netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

Error shown on Website: e.split(...)[1] is undefined #797

Closed Knniff closed 1 year ago

Knniff commented 1 year ago

Describe the problem: After setting up netbird through docker with gitlab as an idp, the webui shows me this error on loading up: e.split(...)[1] is undefined

To Reproduce: Steps to reproduce the behavior:

  1. Follow the provided docker guide
  2. Login through idp (in this case gitlab and not keycloak/auth0)

Expected behavior: No error being displayed

Screenshots: firefox_J298UVoRr6 (attached image)

Knniff commented 1 year ago

The provided screenshot was taken with Firefox, using edge/chromium i get a slightly different error: "Cannot read properties of undefined (reading 'replace')"

Knniff commented 1 year ago

After trying around for a bit I also noticed that the webui causes a significant slowdown of the respective browsers, and the task manager shows 30-40% CPU utilization (Ryzen 7 4700U) for the browser (happens in both Firefox and Edge).

mlsmaycon commented 1 year ago

Hello @Knniff, sorry to see that you're facing issues with the Keycloak integration.

Regarding the blank screen and the error, can you please open the development tools from your browser and refresh the page? Then, if you go to Console, you should see more details about the error you are facing.

You can also check the management server logs by issuing the following command:

docker-compose logs management

Regarding the CPU consumption, let's check it again after we solve the first issue? I would like to have a look if it is related to the current errors you are facing.

Knniff commented 1 year ago

This is the error from the firefox dev tools:

TypeError: e.split(...)[1] is undefined
    mC token.ts:21
    gC token.ts:26
    e token.ts:38
    Babel 7
        p
        C
        E
        r
        s
        o
        o
    e token.ts:36
    e header-factory.ts:6
    Babel 7
        p
        C
        E
        r
        s
        o
        o
    an header-factory.ts:6
    t api-request.ts:11
    Babel 7
        p
        C
        E
        r
        s
        o
        o
    sn api-request.ts:6
    value api-request.ts:6
    value api-client.ts:18
    ZG App.tsx:59
    React 3
        rc
        Sl
        El
    S scheduler.production.min.js:13
    I scheduler.production.min.js:14
App.tsx:66:17

And here are the logs from the management container:

Attaching to infrastructure_files-management-1
infrastructure_files-management-1 | time="2023-04-11T10:20:41Z" level=info msg="loading OIDC configuration from the provided IDP configuration endpoint https://gitlab.domain.de/.well-known/openid-configuration"
infrastructure_files-management-1 | time="2023-04-11T10:20:42Z" level=info msg="loaded OIDC configuration from the provided IDP configuration endpoint: https://gitlab.domain.de/.well-known/openid-configuration"
infrastructure_files-management-1 | time="2023-04-11T10:20:42Z" level=info msg="overriding HttpConfig.AuthIssuer with a new value https://gitlab.domain.de, previously configured value: https://gitlab.domain.de"
infrastructure_files-management-1 | time="2023-04-11T10:20:42Z" level=info msg="overriding HttpConfig.AuthKeysLocation (JWT certs) with a new value https://gitlab.domain.de/oauth/discovery/keys, previously configured value: https://gitlab.domain.de/oauth/discovery/keys"
infrastructure_files-management-1 | 2023-04-11T10:20:42Z INFO management/server/telemetry/app_metrics.go:144: enabled application metrics and exposing on http://0.0.0.0:8081
infrastructure_files-management-1 | 2023-04-11T10:20:42Z INFO management/server/account.go:636: single account mode disabled, accounts number 0
infrastructure_files-management-1 | 2023-04-11T10:20:42Z INFO management/cmd/management.go:233: running gRPC backward compatibility server: [::]:33073
infrastructure_files-management-1 | 2023-04-11T10:20:42Z INFO management/cmd/management.go:265: running HTTP server and gRPC server on the same port: [::]:443

I also noticed, that the high cpu consumption only occurs after clicking on the settings button.

pascal-fischer commented 1 year ago

Hi @Knniff,

it seems the UI has issues validating the JWT. As Gitlab is using ID tokens, can you check your configuration if NETBIRD_TOKEN_SOURCE=idToken is set? After you change it you need to run configure.sh again.

The UI is doing quite a few retries if JWT validation fails. That might be the reason for the high CPU usage.

Please let me know if that solves the issue.

Knniff commented 1 year ago

What do I have to put as NETBIRD_TOKEN_SOURCE? My Gitlab instance gives me an "Application ID" and "Secret".

Here are my setup files. setup.env

## example file, you can copy this file to setup.env and update its values
##
# Dashboard domain. e.g. app.mydomain.com
NETBIRD_DOMAIN="netbird.domain.de"
# OIDC configuration e.g., https://example.eu.auth0.com/.well-known/openid-configuration
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://gitlab.domain.de/.well-known/openid-configuration"
NETBIRD_AUTH_AUDIENCE="https://netbird.domain.de"
# e.g. netbird-client
NETBIRD_AUTH_CLIENT_ID="currently the gitlab Application ID"
# if you want to use a custom claim for the user ID instead of 'sub', set it here
# NETBIRD_AUTH_USER_ID_CLAIM=""
# indicates whether to use Auth0 or not: true or false
NETBIRD_USE_AUTH0="false"
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""
# e.g. hello@mydomain.com
NETBIRD_LETSENCRYPT_EMAIL="myemail@example.de"
# if your IDP provider doesn't support fragmented URIs, configure custom
# redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain.
NETBIRD_AUTH_REDIRECT_URI="/peers"
NETBIRD_AUTH_SILENT_REDIRECT_URI="/add-peers"

# Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
NETBIRD_DISABLE_ANONYMOUS_METRICS=false
# DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
NETBIRD_MGMT_DNS_DOMAIN=netbird.domain.local

docker-compose.yml.tmpl:

version: "3"
services:
  #UI dashboard
  dashboard:
    image: wiretrustee/dashboard:latest
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    environment:
      - AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
      - AUTH_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
      - AUTH_AUTHORITY=$NETBIRD_AUTH_AUTHORITY
      - USE_AUTH0=$NETBIRD_USE_AUTH0
      - AUTH_SUPPORTED_SCOPES=openid profile email # because my gitlab only gives those 3
      - NETBIRD_MGMT_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
      - NGINX_SSL_PORT=443
      - LETSENCRYPT_DOMAIN=$NETBIRD_DOMAIN
      - LETSENCRYPT_EMAIL=$NETBIRD_LETSENCRYPT_EMAIL
      - AUTH_REDIRECT_URI=$NETBIRD_AUTH_REDIRECT_URI
      - AUTH_SILENT_REDIRECT_URI=$NETBIRD_AUTH_SILENT_REDIRECT_URI
    volumes:
      - $LETSENCRYPT_VOLUMENAME:/etc/letsencrypt/
  # Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    volumes:
      - $SIGNAL_VOLUMENAME:/var/lib/netbird
    ports:
      - 10000:80
  #      # port and command for Let's Encrypt validation
  #      - 443:443
  #    command: ["--letsencrypt-domain", "$NETBIRD_DOMAIN", "--log-file", "console"]
  # Management
  management:
    image: netbirdio/management:latest
    restart: unless-stopped
    depends_on:
      - dashboard
    volumes:
      - $MGMT_VOLUMENAME:/var/lib/netbird
      - $LETSENCRYPT_VOLUMENAME:/etc/letsencrypt:ro
      - ./management.json:/etc/netbird/management.json
    ports:
      - $NETBIRD_MGMT_API_PORT:443 #API port
  #    # command for Let's Encrypt validation without dashboard container
  #    command: ["--letsencrypt-domain", "$NETBIRD_DOMAIN", "--log-file", "console"]
    command: ["--port", "443", "--log-file", "console", "--disable-anonymous-metrics=$NETBIRD_DISABLE_ANONYMOUS_METRICS", "--single-account-mode-domain=$NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN", "--dns-domain=$NETBIRD_MGMT_DNS_DOMAIN"]
  # Coturn
  coturn:
    image: coturn/coturn
    restart: unless-stopped
    domainname: $NETBIRD_DOMAIN
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
    #      - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
    #      - ./cert.pem:/etc/coturn/certs/cert.pem:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf
volumes:
  $MGMT_VOLUMENAME:
  $SIGNAL_VOLUMENAME:
  $LETSENCRYPT_VOLUMENAME:

Is it a problem that there is no NETBIRD_TOKEN_SOURCE in the template file or the setup.env?

Thunderbottom commented 1 year ago

Yep, seems like you're still on an older tag and will require a git pull to fetch the latest commits. NETBIRD_TOKEN_SOURCE was added in https://github.com/netbirdio/netbird/commit/f14f34cf2bc6041030372c817dc797207edc7006, which was the v0.15.0 release.

What do i have to put as NETBIRD_TOKEN_SOURCE? My Gitlab instance gives me an "Application ID" and "Secret"

You need to set NETBIRD_TOKEN_SOURCE=idToken in your compose. The only two options it supports are idToken and accessToken.

Also make sure to pull the new docker images with docker compose pull and run docker compose stop && docker compose up -d to recreate the containers with the new image after setting the variable.

Knniff commented 1 year ago

I'm currently on no branch; which git branch am I supposed to use?

Thunderbottom commented 1 year ago

you could use the main branch, or if you're not willing to take the risk, you could pull the latest tag:

$ git fetch --tags
$ git checkout v0.16.0

Knniff commented 1 year ago

I switched to the latest tag and redid my setup.env. Now the site behaves normally, but I get a new error: Request failed with status code 401. Please refresh the page if the issue continues. token invalid

Is that a problem with my setup.env?

## example file, you can copy this file to setup.env and update its values
##
# Dashboard domain. e.g. app.mydomain.com
NETBIRD_DOMAIN="netbird.domain.de"

# -------------------------------------------
# OIDC
#  e.g., https://example.eu.auth0.com/.well-known/openid-configuration
# -------------------------------------------
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://gitlab.domain.de/.well-known/openid-configuration"
NETBIRD_AUTH_AUDIENCE="https://netbird.domain.de"
# e.g. netbird-client
NETBIRD_AUTH_CLIENT_ID="gitlab application id"
# if you want to use a custom claim for the user ID instead of 'sub', set it here
# NETBIRD_AUTH_USER_ID_CLAIM=""
# indicates whether to use Auth0 or not: true or false
NETBIRD_USE_AUTH0="false"
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""
# Some IDPs requires different audience, scopes and to use id token for device authorization flow
# you can customize here:
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid profile email"
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=true

# if your IDP provider doesn't support fragmented URIs, configure custom
# redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain.
NETBIRD_AUTH_REDIRECT_URI="/peers"
NETBIRD_AUTH_SILENT_REDIRECT_URI="/add-peers"
# Updates the preference to use id tokens instead of access token on dashboard
# Okta and Gitlab IDPs can benefit from this
NETBIRD_TOKEN_SOURCE="idToken"

# -------------------------------------------
# Letsencrypt
# -------------------------------------------
# Disable letsencrypt
#  if disabled, cannot use HTTPS anymore and requires setting up a reverse-proxy to do it instead
NETBIRD_DISABLE_LETSENCRYPT=false
# e.g. hello@mydomain.com
NETBIRD_LETSENCRYPT_EMAIL="mail"

# Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
NETBIRD_DISABLE_ANONYMOUS_METRICS=false
# DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
NETBIRD_MGMT_DNS_DOMAIN=netbird.domain.local
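
The following is an added example, not NetBird's dashboard or management code, illustrating the two failures discussed in this thread. First, the `e.split(...)[1] is undefined` / `Cannot read properties of undefined (reading 'replace')` error is what a base64url JWT decoder produces when it is handed an opaque access token (a bearer string with no dot-separated segments) instead of a JWT, which is why pascal-fischer and Thunderbottom point at `NETBIRD_TOKEN_SOURCE=idToken`. Second, once a JWT is sent, a resource server checks `iss`, `aud` and `exp`; an OIDC ID token carries the client ID in `aud`, so checking it against a URL-shaped configured audience fails. That this is the cause of the later `401 ... token invalid` is an assumption on my part, not something the thread confirms. The issuer, client ID, hostnames and token values below are constructed for the example and are not real tokens.

```javascript
// Added example (not NetBird's code). Decodes JWTs the way a dashboard must
// before it can read claims, shows the failure on an opaque token, and applies
// the iss/aud/exp checks a resource server performs after signature verification.

// base64url helpers (RFC 7515 section 2): swap the URL-safe alphabet and restore padding.
function b64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Naive decoder in the shape of the failing call: assumes three dot-separated parts.
// On an opaque token, split('.')[1] is undefined and the .replace() inside b64urlDecode throws.
function naiveDecode(token) {
  return JSON.parse(b64urlDecode(token.split('.')[1]));
}

// Returns the error message the naive decoder produces for a token, or null if it decodes.
function naiveDecodeError(token) {
  try { naiveDecode(token); return null; } catch (e) { return e.message; }
}

// Defensive decoder: null for anything that is not a three-part JWS compact serialization.
function decodeJwtPayload(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try { return JSON.parse(b64urlDecode(parts[1])); } catch { return null; }
}

// Claim checks applied after the signature has been verified against the issuer's JWKS
// (signature verification is omitted here because it needs the network).
function checkClaims(claims, { issuer, audience, now = Math.floor(Date.now() / 1000) }) {
  if (!claims) return ['not a JWT'];
  const problems = [];
  if (claims.iss !== issuer) problems.push(`iss ${claims.iss} != ${issuer}`);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(audience)) problems.push(`aud ${JSON.stringify(aud)} does not contain ${audience}`);
  if (typeof claims.exp !== 'number' || claims.exp <= now) problems.push('exp missing or in the past');
  return problems;
}

// Which token the dashboard attaches, mirroring the two NETBIRD_TOKEN_SOURCE values.
function selectToken(tokens, source) {
  if (source === 'idToken') return tokens.id_token;
  if (source === 'accessToken') return tokens.access_token;
  throw new Error(`unsupported token source: ${source}`);
}

// Constructed sample token response (hypothetical issuer, client ID and values):
// an opaque access token plus a JWT ID token whose aud is the client ID, as OIDC requires.
// The signature segment is a placeholder; nothing here is a real token.
const ISSUER = 'https://gitlab.example.test';
const CLIENT_ID = 'abc123-application-id';
const SAMPLE_TOKENS = {
  access_token: 'gloa-0123456789abcdef0123456789abcdef',
  id_token: [
    b64urlEncode({ alg: 'RS256', typ: 'JWT', kid: 'k1' }),
    b64urlEncode({ iss: ISSUER, aud: CLIENT_ID, sub: '42', exp: 4102444800 }),
    'signature-placeholder',
  ].join('.'),
};

// Run one dashboard configuration end to end and report what happens.
function run(tokenSource, configuredAudience) {
  const token = selectToken(SAMPLE_TOKENS, tokenSource);
  return {
    naiveError: naiveDecodeError(token),
    problems: checkClaims(decodeJwtPayload(token), { issuer: ISSUER, audience: configuredAudience }),
  };
}

function main() {
  console.log('accessToken (opaque):        ', run('accessToken', 'https://netbird.example.test'));
  console.log('idToken, URL audience:       ', run('idToken', 'https://netbird.example.test'));
  console.log('idToken, client-ID audience: ', run('idToken', CLIENT_ID));
}
main();
```

Run it with `node`. The three `run` calls correspond to the dashboard sending the opaque access token (the original decoder crash), the ID token checked against a URL-shaped audience (rejected on `aud`), and the ID token checked against the client ID (accepted). When debugging a real deployment, paste the token the browser actually sends (visible in the dev tools Network tab as the `Authorization: Bearer` header) into `decodeJwtPayload` and compare `iss` and `aud` with what the management server was configured with.
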
Knniff commented 1 year ago

I now changed my idp to keycloak and have new issues but thats for a new issue