OIDC: wrong host for .well-known/openid-configuration #1159

New Issue

Open

opened 2025-11-20 05:25:00 -05:00 by saavagebueno · 31 comments

saavagebueno commented 2025-11-20 05:25:00 -05:00

Owner

Copy Link

Originally created by @Cheezzhead on GitHub (Aug 17, 2024).

Describe the problem

I get an Error: Unauthenticated message upon opening the dashboard homepage. Checking the browser's development console, it is attempting to fetch the OIDC configuration from http://localhost/.well-known/openid-configuration which is obviously wrong. I can't find the (environment?) variable to change this.

Additionally (not sure if related), but the setup script generates an openid-configuration.json file which is never used in the generated compose file. Is this intentional?

To Reproduce

Relevant part from docker-compose.yml:

services:
  dashboard:
    image: netbirdio/dashboard:latest
    # ...
    environment:
      # ...
      # OIDC
      - AUTH_AUDIENCE=netbird
      - AUTH_CLIENT_ID=clientId
      - AUTH_CLIENT_SECRET=clientSecret
      - AUTH_AUTHORITY=https://auth.domain.tld
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api groups
      - NETBIRD_TOKEN_SOURCE=accessToken
      # ...

  management:
    image: netbirdio/management:latest
    // ...
    ports:
      - 33073:443
    command: [
      "--port", "443",
      "--log-file", "console",
      "--log-level", "info",
      "--disable-anonymous-metrics=false",
      "--single-account-mode-domain=net.doman.tld",
      "--dns-domain=netbird.selfhosted",
      # Only if dashboard doesn't exist/enable letsencrypt
      "--letsencrypt-domain", "net.domain.tld", 
    ]
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - letsencrypt:/etc/letsencrypt:ro
      - ./management.json:/etc/netbird/management.json

management.json:

{
    "Stuns": [
      {
        "Proto": "udp",
        "URI": "stun:net.domain.tld:3478",
        "Username": "",
        "Password": null
      }
    ],
    "TURNConfig": {
      "Turns": [
        {
          "Proto": "udp",
          "URI": "turn:net.domain.tld:3478",
          "Username": "self",
          "Password": "ZTgDOSevQghQDn6ZMgVYKld4vB0hXQ5dZ23cYM5pG0M"
        }
      ],
      "CredentialsTTL": "12h",
      "Secret": "secret",
      "TimeBasedCredentials": false
    },
    "Signal": {
      "Proto": "https",
      "URI": "net.domain.tld:10000",
      "Username": "",
      "Password": null
    },
    "ReverseProxy": {
      "TrustedHTTPProxies": [],
      "TrustedHTTPProxiesCount": 0,
      "TrustedPeers": [
        "0.0.0.0/0"
      ]
    },
    "Datadir": "",
    "DataStoreEncryptionKey": "",
    "StoreConfig": {
      "Engine": "sqlite"
    },
    "HttpConfig": {
      "Address": "0.0.0.0:33073",
      "AuthIssuer": "https://auth.domain.tld",
      "AuthAudience": "netbird",
      "AuthKeysLocation": "https://auth.domain.tld/jwks.json",
      "AuthUserIDClaim": "preferred_username",
      "CertFile": "",
      "CertKey": "",
      "IdpSignKeyRefreshEnabled": false,
      "OIDCConfigEndpoint": "https://auth.domain.tld/.well-known/openid-configuration"
    },
    "IdpManagerConfig": {
      "ManagerType": "",
      "ClientConfig": {
        "Issuer": "https://auth.domain.tld",
        "TokenEndpoint": "https://auth.domain.tld/api/oidc/token",
        "ClientID": "",
        "ClientSecret": "",
        "GrantType": "client_credentials"
      },
      "ExtraConfig": {},
      "Auth0ClientCredentials": null,
      "AzureClientCredentials": null,
      "KeycloakClientCredentials": null,
      "ZitadelClientCredentials": null
    },
    "DeviceAuthorizationFlow": {
      "Provider": "none",
      "ProviderConfig": {
        "Audience": "netbird",
        "AuthorizationEndpoint": "",
        "Domain": "",
        "ClientID": "",
        "ClientSecret": "",
        "TokenEndpoint": "https://auth.domain.tld/api/oidc/token",
        "DeviceAuthEndpoint": "null",
        "Scope": "openid",
        "UseIDToken": false,
        "RedirectURLs": null
      }
    },
    "PKCEAuthorizationFlow": {
      "ProviderConfig": {
        "Audience": "netbird",
        "ClientID": "mMZH_ychgEKCMF73v0gFvy1~aSL7uCzS6oBJu8qVJrik4Kr.g_zQtonWEioCXRl746yFO.eC",
        "ClientSecret": "G1wY.vEQTCrMaHuPhnhCzR~Vc~LONL_Y.3UNBRRR5sy-vpgd36xSjRPetNrApOEe3i~p5bNg",
        "Domain": "",
        "AuthorizationEndpoint": "https://auth.domain.tld/api/oidc/authorization",
        "TokenEndpoint": "https://auth.domain.tld/api/oidc/token",
        "Scope": "openid profile email offline_access api groups",
        "RedirectURLs": [
          "http://localhost:53000"
        ],
        "UseIDToken": false
      }
    }
  }

Expected behavior

The configuration should be retrieved from https://auth.domain.tld/.well-known/oidc-configuration.

Are you using NetBird Cloud?

Self-hosted

NetBird version

0.28.7

Originally created by @Cheezzhead on GitHub (Aug 17, 2024). **Describe the problem** I get an `Error: Unauthenticated` message upon opening the dashboard homepage. Checking the browser's development console, it is attempting to fetch the OIDC configuration from `http://localhost/.well-known/openid-configuration` which is obviously wrong. I can't find the (environment?) variable to change this. Additionally (not sure if related), but the [setup script](https://github.com/netbirdio/netbird/blob/main/infrastructure_files/configure.sh) generates an `openid-configuration.json` file which is never used in the generated compose file. Is this intentional? **To Reproduce** Relevant part from `docker-compose.yml`: ``` services: dashboard: image: netbirdio/dashboard:latest # ... environment: # ... # OIDC - AUTH_AUDIENCE=netbird - AUTH_CLIENT_ID=clientId - AUTH_CLIENT_SECRET=clientSecret - AUTH_AUTHORITY=https://auth.domain.tld - USE_AUTH0=false - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api groups - NETBIRD_TOKEN_SOURCE=accessToken # ... management: image: netbirdio/management:latest // ... ports: - 33073:443 command: [ "--port", "443", "--log-file", "console", "--log-level", "info", "--disable-anonymous-metrics=false", "--single-account-mode-domain=net.doman.tld", "--dns-domain=netbird.selfhosted", # Only if dashboard doesn't exist/enable letsencrypt "--letsencrypt-domain", "net.domain.tld", ] volumes: - netbird-mgmt:/var/lib/netbird - letsencrypt:/etc/letsencrypt:ro - ./management.json:/etc/netbird/management.json ``` `management.json`: ``` { "Stuns": [ { "Proto": "udp", "URI": "stun:net.domain.tld:3478", "Username": "", "Password": null } ], "TURNConfig": { "Turns": [ { "Proto": "udp", "URI": "turn:net.domain.tld:3478", "Username": "self", "Password": "ZTgDOSevQghQDn6ZMgVYKld4vB0hXQ5dZ23cYM5pG0M" } ], "CredentialsTTL": "12h", "Secret": "secret", "TimeBasedCredentials": false }, "Signal": { "Proto": "https", "URI": "net.domain.tld:10000", "Username": "", "Password": null }, "ReverseProxy": { "TrustedHTTPProxies": [], "TrustedHTTPProxiesCount": 0, "TrustedPeers": [ "0.0.0.0/0" ] }, "Datadir": "", "DataStoreEncryptionKey": "", "StoreConfig": { "Engine": "sqlite" }, "HttpConfig": { "Address": "0.0.0.0:33073", "AuthIssuer": "https://auth.domain.tld", "AuthAudience": "netbird", "AuthKeysLocation": "https://auth.domain.tld/jwks.json", "AuthUserIDClaim": "preferred_username", "CertFile": "", "CertKey": "", "IdpSignKeyRefreshEnabled": false, "OIDCConfigEndpoint": "https://auth.domain.tld/.well-known/openid-configuration" }, "IdpManagerConfig": { "ManagerType": "", "ClientConfig": { "Issuer": "https://auth.domain.tld", "TokenEndpoint": "https://auth.domain.tld/api/oidc/token", "ClientID": "", "ClientSecret": "", "GrantType": "client_credentials" }, "ExtraConfig": {}, "Auth0ClientCredentials": null, "AzureClientCredentials": null, "KeycloakClientCredentials": null, "ZitadelClientCredentials": null }, "DeviceAuthorizationFlow": { "Provider": "none", "ProviderConfig": { "Audience": "netbird", "AuthorizationEndpoint": "", "Domain": "", "ClientID": "", "ClientSecret": "", "TokenEndpoint": "https://auth.domain.tld/api/oidc/token", "DeviceAuthEndpoint": "null", "Scope": "openid", "UseIDToken": false, "RedirectURLs": null } }, "PKCEAuthorizationFlow": { "ProviderConfig": { "Audience": "netbird", "ClientID": "mMZH_ychgEKCMF73v0gFvy1~aSL7uCzS6oBJu8qVJrik4Kr.g_zQtonWEioCXRl746yFO.eC", "ClientSecret": "G1wY.vEQTCrMaHuPhnhCzR~Vc~LONL_Y.3UNBRRR5sy-vpgd36xSjRPetNrApOEe3i~p5bNg", "Domain": "", "AuthorizationEndpoint": "https://auth.domain.tld/api/oidc/authorization", "TokenEndpoint": "https://auth.domain.tld/api/oidc/token", "Scope": "openid profile email offline_access api groups", "RedirectURLs": [ "http://localhost:53000" ], "UseIDToken": false } } } ``` **Expected behavior** The configuration should be retrieved from `https://auth.domain.tld/.well-known/oidc-configuration`. **Are you using NetBird Cloud?** Self-hosted **NetBird version** 0.28.7

saavagebueno added the waiting-feedbacktriage-needed labels 2025-11-20 05:25:00 -05:00

saavagebueno commented 2025-11-20 05:25:01 -05:00

Author

Owner

Copy Link

@collse commented on GitHub (Aug 18, 2024):

it should be in your management.json https://<your.domain.tld>/application/o/netbird/.well-known/openid-configuration",

the mangement.json itself is mounted as a volume in the docker-compose.yml in the management service

@collse commented on GitHub (Aug 18, 2024): it should be in your management.json https://<your.domain.tld>/application/o/netbird/.well-known/openid-configuration", the mangement.json itself is mounted as a volume in the docker-compose.yml in the management service

saavagebueno commented 2025-11-20 05:25:01 -05:00

Author

Owner

Copy Link

@manju-rn commented on GitHub (Aug 18, 2024):

Actually I have the similar issue. I am using Zitadel - I was wondering what is the use of below which is setup in the management.json . I am using zitadel and I am not using this redirect URL. Even if I setup this up, where would this point to since myzitadel server is seperate from say netbird server?

        "RedirectURLs": [
          "http://localhost:53000"

@manju-rn commented on GitHub (Aug 18, 2024): Actually I have the similar issue. I am using Zitadel - I was wondering what is the use of below which is setup in the management.json . I am using zitadel and I am not using this redirect URL. Even if I setup this up, where would this point to since myzitadel server is seperate from say netbird server? ``` "RedirectURLs": [ "http://localhost:53000" ```

saavagebueno commented 2025-11-20 05:25:01 -05:00

Author

Owner

Copy Link

@Cheezzhead commented on GitHub (Aug 19, 2024):

it should be in your management.json https://<your.domain.tld>/application/o/netbird/.well-known/openid-configuration",

the mangement.json itself is mounted as a volume in the docker-compose.yml in the management service

Yes, I modified my original post to include the netbird management service config. the management.json is indeed mounted as a volume, but I'm still getting the wrong redirect localhost.

