Keycloak 17.0.2: Direct device authentication not working #189

New Issue

Closed

opened 2025-11-20 05:07:39 -05:00 by saavagebueno · 20 comments

saavagebueno commented 2025-11-20 05:07:39 -05:00

Owner

Copy Link

Originally created by @ykorzikowski on GitHub (Sep 21, 2022).

Hello there,

I set up erverything like described in the selfhosting guide with keycloak. I can login to the admin console with keycloak and can see Peers etc.

However, when I try to do a netbird up, it wont connect to the management service.

$ netbird up  --management-url https://netbird-api.company.com/
WARN[2022-09-22T00:52:36+02:00] retrying Login to the Management service in 1.104660288s due to error rpc error: code = Unknown desc = context deadline exceeded

• Dashboard is runing under netbird.company.com
• API is running under netbird-api.company.com

I can curl the api from my machin:

$ curl https://netbird-api.compay.com/api/groups
The token isn't valid

Originally created by @ykorzikowski on GitHub (Sep 21, 2022). Hello there, I set up erverything like described in the selfhosting guide with keycloak. I can login to the admin console with keycloak and can see Peers etc. However, when I try to do a `netbird up`, it wont connect to the management service. ``` $ netbird up --management-url https://netbird-api.company.com/ WARN[2022-09-22T00:52:36+02:00] retrying Login to the Management service in 1.104660288s due to error rpc error: code = Unknown desc = context deadline exceeded ``` - Dashboard is runing under netbird.company.com - API is running under netbird-api.company.com I can curl the api from my machin: ``` $ curl https://netbird-api.compay.com/api/groups The token isn't valid ```

saavagebueno added the bugwaiting-feedbackidp labels 2025-11-20 05:07:39 -05:00

saavagebueno closed this issue 2025-11-20 05:07:40 -05:00

saavagebueno commented 2025-11-20 05:07:40 -05:00

Author

Owner

Copy Link

@braginini commented on GitHub (Sep 22, 2022):

Hey @ykorzikowski

Are you running Dashboard and API on different machines, right?
It might be that for the gRPC API a default 33073 port is used, as per the docker-compose.yml file.

Try

netbird up  --management-url https://netbird-api.company.com:33073

@braginini commented on GitHub (Sep 22, 2022): Hey @ykorzikowski Are you running Dashboard and API on different machines, right? It might be that for the gRPC API a default 33073 port is used, as per the docker-compose.yml file. Try ``` netbird up --management-url https://netbird-api.company.com:33073 ```

saavagebueno commented 2025-11-20 05:07:40 -05:00

Author

Owner

Copy Link

@ykorzikowski commented on GitHub (Sep 22, 2022):

Good morning, just checked your reply.

I forget to tell you: I am using a nginx as reverse proxy.

CONTAINER ID   IMAGE                         COMMAND                  CREATED       STATUS       PORTS                                            NAMES
538bd6b9673e   netbirdio/management:latest   "/go/bin/netbird-mgm…"   8 hours ago   Up 8 hours   0.0.0.0:33073->80/tcp, :::33073->80/tcp          infrastructure_files-management-1
13a3d67ef2cb   wiretrustee/dashboard:main    "/usr/bin/supervisor…"   8 hours ago   Up 8 hours   443/tcp, 0.0.0.0:8080->80/tcp, :::8080->80/tcp   infrastructure_files-dashboard-1
17c8165e7fd5   coturn/coturn                 "docker-entrypoint.s…"   9 hours ago   Up 9 hours                                                    infrastructure_files-coturn-1
9ada4b76d13b   netbirdio/signal:latest       "/go/bin/netbird-sig…"   9 hours ago   Up 9 hours   0.0.0.0:10000->80/tcp, :::10000->80/tcp          infrastructure_files-signal-1

So basically, I want use no TLS in the docker containers, but with my reverse proxy. The Management Service still asks for some certificate, so I give him a self-signed cert.

server {
    listen *:80;
    listen [::]:80;
    server_name  netbird.***.com;

    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    include security.conf;
    listen *:443 ssl;
    listen [::]:443 ssl;
    server_name netbird.***.com;
    ssl_certificate /etc/letsencrypt/live/***.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/***.com/privkey.pem;

    access_log /var/log/nginx/***.com/netbird.log;
    error_log /var/log/nginx/***.com/err/netbird.log;

    location / {
        proxy_pass http://10.10.10.118:8080;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Scheme $scheme;
	proxy_set_header        X-Forwarded-Proto https;
        proxy_set_header        X-Forwarded-Host netbird.***.com;
    }

