cache

The netbird service account is in the authentik-admins group.

roehren commented 10 hours ago

Had the same problem. After adding api access to the scopes of the Authentik OAuth2 Provider and restarting the management container it seems to work again.
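A small diagnostic, added here as an example and not part of this issue or of NetBird's own code, that does by hand what the management service does with the service account from steps 3 and 4 of the guide: it obtains a token with the client_credentials grant using the NetBird provider's client ID and secret, checks whether the granted scopes include goauthentik.io/api (the "api access" scope roehren's fix adds to the provider), and then calls the /api/v3/core/users/?page=1 endpoint that returned 403 in the nginx log above. Assumptions not taken from the thread: the environment variable names, the token path /application/o/token/ (the same value NetBird's management.json carries as TokenEndpoint), and that authentik reports the granted scopes in the standard scope field of the token response and silently drops requested scopes the provider does not allow rather than rejecting the request.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"
)

// APIScope is the authentik scope that lets an OAuth2 access token call /api/v3.
const APIScope = "goauthentik.io/api"

// TokenResponse is the subset of the RFC 6749 token response this check inspects.
type TokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	ExpiresIn   int    `json:"expires_in"`
	Scope       string `json:"scope"` // space-separated scopes actually granted
}

// ParseTokenResponse decodes a token endpoint body and rejects bodies without a token
// (authentik answers errors with {"error": ...} and no access_token).
func ParseTokenResponse(body []byte) (*TokenResponse, error) {
	var tr TokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return nil, fmt.Errorf("decode token response: %w", err)
	}
	if tr.AccessToken == "" {
		return nil, errors.New("token response carries no access_token")
	}
	return &tr, nil
}

// HasScope reports whether the space-separated granted scope string contains want.
func HasScope(granted, want string) bool {
	for _, s := range strings.Fields(granted) {
		if s == want {
			return true
		}
	}
	return false
}

// ClientCredentialsToken performs the grant NetBird's IdP manager uses for the service account.
func ClientCredentialsToken(ctx context.Context, c *http.Client, tokenEndpoint, clientID, clientSecret, scope string) (*TokenResponse, error) {
	form := url.Values{
		"grant_type":    {"client_credentials"},
		"client_id":     {clientID},
		"client_secret": {clientSecret},
		"scope":         {scope},
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, tokenEndpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := c.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("token endpoint returned %d: %s", resp.StatusCode, strings.TrimSpace(string(body)))
	}
	return ParseTokenResponse(body)
}

// ProbeUsers calls the user listing that the management service uses to warm its cache
// and returns the HTTP status, so a 403 here reproduces the failure in the logs.
func ProbeUsers(ctx context.Context, c *http.Client, baseURL, accessToken string) (int, error) {
	u := strings.TrimRight(baseURL, "/") + "/api/v3/core/users/?page=1"
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, u, nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("Authorization", "Bearer "+accessToken)
	resp, err := c.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body)
	return resp.StatusCode, nil
}

func main() {
	// Assumed variable names: AUTHENTIK_URL is the base URL, e.g. https://auth.example.com.
	base, id, secret := os.Getenv("AUTHENTIK_URL"), os.Getenv("NETBIRD_CLIENT_ID"), os.Getenv("NETBIRD_CLIENT_SECRET")
	if base == "" || id == "" || secret == "" {
		fmt.Fprintln(os.Stderr, "set AUTHENTIK_URL, NETBIRD_CLIENT_ID and NETBIRD_CLIENT_SECRET")
		os.Exit(2)
	}
	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
	defer cancel()
	client := &http.Client{Timeout: 15 * time.Second}
	tok, err := ClientCredentialsToken(ctx, client, strings.TrimRight(base, "/")+"/application/o/token/", id, secret, "openid profile email "+APIScope)
	if err != nil {
		fmt.Fprintln(os.Stderr, "token request failed:", err)
		os.Exit(1)
	}
	if !HasScope(tok.Scope, APIScope) {
		fmt.Printf("granted scopes %q lack %s: add it to the provider's scopes\n", tok.Scope, APIScope)
	}
	status, err := ProbeUsers(ctx, client, base, tok.AccessToken)
	if err != nil {
		fmt.Fprintln(os.Stderr, "probe failed:", err)
		os.Exit(1)
	}
	fmt.Printf("GET /api/v3/core/users/?page=1 -> %d\n", status)
}
```

A 200 from the probe with goauthentik.io/api in the granted scopes is the state the management service needs; a granted scope string without it, followed by a 403, is the symptom in this thread even though the same account can list users from a browser session, because the browser request is authorised by the session cookie rather than by the OAuth2 token's scopes.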

Spiritreader commented 8 hours ago

> Had the same problem. After adding api access to the scopes of the Authentik OAuth2 Provider and restarting the management container it seems to work again.

You're fantastic, that worked! Thank you ❤️