The only property in management.json that would seemingly be relevant to this is OIDCConfigEndpoint, which in my setup is definitely pointing towards the right domain, and changing that doesn't seem to do anything. I don't really see what else would/could be responsible for this, but maybe you can point me in the right direction.

@manju-rn I believe that destination is for OIDC device authorization flow (Specifically PKCE flow), which I'm not well-versed about but should be localhost in most cases. The port is specified in netbird's provided setup.env script:

# -------------------------------------------
# OIDC PKCE Authorization Flow
# -------------------------------------------
# Comma separated port numbers. if already in use, PKCE flow will choose an available port from the list as an alternative
# eg. 53000,54000
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000"

@Cheezzhead commented on GitHub (Aug 19, 2024): > it should be in your management.json https://<your.domain.tld>/application/o/netbird/.well-known/openid-configuration", > > the mangement.json itself is mounted as a volume in the docker-compose.yml in the management service Yes, I modified my original post to include the netbird management service config. the `management.json` is indeed mounted as a volume, but I'm still getting the wrong redirect localhost. The only property in `management.json` that would seemingly be relevant to this is `OIDCConfigEndpoint`, which in my setup is definitely pointing towards the right domain, and changing that doesn't seem to do anything. I don't really see what else would/could be responsible for this, but maybe you can point me in the right direction. @manju-rn I believe that destination is for OIDC device authorization flow (Specifically PKCE flow), which I'm not well-versed about but *should* be localhost in most cases. The port is specified in netbird's provided setup.env script: ``` # ------------------------------------------- # OIDC PKCE Authorization Flow # ------------------------------------------- # Comma separated port numbers. if already in use, PKCE flow will choose an available port from the list as an alternative # eg. 53000,54000 NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000" ```

saavagebueno commented 2025-11-20 05:25:02 -05:00

Author

Owner

Copy Link

@sabya-oneassure commented on GitHub (Sep 9, 2024):

Facing the same issue

@sabya-oneassure commented on GitHub (Sep 9, 2024): Facing the same issue

saavagebueno commented 2025-11-20 05:25:02 -05:00

Author

Owner

Copy Link

@wiiun commented on GitHub (Sep 20, 2024):

Facing the same issue

@wiiun commented on GitHub (Sep 20, 2024): Facing the same issue

saavagebueno commented 2025-11-20 05:25:02 -05:00

Author

Owner

Copy Link

@ennbou commented on GitHub (Sep 24, 2024):

after finishing all required setups and run docker compose logs management
I got :

• INFO [context: SYSTEM] management/cmd/management.go:497: loading OIDC configuration from the provided IDP configuration endpoint https://authentik.mydomain.com/application/o/netbird/.well-known/openid-configuration
• Error: failed reading provided config file: /etc/netbird/management.json: OIDC configuration request returned status 403

@ennbou commented on GitHub (Sep 24, 2024): after finishing all required setups and run ```docker compose logs management``` I got : - INFO [context: SYSTEM] management/cmd/management.go:497: loading OIDC configuration from the provided IDP configuration endpoint `https://authentik.mydomain.com/application/o/netbird/.well-known/openid-configuration` - Error: failed reading provided config file: /etc/netbird/management.json: OIDC configuration request returned status 403

saavagebueno commented 2025-11-20 05:25:02 -05:00

Author

Owner

Copy Link

@ennbou commented on GitHub (Sep 25, 2024):

I tried using curl to get the JSON response directly from my local terminal, and it worked perfectly. However, on my VPS, it didn't work due to Cloudflare security. The HTTP request worked in the browser but not with curl. I fixed the issue by whitelisting my VPS's IPv4/IPv6 in Cloudflare's WAF.

@ennbou commented on GitHub (Sep 25, 2024): I tried using `curl` to get the JSON response directly from my local terminal, and it worked perfectly. However, on my VPS, it didn't work due to `Cloudflare` security. The HTTP request worked in the browser but not with `curl`. I fixed the issue by whitelisting my VPS's IPv4/IPv6 in `Cloudflare's WAF`.

saavagebueno commented 2025-11-20 05:25:02 -05:00

Author

Owner

Copy Link

@ekozan commented on GitHub (Jan 5, 2025):

Sorry to bump, stuck on same thing any new ?

....

  - NGINX_SSL_PORT=443

solve it forme:D

@ekozan commented on GitHub (Jan 5, 2025): Sorry to bump, stuck on same thing any new ? .... - NGINX_SSL_PORT=443 solve it forme:D

saavagebueno commented 2025-11-20 05:25:02 -05:00

Author

Owner

Copy Link

@brandtjo commented on GitHub (Jan 25, 2025):

I did try to set up the self hosted compose stack with auth0 and actually forgot to perform step 5 which sets up the machine to machine application https://docs.netbird.io/selfhosted/identity-providers#step-5-create-and-configuire-machine-to-machine-application

Especially watch out for the quoted list of changed lines in setup.env at the end of that list, there are some changes that weren't mentioned in the guide before.

Once I completely restarted everything (with removing the created volumes docker-compose down --volumes, and re-running ./configure) everything came up.

Hope this helps.

@brandtjo commented on GitHub (Jan 25, 2025): I did try to set up the self hosted compose stack with auth0 and actually forgot to perform step 5 which sets up the machine to machine application https://docs.netbird.io/selfhosted/identity-providers#step-5-create-and-configuire-machine-to-machine-application Especially watch out for the quoted list of changed lines in setup.env at the end of that list, there are some changes that weren't mentioned in the guide before. Once I completely restarted everything (with removing the created volumes `docker-compose down --volumes`, and re-running `./configure`) everything came up. Hope this helps.

saavagebueno commented 2025-11-20 05:25:02 -05:00

Author

Owner

Copy Link

@nazarewk commented on GitHub (Apr 28, 2025):

Hello @Cheezzhead,

We're currently reviewing our open issues and would like to verify if this problem still exists in the latest NetBird version.

Could you please confirm if the issue is still there?

We may close this issue temporarily if we don't hear back from you within 2 weeks, but feel free to reopen it with updated information.

Thanks for your contribution to improving the project!

@nazarewk commented on GitHub (Apr 28, 2025): Hello @Cheezzhead, We're currently reviewing our open issues and would like to verify if this problem still exists in the [latest NetBird version](https://github.com/netbirdio/netbird/releases). Could you please confirm if the issue is still there? We may close this issue temporarily if we don't hear back from you within **2 weeks**, but feel free to reopen it with updated information. Thanks for your contribution to improving the project!

saavagebueno commented 2025-11-20 05:25:03 -05:00

Author

Owner

Copy Link

@Johgaaa commented on GitHub (May 19, 2025):

Im encountering the same issue. Running netbird v0.44.0 using authentik.
Netbird tries to fetch http://localhost/.well-known/openid-configuration when accessing the webpage.

@Johgaaa commented on GitHub (May 19, 2025): Im encountering the same issue. Running netbird v0.44.0 using authentik. Netbird tries to fetch `http://localhost/.well-known/openid-configuration` when accessing the webpage.

saavagebueno commented 2025-11-20 05:25:03 -05:00

Author

Owner

Copy Link

@Dofamin commented on GitHub (May 28, 2025):

same issue using keycloak
all latest version at 28.05.25
v [0.45.1]

@Dofamin commented on GitHub (May 28, 2025): same issue using keycloak all latest version at 28.05.25 v [0.45.1]

saavagebueno commented 2025-11-20 05:25:03 -05:00

Author

Owner

Copy Link

@LennartStoehr commented on GitHub (Jun 16, 2025):

Also experiencing this issue, tried authentik and zitadel, using netbird v0.46.0.
According to the logs, the management service gets its configuration from the correct endpoint (https://auth.domain.com/.well-known/openid-configuration) and is also able to log in to the service account to fetch users. The dashboard however always tries to get its openid configuration from http://localhost/.well-known/openid-configuration.
Please reopen this issue.

@LennartStoehr commented on GitHub (Jun 16, 2025): Also experiencing this issue, tried authentik and zitadel, using netbird v0.46.0. According to the logs, the management service gets its configuration from the correct endpoint (`https://auth.domain.com/.well-known/openid-configuration`) and is also able to log in to the service account to fetch users. The dashboard however always tries to get its openid configuration from `http://localhost/.well-known/openid-configuration`. Please reopen this issue.

saavagebueno commented 2025-11-20 05:25:03 -05:00

Author

Owner

Copy Link

@trevorsargent commented on GitHub (Jul 3, 2025):

i'm also facing this issue using auth0 - v0.40.0

@trevorsargent commented on GitHub (Jul 3, 2025): i'm also facing this issue using auth0 - v0.40.0

saavagebueno commented 2025-11-20 05:25:03 -05:00

Author

Owner

Copy Link

@arminfro commented on GitHub (Jul 23, 2025):

I'm also facing the same issue with netbird v0.49.0 and keycloak v26.2.5.

I've hacked around it by configuring nginx to proxy-pass the request to the desired location, something like:

http {
  server {
    server_name auth.mydomain.org;
    # ...
    location /.well-known/openid-configuration {
      # ...
      proxy_pass https://auth.mydomain.org/realms/netbird/.well-known/openid-configuration;
    }
  }
}

@arminfro commented on GitHub (Jul 23, 2025): I'm also facing the same issue with netbird v0.49.0 and keycloak v26.2.5. I've hacked around it by configuring nginx to proxy-pass the request to the desired location, something like: ```nginx http { server { server_name auth.mydomain.org; # ... location /.well-known/openid-configuration { # ... proxy_pass https://auth.mydomain.org/realms/netbird/.well-known/openid-configuration; } } } ```

saavagebueno commented 2025-11-20 05:25:03 -05:00

Author

Owner

Copy Link

@nazarewk commented on GitHub (Jul 23, 2025):

@arminfro sounds like something $NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT should handle this:

86c4b7e6f4/infrastructure_files/configure.sh (L132-L152)

Could you point me to which instructions you followed that were missing or provided incorrect information?

@nazarewk commented on GitHub (Jul 23, 2025): @arminfro sounds like something `$NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT` should handle this: https://github.com/netbirdio/netbird/blob/86c4b7e6f47df1bf754dda735b97ce80c58422dc/infrastructure_files/configure.sh#L132-L152 Could you point me to which instructions you followed that were missing or provided incorrect information?

saavagebueno commented 2025-11-20 05:25:04 -05:00

Author

Owner

Copy Link

@arminfro commented on GitHub (Jul 23, 2025):

Thank you for the fast response ;).
I'm using nixos with the netbird module provided by nixpkgs, I'm using the nix option services.netbird.server.management.oidcConfigEndpoint. This value gets successfully written into /var/lib/netbird-mgmt/management.json but the web UI does not seem to use it.

@arminfro commented on GitHub (Jul 23, 2025): Thank you for the fast response ;). I'm using nixos with the netbird module provided by nixpkgs, I'm using the nix option [`services.netbird.server.management.oidcConfigEndpoint`](https://github.com/NixOS/nixpkgs/blob/8e44bd9c6668e9f69593acfae351b24ee25baff7/nixos/modules/services/networking/netbird/management.nix#L84). This value gets successfully written into `/var/lib/netbird-mgmt/management.json` but the web UI does not seem to use it.

saavagebueno commented 2025-11-20 05:25:04 -05:00

Author

Owner

Copy Link

@HEKPYTO commented on GitHub (Jul 30, 2025):

Same issue here. localhost/.well-known/openid-configuration:1 Failed to load resource: net::ERR_CONNECTION_REFUSED,
on Netbird v0.52.0 with Authentik via Docker

In management container logs:

INFO [context: SYSTEM] management/cmd/management.go:528: loaded OIDC configuration from the provided IDP configuration endpoint: https://authentik.<domain_name>/application/o/netbird/.well-known/openid-configuration

successfully loaded, but I am not sure that localhost trying to access offline scope ?