}

and

server {
    listen *:80;
    listen [::]:80;
    server_name  netbird-api.***.com;

    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    include security.conf;
    listen *:443 ssl;
    listen [::]:443 ssl;
    server_name netbird-api.***.com;
    ssl_certificate /etc/letsencrypt/live/***.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/***.com/privkey.pem;

    access_log /var/log/nginx/***.com/netbird-api.log;
    error_log /var/log/nginx/***.com/err/netbird-api.log;

    location / {
        proxy_pass https://10.10.10.118:33073;
        proxy_ssl_verify              off;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        Access-Control-Allow-Origin "*";
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Scheme $scheme;
    	proxy_set_header        X-Forwarded-Proto https;
        proxy_set_header        X-Forwarded-Host netbird-api.***.com;
    }

}

So maybe we can figure it out together and add it to the documentation :)

@ykorzikowski commented on GitHub (Sep 22, 2022): Good morning, just checked your reply. I forget to tell you: I am using a nginx as reverse proxy. ``` CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 538bd6b9673e netbirdio/management:latest "/go/bin/netbird-mgm…" 8 hours ago Up 8 hours 0.0.0.0:33073->80/tcp, :::33073->80/tcp infrastructure_files-management-1 13a3d67ef2cb wiretrustee/dashboard:main "/usr/bin/supervisor…" 8 hours ago Up 8 hours 443/tcp, 0.0.0.0:8080->80/tcp, :::8080->80/tcp infrastructure_files-dashboard-1 17c8165e7fd5 coturn/coturn "docker-entrypoint.s…" 9 hours ago Up 9 hours infrastructure_files-coturn-1 9ada4b76d13b netbirdio/signal:latest "/go/bin/netbird-sig…" 9 hours ago Up 9 hours 0.0.0.0:10000->80/tcp, :::10000->80/tcp infrastructure_files-signal-1 ``` So basically, I want use no TLS in the docker containers, but with my reverse proxy. The Management Service still asks for some certificate, so I give him a self-signed cert. ``` server { listen *:80; listen [::]:80; server_name netbird.***.com; location / { return 301 https://$server_name$request_uri; } } server { include security.conf; listen *:443 ssl; listen [::]:443 ssl; server_name netbird.***.com; ssl_certificate /etc/letsencrypt/live/***.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/***.com/privkey.pem; access_log /var/log/nginx/***.com/netbird.log; error_log /var/log/nginx/***.com/err/netbird.log; location / { proxy_pass http://10.10.10.118:8080; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Scheme $scheme; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Host netbird.***.com; } } ``` and ``` server { listen *:80; listen [::]:80; server_name netbird-api.***.com; location / { return 301 https://$server_name$request_uri; } } server { include security.conf; listen *:443 ssl; listen [::]:443 ssl; server_name netbird-api.***.com; ssl_certificate /etc/letsencrypt/live/***.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/***.com/privkey.pem; access_log /var/log/nginx/***.com/netbird-api.log; error_log /var/log/nginx/***.com/err/netbird-api.log; location / { proxy_pass https://10.10.10.118:33073; proxy_ssl_verify off; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Access-Control-Allow-Origin "*"; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Scheme $scheme; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Host netbird-api.***.com; } } ``` So maybe we can figure it out together and add it to the documentation :)

saavagebueno commented 2025-11-20 05:07:41 -05:00

Author

Owner

Copy Link

@braginini commented on GitHub (Sep 22, 2022):

We didn't try it yet with Ngnix but there should be some config that allows gRPC connections.

The Management service exposes gRPC API to clients to fetch the network config.

Dashboard uses the Management HTTP API.

gRPC and HTTP APIs are running on the same port.

@braginini commented on GitHub (Sep 22, 2022): We didn't try it yet with Ngnix but there should be some config that allows gRPC connections. The Management service exposes gRPC API to clients to fetch the network config. Dashboard uses the Management HTTP API. gRPC and HTTP APIs are running on the same port.

saavagebueno commented 2025-11-20 05:07:41 -05:00

Author

Owner

Copy Link

@ykorzikowski commented on GitHub (Sep 22, 2022):

So the netbird client uses the gRPC-API and not HTTP?

