Request failed with status code 401 (Authentik) #1446

Open
opened 2025-11-20 05:30:33 -05:00 by saavagebueno · 53 comments

Originally created by @MDMeridio001 on GitHub (Nov 23, 2024).

Describe the problem

After updating to authentik version 2024.10.4 I am no longer able to access the dashboard as I get an "invalid token" error. Looking at the management logs I can see the following error: management-1 | 2024-11-23T11:01:07Z WARN [context: SYSTEM] management/server/account.go:1114: failed warming up cache due to error: 403 Forbidden. I have tried deleting the Netbird service account's token and creating a new one, and I have also tried completely removing the application and provider and setting them up again from scratch, but it didn't fix the error. With version 2024.10.2 everything worked just fine.

To Reproduce

Steps to reproduce the behavior:

  1. Update authentik to version 2024.10.4
  2. Check for the error in the management logs

Are you using NetBird Cloud?

Self-hosted

NetBird version

0.33.0

Screenshots

image

saavagebueno added the triage-needed label 2025-11-20 05:30:33 -05:00

@mlsmaycon commented on GitHub (Nov 23, 2024):

Hello, @MDMeridio001, it seems like something went wrong with the guide (https://docs.netbird.io/selfhosted/identity-providers#step-3-create-service-account) steps 3 and 4 on your configuration. Can you review them and rerun the configure.sh script?

As an alternative, you can disable IdP manager in your management.json file by setting IdpManagerConfig.ManagerType and then restarting the management service with docker compose restart management


@MDMeridio001 commented on GitHub (Nov 23, 2024):

@mlsmaycon Thanks for the reply. I'd prefer not to disable the IdP as I have all of my users configured there.

I would like to specify that it worked in version 2024.10.2 and I suspect that maybe they have made some changes to some of authentik's API endpoints. I have also checked nginx logs and it seems like error 403 is returned when the management service tries to reach this endpoint: [23/Nov/2024:12:03:53 +0100] "GET /api/v3/core/users/?page=1 HTTP/2.0" 403 58 "-" "OpenAPI-Generator/1.0.0/go".
If I try to access the same page in a web browser logged in as the Netbird service account I successfully get a list with all the users in json format.

I would also like to mention that since I followed the guide when I first set netbird and authentik up, the WebUI for authentik has changed significantly, so it might be in need of an update. For example, when I tried to recreate the Netbird service account the token was not created automatically and I had to manually add one.


@MDMeridio001 commented on GitHub (Nov 23, 2024):

@mlsmaycon Just an update. I restored an old backup of authentik (version 2024.8.2) and it immediately started working again.


@mlsmaycon commented on GitHub (Nov 23, 2024):

The backup is old but are you running the latest authentik version?


@MDMeridio001 commented on GitHub (Nov 23, 2024):

@mlsmaycon No, I'm running version 2024.8.2


@Spiritreader commented on GitHub (Nov 23, 2024):

I am having the same problem since updating to 2024.10.4, only that rolling back to 2024.8.2 (or any other older version) does not restore functionality.

The service account mentioned in steps 3 and 4 of the guide seems to work fine though; in Authentik I see it logging in successfully.
image

I have even set up netbird from scratch, deleting all configuration and recreating it from infrastructure artifacts with Authentik versions 2024.8.6, 2024.8.5, 2024.8.2, 2024.10.4 and 2024.10.3.

There were some issues with redirect URLs for 2024.8.5 and 2024.10.3 which since have been resolved.

Currently I am on 2024.8.6, which is the latest supported build of 2024.8. Those are the logs:

2024-11-23T21:29:44Z WARN [context: SYSTEM] management/server/account.go:1114: failed warming up cache due to error: 403 Forbidden

2024-11-23T21:30:33Z DEBG management/server/account.go:1515: account cres9lc1955s73f2aig0 not found in cache, reloading
2024-11-23T21:30:33Z ERRO [context: HTTP, requestID: 5b94c307-da2a-406f-9545-3a886a33d7c4] management/server/http/middleware/auth_middleware.go:89: Error when validating JWT claims: 403 Forbidden
2024-11-23T21:30:33Z ERRO [context: HTTP, requestID: 5b94c307-da2a-406f-9545-3a886a33d7c4] management/server/http/util/util.go:81: got a handler error: token invalid
2024-11-23T21:30:33Z ERRO [requestID: 5b94c307-da2a-406f-9545-3a886a33d7c4, context: HTTP] management/server/telemetry/http_api_metrics.go:168: HTTP response 5b94c307-da2a-406f-9545-3a886a33d7c4: GET /api/users status 401
2024-11-23T21:30:33Z DEBG [context: HTTP, requestID: 5b94c307-da2a-406f-9545-3a886a33d7c4] management/server/telemetry/http_api_metrics.go:181: request GET /api/users took 357 ms and finished with status 401
2024-11-23T21:30:35Z DEBG [context: SYSTEM] management/server/jwtclaims/jwtValidator.go:120: keys refreshed, new UTC expiration time: 2024-11-23 21:30:35.465361803 +0000 UTC
2024-11-23T21:30:35Z DEBG [context: HTTP, requestID: f42c4177-9e51-4d9a-83d9-a11aacd27150] management/server/account.go:2002: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-11-23T21:30:35Z DEBG [context: HTTP, requestID: f42c4177-9e51-4d9a-83d9-a11aacd27150] management/server/account.go:1577: looking up user 1 of account cres9lc1955s73f2aig0 in cache

The netbird service account is in the authentik-admins group:
image


@roehren commented on GitHub (Nov 23, 2024):

Had the same problem. After adding api access to the scopes of the Authentik OAuth2 Provider and restarting the management container, it seems to work again.
grafik


@Spiritreader commented on GitHub (Nov 23, 2024):

> Had the same problem. After adding api access to the scopes of the Authentik OAuth2 Provider and restarting the management container, it seems to work again. grafik

You're fantastic, that worked! Thank you ❤️


@MDMeridio001 commented on GitHub (Nov 24, 2024):

> Had the same problem. After adding api access to the scopes of the Authentik OAuth2 Provider and restarting the management container, it seems to work again. grafik

Thank you a lot, that solved the issue immediately.


@rdeangel commented on GitHub (Nov 25, 2024):

> > Had the same problem. After adding api access to the scopes of the Authentik OAuth2 Provider and restarting the management container, it seems to work again. grafik
>
> Thank you a lot, that solved the issue immediately.

For me that wasn't the only issue; I had to reconfigure the redirects under Providers.
It seems authentik changed how these are entered in the latest version (they introduced strict and regex option in text fields rather than just regex and multiple lines in a text box) so in short they got wiped :-(

image


@Nivek938 commented on GitHub (Nov 26, 2024):

I ran into similar issues. I wasn't able to log in to the netbird management dashboard either, with the following message:

image

I had to do the following steps to get it working again (as described above):

  1. In authentik provider:
    1a. change the https://netbird.tld.* to regex
    1b. add 'authentik api access' to selected scopes
  2. restart netbird management container

Netbird version: 0.33.0
Authentik version: 2024.10.4


@xpufx commented on GitHub (Nov 27, 2024):

> I ran into similar issues. I wasn't able to log in to the netbird management dashboard either, with the following message:
>
> image
>
> I had to do the following steps to get it working again (as described above):
>
> 1. In authentik provider:
>    1a. change the https://netbird.tld.* to regex
>    1b. add 'authentik api access' to selected scopes
>
> 2. restart netbird management container
>
> Netbird version: 0.33.0 Authentik version: 2024.10.4

That worked for me. Thanks. Also, the domain redirects need to be each in their own line. Authentik's documentation displays this correctly.


@btilford commented on GitHub (Nov 28, 2024):

Looks like I've hit the same thing or at least something similar. After adding both the api scope and fixing the redirect I can log in, but when it redirects back to netbird at /peers the call to /api/users fails with the error Error when validating JWT claims: error parsing token: invalid issuer.

I went several rounds trying to figure this out but the JWT looks fine, issuer is my authentik app URL.


@CD11b commented on GitHub (Dec 1, 2024):

> Looks like I've hit the same thing or at least something similar. After adding both the api scope and fixing the redirect I can log in, but when it redirects back to netbird at /peers the call to /api/users fails with the error Error when validating JWT claims: error parsing token: invalid issuer.
>
> I went several rounds trying to figure this out but the JWT looks fine, issuer is my authentik app URL.

@btilford Did you figure this out? I'm running into the same thing today.


@btilford commented on GitHub (Dec 2, 2024):

@CD11b not yet. I'm thinking maybe the instructions on setting up the OAuth in Authentik should be using client credential grants like normal instead of going and creating service accounts. Haven't had a chance to test yet though.


@likeablob commented on GitHub (Dec 4, 2024):

Hi,
In addition to what's listed above, I had to do the following:

  • Replace an expired certificate-key pair: From System > Certificates, generate a new pair and update my provider to use it as the Signing key.
  • Replace a service account with an expired token: Create a new service account and update management.json (.IdpManagerConfig.ExtraConfig) accordingly.
  • Set .HttpConfig.IdpSignKeyRefreshEnabled to true in management.json.

Probably the issue I met is different from OP's and likely stems from my year-old setup, though.


netbirdio/management:0.33.0
netbirdio/dashboard:v2.7.1
ghcr.io/goauthentik/server:2024.10.4


@btilford commented on GitHub (Dec 11, 2024):

Should the traefik docker compose have a relay server like the non-traefik compose?


@ne0YT commented on GitHub (Dec 16, 2024):

This fixed it for me (1st part):

https://github.com/netbirdio/netbird/issues/1657#issuecomment-2127732511


@barto95100 commented on GitHub (Dec 20, 2024):

The same problem: Redirect URI error

Change in my authentik:
image

and

image

Now the dashboard access works :)


@seamajr commented on GitHub (Dec 24, 2024):

Regarding 401 - Invalid Token: I have read through many threads, verified all settings, tested alternate configurations based on the threads and cannot get rid of this error. I see that a few still have the error and wondering if any progress has been made?

I'm getting permissions to run in Authentik, but when routed back to the netbird dashboard (oobe screen, never ran successfully) I get stuck at this:

image

It seems that most/all of the services requesting a token are not getting one: failed warming up cache, JWT errors, etc.
Authentik ver: 2024.12.1 Ports: 9000->9443
Netbird ver: latest 33073->443

These are both docker containers on the same server with different subdomain routes: auth.*******.cloud and nb.*******.cloud

I'm not accustomed enough yet to get the logs I would really want to see yet. I would also like to run a sniffer to see the outgoing and incoming packets, but yet again.... not educated enough on linux. Hmmmm... maybe I should build a Windows VM and recreate the configuration to see if I get the same errors. I don't believe it's a Linux thing, just more proficient in Windows internals.

Any more suggestions would be greatly appreciated.

management-1 | 2024-12-25T02:10:10Z ERRO [context: HTTP, requestID: 0df096b5-7006-4ad5-9791-f0cded5f59d3] management/server/http/util/util.go:81: got a handler error: token invalid
management-1 | 2024-12-25T02:10:10Z ERRO [context: HTTP, requestID: 0df096b5-7006-4ad5-9791-f0cded5f59d3] management/server/telemetry/http_api_metrics.go:168: HTTP response 0df096b5-7006-4ad5-9791-f0cded5f59d3: GET /api/users status 401
management-1 | 2024-12-25T02:10:11Z ERRO [context: HTTP, requestID: d9beb883-8d54-4a28-b378-6ea4d6981660] management/server/http/middleware/auth_middleware.go:89: Error when validating JWT claims: unable to get authentik token, statusCode 400
management-1 | 2024-12-25T02:10:11Z ERRO [context: HTTP, requestID: d9beb883-8d54-4a28-b378-6ea4d6981660] management/server/http/util/util.go:81: got a handler error: token invalid
management-1 | 2024-12-25T02:10:11Z ERRO [context: HTTP, requestID: d9beb883-8d54-4a28-b378-6ea4d6981660] management/server/telemetry/http_api_metrics.go:168: HTTP response d9beb883-8d54-4a28-b378-6ea4d6981660: GET /api/users status 401
management-1 | 2024-12-25T02:10:17Z ERRO [context: HTTP, requestID: 23e15c63-ee40-4022-ba81-9f9669504577] management/server/http/middleware/auth_middleware.go:89: Error when validating JWT claims: unable to get authentik token, statusCode 400
management-1 | 2024-12-25T02:10:17Z ERRO [context: HTTP, requestID: 23e15c63-ee40-4022-ba81-9f9669504577] management/server/http/util/util.go:81: got a handler error: token invalid
management-1 | 2024-12-25T02:10:17Z ERRO [context: HTTP, requestID: 23e15c63-ee40-4022-ba81-9f9669504577] management/server/telemetry/http_api_metrics.go:168: HTTP response 23e15c63-ee40-4022-ba81-9f9669504577: GET /api/users status 401
management-1 | 2024-12-25T02:10:31Z ERRO [context: HTTP, requestID: dd20e868-1565-47ba-b9cb-f7ec1a8d6285] management/server/http/middleware/auth_middleware.go:89: Error when validating JWT claims: unable to get authentik token, statusCode 400
management-1 | 2024-12-25T02:10:31Z ERRO [requestID: dd20e868-1565-47ba-b9cb-f7ec1a8d6285, context: HTTP] management/server/http/util/util.go:81: got a handler error: token invalid
management-1 | 2024-12-25T02:10:31Z ERRO [requestID: dd20e868-1565-47ba-b9cb-f7ec1a8d6285, context: HTTP] management/server/telemetry/http_api_metrics.go:168: HTTP response dd20e868-1565-47ba-b9cb-f7ec1a8d6285: GET /api/users status 401
management-1 | 2024-12-25T02:10:35Z ERRO [context: HTTP, requestID: 981f746e-d787-44c4-8a38-24eff7d1eb38] management/server/http/middleware/auth_middleware.go:89: Error when validating JWT claims: unable to get authentik token, statusCode 400
management-1 | 2024-12-25T02:10:35Z ERRO [context: HTTP, requestID: 981f746e-d787-44c4-8a38-24eff7d1eb38] management/server/http/util/util.go:81: got a handler error: token invalid
management-1 | 2024-12-25T02:10:35Z ERRO [context: HTTP, requestID: 981f746e-d787-44c4-8a38-24eff7d1eb38] management/server/telemetry/http_api_metrics.go:168: HTTP response 981f746e-d787-44c4-8a38-24eff7d1eb38: GET /api/users status 401
management-1 | 2024-12-25T02:11:03Z ERRO [context: HTTP, requestID: 4fa80205-ba1c-402a-9ddf-e6d65f4ebb7a] management/server/http/middleware/auth_middleware.go:89: Error when validating JWT claims: unable to get authentik token, statusCode 400
management-1 | 2024-12-25T02:11:03Z ERRO [context: HTTP, requestID: 4fa80205-ba1c-402a-9ddf-e6d65f4ebb7a] management/server/http/util/util.go:81: got a handler error: token invalid
management-1 | 2024-12-25T02:11:03Z ERRO [requestID: 4fa80205-ba1c-402a-9ddf-e6d65f4ebb7a, context: HTTP] management/server/telemetry/http_api_metrics.go:168: HTTP response 4fa80205-ba1c-402a-9ddf-e6d65f4ebb7a: GET /api/users status 401

@seamajr commented on GitHub (Dec 24, 2024): Regarding 401 - Invalid Token: I have read through many threads, verified all settings, tested alternate configurations based on the threads and cannot get rid of this error. I see that a few still have the error and wondering if any progress has been made? I'm getting permissions to run in Authintik, but when routed back to the netbird dashboard (oobe screen, never ran successfully) I get stuck at this: ![image](https://github.com/user-attachments/assets/673fa2f9-92d7-4153-ab3c-481f7dd4499c) It seems that most/all of the services requesting a token are not getting one. ..failed warming up cache, and JWT errors, etc. Authentik ver: 2024.12.1 Ports: 9000->9443 Netbird ver: latest 33073->443 These are both docker containers on the same server with different sub domain routes. auth.*******.cloud and nb.*******.cloud I'm not accustomed enough yet to get the logs I would really want to see yet. I would also like to run a sniffer to see the outgoing and incoming packets, but yet again.... not educated enough on linux. Hmmmm... maybe I should build a Windows VM and recreate the configuration to see if I get the same errors. I don't believe it's a Linux thing, just more proficient in Windows internals. Any more suggestions would be greatly appreciated. 
management-1 | 2024-12-25T02:10:10Z ERRO [context: HTTP, requestID: 0df096b5-7006-4ad5-9791-f0cded5f59d3] management/server/http/util/util.go:81: got a handler error: token invalid management-1 | 2024-12-25T02:10:10Z ERRO [context: HTTP, requestID: 0df096b5-7006-4ad5-9791-f0cded5f59d3] management/server/telemetry/http_api_metrics.go:168: HTTP response 0df096b5-7006-4ad5-9791-f0cded5f59d3: GET /api/users status 401 management-1 | 2024-12-25T02:10:11Z ERRO [context: HTTP, requestID: d9beb883-8d54-4a28-b378-6ea4d6981660] management/server/http/middleware/auth_middleware.go:89: Error when validating JWT claims: unable to get authentik token, statusCode 400 management-1 | 2024-12-25T02:10:11Z ERRO [context: HTTP, requestID: d9beb883-8d54-4a28-b378-6ea4d6981660] management/server/http/util/util.go:81: got a handler error: token invalid management-1 | 2024-12-25T02:10:11Z ERRO [context: HTTP, requestID: d9beb883-8d54-4a28-b378-6ea4d6981660] management/server/telemetry/http_api_metrics.go:168: HTTP response d9beb883-8d54-4a28-b378-6ea4d6981660: GET /api/users status 401 management-1 | 2024-12-25T02:10:17Z ERRO [context: HTTP, requestID: 23e15c63-ee40-4022-ba81-9f9669504577] management/server/http/middleware/auth_middleware.go:89: Error when validating JWT claims: unable to get authentik token, statusCode 400 management-1 | 2024-12-25T02:10:17Z ERRO [context: HTTP, requestID: 23e15c63-ee40-4022-ba81-9f9669504577] management/server/http/util/util.go:81: got a handler error: token invalid management-1 | 2024-12-25T02:10:17Z ERRO [context: HTTP, requestID: 23e15c63-ee40-4022-ba81-9f9669504577] management/server/telemetry/http_api_metrics.go:168: HTTP response 23e15c63-ee40-4022-ba81-9f9669504577: GET /api/users status 401 management-1 | 2024-12-25T02:10:31Z ERRO [context: HTTP, requestID: dd20e868-1565-47ba-b9cb-f7ec1a8d6285] management/server/http/middleware/auth_middleware.go:89: Error when validating JWT claims: unable to get authentik token, statusCode 400 management-1 | 
2024-12-25T02:10:31Z ERRO [requestID: dd20e868-1565-47ba-b9cb-f7ec1a8d6285, context: HTTP] management/server/http/util/util.go:81: got a handler error: token invalid management-1 | 2024-12-25T02:10:31Z ERRO [requestID: dd20e868-1565-47ba-b9cb-f7ec1a8d6285, context: HTTP] management/server/telemetry/http_api_metrics.go:168: HTTP response dd20e868-1565-47ba-b9cb-f7ec1a8d6285: GET /api/users status 401 management-1 | 2024-12-25T02:10:35Z ERRO [context: HTTP, requestID: 981f746e-d787-44c4-8a38-24eff7d1eb38] management/server/http/middleware/auth_middleware.go:89: Error when validating JWT claims: unable to get authentik token, statusCode 400 management-1 | 2024-12-25T02:10:35Z ERRO [context: HTTP, requestID: 981f746e-d787-44c4-8a38-24eff7d1eb38] management/server/http/util/util.go:81: got a handler error: token invalid management-1 | 2024-12-25T02:10:35Z ERRO [context: HTTP, requestID: 981f746e-d787-44c4-8a38-24eff7d1eb38] management/server/telemetry/http_api_metrics.go:168: HTTP response 981f746e-d787-44c4-8a38-24eff7d1eb38: GET /api/users status 401 management-1 | 2024-12-25T02:11:03Z ERRO [context: HTTP, requestID: 4fa80205-ba1c-402a-9ddf-e6d65f4ebb7a] management/server/http/middleware/auth_middleware.go:89: Error when validating JWT claims: unable to get authentik token, statusCode 400 management-1 | 2024-12-25T02:11:03Z ERRO [context: HTTP, requestID: 4fa80205-ba1c-402a-9ddf-e6d65f4ebb7a] management/server/http/util/util.go:81: got a handler error: token invalid management-1 | 2024-12-25T02:11:03Z ERRO [requestID: 4fa80205-ba1c-402a-9ddf-e6d65f4ebb7a, context: HTTP] management/server/telemetry/http_api_metrics.go:168: HTTP response 4fa80205-ba1c-402a-9ddf-e6d65f4ebb7a: GET /api/users status 401

@FabulousCodingFox commented on GitHub (Dec 25, 2024):

Reading through the Authentik docs, I noticed that Authentik 2024.10.x introduced encrypted JWT, which are on by default. I turned them off in the Netbird provider and now it works.

![grafik](https://github.com/user-attachments/assets/123bd838-6020-480e-8fae-c850c7a49579)
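The change FabulousCodingFox found is visible in the token itself: a token the provider encrypts is a JWE, five dot-separated segments with an `enc` field in its protected header, whereas a validator that only handles signed tokens expects a JWS, three segments. The Go program below is an added example, not code from this thread, from NetBird or from Authentik. It decodes only the protected header, so it can be run on a copied token without any key material, and reports which shape the token has. The two sample tokens and the header values in them (`RSA-OAEP-256`, `A256GCM`, the `kid` names) are constructed for the demo and are assumptions, not what Authentik actually emits.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Diagnoses returned by Explain for the two token shapes.
const (
	DiagJWS = "signed JWT (JWS, 3 segments): verifiable against the provider's JWKS"
	DiagJWE = "encrypted JWT (JWE, 5 segments): a signature-only validator cannot read it; turn off the encryption key on the provider"
)

// Header is the part of the JOSE protected header that decides how a token is handled.
type Header struct {
	Alg string `json:"alg"`
	Enc string `json:"enc"` // content-encryption algorithm, present only on a JWE
	Kid string `json:"kid"`
}

// Inspect decodes only the first segment. It neither verifies nor decrypts, so
// it needs no key and reveals nothing beyond the public header.
func Inspect(token string) (Header, int, error) {
	parts := strings.Split(strings.TrimSpace(token), ".")
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return Header{}, 0, fmt.Errorf("header is not base64url: %w", err)
	}
	var h Header
	if err := json.Unmarshal(raw, &h); err != nil {
		return Header{}, 0, fmt.Errorf("header is not JSON: %w", err)
	}
	return h, len(parts), nil
}

// Explain maps segment count and the enc header to the operator-facing diagnosis.
func Explain(token string) (string, error) {
	h, n, err := Inspect(token)
	if err != nil {
		return "", err
	}
	switch {
	case n == 5 && h.Enc != "":
		return DiagJWE, nil
	case n == 3 && h.Enc == "":
		return DiagJWS, nil
	}
	return "", errors.New("unrecognised token layout")
}

// sample builds a constructed token: only the header is meaningful, the other
// segments are filler standing in for payload, signature or ciphertext.
func sample(header map[string]string, segments int) string {
	hdr, _ := json.Marshal(header)
	parts := []string{base64.RawURLEncoding.EncodeToString(hdr)}
	for i := 1; i < segments; i++ {
		parts = append(parts, base64.RawURLEncoding.EncodeToString([]byte("filler")))
	}
	return strings.Join(parts, ".")
}

// Constructed samples; the alg/enc/kid values are assumptions, not Authentik's.
var (
	SampleJWS = sample(map[string]string{"alg": "RS256", "typ": "JWT", "kid": "signing-key-1"}, 3)
	SampleJWE = sample(map[string]string{"alg": "RSA-OAEP-256", "enc": "A256GCM", "kid": "encryption-key-1"}, 5)
)

func main() {
	for _, tok := range []string{SampleJWS, SampleJWE} {
		diag, err := Explain(tok)
		fmt.Printf("%d segments: %s %v\n", strings.Count(tok, ".")+1, diag, err)
	}
}
```

Run it against a real token by passing the `Authorization: Bearer` value the dashboard sends to `/api/users`; if `Inspect` reports five segments, the provider is still encrypting and the management server's "token invalid" is expected until the encryption key is unset.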

@bannert1337 commented on GitHub (Jan 11, 2025):

> The same problem, Redirect URI error
>
> change in my authentik: (screenshot)
>
> and
> (screenshot)
>
> Now the access dashboard works :)

> Reading through the Authentik docs, I noticed that Authentik 2024.10.x introduced encrypted JWT, which are on by default. I turned them off in the Netbird provider and now it works.
> ![grafik](https://github.com/user-attachments/assets/123bd838-6020-480e-8fae-c850c7a49579)

After I applied these changes, it worked. Thank you very much. This should be added to the troubleshooting docs of Netbird or Authentik.

@rdeangel commented on GitHub (Jan 26, 2025):

> Reading through the Authentik docs, I noticed that Authentik 2024.10.x introduced encrypted JWT, which are on by default. I turned them off in the Netbird provider and now it works.

How did you disable encrypted JWT? I select --------, and after saving the self-signed cert is still there; it seems I'm unable to deselect it.

![Image](https://github.com/user-attachments/assets/7931f89a-24d5-4afd-a52e-6fbd0d15214d)

Or did you disable it some other way?

@FabulousCodingFox commented on GitHub (Jan 26, 2025):

> > Reading through the Authentik docs, I noticed that Authentik 2024.10.x introduced encrypted JWT, which are on by default. I turned them off in the Netbird provider and now it works.
>
> How did you disable encrypted JWT? I select --------, and after saving the self-signed cert is still there; it seems I'm unable to deselect it.
>
> ![Image](https://github.com/user-attachments/assets/7931f89a-24d5-4afd-a52e-6fbd0d15214d)
>
> Or did you disable it some other way?

You are trying to disable the signing key. This needs to stay. You need to disable the encryption key below it.

@rdeangel commented on GitHub (Jan 26, 2025):

based on this:

![Image](https://github.com/user-attachments/assets/b4bab4b2-72d6-49db-b753-6a9d673a2779)

my encryption key is not selected and signing should be the same as before (they do need to be signed).

having it like this, which is what I had to start with, should disable JWT encryption, right?

![Image](https://github.com/user-attachments/assets/c8b1f6a7-c03b-4fde-bdf6-f8700e52a7b1)

Yeah, it works. Turns out I had messed up one of my env variables, so I had also broken it because of that.
All working now.

@bsmithuk commented on GitHub (Jan 31, 2025):

> The same problem, Redirect URI error
>
> change in my authentik: (screenshot)
>
> and
> (screenshot)
>
> Now the access dashboard works :)

This worked for me - thanks :)

@Berjou commented on GitHub (Feb 14, 2025):

Since I ended up here after encountering the same problem, and struggled to make it work even with the information in this thread, I will add this. If you created a group in Authentik to limit access to netbird to a subset of users, do not forget to add the Netbird service account to this group. It is what solved the problem for me. :)

@barto95100 commented on GitHub (Feb 17, 2025):

same problem again, 401 token invalid... :(

```
management-1  | 2025-02-17T17:45:47Z ERRO [context: SYSTEM] management/server/jwtclaims/jwtValidator.go:142: getPublicKey error: unable to find appropriate key
management-1  | 2025-02-17T17:45:47Z ERRO [context: HTTP, requestID: 8f31c841-aeb8-4923-9c93-a17a475fe29a] management/server/jwtclaims/jwtValidator.go:180: error parsing token: unable to find appropriate key
management-1  | 2025-02-17T17:45:47Z ERRO [context: HTTP, requestID: 8f31c841-aeb8-4923-9c93-a17a475fe29a] management/server/http/middleware/auth_middleware.go:89: Error when validating JWT claims: error parsing token: unable to find appropriate key
management-1  | 2025-02-17T17:45:47Z ERRO [context: HTTP, requestID: 8f31c841-aeb8-4923-9c93-a17a475fe29a] management/server/http/util/util.go:85: got a handler error: token invalid
management-1  | 2025-02-17T17:45:47Z ERRO [context: HTTP, requestID: 8f31c841-aeb8-4923-9c93-a17a475fe29a] management/server/telemetry/http_api_metrics.go:189: HTTP response 8f31c841-aeb8-4923-9c93-a17a475fe29a: GET /api/users status 401
management-1  | 2025-02-17T17:45:50Z ERRO [context: SYSTEM] management/server/jwtclaims/jwtValidator.go:142: getPublicKey error: unable to find appropriate key
management-1  | 2025-02-17T17:45:50Z ERRO [requestID: f0beb3c0-0a37-47f2-af34-c1e3cef6d744, context: HTTP] management/server/jwtclaims/jwtValidator.go:180: error parsing token: unable to find appropriate key
management-1  | 2025-02-17T17:45:50Z ERRO [requestID: f0beb3c0-0a37-47f2-af34-c1e3cef6d744, context: HTTP] management/server/http/middleware/auth_middleware.go:89: Error when validating JWT claims: error parsing token: unable to find appropriate key
management-1  | 2025-02-17T17:45:50Z ERRO [context: HTTP, requestID: f0beb3c0-0a37-47f2-af34-c1e3cef6d744] management/server/http/util/util.go:85: got a handler error: token invalid
management-1  | 2025-02-17T17:45:50Z ERRO [context: HTTP, requestID: f0beb3c0-0a37-47f2-af34-c1e3cef6d744] management/server/telemetry/http_api_metrics.go:189: HTTP response f0beb3c0-0a37-47f2-af34-c1e3cef6d744: GET /api/users status 401
```

I don't understand :(
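The `getPublicKey error: unable to find appropriate key` line in these logs is a different failure from the encrypted-JWT one earlier in the thread: the token is a plain signed JWT, but its `kid` header names a signing key that is not in the JWKS the management server cached at startup, which is typically what happens after the signing key or the whole provider is recreated in Authentik. Re-fetching the JWKS when an unknown `kid` turns up is the remedy, and that is what NetBird's `IdpSignKeyRefreshEnabled` setting in `management.json` enables. The Go program below is an added example of that cache-and-refresh logic, not NetBird's own validator: it parses a JWKS document into RSA public keys, looks them up by `kid`, and refreshes once on a miss when refresh is enabled. The key pairs and the two JWKS documents are generated inline for the demo; the `kid` values `key-2024`/`key-2025` and the `Fetch` function standing in for the HTTPS request are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

var b64 = base64.RawURLEncoding

// KeySet caches the IdP's RSA public keys by kid. RefreshEnabled mirrors what
// NetBird's IdpSignKeyRefreshEnabled does: on an unknown kid, fetch the JWKS again.
type KeySet struct {
	Fetch          func() []byte // stands in for the HTTPS GET of the IdP's JWKS URL
	RefreshEnabled bool
	Refreshes      int
	keys           map[string]*rsa.PublicKey
}

// str reads a JWK member as a string; non-string members (x5c, key_ops) are ignored.
func str(v interface{}) string {
	s, _ := v.(string)
	return s
}

// Load parses a JWKS document (RFC 7517) into usable keys. Entries that are
// not RSA or are malformed are skipped rather than failing the whole set.
func (ks *KeySet) Load() error {
	var doc struct {
		Keys []map[string]interface{} `json:"keys"`
	}
	if err := json.Unmarshal(ks.Fetch(), &doc); err != nil {
		return err
	}
	ks.keys = map[string]*rsa.PublicKey{}
	for _, k := range doc.Keys {
		n, errN := b64.DecodeString(str(k["n"]))
		e, errE := b64.DecodeString(str(k["e"]))
		if str(k["kty"]) != "RSA" || errN != nil || errE != nil {
			continue
		}
		ks.keys[str(k["kid"])] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	return nil
}

// Lookup returns the key a token's kid header names. With refresh off, a key
// rotated at the IdP yields the error from the logs above until a restart.
func (ks *KeySet) Lookup(kid string) (*rsa.PublicKey, error) {
	if k, ok := ks.keys[kid]; ok {
		return k, nil
	}
	if ks.RefreshEnabled {
		ks.Refreshes++
		if err := ks.Load(); err == nil {
			if k, ok := ks.keys[kid]; ok {
				return k, nil
			}
		}
	}
	return nil, errors.New("unable to find appropriate key")
}

// JWKS renders one published key the way an IdP does (constructed for this demo).
func JWKS(kid string, pub *rsa.PublicKey) []byte {
	out, _ := json.Marshal(map[string]interface{}{"keys": []map[string]string{{
		"kty": "RSA", "use": "sig", "kid": kid,
		"n":   b64.EncodeToString(pub.N.Bytes()),
		"e":   b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
	}}})
	return out
}

// Rotation replays the failure: the cache was filled before the IdP rotated
// its signing key, so a token carrying the new kid is only matched when the
// set is refreshed. It reports whether the rotated key was found and how many
// refreshes that took.
func Rotation(refresh bool) (found bool, refreshes int, err error) {
	old, _ := rsa.GenerateKey(rand.Reader, 2048)
	rotated, _ := rsa.GenerateKey(rand.Reader, 2048)
	published := JWKS("key-2024", &old.PublicKey)
	ks := &KeySet{Fetch: func() []byte { return published }, RefreshEnabled: refresh}
	if err := ks.Load(); err != nil {
		return false, 0, err
	}
	published = JWKS("key-2025", &rotated.PublicKey) // the IdP rotates; new tokens carry kid "key-2025"
	k, err := ks.Lookup("key-2025")
	return k != nil && k.N.Cmp(rotated.N) == 0, ks.Refreshes, err
}

func main() {
	for _, refresh := range []bool{false, true} {
		found, n, err := Rotation(refresh)
		fmt.Printf("IdpSignKeyRefreshEnabled=%v: found=%v refreshes=%d err=%v\n", refresh, found, n, err)
	}
}
```

A production cache would also rate-limit the refresh so that a flood of tokens with bogus `kid` values cannot turn into a flood of requests to the IdP; the single refresh per miss shown here is the minimum that stops a key rotation from requiring a restart.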

@barto95100 commented on GitHub (Feb 19, 2025):

Do other people have the same problem?

@GeorgeDaGreatt commented on GitHub (Feb 23, 2025):

I seem to be getting the same problem, I opened an issue here for a different reason, but ended up like this instead...

@CappyT commented on GitHub (Feb 24, 2025):

I'm getting the same issue, fresh installation of netbird as per docs. I honestly don't know what is wrong.

@bmcgonag commented on GitHub (Feb 26, 2025):

I've tried everything through this entire thread. I got the URI Redirect resolved with the steps of

1. Change the redirect URI to use 'regex' for the URI ending with an asterisk '*'.
2. Adding the API to the scopes for the provider.

I am now getting the same 401 error listed above.

I'm running 2025.2.1 for Authentik, and just pulled the latest netbird this evening. No idea why this is happening.

I have switched from the self-signed authentik cert, which shows expired, to a non-expired cert I created.

I checked my service user for netbird, but there isn't even a token listed for it, so nothing to change there.

The only thing I didn't change was the `.HttpConfig.IdpSignKeyRefreshEnabled` to `true` in management.json

Really not sure that's the issue. I'd love to get a resolution to this problem.

@bmcgonag commented on GitHub (Feb 27, 2025):

> Since I ended up here after encountering the same problem, and struggled to make it work even with the information in this thread, I will add this. If you created a group in Authentik to limit access to netbird to a subset of users, do not forget to add the Netbird service account to this group. It is what solved the problem for me. :)

I did check this as well. No group specified for my netbird application access. I still get the 401 authentication errors though.

@bmcgonag commented on GitHub (Feb 27, 2025):

Finally, this is all I had to do to make this work.

1. Add the 'API' scope to the provider under `Applications > Providers`, edit the Netbird provider, then expand `Advanced Protocol Settings`, and add the scope by selecting it on the left, and moving it to the right with the single '>' button.
2. Change the Redirect URL with the wildcard `*` symbol (in my case the second one) in `Applications > Providers`, edit the netbird provider, and change it from `Strict` to `Regex`.

The above will fix the URI Redirect issue people are running into.

Next, I had to tackle the 401 Access Error.

1. Bind the Netbird System account to the Netbird application.

   Go to your Admin console in Authentik. Click on `Applications` in the left menu to expand it. Select `Applications`. Click the `Netbird` application in the list to open its properties. Select the `Policy / Group / User Bindings` tab.

   Click the `Bind existing Policy / Group / User` button, and then select the `User` tab on the window that opens. Select the `Netbird` user from the drop-down, and click the `Create` button.

   NOTE: While you're here, you can bind any other users or groups in the same way, and skip step 3 below.

2. Add an app password for the Netbird system account.

   In the left menu select `Directory > Token and App Passwords`. Click the `Create` button. Name the object whatever makes sense to you, then select the `Netbird` user. Select the `App Password` option, give it a description that makes sense to you, and un-tick the `Expiring` option, or set the expiration date out a good ways (like a year or so). Click `Create`.

   Copy the password by clicking the little copy icon out to the right on the new entry in the table.

   On your Netbird server, locate your `management.json` file (mine's in `netbird/infrastructure-files/artifacts`). Edit the file, and find the section `IdpManagerConfig`, then find the sub-section `ExtraConfig` and replace the password with the new App Password you just copied. Save the file.

3. Make sure any users you want to access Netbird are part of a Group with a bind to the Netbird application, or that each user is set with a Bind to the application.

   Using the same steps as in number 1 above, bind any users or groups to the Netbird application who will need to access it using their Authentik credentials.

4. Restart the `management` container on your netbird server.

   Now restart the netbird management service and container on your netbird server by going into the artifacts folder, and running `docker compose restart management`.

You will hopefully now be able to access the management system again.

@barto95100 commented on GitHub (Mar 1, 2025):

@bmcgonag thanks for the information

I configured it as indicated and all is OK, I can access my netbird dashboard again

:)

@mileyceberus commented on GitHub (Mar 4, 2025):

> You will hopefully now be able to access the management system again.

Unfortunately I am still seeing 401 errors with your suggestions. Authentik version 2025.2.1.

@davidliyutong commented on GitHub (Mar 19, 2025):

This solution works in my case (use the App Password, not the plain password)
https://github.com/netbirdio/netbird/issues/2847#issuecomment-2504668552

@mileyceberus commented on GitHub (Mar 20, 2025):

> This solution works in my case (use the App Password, not the plain password)

I am still getting "token invalid" messages even after

1. adding the "app password" for the netbird service account
2. binding the netbird service account to the netbird provider
3. binding the netbird user group to the netbird provider

I am using Authentik 2025.2.2.

```
netbird-mgmt    | 2025-03-20T05:45:12Z ERRO [context: HTTP, requestID: aaee23d7-62f3-454d-81ae-c8e592f77d7c] management/server/telemetry/http_api_metrics.go:189: HTTP response aaee23d7-62f3-454d-81ae-c8e592f77d7c: GET /api/users status 401
netbird-mgmt    | 2025-03-20T05:45:13Z ERRO [context: HTTP, requestID: 11e7943a-4b5f-4c40-a286-01aa661291f4] management/server/auth/jwt/validator.go:161: token could not be parsed: Token used before issued
netbird-mgmt    | 2025-03-20T05:45:13Z ERRO [context: HTTP, requestID: 11e7943a-4b5f-4c40-a286-01aa661291f4] management/server/http/middleware/auth_middleware.go:63: Error when validating JWT: token could not be parsed: Token used before issued
netbird-mgmt    | 2025-03-20T05:45:13Z ERRO [context: HTTP, requestID: 11e7943a-4b5f-4c40-a286-01aa661291f4] management/server/http/util/util.go:85: got a handler error: token invalid
netbird-mgmt    | 2025-03-20T05:45:13Z ERRO [context: HTTP, requestID: 11e7943a-4b5f-4c40-a286-01aa661291f4] management/server/telemetry/http_api_metrics.go:189: HTTP response 11e7943a-4b5f-4c40-a286-01aa661291f4: GET /api/users status 401
netbird-mgmt    | 2025-03-20T05:45:14Z ERRO [requestID: 1473925f-6d7a-4120-9506-4e663150756f, context: HTTP] management/server/auth/jwt/validator.go:161: token could not be parsed: Token used before issued
```

The relevant authentik configs

![Image](https://github.com/user-attachments/assets/4b43960f-eaab-40d3-897a-8364a9c660df)
![Image](https://github.com/user-attachments/assets/6ac4d480-1ea9-4594-bd6a-a992c4036d4d)
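`Token used before issued` is a third, distinct failure: the validator rejects the token because its `iat` claim lies in the future relative to the management server's clock. That is the signature of clock skew between the Authentik host and the NetBird host (the Authentik clock running ahead); keeping both in sync with NTP is the fix, and a small leeway in the validator absorbs what remains. The Go program below is an added example, not NetBird's code: it verifies an RS256 token (algorithm pinned, signature checked before any claim is read) and then checks `iat`, `nbf` and `exp` with a configurable leeway. `Skew` replays an IdP whose clock runs ahead, and `Forgery` shows that a payload swapped under an existing signature is rejected. The RSA key and the tokens are generated inline; `Sign` stands in for the IdP and is constructed for the demo, and the error strings are chosen to match the messages in the logs above.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

type Claims struct {
	Sub string `json:"sub"`
	Iat int64  `json:"iat"`
	Nbf int64  `json:"nbf,omitempty"`
	Exp int64  `json:"exp"`
}

// Verify checks an RS256 token the way a resource server should: pin the
// algorithm, verify the signature over header.payload, and only then read the
// claims. The time checks allow `leeway` so that a small clock difference
// between the IdP host and this host does not turn every token into a 401.
func Verify(token string, pub *rsa.PublicKey, now time.Time, leeway time.Duration) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("not a compact JWS")
	}
	var hdr struct{ Alg string } // encoding/json matches "alg" case-insensitively
	raw, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return Claims{}, errors.New("malformed header or unsupported alg") // the token never chooses the algorithm
	}
	sig, err := b64.DecodeString(parts[2])
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return Claims{}, errors.New("bad signature")
	}
	var c Claims // claims are decoded only after the signature is trusted
	if raw, err = b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return Claims{}, errors.New("malformed payload")
	}
	switch {
	case time.Unix(c.Iat, 0).After(now.Add(leeway)):
		return Claims{}, errors.New("Token used before issued") // the message seen in the logs above
	case c.Nbf != 0 && time.Unix(c.Nbf, 0).After(now.Add(leeway)):
		return Claims{}, errors.New("token not valid yet")
	case time.Unix(c.Exp, 0).Add(leeway).Before(now): // a token without exp counts as expired
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// Sign plays the IdP's part (constructed for this demo, not Authentik's code).
func Sign(priv *rsa.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sum := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	return input + "." + b64.EncodeToString(sig)
}

// Skew issues a token on an IdP whose clock runs `ahead` of ours and returns
// the validator's verdict for the given leeway (nil means accepted).
func Skew(ahead, leeway time.Duration) error {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	now := time.Now()
	idpNow := now.Add(ahead)
	tok := Sign(key, Claims{Sub: "netbird-service-account", Iat: idpNow.Unix(), Exp: idpNow.Add(time.Hour).Unix()})
	_, err = Verify(tok, &key.PublicKey, now, leeway)
	return err
}

// Forgery replays a tampered token: the payload is swapped for one naming a
// different subject while the original signature is kept.
func Forgery() error {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	parts := strings.Split(Sign(key, Claims{Sub: "alice", Iat: now.Unix(), Exp: now.Add(time.Hour).Unix()}), ".")
	forged := parts[0] + "." + b64.EncodeToString([]byte(`{"sub":"bob","iat":1,"exp":9999999999}`)) + "." + parts[2]
	_, err := Verify(forged, &key.PublicKey, now, 30*time.Second)
	return err
}

func main() {
	fmt.Println("IdP 2m ahead, 30s leeway:", Skew(2*time.Minute, 30*time.Second))
	fmt.Println("IdP 2m ahead, 5m leeway: ", Skew(2*time.Minute, 5*time.Minute))
	fmt.Println("clocks in sync:          ", Skew(0, 30*time.Second))
	fmt.Println("swapped payload:         ", Forgery())
}
```

The leeway is a tolerance, not a substitute for time synchronisation: a generous value weakens `exp`, so fix the clocks first and keep the leeway in the tens of seconds.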

@davidliyutong commented on GitHub (Mar 20, 2025):

> This solution works in my case (use the App Password, not the plain password) [#2847 (comment)](https://github.com/netbirdio/netbird/issues/2847#issuecomment-2504668552)

Apart from this trick, I also did:

- set `IdpSignKeyRefreshEnabled` to `true` in `artifacts/management.json`
- enable jwt signing in `Provider > Netbird`, but disable encryption
- add netbird's service account to `authentik Admins` group (you can **impersonate** the service account and visit `https://authentik.your.company/api/users` in browser to see if you can get an output)
- add default `Device Authorization Flow` according to the official guide

@MinaMatta98 commented on GitHub (Mar 26, 2025):

For anyone still struggling with this, I would like to note that you have to use the authentik app password created under:

```
Authentik Settings -> Directory -> Token App and Passwords
```

Not the Netbird Password, as this will not work.

@HiFallMaple commented on GitHub (Apr 10, 2025):

> - add netbird's service account to `authentik Admins` group (you can **impersonate** the service account and visit `https://authentik.your.company/api/users` in browser to see if you can get an output)

@davidliyutong For me, it's sufficient to grant the Netbird service account the "Can view User" permission. There's no need to add it to the admin group.

![Image](https://github.com/user-attachments/assets/8de1c3b3-864b-49fe-b0ea-af47193aeebf)

@kororo commented on GitHub (Apr 30, 2025):

Don't forget guys, if you set your application with a group policy, you need to update your `Netbird` user to be in that group.

> If an access group is created for the Netbird application, the Netbird service account must be included in the group. Otherwise you will see a 401 error after login.

https://github.com/goauthentik/authentik/pull/14191/files#diff-2231281ba2582bc964b532dd44bdf52622f92e1b903c51913d24d6e71c364833R53

@FoxxMD commented on GitHub (Jun 18, 2025):

@bmcgonag THANK YOU, [this finally fixed things for me.](https://github.com/netbirdio/netbird/issues/2941#issuecomment-2688886574)

For future users:

Both the [Authentik](https://docs.goauthentik.io/integrations/services/netbird) and [Netbird](https://docs.netbird.io/selfhosted/identity-providers#authentik) guides cover the majority of this now, but critically:

> In the left menu select Directory > Token and App Passwords. Click the Create button. Name the object whatever makes sense to you, then select the Netbird user. Select the App Password option, give it a description that makes sense to you, and un-tick the Expiring option, or set the expiration date out a good ways (like a year or so). Click Create.

This is **not** covered in the Authentik guide. The Netbird guide **briefly** mentions creating an App Password but...

> Copy the password by clicking the little copy icon out to the right on the new entry in the table.

It does not specify that you need to associate it with the Service Account, need to **copy** this password, and use this instead of the Service Account password. The greatest point of confusion is that the Netbird guide has this excerpt in the `setup.env` example

```
...
NETBIRD_IDP_MGMT_EXTRA_PASSWORD="<SERVICE_ACCOUNT_PASSWORD>"
```

when it really should be `<APP_PASSWORD>`
Author
Owner

@buzzard10 commented on GitHub (Jul 18, 2025):

> add netbird's service account to authentik Admins group (you can impersonate the service account and visit https://authentik.your.company/api/users in browser to see if you can get an output)

@davidliyutong I have a "Not Found" error when I'm trying to open auth.domain.com/api/users - do you have any idea why?

@Oriann commented on GitHub (Jul 29, 2025):

@bmcgonag Thank you, lifesaver.
Just bothering me... somebody just updated something without proper docs (Authentik). Software is good but docs need extra grinding.

@davidliyutong commented on GitHub (Jul 29, 2025):

> > add netbird's service account to authentik Admins group (you can impersonate the service account and visit https://authentik.your.company/api/users in browser to see if you can get an output)
>
> @davidliyutong I have a "Not Found" error when I'm trying to open auth.domain.com/api/users - do you have any idea why?

@buzzard10 Have you already "Impersonated" the service account? I guess this is caused by misconfigured permissions of the account currently logged in.

@buzzard10 commented on GitHub (Aug 1, 2025):

@davidliyutong yeah, I've already tried all recommended fixes and still have this error 401 token invalid :(

@davidliyutong commented on GitHub (Aug 17, 2025):

> @davidliyutong yeah, I've already tried all recommended fixes and still have this error 401 token invalid :(

Hi @buzzard10 FYI, I recently deployed another netbird instance and encountered the same 401 error. Then I followed [this comment](https://github.com/netbirdio/netbird/issues/2941#issuecomment-2688886574) and set the `ExtraConfig` section. The issue was then resolved :-)

@simensgreen commented on GitHub (Sep 13, 2025):

@buzzard10 The Authentik `/api/users` endpoint also does not work. According to the [documentation for the Authentik API](https://api.goauthentik.io/reference/core-users-list/), Authentik expects a user list request to be made at `/api/v3/core/users`. I do not know how to solve this problem at the moment.

@tugdualenligne commented on GitHub (Sep 27, 2025):

Has someone found a solution? Using the latest Authentik version 2025.08.03 and the latest Netbird as Docker compose.
I cannot get past this error, although I have tried every piece of advice given on GitHub and Reddit:
`management/server/http/middleware/auth_middleware.go:69: Error when validating JWT: token could not be parsed: token has invalid claims: token used before issued`

@tugdualenligne commented on GitHub (Oct 3, 2025):

> Comment received: thelordtourette left a comment
> Assigning "User Object Permissions" to the Netbird service user fixed the issue for me. Before that the service user was unable to access the Authentik API.
>
> Authentik Settings -> Directory -> User -> Netbird User -> Permissions -> User Object Permissions -> Assign to new user -> select the Netbird User -> "View applications the user has access to" and "Can view User -> Assign"

Thanks for that comment but unfortunately, it didn't change anything for me, and I suspect (please see the screen capture) that I already had all the options activated:

![Image](https://github.com/user-attachments/assets/573ed40d-abb3-4ca0-b35a-9b4c339af4b4)

@Raito00 commented on GitHub (Oct 12, 2025):

> Comment received: thelordtourette left a comment Assigning "User Object Permissions" to the Netbird service user fixed the issue for me. Before that the service user was unable to access the Authentik API.
>
> Authentik Settings -> Directory -> User -> Netbird User -> Permissions -> User Object Permissions -> Assign to new user -> select the Netbird User -> "View applications the user has access to" and "Can view User -> Assign"
>
> Thanks for that comment but unfortunately, it didn't change anything for me, and I suspect (please see the screen capture) that I already had all the options activated:
>
> Image

In the Provider, did you add API access and offline_access?

![Image](https://github.com/user-attachments/assets/eb611e60-2770-40b6-8aff-afd2d14ce030)

@tugdualenligne commented on GitHub (Oct 13, 2025):

Thanks, yes, those are selected.
I managed to get past the JWT token error at least, by synchronising time better between my Authentik server and my Netbird server: I set up ntpsec (Debian OS) on both systems, forced a time sync and tada, no more "JWT token used before issued" error!

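A small diagnostic for the "token used before issued" error discussed above, added here as an example (it is not NetBird or Authentik code): it decodes a JWT payload without verifying the signature and reports how far the `iat` claim is ahead of the validator's clock, with an optional leeway, so clock drift between the identity provider and the management server can be told apart from a permissions problem. The sample tokens and the `now` values are constructed.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).

    The signature is not verified: this is a clock diagnostic, not a validator.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_issued_at(token: str, now: int, leeway: int = 0) -> dict:
    """Reproduce the iat check behind "token used before issued".

    skew = iat - now, so a positive skew means the issuer's (Authentik's)
    clock is ahead of the validator's (NetBird management's). The token is
    rejected when the skew exceeds the allowed leeway in seconds.
    """
    iat = jwt_claims(token).get("iat")
    if iat is None:
        return {"ok": True, "skew": None, "reason": "no iat claim"}
    skew = int(iat) - now
    if skew > leeway:
        return {"ok": False, "skew": skew, "reason": "token used before issued"}
    return {"ok": True, "skew": skew, "reason": "iat acceptable"}


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token (empty signature segment) for testing."""
    def enc(obj: dict) -> str:
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    now = int(time.time())
    # Issuer clock two minutes ahead: rejected without leeway, accepted with 300 s.
    ahead = make_sample_token({"iat": now + 120, "exp": now + 3600})
    print(check_issued_at(ahead, now))
    print(check_issued_at(ahead, now, leeway=300))
```

Run it against a real token copied from the browser's network tab only to read the skew; a skew of more than a few seconds points at NTP, as in the fix above.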