@HEKPYTO commented on GitHub (Jul 30, 2025): Same issue here. `localhost/.well-known/openid-configuration:1 Failed to load resource: net::ERR_CONNECTION_REFUSED`, on Netbird v0.52.0 with Authentik via Docker In management container logs: ``` INFO [context: SYSTEM] management/cmd/management.go:528: loaded OIDC configuration from the provided IDP configuration endpoint: https://authentik.<domain_name>/application/o/netbird/.well-known/openid-configuration ``` successfully loaded, but I am not sure that `localhost` trying to access offline scope ?

saavagebueno commented 2025-11-20 05:25:04 -05:00

Author

Owner

Copy Link

@dani3lsf commented on GitHub (Aug 19, 2025):

Facing the same issue: GET http://localhost/.well-known/openid-configuration 404 Not Found
on Netbird 0.54.2 and dashboard v2.16.0 with Zitadel and k8s.

In management pod logs, I get:

2025-08-19T07:33:26Z INFO [context: SYSTEM] management/cmd/management.go:523: loading OIDC configuration from the provided IDP configuration endpoint https://<zitadel-domain>/.well-known/openid-configuration

Any fixes already?

@dani3lsf commented on GitHub (Aug 19, 2025): Facing the same issue: GET http://localhost/.well-known/openid-configuration 404 Not Found on Netbird 0.54.2 and dashboard v2.16.0 with Zitadel and k8s. In management pod logs, I get: ``` 2025-08-19T07:33:26Z INFO [context: SYSTEM] management/cmd/management.go:523: loading OIDC configuration from the provided IDP configuration endpoint https://<zitadel-domain>/.well-known/openid-configuration ``` Any fixes already?

saavagebueno commented 2025-11-20 05:25:04 -05:00

Author

Owner

Copy Link

@jschlitt-kupona commented on GitHub (Aug 19, 2025):

Hi, I am facing exactly the same issue using Keycloak. Are there any updates?

Thanks

@jschlitt-kupona commented on GitHub (Aug 19, 2025): Hi, I am facing exactly the same issue using Keycloak. Are there any updates? Thanks

saavagebueno commented 2025-11-20 05:25:04 -05:00

Author

Owner

Copy Link

@nazarewk commented on GitHub (Aug 19, 2025):

@dani3lsf @jschlitt-kupona can you try setting up NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT envvar? you should be able to provide an explicit address of the OIDC endpoint with it as per https://github.com/netbirdio/netbird/issues/2442#issuecomment-3106892099

@nazarewk commented on GitHub (Aug 19, 2025): @dani3lsf @jschlitt-kupona can you try setting up `NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT` envvar? you should be able to provide an explicit address of the OIDC endpoint with it as per https://github.com/netbirdio/netbird/issues/2442#issuecomment-3106892099

saavagebueno commented 2025-11-20 05:25:04 -05:00

Author

Owner

Copy Link

@jschlitt-kupona commented on GitHub (Aug 19, 2025):

Thanks alot for your fast reply.

This is not working for me, still getting the same error.

Here is my configuration with keycloak and traefik:

docker-compose.yaml

x-default: &default
  restart: 'unless-stopped'
  logging:
    driver: 'json-file'
    options:
      max-size: '500m'
      max-file: '2'

services:
  # UI dashboard
  dashboard:
    <<: *default
    image: netbirdio/dashboard:latest
    container_name: netbird-dashboard
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://netbird.my-domain.de:443
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbird.my-domain.de:443
      # OIDC
      - AUTH_AUDIENCE=netbird-client
      - AUTH_CLIENT_ID=netbird-client
      - AUTH_CLIENT_SECRET=
      - AUTH_AUTHORITY=https://auth.my-domain.de/realms/my-realm
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=
      - AUTH_REDIRECT_URI=
      - AUTH_SILENT_REDIRECT_URI=
      - NETBIRD_TOKEN_SOURCE=accessToken
      - NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT=https://auth.my-domain.de/realms/my-realm/.well-known/openid-configuration
      # SSL
      - NGINX_SSL_PORT=443
      # Letsencrypt
      - LETSENCRYPT_DOMAIN=
      - LETSENCRYPT_EMAIL=
    # volumes:
    #   - netbird-letsencrypt:/etc/letsencrypt/
    networks:
      - proxy
      # - netbird
    labels:
    - traefik.enable=true
    - traefik.http.routers.netbird-dashboard.rule=Host(`netbird.my-domain.de`)
    - traefik.http.services.netbird-dashboard.loadbalancer.server.port=80
    - traefik.http.routers.netbird-dashboard.tls=true
    - traefik.http.routers.netbird-dashboard.tls.certresolver=letsencrypt-production

  # Signal
  signal:
    <<: *default
    image: netbirdio/signal:latest
    container_name: netbird-signal
    volumes:
      - ./data/netbird-signal:/var/lib/netbird
    networks:
      - proxy
      - netbird
    labels:
    - traefik.enable=true
    - traefik.http.routers.netbird-signal.rule=Host(`netbird.my-domain.de`) && PathPrefix(`/signalexchange.SignalExchange/`)
    - traefik.http.services.netbird-signal.loadbalancer.server.port=10000
    - traefik.http.services.netbird-signal.loadbalancer.server.scheme=h2c
    - traefik.http.routers.netbird-signal.tls=true
    - traefik.http.routers.netbird-signal.tls.certresolver=letsencrypt-production

  netbird-postgres:
    <<: *default
    image: postgres:latest
    container_name: netbird-postgres
    environment:
      POSTGRES_USER: netbird
      POSTGRES_PASSWORD: pg-password
      POSTGRES_DB: netbird
    volumes:
      - ./data/netbird-postgres:/var/lib/postgresql/data
    networks:
      - netbird

  # Relay
  relay:
    <<: *default
    image: netbirdio/relay:latest
    container_name: netbird-relay
    environment:
    - NB_LOG_LEVEL=info
    - NB_LISTEN_ADDRESS=:33080
    - NB_EXPOSED_ADDRESS=rels://netbird.my-domain.de:33080/relay
    # todo: change to a secure secret
    - NB_AUTH_SECRET=secret
    networks:
      - proxy
      - netbird
    labels:
    - traefik.enable=true
    - traefik.http.routers.netbird-relay.rule=Host(`netbird.my-domain.de`) && PathPrefix(`/relay`)
    - traefik.http.services.netbird-relay.loadbalancer.server.port=33080
    - traefik.http.services.netbird-relay.loadbalancer.server.scheme=h2c
    - traefik.http.routers.netbird-relay.tls=true
    - traefik.http.routers.netbird-relay.tls.certresolver=letsencrypt-production

  # Management
  management:
    <<: *default
    image: netbirdio/management:latest
    container_name: netbird-management
    depends_on:
      - dashboard
    volumes:
      - ./data/netbird-mgmt:/var/lib/netbird
      # - netbird-letsencrypt:/etc/letsencrypt:ro
      - ./management.json:/etc/netbird/management.json
    command: [
      "--port", "33073",
      "--log-file", "console",
      "--log-level", "info",
      "--disable-anonymous-metrics=false",
      "--single-account-mode-domain=netbird.my-domain.de",
      "--dns-domain=netbird.selfhosted"
      ]
    networks:
      - proxy
      - netbird
    labels:
    - traefik.enable=true
    - traefik.http.routers.netbird-api.rule=Host(`netbird.my-domain.de`) && PathPrefix(`/api`)
    - traefik.http.routers.netbird-api.service=netbird-api
    - traefik.http.services.netbird-api.loadbalancer.server.port=33073

    - traefik.http.routers.netbird-management.rule=Host(`netbird.my-domain.de`) && PathPrefix(`/management.ManagementService/`)
    - traefik.http.routers.netbird-management.service=netbird-management
    - traefik.http.services.netbird-management.loadbalancer.server.port=33073
    - traefik.http.services.netbird-management.loadbalancer.server.scheme=h2c
    - traefik.router.netbird-management.tls=true
    - traefik.router.netbird-management.tls.certresolver=letsencrypt-production
    environment:
      - NETBIRD_STORE_ENGINE_POSTGRES_DSN=postgres://netbird:pg-password@netbird-postgres:5432/netbird?sslmode=disable
      
  # Coturn
  coturn:
    <<: *default
    image: coturn/coturn:latest
    container_name: netbird-coturn
    domainname: netbird.my-domain.de
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf
    # neetworks:
    #   - netbird

# volumes:
  # netbird-mgmt:
  # netbird-signal:
  # netbird-letsencrypt:

networks:
  proxy:
    external: true
    name: proxy
  netbird:
    external: false
    name: netbird

management.json

{
    "Stuns": [
        {
            "Proto": "udp",
            "URI": "stun:netbird.my-domain.de:3478",
            "Username": "",
            "Password": ""
        }
    ],
    "TURNConfig": {
        "TimeBasedCredentials": false,
        "CredentialsTTL": "12h0m0s",
        "Secret": "secret",
        "Turns": [
            {
                "Proto": "udp",
                "URI": "turn:netbird.my-domain.de:3478",
                "Username": "self",
                "Password": "my-turn-password"
            }
        ]
    },
    "Relay": {
        "Addresses": [
            "rels://netbird.my-domain.de:33080/relay"
        ],
        "CredentialsTTL": "24h0m0s",
        "Secret": "my-relay-secret"
    },
    "Signal": {
        "Proto": "https",
        "URI": "netbird.my-domain.de:443",
        "Username": "",
        "Password": ""
    },
    "Datadir": "/var/lib/netbird/",
    "DataStoreEncryptionKey": "my-datastore-encryption-key",
    "HttpConfig": {
        "LetsEncryptDomain": "",
        "CertFile": "",
        "CertKey": "",
        "AuthAudience": "netbird-client",
        "AuthIssuer": "https://auth.my-domain.de/realms/my-realm",
        "AuthUserIDClaim": "",
        "AuthKeysLocation": "https://auth.my-domain.de/realms/my-realm/protocol/openid-connect/certs",
        "OIDCConfigEndpoint": "https://auth.my-domain.de/realms/my-realm/.well-known/openid-configuration",
        "IdpSignKeyRefreshEnabled": false,
        "ExtraAuthAudience": ""
    },
    "IdpManagerConfig": {
        "ManagerType": "keycloak",
        "ClientConfig": {
            "Issuer": "https://auth.my-domain.de/realms/my-realm",
            "TokenEndpoint": "https://auth.my-domain.de/realms/my-realm/protocol/openid-connect/token",
            "ClientID": "netbird-backend",
            "ClientSecret": "my-client-secret",
            "GrantType": "client_credentials"
        },
        "ExtraConfig": {
            "AdminEndpoint": "https://auth.my-domain.de/admin/realms/my-realm"
        },
        "Auth0ClientCredentials": null,
        "AzureClientCredentials": null,
        "KeycloakClientCredentials": null,
        "ZitadelClientCredentials": null
    },
    "DeviceAuthorizationFlow": {
        "Provider": "none",
        "ProviderConfig": {
            "ClientID": "",
            "ClientSecret": "",
            "Domain": "",
            "Audience": "netbird-client",
            "TokenEndpoint": "https://auth.my-domain.de/realms/my-realm/protocol/openid-connect/token",
            "DeviceAuthEndpoint": "https://auth.my-domain.de/realms/my-realm/protocol/openid-connect/auth/device",
            "AuthorizationEndpoint": "",
            "Scope": "openid",
            "UseIDToken": false,
            "RedirectURLs": null,
            "DisablePromptLogin": false,
            "LoginFlag": 0
        }
    },
    "PKCEAuthorizationFlow": {
        "ProviderConfig": {
            "ClientID": "netbird-client",
            "ClientSecret": "",
            "Domain": "",
            "Audience": "netbird-client",
            "TokenEndpoint": "https://auth.my-domain.de/realms/my-realm/protocol/openid-connect/token",
            "DeviceAuthEndpoint": "",
            "AuthorizationEndpoint": "https://auth.my-domain.de/realms/my-realm/protocol/openid-connect/auth",
            "Scope": "",
            "UseIDToken": false,
            "DisablePromptLogin": false,
            "LoginFlag": 0
        }
    },
    "StoreConfig": {
        "Engine": "postgres"
    },
    "ReverseProxy": {
        "TrustedHTTPProxies": [],
        "TrustedHTTPProxiesCount": 0,
        "TrustedPeers": [
            "0.0.0.0/0"
        ]
    },
    "DisableDefaultPolicy": false
}