@ykorzikowski commented on GitHub (Sep 22, 2022): So the netbird client uses the gRPC-API and not HTTP?

saavagebueno commented 2025-11-20 05:07:41 -05:00

Author

Owner

Copy Link

@braginini commented on GitHub (Sep 22, 2022):

So the netbird client uses the gRPC-API and not HTTP?

Yes, exactly. The HTTP API is used by the Dashboard.

We will be putting things behind Caddy for simpler setups in the near future.

@braginini commented on GitHub (Sep 22, 2022): > So the netbird client uses the gRPC-API and not HTTP? Yes, exactly. The HTTP API is used by the Dashboard. We will be putting things behind Caddy for simpler setups in the near future.

saavagebueno commented 2025-11-20 05:07:41 -05:00

Author

Owner

Copy Link

@ykorzikowski commented on GitHub (Sep 22, 2022):

THX for the tip. I am one step further now:

server {
    include security.conf;
    listen *:9000 ssl http2;
    listen [::]:9000 ssl;
    server_name netbird-grpc.***.com;
    ssl_certificate /etc/letsencrypt/live/***.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/***.com/privkey.pem;

    access_log /var/log/nginx/***.com/netbird-grpc.log;
    error_log /var/log/nginx/***.com/err/netbird-grpc.log;

    location / {
        grpc_pass grpcs://10.10.10.118:33073;
        grpc_ssl_verify off;
    }

}

Now Keycloak Oauth opens, but I get this on mgmt console:

time="2022-09-22T08:05:46Z" level=debug msg="rpc error: code = PermissionDenied desc = provided peer with the key wgPubKey ***= is not registered and no setup key or jwt was provided, remote addr is 10.10.10.109:50042" file="grpcserver.go:282"

Maybe I did something wrong when setting up the keycloak realm.

@ykorzikowski commented on GitHub (Sep 22, 2022): THX for the tip. I am one step further now: ``` server { include security.conf; listen *:9000 ssl http2; listen [::]:9000 ssl; server_name netbird-grpc.***.com; ssl_certificate /etc/letsencrypt/live/***.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/***.com/privkey.pem; access_log /var/log/nginx/***.com/netbird-grpc.log; error_log /var/log/nginx/***.com/err/netbird-grpc.log; location / { grpc_pass grpcs://10.10.10.118:33073; grpc_ssl_verify off; } } ``` Now Keycloak Oauth opens, but I get this on mgmt console: ``` time="2022-09-22T08:05:46Z" level=debug msg="rpc error: code = PermissionDenied desc = provided peer with the key wgPubKey ***= is not registered and no setup key or jwt was provided, remote addr is 10.10.10.109:50042" file="grpcserver.go:282" ``` Maybe I did something wrong when setting up the keycloak realm.

saavagebueno commented 2025-11-20 05:07:41 -05:00

Author

Owner

Copy Link

@braginini commented on GitHub (Sep 22, 2022):

I see, I think this one will be easy to fix. The Keycloak is fine.

How did you start the client? This way?

netbird up  --management-url https://netbird-api.company.com/

You should either run it with the setup key like so:

netbird up  --management-url https://netbird-api.company.com:33073 --setup-key <Your Setup Key>

Or Device Auth Flow (SSO Login) has to be enabled in Management config:
c5705803a5/infrastructure_files/management.json.tmpl (L42)

What is in your DeviceAuthorizationFlow config?

@braginini commented on GitHub (Sep 22, 2022): I see, I think this one will be easy to fix. The Keycloak is fine. How did you start the client? This way? ``` netbird up --management-url https://netbird-api.company.com/ ``` You should either run it with the setup key like so: ``` netbird up --management-url https://netbird-api.company.com:33073 --setup-key <Your Setup Key> ``` Or Device Auth Flow (SSO Login) has to be enabled in Management config: https://github.com/netbirdio/netbird/blob/c5705803a503a910c7fb07fbc3fe9515f6b88701/infrastructure_files/management.json.tmpl#L42 What is in your DeviceAuthorizationFlow config?

saavagebueno commented 2025-11-20 05:07:41 -05:00

Author

Owner

Copy Link

@ykorzikowski commented on GitHub (Sep 22, 2022):

It looks like this. I am using the master realm, not sure if this is an issue. I did not create a extra one like in the setup guide described.

    "DeviceAuthorizationFlow": {
        "Provider": "hosted",
        "ProviderConfig": {
          "Audience": "netbird-client",
          "Domain": "",
          "ClientID": "netbird-client",
          "TokenEndpoint": "https://sso.***.com/realms/master/protocol/openid-connect/token",
          "DeviceAuthEndpoint": "https://sso.***.com/realms/master/protocol/openid-connect/auth/device"
         }
    }

@ykorzikowski commented on GitHub (Sep 22, 2022): It looks like this. I am using the master realm, not sure if this is an issue. I did not create a extra one like in the setup guide described. ``` "DeviceAuthorizationFlow": { "Provider": "hosted", "ProviderConfig": { "Audience": "netbird-client", "Domain": "", "ClientID": "netbird-client", "TokenEndpoint": "https://sso.***.com/realms/master/protocol/openid-connect/token", "DeviceAuthEndpoint": "https://sso.***.com/realms/master/protocol/openid-connect/auth/device" } } ```

saavagebueno commented 2025-11-20 05:07:42 -05:00

Author

Owner

Copy Link

@braginini commented on GitHub (Sep 22, 2022):

It looks like this. I am using the master realm, not sure if this is an issue. I did not create a extra one like in the setup guide described.

    "DeviceAuthorizationFlow": {
        "Provider": "hosted",
        "ProviderConfig": {
          "Audience": "netbird-client",
          "Domain": "",
          "ClientID": "netbird-client",
          "TokenEndpoint": "https://sso.***.com/realms/master/protocol/openid-connect/token",
          "DeviceAuthEndpoint": "https://sso.***.com/realms/master/protocol/openid-connect/auth/device"
         }
    }

It is hard to say what went wrong if you didn't follow the guide.
Maybe you didn't enable Device Authorization Grant in step 4 (second screenshot) of the client configuration?
https://netbird.io/docs/integrations/identity-providers/self-hosted/using-netbird-with-keycloak#step-4-create-a-netbird-client

@braginini commented on GitHub (Sep 22, 2022): > It looks like this. I am using the master realm, not sure if this is an issue. I did not create a extra one like in the setup guide described. > > ``` > "DeviceAuthorizationFlow": { > "Provider": "hosted", > "ProviderConfig": { > "Audience": "netbird-client", > "Domain": "", > "ClientID": "netbird-client", > "TokenEndpoint": "https://sso.***.com/realms/master/protocol/openid-connect/token", > "DeviceAuthEndpoint": "https://sso.***.com/realms/master/protocol/openid-connect/auth/device" > } > } > ``` It is hard to say what went wrong if you didn't follow the guide. Maybe you didn't enable Device Authorization Grant in step 4 (second screenshot) of the client configuration? https://netbird.io/docs/integrations/identity-providers/self-hosted/using-netbird-with-keycloak#step-4-create-a-netbird-client

saavagebueno commented 2025-11-20 05:07:42 -05:00

Author

Owner

Copy Link

@ykorzikowski commented on GitHub (Sep 23, 2022):

You are right, it was not selected.

I get this, but ithe netbird up command stuck.

Now I get another error in keycloak logs:

2022-09-23 17:43:20,332 WARN  [org.keycloak.events] (executor-thread-26) type=OAUTH2_DEVICE_VERIFY_USER_CODE_ERROR, realmId=master, clientId=null, userId=null, ipAddress=79.**.**.70, error=invalid_oauth2_user_code, reason='device code not found (it may already have been used)'

Thank you very much for help :)

@ykorzikowski commented on GitHub (Sep 23, 2022): You are right, it was not selected. I get this, but ithe netbird up command stuck.  Now I get another error in keycloak logs: ``` 2022-09-23 17:43:20,332 WARN [org.keycloak.events] (executor-thread-26) type=OAUTH2_DEVICE_VERIFY_USER_CODE_ERROR, realmId=master, clientId=null, userId=null, ipAddress=79.**.**.70, error=invalid_oauth2_user_code, reason='device code not found (it may already have been used)' ``` Thank you very much for help :)

saavagebueno commented 2025-11-20 05:07:42 -05:00

Author

Owner

Copy Link

@braginini commented on GitHub (Sep 23, 2022):

And if you restart NetBird and try again? The issue is reproducible?