This is the error in the browser console:

Here are the dashboards container logs:

+ LETSENCRYPT_DOMAIN=none

+ LETSENCRYPT_EMAIL=example@local

+ NGINX_SSL_PORT=443

+ '[' none-x == none-x ']'

+ exit 0

AUTH_SUPPORTED_SCOPES environment variable must be set

+ LETSENCRYPT_DOMAIN=none

+ LETSENCRYPT_EMAIL=example@local

+ NGINX_SSL_PORT=443

+ '[' none-x == none-x ']'

+ exit 0

I hope somebody can help me out.

Best regards

Jonathan

@jschlitt-kupona commented on GitHub (Aug 19, 2025): Thanks alot for your fast reply. This is not working for me, still getting the same error. Here is my configuration with keycloak and traefik: docker-compose.yaml ```yaml x-default: &default restart: 'unless-stopped' logging: driver: 'json-file' options: max-size: '500m' max-file: '2' services: # UI dashboard dashboard: <<: *default image: netbirdio/dashboard:latest container_name: netbird-dashboard environment: # Endpoints - NETBIRD_MGMT_API_ENDPOINT=https://netbird.my-domain.de:443 - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbird.my-domain.de:443 # OIDC - AUTH_AUDIENCE=netbird-client - AUTH_CLIENT_ID=netbird-client - AUTH_CLIENT_SECRET= - AUTH_AUTHORITY=https://auth.my-domain.de/realms/my-realm - USE_AUTH0=false - AUTH_SUPPORTED_SCOPES= - AUTH_REDIRECT_URI= - AUTH_SILENT_REDIRECT_URI= - NETBIRD_TOKEN_SOURCE=accessToken - NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT=https://auth.my-domain.de/realms/my-realm/.well-known/openid-configuration # SSL - NGINX_SSL_PORT=443 # Letsencrypt - LETSENCRYPT_DOMAIN= - LETSENCRYPT_EMAIL= # volumes: # - netbird-letsencrypt:/etc/letsencrypt/ networks: - proxy # - netbird labels: - traefik.enable=true - traefik.http.routers.netbird-dashboard.rule=Host(`netbird.my-domain.de`) - traefik.http.services.netbird-dashboard.loadbalancer.server.port=80 - traefik.http.routers.netbird-dashboard.tls=true - traefik.http.routers.netbird-dashboard.tls.certresolver=letsencrypt-production # Signal signal: <<: *default image: netbirdio/signal:latest container_name: netbird-signal volumes: - ./data/netbird-signal:/var/lib/netbird networks: - proxy - netbird labels: - traefik.enable=true - traefik.http.routers.netbird-signal.rule=Host(`netbird.my-domain.de`) && PathPrefix(`/signalexchange.SignalExchange/`) - traefik.http.services.netbird-signal.loadbalancer.server.port=10000 - traefik.http.services.netbird-signal.loadbalancer.server.scheme=h2c - traefik.http.routers.netbird-signal.tls=true - traefik.http.routers.netbird-signal.tls.certresolver=letsencrypt-production netbird-postgres: <<: *default image: postgres:latest container_name: netbird-postgres environment: POSTGRES_USER: netbird POSTGRES_PASSWORD: pg-password POSTGRES_DB: netbird volumes: - ./data/netbird-postgres:/var/lib/postgresql/data networks: - netbird # Relay relay: <<: *default image: netbirdio/relay:latest container_name: netbird-relay environment: - NB_LOG_LEVEL=info - NB_LISTEN_ADDRESS=:33080 - NB_EXPOSED_ADDRESS=rels://netbird.my-domain.de:33080/relay # todo: change to a secure secret - NB_AUTH_SECRET=secret networks: - proxy - netbird labels: - traefik.enable=true - traefik.http.routers.netbird-relay.rule=Host(`netbird.my-domain.de`) && PathPrefix(`/relay`) - traefik.http.services.netbird-relay.loadbalancer.server.port=33080 - traefik.http.services.netbird-relay.loadbalancer.server.scheme=h2c - traefik.http.routers.netbird-relay.tls=true - traefik.http.routers.netbird-relay.tls.certresolver=letsencrypt-production # Management management: <<: *default image: netbirdio/management:latest container_name: netbird-management depends_on: - dashboard volumes: - ./data/netbird-mgmt:/var/lib/netbird # - netbird-letsencrypt:/etc/letsencrypt:ro - ./management.json:/etc/netbird/management.json command: [ "--port", "33073", "--log-file", "console", "--log-level", "info", "--disable-anonymous-metrics=false", "--single-account-mode-domain=netbird.my-domain.de", "--dns-domain=netbird.selfhosted" ] networks: - proxy - netbird labels: - traefik.enable=true - traefik.http.routers.netbird-api.rule=Host(`netbird.my-domain.de`) && PathPrefix(`/api`) - traefik.http.routers.netbird-api.service=netbird-api - traefik.http.services.netbird-api.loadbalancer.server.port=33073 - traefik.http.routers.netbird-management.rule=Host(`netbird.my-domain.de`) && PathPrefix(`/management.ManagementService/`) - traefik.http.routers.netbird-management.service=netbird-management - traefik.http.services.netbird-management.loadbalancer.server.port=33073 - traefik.http.services.netbird-management.loadbalancer.server.scheme=h2c - traefik.router.netbird-management.tls=true - traefik.router.netbird-management.tls.certresolver=letsencrypt-production environment: - NETBIRD_STORE_ENGINE_POSTGRES_DSN=postgres://netbird:pg-password@netbird-postgres:5432/netbird?sslmode=disable # Coturn coturn: <<: *default image: coturn/coturn:latest container_name: netbird-coturn domainname: netbird.my-domain.de volumes: - ./turnserver.conf:/etc/turnserver.conf:ro network_mode: host command: - -c /etc/turnserver.conf # neetworks: # - netbird # volumes: # netbird-mgmt: # netbird-signal: # netbird-letsencrypt: networks: proxy: external: true name: proxy netbird: external: false name: netbird ``` management.json ```json { "Stuns": [ { "Proto": "udp", "URI": "stun:netbird.my-domain.de:3478", "Username": "", "Password": "" } ], "TURNConfig": { "TimeBasedCredentials": false, "CredentialsTTL": "12h0m0s", "Secret": "secret", "Turns": [ { "Proto": "udp", "URI": "turn:netbird.my-domain.de:3478", "Username": "self", "Password": "my-turn-password" } ] }, "Relay": { "Addresses": [ "rels://netbird.my-domain.de:33080/relay" ], "CredentialsTTL": "24h0m0s", "Secret": "my-relay-secret" }, "Signal": { "Proto": "https", "URI": "netbird.my-domain.de:443", "Username": "", "Password": "" }, "Datadir": "/var/lib/netbird/", "DataStoreEncryptionKey": "my-datastore-encryption-key", "HttpConfig": { "LetsEncryptDomain": "", "CertFile": "", "CertKey": "", "AuthAudience": "netbird-client", "AuthIssuer": "https://auth.my-domain.de/realms/my-realm", "AuthUserIDClaim": "", "AuthKeysLocation": "https://auth.my-domain.de/realms/my-realm/protocol/openid-connect/certs", "OIDCConfigEndpoint": "https://auth.my-domain.de/realms/my-realm/.well-known/openid-configuration", "IdpSignKeyRefreshEnabled": false, "ExtraAuthAudience": "" }, "IdpManagerConfig": { "ManagerType": "keycloak", "ClientConfig": { "Issuer": "https://auth.my-domain.de/realms/my-realm", "TokenEndpoint": "https://auth.my-domain.de/realms/my-realm/protocol/openid-connect/token", "ClientID": "netbird-backend", "ClientSecret": "my-client-secret", "GrantType": "client_credentials" }, "ExtraConfig": { "AdminEndpoint": "https://auth.my-domain.de/admin/realms/my-realm" }, "Auth0ClientCredentials": null, "AzureClientCredentials": null, "KeycloakClientCredentials": null, "ZitadelClientCredentials": null }, "DeviceAuthorizationFlow": { "Provider": "none", "ProviderConfig": { "ClientID": "", "ClientSecret": "", "Domain": "", "Audience": "netbird-client", "TokenEndpoint": "https://auth.my-domain.de/realms/my-realm/protocol/openid-connect/token", "DeviceAuthEndpoint": "https://auth.my-domain.de/realms/my-realm/protocol/openid-connect/auth/device", "AuthorizationEndpoint": "", "Scope": "openid", "UseIDToken": false, "RedirectURLs": null, "DisablePromptLogin": false, "LoginFlag": 0 } }, "PKCEAuthorizationFlow": { "ProviderConfig": { "ClientID": "netbird-client", "ClientSecret": "", "Domain": "", "Audience": "netbird-client", "TokenEndpoint": "https://auth.my-domain.de/realms/my-realm/protocol/openid-connect/token", "DeviceAuthEndpoint": "", "AuthorizationEndpoint": "https://auth.my-domain.de/realms/my-realm/protocol/openid-connect/auth", "Scope": "", "UseIDToken": false, "DisablePromptLogin": false, "LoginFlag": 0 } }, "StoreConfig": { "Engine": "postgres" }, "ReverseProxy": { "TrustedHTTPProxies": [], "TrustedHTTPProxiesCount": 0, "TrustedPeers": [ "0.0.0.0/0" ] }, "DisableDefaultPolicy": false } ``` This is the error in the browser console: <img width="2490" height="771" alt="Image" src="https://github.com/user-attachments/assets/897613e1-4afd-43c5-8144-9160488ddf86" /> Here are the dashboards container logs: ``` + LETSENCRYPT_DOMAIN=none + LETSENCRYPT_EMAIL=example@local + NGINX_SSL_PORT=443 + '[' none-x == none-x ']' + exit 0 AUTH_SUPPORTED_SCOPES environment variable must be set + LETSENCRYPT_DOMAIN=none + LETSENCRYPT_EMAIL=example@local + NGINX_SSL_PORT=443 + '[' none-x == none-x ']' + exit 0 ``` I hope somebody can help me out. Best regards Jonathan

saavagebueno commented 2025-11-20 05:25:04 -05:00

Author

Owner

Copy Link

@dani3lsf commented on GitHub (Aug 19, 2025):

@jschlitt-kupona I was able to make it work. For me was missing the:

• NGINX_SSL_PORT=443
  Also removed the :443 suffix from NETBIRD_MGMT_API_ENDPOINT and NETBIRD_MGMT_GRPC_API_ENDPOINT env variables

@dani3lsf commented on GitHub (Aug 19, 2025): @jschlitt-kupona I was able to make it work. For me was missing the: - NGINX_SSL_PORT=443 Also removed the :443 suffix from NETBIRD_MGMT_API_ENDPOINT and NETBIRD_MGMT_GRPC_API_ENDPOINT env variables

saavagebueno commented 2025-11-20 05:25:05 -05:00

Author

Owner

Copy Link

@jschlitt-kupona commented on GitHub (Aug 19, 2025):

@dani3lsf I had no luck setting it up. There are no other errors, and only the Dashboard is trying to connect to localhost and not to the Keycloak domain and realm.

http://localhost/.well-known/openid-configuration

should be

https://auth.my-domain/realms/my-realm/.well-known/openid-configuration

I was not able to find the frontend source code of the Next.js dashboard to find the implementation, where the localhost value was set and which env variables are involved.