@braginini commented on GitHub (Sep 23, 2022): And if you restart NetBird and try again? The issue is reproducible?

saavagebueno commented 2025-11-20 05:07:42 -05:00

Author

Owner

Copy Link

@ykorzikowski commented on GitHub (Sep 24, 2022):

Yep, I restarted netbird.

I tried on a different machine as client with a different user. The version of keycloak i use is 17.0.2. It looks like, the callback from keycloak back to netbird is not triggered (but I do not know the exact way how the login procedure works). The CLI is endless waiting for the auth. If you re-open the link, keycloak complains that device key is already used (like above described).

THis keys get created on the attempt:

One thing I notice: I logged in with two users, but the cant see each other in users view:

User A:

User B:

keycloak log of auth:

2022-09-24 07:49:53,610 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (executor-thread-20) PrivacyIDEA Client: Replacing privacyIDEA instance for realm master
2022-09-24 07:49:53,613 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-1) PrivacyIDEA Client: POST /auth
2022-09-24 07:49:53,613 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-1) PrivacyIDEA Client: username=keycloak_service_account
2022-09-24 07:49:53,613 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-1) PrivacyIDEA Client: password=************************************
2022-09-24 07:49:53,614 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-1) PrivacyIDEA Client: realm=***.com.admin
2022-09-24 07:49:53,806 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-1) PrivacyIDEA Client: POST /validate/triggerchallenge
2022-09-24 07:49:53,807 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-1) PrivacyIDEA Client: user=yko_adm_user
2022-09-24 07:49:53,807 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-1) PrivacyIDEA Client: realm=***.com.admin
2022-09-24 07:49:54,204 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (OkHttp https://2fa.***.com/...) PrivacyIDEA Client: /validate/triggerchallenge:
{
  "detail": {
    "attributes": {
      "hideResponseInput": true
    },
    "client_mode": "poll",
    "message": "Bitte geben Sie einen OTP-Wert ein: , Please confirm the authentication on your mobile device! Use the polling feature of your privacyIDEA Authenticator App to check for a new Login request.",
    "messages": [
      "Bitte geben Sie einen OTP-Wert ein: ",
      "Please confirm the authentication on your mobile device! Use the polling feature of your privacyIDEA Authenticator App to check for a new Login request."
    ],
    "multi_challenge": [
      {
        "client_mode": "interactive",
        "message": "Bitte geben Sie einen OTP-Wert ein: ",
        "serial": "***",
        "transaction_id": "00942768684158838260",
        "type": "totp"
      },
      {
        "attributes": {
          "hideResponseInput": true
        },
        "client_mode": "poll",
        "message": "Please confirm the authentication on your mobile device! Use the polling feature of your privacyIDEA Authenticator App to check for a new Login request.",
        "serial": "***",
        "transaction_id": "00942768684158838260",
        "type": "push"
      }
    ],
    "serial": "***",
    "threadid": 140429160433472,
    "transaction_id": "00942768684158838260",
    "transaction_ids": [
      "00942768684158838260",
      "00942768684158838260"
    ],
    "type": "push"
  },
  "id": 2,
  "jsonrpc": "2.0",
  "result": {
    "authentication": "ACCEPT",
    "status": true,
    "value": 2
  },
  "time": 1664005794.1786666,
  "version": "privacyIDEA 3.7.3",
  "versionnumber": "3.7.3",
  "signature": "rsa_sha256_pss:7c00edba56691d004d26457616143077ad56d7607f07c3da40f95bceb2d57018f741786f90ab8eb4fbe9b476e27299b96e256baac0a4ef9489b91f5ad8a57245a365a10a219f50132dbd5e859a0d5ba5f136690e789102e12639b48fa0e8039af0224792a106643e85b9e65409a46069813edf0e713c7fc186cca092e02186a09e161f8f01c7bb70fc7808f17353b9e5fedd494c640a6e3f917474c6f215ae97f1deb9734375f74bc9677de819dda887fb8b49495872b26472f7fd243acc14215626bcc93c0a177d418910ddc1940181c2b7680c6cd928913dc9224b4a6115ce475cb2705e0c00def1d72afa79fc9eb504d8449cb2758dd554c95c67bcfc96ce"
}
2022-09-24 07:49:58,331 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-2) PrivacyIDEA Client: GET /validate/polltransaction
2022-09-24 07:49:58,331 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-2) PrivacyIDEA Client: transaction_id=00942768684158838260
2022-09-24 07:50:00,500 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-3) PrivacyIDEA Client: GET /validate/polltransaction
2022-09-24 07:50:00,500 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-3) PrivacyIDEA Client: transaction_id=00942768684158838260
2022-09-24 07:50:02,667 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-4) PrivacyIDEA Client: GET /validate/polltransaction
2022-09-24 07:50:02,668 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-4) PrivacyIDEA Client: transaction_id=00942768684158838260
2022-09-24 07:50:04,824 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-5) PrivacyIDEA Client: GET /validate/polltransaction
2022-09-24 07:50:04,824 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-5) PrivacyIDEA Client: transaction_id=00942768684158838260
2022-09-24 07:50:04,884 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-6) PrivacyIDEA Client: POST /validate/check
2022-09-24 07:50:04,884 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-6) PrivacyIDEA Client: user=yko_adm_user
2022-09-24 07:50:04,885 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-6) PrivacyIDEA Client: pass=
2022-09-24 07:50:04,885 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-6) PrivacyIDEA Client: transaction_id=00942768684158838260
2022-09-24 07:50:04,885 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-6) PrivacyIDEA Client: realm=***.com.admin
2022-09-24 07:50:04,987 INFO  [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (OkHttp https://2fa.***.com/...) PrivacyIDEA Client: /validate/check:
{
  "detail": {
    "message": "Found matching challenge",
    "serial": "***",
    "threadid": 140429160433472
  },
  "id": 2,
  "jsonrpc": "2.0",
  "result": {
    "authentication": "ACCEPT",
    "status": true,
    "value": true
  },
  "time": 1664005804.9552202,
  "version": "privacyIDEA 3.7.3",
  "versionnumber": "3.7.3",
  "signature": "rsa_sha256_pss:aeb77fe5037c16d9322dc6f9727c071ee65e2381f06e57fefdf2e7dae4730933f987ca70fa9bd66efc0d0c508945e41ce6095130abdb012a5a979d22f04f86eb115e00dd3eba2292afd7d7611282c5bedea94398c56d96e9e78053a8c05b264e1318f6c8bef3f004fb5af5b6d8bbdb65d44c8630374fd717a49aba43efa14d35f75e4190f5e38e4aaefda126f7c14a941153e5d5d84c1d4007ccbecb9295ff30c5b8c2f1bd2493041300b21dbf388918e370b30c012cb90e1863d312674d4d03324609390151941274ecebd9975f70ccf6aa99a9b32cc03ce58d696f900a2394d43d88223e9a1f372860bcb1c586e7e08b50e8bd9c918b6fc4578a20eb376cd1"
}
2022-09-24 07:54:51,235 WARN  [org.keycloak.services] (executor-thread-20) KC-SERVICES0091: Request is missing scope 'openid' so it's not treated as OIDC, but just pure OAuth2 request.