I hope somebody has a deeper understanding of the implementation and can tell me where the env variable is set so we can find a possible solution together.

@jschlitt-kupona commented on GitHub (Aug 19, 2025): @dani3lsf I had no luck setting it up. There are no other errors, and only the Dashboard is trying to connect to localhost and not to the Keycloak domain and realm. http://localhost/.well-known/openid-configuration should be https://auth.my-domain/realms/my-realm/.well-known/openid-configuration I was not able to find the frontend source code of the Next.js dashboard to find the implementation, where the localhost value was set and which env variables are involved. I hope somebody has a deeper understanding of the implementation and can tell me where the env variable is set so we can find a possible solution together.

saavagebueno commented 2025-11-20 05:25:05 -05:00

Author

Owner

Copy Link

@nazarewk commented on GitHub (Aug 19, 2025):

@jschlitt-kupona could ou post your setup.env file content (redacting out the sensitive information)? Feel free to send it to support@netbird.io if you don't want to share publicly.

@nazarewk commented on GitHub (Aug 19, 2025): @jschlitt-kupona could ou post your `setup.env` file content (redacting out the sensitive information)? Feel free to send it to support@netbird.io if you don't want to share publicly.

saavagebueno commented 2025-11-20 05:25:05 -05:00

Author

Owner

Copy Link

@jschlitt-kupona commented on GitHub (Aug 20, 2025):

Hello @nazarewk.

Thanks a lot for your answer.

These are my setup.env file's contents. What am I missing, or what is misconfigured here?

I hope you can support me by fixing my installation...

Otherwise I will go with the hosted option until the problem is solved.

## example file, you can copy this file to setup.env and update its values
##

# Image tags
# you can force specific tags for each component; will be set to latest if empty
NETBIRD_DASHBOARD_TAG=""
NETBIRD_SIGNAL_TAG=""
NETBIRD_MANAGEMENT_TAG=""
COTURN_TAG=""
NETBIRD_RELAY_TAG=""

# Dashboard domain. e.g. app.mydomain.com
NETBIRD_DOMAIN="netbird.<my-domain>"

# TURN server domain. e.g. turn.mydomain.com
# if not specified it will assume NETBIRD_DOMAIN
NETBIRD_TURN_DOMAIN=""

# TURN server public IP address
# required for a connection involving peers in
# the same network as the server and external peers
# usually matches the IP for the domain set in NETBIRD_TURN_DOMAIN
NETBIRD_TURN_EXTERNAL_IP="<my-external-ip>"

# -------------------------------------------
# OIDC
#  e.g., https://example.eu.auth0.com/.well-known/openid-configuration
# -------------------------------------------
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://<my-keycloak-domain>/realms/<my-realm>/.well-known/openid-configuration"
NETBIRD_USE_AUTH0=false
NETBIRD_AUTH_CLIENT_ID="netbird-client"
NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
NETBIRD_AUTH_AUDIENCE="netbird-client"

NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="netbird-client"
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="netbird-client"

NETBIRD_MGMT_IDP="keycloak"
NETBIRD_IDP_MGMT_CLIENT_ID="netbird-backend"
NETBIRD_IDP_MGMT_CLIENT_SECRET="<my-client-secret>"
NETBIRD_IDP_MGMT_EXTRA_ADMIN_ENDPOINT="https://<my-keycloak-domain>/admin/realms/<my-realm>"


# The default setting is to transmit the audience to the IDP during authorization. However,
# if your IDP does not have this capability, you can turn this off by setting it to false.
#NETBIRD_DASH_AUTH_USE_AUDIENCE=false
NETBIRD_AUTH_AUDIENCE="netbird-client"
# e.g. netbird-client
NETBIRD_AUTH_CLIENT_ID="netbird-client"
# indicates the scopes that will be requested to the IDP
NETBIRD_AUTH_SUPPORTED_SCOPES=""
# NETBIRD_AUTH_CLIENT_SECRET is required only by Google workspace.
# NETBIRD_AUTH_CLIENT_SECRET=""
# if you want to use a custom claim for the user ID instead of 'sub', set it here
# NETBIRD_AUTH_USER_ID_CLAIM=""
# indicates whether to use Auth0 or not: true or false
NETBIRD_USE_AUTH0="false"
# if your IDP provider doesn't support fragmented URIs, configure custom
# redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain.
# NETBIRD_AUTH_REDIRECT_URI="/peers"
# NETBIRD_AUTH_SILENT_REDIRECT_URI="/add-peers"
# Updates the preference to use id tokens instead of access token on dashboard
# Okta and Gitlab IDPs can benefit from this
# NETBIRD_TOKEN_SOURCE="idToken"
# -------------------------------------------
# OIDC Device Authorization Flow
# -------------------------------------------
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""
# Some IDPs requires different audience, scopes and to use id token for device authorization flow
# you can customize here:
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
# -------------------------------------------
# OIDC PKCE Authorization Flow
# -------------------------------------------
# Comma separated port numbers. if already in use, PKCE flow will choose an available port from the list as an alternative
# eg. 53000,54000
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000"
# -------------------------------------------
# IDP Management
# -------------------------------------------
# eg. zitadel, auth0, azure, keycloak
# NETBIRD_MGMT_IDP="keycloak"
# Some IDPs requires different client id and client secret for management api
# NETBIRD_IDP_MGMT_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
# NETBIRD_IDP_MGMT_CLIENT_SECRET="NGFFxJbnU7PS4Z4t6B5SgZYuI2PtMafC"
# Required when setting up with Keycloak "https://<YOUR_KEYCLOAK_HOST_AND_PORT>/admin/realms/netbird"
# NETBIRD_IDP_MGMT_EXTRA_ADMIN_ENDPOINT=
# With some IDPs may be needed enabling automatic refresh of signing keys on expire
# NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=false
# NETBIRD_IDP_MGMT_EXTRA_ variables. See https://docs.netbird.io/selfhosted/identity-providers for more information about your IDP of choice.
# -------------------------------------------
# Letsencrypt
# -------------------------------------------
# Disable letsencrypt
#  if disabled, cannot use HTTPS anymore and requires setting up a reverse-proxy to do it instead
NETBIRD_DISABLE_LETSENCRYPT=true
# e.g. hello@mydomain.com
NETBIRD_LETSENCRYPT_EMAIL=""
# -------------------------------------------
# Extra settings
# -------------------------------------------
# Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
NETBIRD_DISABLE_ANONYMOUS_METRICS=false
# DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted
# Disable default all-to-all policy for new accounts
NETBIRD_MGMT_DISABLE_DEFAULT_POLICY=false
# -------------------------------------------
# Relay settings
# -------------------------------------------
# Relay server domain. e.g. relay.mydomain.com
# if not specified it will assume NETBIRD_DOMAIN
NETBIRD_RELAY_DOMAIN=""

# Relay server connection port. If none is supplied
# it will default to 33080
# should be updated to match TLS-port of reverse proxy when netbird is running behind reverse proxy
NETBIRD_RELAY_PORT=""

# Management API connecting port. If none is supplied
# it will default to 33073
# should be updated to match TLS-port of reverse proxy when netbird is running behind reverse proxy
NETBIRD_MGMT_API_PORT="443"

# Signal service connecting port. If none is supplied
# it will default to 10000
# should be updated to match TLS-port of reverse proxy when netbird is running behind reverse proxy
NETBIRD_SIGNAL_PORT="443"

NETBIRD_STORE_CONFIG_ENGINE=postgres
NETBIRD_STORE_ENGINE_POSTGRES_DSN="postgres://netbird:netbird@netbird-postgres:5432/netbird?sslmode=disable"

# -------------------------------------------
# I followed the instructions to set up netbird with the traefik reverse proxy, so I used the docker-compose.yml.tmpl.traefik template file.
# -------------------------------------------