@ykorzikowski commented on GitHub (Sep 24, 2022): Yep, I restarted netbird. I tried on a different machine as client with a different user. The version of keycloak i use is 17.0.2. It looks like, the callback from keycloak back to netbird is not triggered (but I do not know the exact way how the login procedure works). The CLI is endless waiting for the auth. If you re-open the link, keycloak complains that device key is already used (like above described). THis keys get created on the attempt:  One thing I notice: I logged in with two users, but the cant see each other in users view: User A:  User B:  keycloak log of auth: ``` 2022-09-24 07:49:53,610 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (executor-thread-20) PrivacyIDEA Client: Replacing privacyIDEA instance for realm master 2022-09-24 07:49:53,613 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-1) PrivacyIDEA Client: POST /auth 2022-09-24 07:49:53,613 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-1) PrivacyIDEA Client: username=keycloak_service_account 2022-09-24 07:49:53,613 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-1) PrivacyIDEA Client: password=************************************ 2022-09-24 07:49:53,614 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-1) PrivacyIDEA Client: realm=***.com.admin 2022-09-24 07:49:53,806 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-1) PrivacyIDEA Client: POST /validate/triggerchallenge 2022-09-24 07:49:53,807 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-1) PrivacyIDEA Client: user=yko_adm_user 2022-09-24 07:49:53,807 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-1) PrivacyIDEA Client: realm=***.com.admin 2022-09-24 07:49:54,204 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (OkHttp https://2fa.***.com/...) PrivacyIDEA Client: /validate/triggerchallenge: { "detail": { "attributes": { "hideResponseInput": true }, "client_mode": "poll", "message": "Bitte geben Sie einen OTP-Wert ein: , Please confirm the authentication on your mobile device! Use the polling feature of your privacyIDEA Authenticator App to check for a new Login request.", "messages": [ "Bitte geben Sie einen OTP-Wert ein: ", "Please confirm the authentication on your mobile device! Use the polling feature of your privacyIDEA Authenticator App to check for a new Login request." ], "multi_challenge": [ { "client_mode": "interactive", "message": "Bitte geben Sie einen OTP-Wert ein: ", "serial": "***", "transaction_id": "00942768684158838260", "type": "totp" }, { "attributes": { "hideResponseInput": true }, "client_mode": "poll", "message": "Please confirm the authentication on your mobile device! Use the polling feature of your privacyIDEA Authenticator App to check for a new Login request.", "serial": "***", "transaction_id": "00942768684158838260", "type": "push" } ], "serial": "***", "threadid": 140429160433472, "transaction_id": "00942768684158838260", "transaction_ids": [ "00942768684158838260", "00942768684158838260" ], "type": "push" }, "id": 2, "jsonrpc": "2.0", "result": { "authentication": "ACCEPT", "status": true, "value": 2 }, "time": 1664005794.1786666, "version": "privacyIDEA 3.7.3", "versionnumber": "3.7.3", "signature": "rsa_sha256_pss:7c00edba56691d004d26457616143077ad56d7607f07c3da40f95bceb2d57018f741786f90ab8eb4fbe9b476e27299b96e256baac0a4ef9489b91f5ad8a57245a365a10a219f50132dbd5e859a0d5ba5f136690e789102e12639b48fa0e8039af0224792a106643e85b9e65409a46069813edf0e713c7fc186cca092e02186a09e161f8f01c7bb70fc7808f17353b9e5fedd494c640a6e3f917474c6f215ae97f1deb9734375f74bc9677de819dda887fb8b49495872b26472f7fd243acc14215626bcc93c0a177d418910ddc1940181c2b7680c6cd928913dc9224b4a6115ce475cb2705e0c00def1d72afa79fc9eb504d8449cb2758dd554c95c67bcfc96ce" } 2022-09-24 07:49:58,331 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-2) PrivacyIDEA Client: GET /validate/polltransaction 2022-09-24 07:49:58,331 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-2) PrivacyIDEA Client: transaction_id=00942768684158838260 2022-09-24 07:50:00,500 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-3) PrivacyIDEA Client: GET /validate/polltransaction 2022-09-24 07:50:00,500 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-3) PrivacyIDEA Client: transaction_id=00942768684158838260 2022-09-24 07:50:02,667 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-4) PrivacyIDEA Client: GET /validate/polltransaction 2022-09-24 07:50:02,668 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-4) PrivacyIDEA Client: transaction_id=00942768684158838260 2022-09-24 07:50:04,824 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-5) PrivacyIDEA Client: GET /validate/polltransaction 2022-09-24 07:50:04,824 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-5) PrivacyIDEA Client: transaction_id=00942768684158838260 2022-09-24 07:50:04,884 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-6) PrivacyIDEA Client: POST /validate/check 2022-09-24 07:50:04,884 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-6) PrivacyIDEA Client: user=yko_adm_user 2022-09-24 07:50:04,885 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-6) PrivacyIDEA Client: pass= 2022-09-24 07:50:04,885 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-6) PrivacyIDEA Client: transaction_id=00942768684158838260 2022-09-24 07:50:04,885 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-6) PrivacyIDEA Client: realm=***.com.admin 2022-09-24 07:50:04,987 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (OkHttp https://2fa.***.com/...) PrivacyIDEA Client: /validate/check: { "detail": { "message": "Found matching challenge", "serial": "***", "threadid": 140429160433472 }, "id": 2, "jsonrpc": "2.0", "result": { "authentication": "ACCEPT", "status": true, "value": true }, "time": 1664005804.9552202, "version": "privacyIDEA 3.7.3", "versionnumber": "3.7.3", "signature": "rsa_sha256_pss:aeb77fe5037c16d9322dc6f9727c071ee65e2381f06e57fefdf2e7dae4730933f987ca70fa9bd66efc0d0c508945e41ce6095130abdb012a5a979d22f04f86eb115e00dd3eba2292afd7d7611282c5bedea94398c56d96e9e78053a8c05b264e1318f6c8bef3f004fb5af5b6d8bbdb65d44c8630374fd717a49aba43efa14d35f75e4190f5e38e4aaefda126f7c14a941153e5d5d84c1d4007ccbecb9295ff30c5b8c2f1bd2493041300b21dbf388918e370b30c012cb90e1863d312674d4d03324609390151941274ecebd9975f70ccf6aa99a9b32cc03ce58d696f900a2394d43d88223e9a1f372860bcb1c586e7e08b50e8bd9c918b6fc4578a20eb376cd1" } 2022-09-24 07:54:51,235 WARN [org.keycloak.services] (executor-thread-20) KC-SERVICES0091: Request is missing scope 'openid' so it's not treated as OIDC, but just pure OAuth2 request. ```