@jschlitt-kupona commented on GitHub (Aug 20, 2025): Hello @nazarewk. Thanks a lot for your answer. These are my setup.env file's contents. What am I missing, or what is misconfigured here? I hope you can support me by fixing my installation... Otherwise I will go with the hosted option until the problem is solved. ```.env ## example file, you can copy this file to setup.env and update its values ## # Image tags # you can force specific tags for each component; will be set to latest if empty NETBIRD_DASHBOARD_TAG="" NETBIRD_SIGNAL_TAG="" NETBIRD_MANAGEMENT_TAG="" COTURN_TAG="" NETBIRD_RELAY_TAG="" # Dashboard domain. e.g. app.mydomain.com NETBIRD_DOMAIN="netbird.<my-domain>" # TURN server domain. e.g. turn.mydomain.com # if not specified it will assume NETBIRD_DOMAIN NETBIRD_TURN_DOMAIN="" # TURN server public IP address # required for a connection involving peers in # the same network as the server and external peers # usually matches the IP for the domain set in NETBIRD_TURN_DOMAIN NETBIRD_TURN_EXTERNAL_IP="<my-external-ip>" # ------------------------------------------- # OIDC # e.g., https://example.eu.auth0.com/.well-known/openid-configuration # ------------------------------------------- NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://<my-keycloak-domain>/realms/<my-realm>/.well-known/openid-configuration" NETBIRD_USE_AUTH0=false NETBIRD_AUTH_CLIENT_ID="netbird-client" NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api" NETBIRD_AUTH_AUDIENCE="netbird-client" NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="netbird-client" NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="netbird-client" NETBIRD_MGMT_IDP="keycloak" NETBIRD_IDP_MGMT_CLIENT_ID="netbird-backend" NETBIRD_IDP_MGMT_CLIENT_SECRET="<my-client-secret>" NETBIRD_IDP_MGMT_EXTRA_ADMIN_ENDPOINT="https://<my-keycloak-domain>/admin/realms/<my-realm>" # The default setting is to transmit the audience to the IDP during authorization. However, # if your IDP does not have this capability, you can turn this off by setting it to false. #NETBIRD_DASH_AUTH_USE_AUDIENCE=false NETBIRD_AUTH_AUDIENCE="netbird-client" # e.g. netbird-client NETBIRD_AUTH_CLIENT_ID="netbird-client" # indicates the scopes that will be requested to the IDP NETBIRD_AUTH_SUPPORTED_SCOPES="" # NETBIRD_AUTH_CLIENT_SECRET is required only by Google workspace. # NETBIRD_AUTH_CLIENT_SECRET="" # if you want to use a custom claim for the user ID instead of 'sub', set it here # NETBIRD_AUTH_USER_ID_CLAIM="" # indicates whether to use Auth0 or not: true or false NETBIRD_USE_AUTH0="false" # if your IDP provider doesn't support fragmented URIs, configure custom # redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain. # NETBIRD_AUTH_REDIRECT_URI="/peers" # NETBIRD_AUTH_SILENT_REDIRECT_URI="/add-peers" # Updates the preference to use id tokens instead of access token on dashboard # Okta and Gitlab IDPs can benefit from this # NETBIRD_TOKEN_SOURCE="idToken" # ------------------------------------------- # OIDC Device Authorization Flow # ------------------------------------------- NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none" NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="" # Some IDPs requires different audience, scopes and to use id token for device authorization flow # you can customize here: NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid" NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false # ------------------------------------------- # OIDC PKCE Authorization Flow # ------------------------------------------- # Comma separated port numbers. if already in use, PKCE flow will choose an available port from the list as an alternative # eg. 53000,54000 NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000" # ------------------------------------------- # IDP Management # ------------------------------------------- # eg. zitadel, auth0, azure, keycloak # NETBIRD_MGMT_IDP="keycloak" # Some IDPs requires different client id and client secret for management api # NETBIRD_IDP_MGMT_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID # NETBIRD_IDP_MGMT_CLIENT_SECRET="NGFFxJbnU7PS4Z4t6B5SgZYuI2PtMafC" # Required when setting up with Keycloak "https://<YOUR_KEYCLOAK_HOST_AND_PORT>/admin/realms/netbird" # NETBIRD_IDP_MGMT_EXTRA_ADMIN_ENDPOINT= # With some IDPs may be needed enabling automatic refresh of signing keys on expire # NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=false # NETBIRD_IDP_MGMT_EXTRA_ variables. See https://docs.netbird.io/selfhosted/identity-providers for more information about your IDP of choice. # ------------------------------------------- # Letsencrypt # ------------------------------------------- # Disable letsencrypt # if disabled, cannot use HTTPS anymore and requires setting up a reverse-proxy to do it instead NETBIRD_DISABLE_LETSENCRYPT=true # e.g. hello@mydomain.com NETBIRD_LETSENCRYPT_EMAIL="" # ------------------------------------------- # Extra settings # ------------------------------------------- # Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection NETBIRD_DISABLE_ANONYMOUS_METRICS=false # DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted # Disable default all-to-all policy for new accounts NETBIRD_MGMT_DISABLE_DEFAULT_POLICY=false # ------------------------------------------- # Relay settings # ------------------------------------------- # Relay server domain. e.g. relay.mydomain.com # if not specified it will assume NETBIRD_DOMAIN NETBIRD_RELAY_DOMAIN="" # Relay server connection port. If none is supplied # it will default to 33080 # should be updated to match TLS-port of reverse proxy when netbird is running behind reverse proxy NETBIRD_RELAY_PORT="" # Management API connecting port. If none is supplied # it will default to 33073 # should be updated to match TLS-port of reverse proxy when netbird is running behind reverse proxy NETBIRD_MGMT_API_PORT="443" # Signal service connecting port. If none is supplied # it will default to 10000 # should be updated to match TLS-port of reverse proxy when netbird is running behind reverse proxy NETBIRD_SIGNAL_PORT="443" NETBIRD_STORE_CONFIG_ENGINE=postgres NETBIRD_STORE_ENGINE_POSTGRES_DSN="postgres://netbird:netbird@netbird-postgres:5432/netbird?sslmode=disable" # ------------------------------------------- # I followed the instructions to set up netbird with the traefik reverse proxy, so I used the docker-compose.yml.tmpl.traefik template file. # ------------------------------------------- ```

saavagebueno commented 2025-11-20 05:25:05 -05:00

Author

Owner

Copy Link

@nazarewk commented on GitHub (Aug 22, 2025):

@jschlitt-kupona @jonathanschlitt the setup.env looks fine, can you confirm that curl "$NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT" returns the expected JSON data?

Is the previously mentioned docker-compose.yml the one you are currently using? Could you post your current version if it isn't?

@nazarewk commented on GitHub (Aug 22, 2025): @jschlitt-kupona @jonathanschlitt the `setup.env` looks fine, can you confirm that `curl "$NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT"` returns the expected JSON data? Is the [previously mentioned `docker-compose.yml`](https://github.com/netbirdio/netbird/issues/2442#issuecomment-3200070065) the one you are currently using? Could you post your current version if it isn't?

saavagebueno commented 2025-11-20 05:25:05 -05:00

Author

Owner

Copy Link

@jonathanschlitt commented on GitHub (Aug 22, 2025):

It is the current compose file.

@jonathanschlitt commented on GitHub (Aug 22, 2025): It is the current compose file.

saavagebueno commented 2025-11-20 05:25:05 -05:00

Author

Owner

Copy Link

@jschlitt-kupona commented on GitHub (Aug 24, 2025):

The URL of the "$NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT" returns the following data but is not used in the Netbird-Dashboard.

https://<my-keycloak-domain>/realms/<my-realm>/.well-known/openid-configuration

{
  "issuer": "https://<my-keycloak-domain>/realms/<my-realm>",
  "authorization_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/auth",
  "token_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/token",
  "introspection_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/token/introspect",
  "userinfo_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/userinfo",
  "end_session_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/logout",
  "frontchannel_logout_session_supported": true,
  "frontchannel_logout_supported": true,
  "jwks_uri": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/certs",
  "check_session_iframe": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/login-status-iframe.html",
  "grant_types_supported": [
    "authorization_code",
    "implicit",
    "refresh_token",
    "password",
    "client_credentials",
    "urn:openid:params:grant-type:ciba",
    "urn:ietf:params:oauth:grant-type:device_code"
  ],
  "acr_values_supported": ["0", "1"],
  "response_types_supported": [
    "code",
    "none",
    "id_token",
    "token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  "subject_types_supported": ["public", "pairwise"],
  "id_token_signing_alg_values_supported": [
    "PS384",
    "RS384",
    "EdDSA",
    "ES384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
  ],
  "id_token_encryption_alg_values_supported": ["RSA-OAEP", "RSA-OAEP-256", "RSA1_5"],
  "id_token_encryption_enc_values_supported": [
    "A256GCM",
    "A192GCM",
    "A128GCM",
    "A128CBC-HS256",
    "A192CBC-HS384",
    "A256CBC-HS512"
  ],
  "userinfo_signing_alg_values_supported": [
    "PS384",
    "RS384",
    "EdDSA",
    "ES384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512",
    "none"
  ],
  "userinfo_encryption_alg_values_supported": ["RSA-OAEP", "RSA-OAEP-256", "RSA1_5"],
  "userinfo_encryption_enc_values_supported": [
    "A256GCM",
    "A192GCM",
    "A128GCM",
    "A128CBC-HS256",
    "A192CBC-HS384",
    "A256CBC-HS512"
  ],
  "request_object_signing_alg_values_supported": [
    "PS384",
    "RS384",
    "EdDSA",
    "ES384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512",
    "none"
  ],
  "request_object_encryption_alg_values_supported": ["RSA-OAEP", "RSA-OAEP-256", "RSA1_5"],
  "request_object_encryption_enc_values_supported": [
    "A256GCM",
    "A192GCM",
    "A128GCM",
    "A128CBC-HS256",
    "A192CBC-HS384",
    "A256CBC-HS512"
  ],
  "response_modes_supported": ["query", "fragment", "form_post", "query.jwt", "fragment.jwt", "form_post.jwt", "jwt"],
  "registration_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/clients-registrations/openid-connect",
  "token_endpoint_auth_methods_supported": [
    "private_key_jwt",
    "client_secret_basic",
    "client_secret_post",
    "tls_client_auth",
    "client_secret_jwt"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
    "PS384",
    "RS384",
    "EdDSA",
    "ES384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
  ],
  "introspection_endpoint_auth_methods_supported": [
    "private_key_jwt",
    "client_secret_basic",
    "client_secret_post",
    "tls_client_auth",
    "client_secret_jwt"
  ],
  "introspection_endpoint_auth_signing_alg_values_supported": [
    "PS384",
    "RS384",
    "EdDSA",
    "ES384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
  ],
  "authorization_signing_alg_values_supported": [
    "PS384",
    "RS384",
    "EdDSA",
    "ES384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
  ],
  "authorization_encryption_alg_values_supported": ["RSA-OAEP", "RSA-OAEP-256", "RSA1_5"],
  "authorization_encryption_enc_values_supported": [
    "A256GCM",
    "A192GCM",
    "A128GCM",
    "A128CBC-HS256",
    "A192CBC-HS384",
    "A256CBC-HS512"
  ],
  "claims_supported": [
    "aud",
    "sub",
    "iss",
    "auth_time",
    "name",
    "given_name",
    "family_name",
    "preferred_username",
    "email",
    "acr"
  ],
  "claim_types_supported": ["normal"],
  "claims_parameter_supported": true,
  "scopes_supported": [
    "openid",
    "address",
    "microprofile-jwt",
    "api",
    "profile",
    "email",
    "roles",
    "web-origins",
    "acr",
    "phone",
    "offline_access"
  ],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true,
  "require_request_uri_registration": true,
  "code_challenge_methods_supported": ["plain", "S256"],
  "tls_client_certificate_bound_access_tokens": true,
  "revocation_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/revoke",
  "revocation_endpoint_auth_methods_supported": [
    "private_key_jwt",
    "client_secret_basic",
    "client_secret_post",
    "tls_client_auth",
    "client_secret_jwt"
  ],
  "revocation_endpoint_auth_signing_alg_values_supported": [
    "PS384",
    "RS384",
    "EdDSA",
    "ES384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
  ],
  "backchannel_logout_supported": true,
  "backchannel_logout_session_supported": true,
  "device_authorization_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/auth/device",
  "backchannel_token_delivery_modes_supported": ["poll", "ping"],
  "backchannel_authentication_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/ext/ciba/auth",
  "backchannel_authentication_request_signing_alg_values_supported": [
    "PS384",
    "RS384",
    "EdDSA",
    "ES384",
    "ES256",
    "RS256",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
  ],
  "require_pushed_authorization_requests": false,
  "pushed_authorization_request_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/ext/par/request",
  "mtls_endpoint_aliases": {
    "token_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/token",
    "revocation_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/revoke",
    "introspection_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/token/introspect",
    "device_authorization_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/auth/device",
    "registration_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/clients-registrations/openid-connect",
    "userinfo_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/userinfo",
    "pushed_authorization_request_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/ext/par/request",
    "backchannel_authentication_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/ext/ciba/auth"
  },
  "authorization_response_iss_parameter_supported": true
}

@jschlitt-kupona commented on GitHub (Aug 24, 2025): The URL of the "$NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT" returns the following data but is not used in the Netbird-Dashboard. `https://<my-keycloak-domain>/realms/<my-realm>/.well-known/openid-configuration` ```json { "issuer": "https://<my-keycloak-domain>/realms/<my-realm>", "authorization_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/auth", "token_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/token", "introspection_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/token/introspect", "userinfo_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/userinfo", "end_session_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/logout", "frontchannel_logout_session_supported": true, "frontchannel_logout_supported": true, "jwks_uri": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/certs", "check_session_iframe": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/login-status-iframe.html", "grant_types_supported": [ "authorization_code", "implicit", "refresh_token", "password", "client_credentials", "urn:openid:params:grant-type:ciba", "urn:ietf:params:oauth:grant-type:device_code" ], "acr_values_supported": ["0", "1"], "response_types_supported": [ "code", "none", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token" ], "subject_types_supported": ["public", "pairwise"], "id_token_signing_alg_values_supported": [ "PS384", "RS384", "EdDSA", "ES384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512" ], "id_token_encryption_alg_values_supported": ["RSA-OAEP", "RSA-OAEP-256", "RSA1_5"], "id_token_encryption_enc_values_supported": [ "A256GCM", "A192GCM", "A128GCM", "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512" ], "userinfo_signing_alg_values_supported": [ "PS384", "RS384", "EdDSA", "ES384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512", "none" ], "userinfo_encryption_alg_values_supported": ["RSA-OAEP", "RSA-OAEP-256", "RSA1_5"], "userinfo_encryption_enc_values_supported": [ "A256GCM", "A192GCM", "A128GCM", "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512" ], "request_object_signing_alg_values_supported": [ "PS384", "RS384", "EdDSA", "ES384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512", "none" ], "request_object_encryption_alg_values_supported": ["RSA-OAEP", "RSA-OAEP-256", "RSA1_5"], "request_object_encryption_enc_values_supported": [ "A256GCM", "A192GCM", "A128GCM", "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512" ], "response_modes_supported": ["query", "fragment", "form_post", "query.jwt", "fragment.jwt", "form_post.jwt", "jwt"], "registration_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/clients-registrations/openid-connect", "token_endpoint_auth_methods_supported": [ "private_key_jwt", "client_secret_basic", "client_secret_post", "tls_client_auth", "client_secret_jwt" ], "token_endpoint_auth_signing_alg_values_supported": [ "PS384", "RS384", "EdDSA", "ES384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512" ], "introspection_endpoint_auth_methods_supported": [ "private_key_jwt", "client_secret_basic", "client_secret_post", "tls_client_auth", "client_secret_jwt" ], "introspection_endpoint_auth_signing_alg_values_supported": [ "PS384", "RS384", "EdDSA", "ES384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512" ], "authorization_signing_alg_values_supported": [ "PS384", "RS384", "EdDSA", "ES384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512" ], "authorization_encryption_alg_values_supported": ["RSA-OAEP", "RSA-OAEP-256", "RSA1_5"], "authorization_encryption_enc_values_supported": [ "A256GCM", "A192GCM", "A128GCM", "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512" ], "claims_supported": [ "aud", "sub", "iss", "auth_time", "name", "given_name", "family_name", "preferred_username", "email", "acr" ], "claim_types_supported": ["normal"], "claims_parameter_supported": true, "scopes_supported": [ "openid", "address", "microprofile-jwt", "api", "profile", "email", "roles", "web-origins", "acr", "phone", "offline_access" ], "request_parameter_supported": true, "request_uri_parameter_supported": true, "require_request_uri_registration": true, "code_challenge_methods_supported": ["plain", "S256"], "tls_client_certificate_bound_access_tokens": true, "revocation_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/revoke", "revocation_endpoint_auth_methods_supported": [ "private_key_jwt", "client_secret_basic", "client_secret_post", "tls_client_auth", "client_secret_jwt" ], "revocation_endpoint_auth_signing_alg_values_supported": [ "PS384", "RS384", "EdDSA", "ES384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512" ], "backchannel_logout_supported": true, "backchannel_logout_session_supported": true, "device_authorization_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/auth/device", "backchannel_token_delivery_modes_supported": ["poll", "ping"], "backchannel_authentication_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/ext/ciba/auth", "backchannel_authentication_request_signing_alg_values_supported": [ "PS384", "RS384", "EdDSA", "ES384", "ES256", "RS256", "ES512", "PS256", "PS512", "RS512" ], "require_pushed_authorization_requests": false, "pushed_authorization_request_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/ext/par/request", "mtls_endpoint_aliases": { "token_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/token", "revocation_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/revoke", "introspection_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/token/introspect", "device_authorization_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/auth/device", "registration_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/clients-registrations/openid-connect", "userinfo_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/userinfo", "pushed_authorization_request_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/ext/par/request", "backchannel_authentication_endpoint": "https://<my-keycloak-domain>/realms/<my-realm>/protocol/openid-connect/ext/ciba/auth" }, "authorization_response_iss_parameter_supported": true } ```

saavagebueno commented 2025-11-20 05:25:06 -05:00

Author

Owner

Copy Link

@nazarewk commented on GitHub (Aug 27, 2025):

@jonathanschlitt looks like you're not setting the AUTH_SUPPORTED_SCOPES environment variable to a meaningful value. Please see other relevant envvars for the Dashboard.

Seems like you might not have carried over the other setup.env variables, did you run configure.sh after you changed those?

the relevant log

Here are the dashboards container logs:

+ LETSENCRYPT_DOMAIN=none

+ LETSENCRYPT_EMAIL=example@local

+ NGINX_SSL_PORT=443

+ '[' none-x == none-x ']'

+ exit 0

AUTH_SUPPORTED_SCOPES environment variable must be set

+ LETSENCRYPT_DOMAIN=none

+ LETSENCRYPT_EMAIL=example@local

+ NGINX_SSL_PORT=443

+ '[' none-x == none-x ']'

+ exit 0

I hope somebody can help me out.

@nazarewk commented on GitHub (Aug 27, 2025): @jonathanschlitt looks like you're not setting the `AUTH_SUPPORTED_SCOPES` environment variable to a meaningful value. Please [see other relevant envvars](https://github.com/netbirdio/dashboard-cloud/blob/c8874c09dcf522ab55fe4b1c919d540ea8bebee8/docker/init_react_envs.sh#L4-L46) for the Dashboard. Seems like you might not have carried over the other `setup.env` variables, did you run `configure.sh` after you changed those? <details> <summary>the relevant log</summary> > Here are the dashboards container logs: > > ``` > + LETSENCRYPT_DOMAIN=none > > + LETSENCRYPT_EMAIL=example@local > > + NGINX_SSL_PORT=443 > > + '[' none-x == none-x ']' > > + exit 0 > > AUTH_SUPPORTED_SCOPES environment variable must be set > > + LETSENCRYPT_DOMAIN=none > > + LETSENCRYPT_EMAIL=example@local > > + NGINX_SSL_PORT=443 > > + '[' none-x == none-x ']' > > + exit 0 > ``` > > I hope somebody can help me out. </details>

saavagebueno commented 2025-11-20 05:25:06 -05:00

Author

Owner

Copy Link

@nazarewk commented on GitHub (Aug 27, 2025):

FYI: I have checked with the existing documentation and thought it might not be 100% clear to run configure.sh after every setup.env change, added the new notes at https://github.com/netbirdio/docs/pull/419/files that are now live at https://docs.netbird.io/selfhosted/selfhosted-guide#step-2-prepare-configuration-files

@nazarewk commented on GitHub (Aug 27, 2025): FYI: I have checked with the existing documentation and thought it might not be 100% clear to run `configure.sh` after every `setup.env` change, added the new notes at https://github.com/netbirdio/docs/pull/419/files that are now live at https://docs.netbird.io/selfhosted/selfhosted-guide#step-2-prepare-configuration-files

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

drop-candidateviaroutes-filter

ui-refactor

fix/rosenpass

ui-refactor-ui

e2e-windows-dns-combined

refactor-combined

wasm-websocket-dial

drop-dns-probes

feature/affected-peers

dependabot/go_modules/github.com/Azure/go-ntlmssp-0.1.1

debug-logs

reduce-embed-wg-pool

windows-dns-firewall

dependabot/go_modules/github.com/jackc/pgx/v5-5.9.2

fix/login-cmd-root-flags

feat/reseller-openapi-spec

github-issue-resolver

add-steamos-support

fix-darwin-uninstaller

flutter-test

dependabot/npm_and_yarn/proxy/web/postcss-8.5.12

ci/freebsd-pkg-bootstrap

cached-serial-check-on-sync

fix-mgmt-cache-bypass-overlay

revert-easyjson-5938

revert-ice-5820

revert-firewalld-5928

refactor/permissions-manager

wasm-js-func-release

revert-dns-5935-systemd-resolved

revert-dns-5935-5945

revert-dns-5945-mgmt-cache

feature/log-most-busy-peers

prototype/ui-wails

vnc-server

coderabbitai/utg/8ae8f20

feature/use-peer-fqdn-on-https

dependabot/go_modules/golang.org/x/image-0.38.0

feature/metrics-push-management-control

release/0.68.3

dependabot/go_modules/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream-1.7.8

dependabot/go_modules/github.com/aws/aws-sdk-go-v2/service/s3-1.97.3

add-slack-channel

claude/rdp-token-passthrough-eNcqW

transparent-proxy

fix/macos-stale-route-eexist

crowdsec-selfhosted

fix/remove-otel-units

entire/checkpoints/v1

dependabot/go_modules/github.com/go-jose/go-jose/v4-4.1.4

fix/getting-started

feat/static-connectors-combined-server

feature/use-local-keys-embedded

feature/fleetdm

set-env-only-if-not-fork

feature/expose-has-channel

fix/connection-status-race

fix/filter-cgnat-cni-ice-candidates

feature/check-cert-locker-before-acme

test/proxy-fixes

test/proxy-mtu

prototype/ui-tauri

test/proxy-speed

fix-reused-ports

feat/migrate-to-embedded-idp

feature/add-serial-to-proxy-merged

deploy/proxy-serial

test/connection

feature/disable-legacy-port

feature/flag-to-disable-legacy-port

test/perftest

dependabot/go_modules/github.com/pion/dtls/v3-3.0.11

fix/http-redirect

poc-token-command

dn-reverse-proxy

prototype/reverse-proxy-rename

prototype/reverse-proxy-logs-pagination

feature/client-metrics

prototype/reverse-proxy-clusters

debug-dns-route

fix/win-dns-batch

add-extra-route-logs

job-stream-notify-disconnection-eof

deploy/secrets-manager

trigger-proxy-update

bug/update-ios-client-code-build-tags

sync-client-netmap-serial

log/conn-disconn

nmap/compaction-deploy

ci-win-test

feature/disk-encryption-check

wasm-debug

swap-dns-prio

fix/dex-config

feature/migrate-auto-groups-to-table

dependabot/go_modules/github.com/quic-go/quic-go-0.57.0

nmap/compaction

dex-nocgo-stub

feature/exclude-terraform-from-rate-limiting

test-freebsd

retries-refactor

coderabbitai/docstrings/b7e98ac

feat/integrate-zitadel

bug/ios-hanging-reconection

zitadel-idp

feat/network-map-serial

refactor/get-account-no-users

feat/auto-upgrade

feature/report-high-pat-id

feature/temporary-access-for-resource

fix/nmap-fwrules

dont-restart-dns

prototype/ui

update-gomobile

go-dns-for-ice

wasm-ldflags

test-ldflags

wasmbuild-test

feature/networks-s2s

vk/compare-nmaps

dbg/bothmaps

feature/changeset

reorder-dns-shutdown

fix/relay-reconnection-race

fix/nmap-exitnodes

vk/debug/nmap-both

move-licensed-code

feat/better-daemon-connection-lost-message

feat/auto-update-2

test/timings

refactor/getaccount-raw

tests/nmap-getaccount

refactor/nmap

refactor/nmap-limit-buffer

feature/detect-mac-wakeup

feature/extract-modules

quick-setings

feat/sync-limiter

feature/store-cache-impl

fix-install-version

feature/store-metrics

feature/metrics-on-store

feature/use-gorm-cache

loadtest-signal

unsymmetrical-squash

refactor/reducate-signaling

test/update-reduce

feature/store-cache

feature/remote-debug

cli-ws-proxy-backend-addr

feat/mgmt-map-serial

snyk-fix-d9d0081a4c7f9137bdb59d0d50a141a2

snyk-fix-7415cea5a11acd66753540ca2c598c63

job-yml-update

feature/android-allow-selecting-routes

fix/up-sequence

fix/dns-hash-update

snyk-fix-967adae9863f17f108ce8948d9117b8d

log/getaccount-by-peer

signal-suppressor

dns-exit-node

feature/auto-updates

feature/cache-srv-key

merged-fixes

fix/missed-offers-and-debug

debug-and-fixes

poc-wasm-clean-backend-s2s

test/remote-debug

debug-api

dependabot/go_modules/github.com/docker/docker-28.0.0incompatible

fix/remove-gpo-if-empty

fix/test-freebsd

fix/mysql-setup

fix/remove-logout-btn

handle-existing-domain-user

chore/unify-domain-validation

snyk-fix-c5fafc8a50ce1f29046e25a1fc346185

feat/profile-edit-btn

snyk-fix-a54966211e18d4cf67e5a2757cc006d1

log-short-id

feat/logout-ephemeral

log-checks

batch-wg-ops

nb-interface-default

feat/aws-integration

add/race-test

feature/relay-feature-versioning

fix/systemd-service-logs

poc/preprocessed-map

add-account-onboarding

bind-ipv6

fix/merge-main

logs/peerlogs-addpeer

feature/net-297-network-migration

feature/support-skip-auto-apply-exit-node-routes

set-cmd

set-command-with-cursor

feature/limit-update-channel

stop-using-locking-share

feature/poc-lazy-detection

feature/net-248-removal-of-sync-mutex-locks

test/multiple-peer-logging

preresolve

add-ns-punnycode-support

apply-routes-early

windows-search-domains

fix/connecting-route-filter

feature/management/rest-client/impersonate

debug-local-records

resource-fields-snake-case

test/grpc-rate-limit

traffic-correlation-policy

feature/rest-client-options

feat/events-metrics

feature/buf-cli

test/add-ratelimiter

test/remove-write-lock-on-add-peer

fix/add-peer-semaphore

feature/users-roles-endpoint

mlsmaycon-patch-1

debug-user-role

chore/primary-key-on-networks

feature/update-account-peers-buffer-startup

remove-ubuntu2004-runners

refactor/permissions-no-pat-allowed

ref/logrus-factory

use-conntrack-zone

deploy/permissions-account

feature/lazy-connection-idle

ref/improve-test-cov

restore-pr-3440

test/increase-grpc-timeouts

feat/buffer-account-peers-update

test/networkmapgeneration-changes

feature/base-manager

feature/flow-receiver

chore/benchmark-with-large-runner

refactor/handshake-initiator

client/ui-update-systray-icons

userspace-router

wgwatcher-test

output-if-key-already-exists

fix/relay-reconnection

feature/port-forwarding-client-codecleaning

detached2

test/callbacks-nil-iceconninfo

refactor/optimize-peer-expiration

enable-udp-port-for-docker-template

fix/relay-update

feature/apply-posture-netmap

fix/group-update-existing-resource

conntrack-stats

upgrade-okta-sdk

multi-price

test/conn-stat

set-min-parallel-tests-for-management

dns-interceptor

debug-dns

router-dns

add-static-system-info

debug-0.29.4

debug-0.33.0

account-refactoring

relay/2800_quic

route-get-account-refactoring

test/seed-random-routes

feature/get-account-refactoring

test/reconnect-race-condition

refactor/get-account-usage

feature/add-session-id-to-update-channel

improve-ipv4conn

fix/async-pion-event-handling

debug

add-offload

feature/validate-group-association-debug

fix/limit-conn-for-sqlite

test/engine-iface

test/transaction-for-jwt-sync

fix/engine-stop-in-foreground

feature/add-mysql-support

test-migration

refactor/header-size-values

relay/eliminate-gob

test/signal-dispatcher-with-relay

relay/debug

validate-icon

feature/ipv6-support

use-pre-expanded-peers-map

feature/use-signal-dispatcher

validate/peer-status

add-read-write-times

fix/sync-peer-race

feature/relay-status

netmap

evaluate/network-map-hash

fix/lower-dns-resolve-interval-on-fail

feature/relay

fix/go-mod-version

upgrade-nftables

synology-userspace-mode

fix/use-ip-for-default-routes-on-darwin

fix/proxy_close

enable-release-workflow-on-pr

deploy/peer-performance

feature/permanent-turn

feature/permanent-turn-proxy

deploy/posture-check-sqlite

feature/optimize_sqlite_save

debug-ios-behavior

fix/delete-route-only-after-adding

tshoot/windows-logger

remove-new-routing

refactor/eliminate-repo-dependency

add-arm-to-ci

refactor-demo-account-object

test/abc2

test/abc

send-ssh-rosenpass-config-meta

refactor-demo

ensure-schedule-never-runs-non-positive

feature/peer-validator-groupmgm

feature/peer-validator-fix

fix/include-active-dashboard-users

fix/handle-canceling-schedule

fix/geo-download

debug-google-workspace

yury/resolve-ip-to-location

feature/extend-sysinfo

sqlite-async-peer-status

yury/add-postgresql-store

fix/route

test-build

posture-checks-poc

debug-keycloak-idp

poc/netstack

for-pascal-tmp

peer-logout-management

manual-peer-logout

detached

chore/refactor-management

test/dns-bind

fix/enforce-acl-for-containers

yury/use-sync-map-in-updatechannel

fix/events-key-handling

filter-cache-on-load-account

fix/user-expiration

handle-user-context-cancellation

nb-client-k8s-statefulset

fake-addr

fix/iptables_in_docker

ebpf-debug

update-getting-started-flow-use-postgres

fix/peer_list_notification

feature/device-authentication-with-client-secret

feature/keep_alive

feat-groups-from-jwt

separate_proxy_from_wgconfig

fix/wg_conn

wg_conn_fix

wg_bind_parallel_processing

fix-rollback-get-acls

proxy_cfg_cleanup

performance-improvement-rego

update-lock-log-level

feat-client-side-acl

refactor/move_grpcserver_logic_to_account_manager

feature/event-storage

feature/update-idp-redeeming-invite

feature/api-peer-info

return-groupminimum-setupkey

feature/interface-bind

documentation_enhancement

fix-peer-registration

ssh

users_cache

pass-client-caller

client_caller_type

revert-283-feat-fix-windows-installer

periodic-peer-updates

ebpf

braginini/wasm

v0.70.5

v0.70.4

v0.70.3

v0.70.2

v0.70.1

v0.70.0

v0.69.0

v0.68.3

v0.68.2

v0.68.1

v0.68.0

v0.67.4

v0.67.3

v0.67.2

v0.67.1

v0.67.0

v0.66.4

v0.66.3

v0.66.2

v0.66.1

v0.66.0

v0.65.3

v0.65.2

v0.65.1

v0.65.0

v0.64.6

v0.64.5

v0.64.4

v0.64.3

v0.64.2

v0.64.1

v0.64.0

v0.63.0

v0.62.3

v0.62.2

v0.62.1

v0.62.0

v0.61.2

v0.61.1

v0.61.0

v0.60.9

v0.60.8

v0.60.7

v0.60.6

v0.60.5

v0.60.4

v0.60.3

v0.60.2

v0.60.1

v0.60.0

v0.59.13

v0.59.12

v0.59.11

v0.59.10

v0.59.9

v0.59.8

v0.59.7

v0.59.6

v0.59.5

v0.59.4

v0.59.3

v0.59.2

v0.59.1

v0.59.0

v0.58.2

v0.58.1

v0.58.0

v0.57.1

v0.57.0

v0.56.1

v0.56.0

v0.55.1

v0.55.0

v0.54.2

v0.54.1

v0.54.0

v0.53.0

v0.52.2

v0.52.1

v0.52.0

v0.51.2

v0.51.1

v0.51.0

v0.50.3

v0.50.2

v0.50.1

v0.50.0

v0.49.0

v0.48.0-dev2

v0.48.0

v0.47.2

v0.47.1

v0.47.0

v0.46.0

v0.45.3

v0.45.2

v0.45.1

v0.45.0

v0.44.0

v0.43.3

v0.43.2

v0.43.1

v0.43.0

v0.42.0

v0.41.3

v0.41.2

v0.41.1

v0.41.0

v0.40.1

v0.40.0

v0.39.2

v0.39.1

v0.39.0

v0.38.2

v0.38.1

v0.38.0

v0.37.2

v0.37.1

v0.37.0

v0.36.7

v0.36.6

v0.36.5

v0.36.4

v0.36.3

v0.36.2

v0.36.1

v0.36.0

v0.35.2

v0.35.1

v0.35.0

v0.34.1

v0.34.0

v0.33.0

v0.32.0

v0.31.1

v0.31.0

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.4

v0.29.3

0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.9

v0.28.8

v0.28.7

v0.28.6

v0.28.5

v0.28.4

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.10

v0.27.9

v0.27.8

v0.27.7

v0.27.6

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27.0

v0.26.7

v0.26.6

v0.26.5

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.9

v0.25.8

v0.25.7

v0.25.6

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.4

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.9

v0.23.8

v0.23.7

v0.23.6

v0.23.5

v0.23.4

v0.23.3

v0.23.2

v0.23.1

v0.23.0

v0.22.7

v0.22.6

v0.22.5

v0.22.4

v0.22.3

v0.22.2

v0.22.1

v0.22.0

v0.21.11

v0.21.10

v0.21.9

v0.21.8

v0.21.7

v0.21.6

v0.21.5

v0.21.4

v0.21.3

v0.21.2

v0.21.1

v0.21.0

v0.20.8

v0.20.7

v0.20.6

v0.20.5

v0.20.4

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.1

v0.18.0

v0.17.0

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.6

v0.14.5

v0.14.4

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.0

v0.12.0

v0.11.6

v0.11.5

v0.11.4

v0.11.3

v0.11.2

v0.11.1

v0.11.0

v0.10.10

v0.10.9

v0.10.8

v0.10.7

v0.10.6

v0.10.5

v0.10.4

v0.10.3

v0.10.2

v0.10.1

v0.10.0

v0.9.8

v0.9.7

v0.9.6

v0.9.5

v0.9.4

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.12

v0.8.11

v0.8.10

v0.8.9

v0.8.8

v0.8.7

v0.8.6

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.11

v0.5.10

v0.5.1

v0.5.0

v0.4.0

v0.3.5

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.3

v0.2.2-beta.1

v0.2.1-beta.5

v0.2.0-beta.5

v0.2.0-beta.4

v0.2.0-beta.3

v0.2.0-beta.2

v0.2.0-beta.1

v0.1.0-beta.3

v0.1.0-beta.2

v0.1.0-beta.1

v0.1.0-rc.2

v0.1.0-rc-1

v0.0.8-hotfix-1

v0.0.8

v0.0.7

v0.0.6

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

v0.0.0

Labels

Clear labels

2021 Q4

2022 Q1

2022 Q1

accessibility

acl

agent

agent

Android

Android

api

authentik

automation

azure

battery-usage

bug

cache

client

client-ui

cloud

cloud-only

cloudflare

community

compatibility

config-idp

config-issue

connection

contribution

coturn

cross-vpn

dashboard

data-usage

distribution

dns

docker

documentation

duplicate

enhancement

enhancement

event-stream

feature-request

freebsd

getting-started

go

good first issue

gui

help wanted

home-assistant

idp

inconsistency

integration

integrations

ios

ipv6

jwt

k8s

keycloak

linux

login

macos

management-service

missing-docs

mobile

moved-internal

needs-review

netbird-ui

networking

new-platform

nginx

notification

okta

openwrt

packaging

peer-management

peer-management

peer-management

performance

postgres

posture-checks

psk

pull-request

Mirrored from GitHub Pull Request

question

refactor

relay

release

rfc

routes

security

security-related

self-hosting

server

signal

sleep-issue

ssh

ssl

status

store

synology

system-compatibility-issue

test-suite

third-party-integration

triage

triage-needed

troubleshooting

UX

waiting-feedback

windows

wontfix

zitadel

No Label triage-needed waiting-feedback

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

saavagebueno

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: SVI/netbird#1159