saavagebueno commented 2025-11-20 05:07:42 -05:00

Author

Owner

Copy Link

@braginini commented on GitHub (Sep 28, 2022):

I guess that this is unrelated to the device auth issue:

One thing I notice: I logged in with two users, but the cant see each other in users view:
But it is related to this. You probably skipped it in the Keycloak guide.

https://netbird.io/docs/integrations/identity-providers/self-hosted/using-netbird-with-keycloak#step-8-ensure-that-all-users-will-join-the-same-netbird-network-optional

@braginini commented on GitHub (Sep 28, 2022): I guess that this is unrelated to the device auth issue: > One thing I notice: I logged in with two users, but the cant see each other in users view: But it is related to this. You probably skipped it in the Keycloak guide. https://netbird.io/docs/integrations/identity-providers/self-hosted/using-netbird-with-keycloak#step-8-ensure-that-all-users-will-join-the-same-netbird-network-optional

saavagebueno commented 2025-11-20 05:07:42 -05:00

Author

Owner

Copy Link

@braginini commented on GitHub (Sep 28, 2022):

Overall, I suggest that you go through the setup as per the guideline completing all the steps:

https://netbird.io/docs/integrations/identity-providers/self-hosted/using-netbird-with-keycloak

@braginini commented on GitHub (Sep 28, 2022): Overall, I suggest that you go through the setup as per the guideline completing all the steps: https://netbird.io/docs/integrations/identity-providers/self-hosted/using-netbird-with-keycloak

saavagebueno commented 2025-11-20 05:07:42 -05:00

Author

Owner

Copy Link

@pnowy commented on GitHub (Nov 15, 2022):

@ykorzikowski @braginini I've spent some time recently with setup the self-hosted NetBird based on Keycloak and in general everything works fine (GCP based) - just needed to struggle a little bit.

I'm waiting to be able to setup DNS (https://github.com/netbirdio/netbird/issues/373) maybe then I will put some instruction how to configure it in GCP env specific if it will useful for other people and project itself.

@braginini I think Keycloak addition to docker-compose version should be quite easy as it possible to import realm out-of-the-box so maybe we should add as a part of NetBird the specific docker-compose which configure NetBird + Keycloak in one shot.

During the installation I noticed that command for management component command: ["--port", "443", "--log-file", "console", "--disable-anonymous-metrics=true", "--single-account-mode-domain=mynetbird.com"] should be updated - otherwise (at least in my case) the separated client were added to different account/tenant if empty. I think this part wasn't exactly described in the docs and configure script doesn't update it in the fly.

@braginini I have also 2 questions:

• do you know whether is it required to expose dashboard endpoint to public or will be enough to expose only management endpoint (33073) + udp ports (looking a ways to increase security)
• do you have any suggestions/documentation about HA setup related to server?

Thanks!

@pnowy commented on GitHub (Nov 15, 2022): @ykorzikowski @braginini I've spent some time recently with setup the self-hosted NetBird based on Keycloak and in general everything works fine (GCP based) - just needed to struggle a little bit. I'm waiting to be able to setup DNS (https://github.com/netbirdio/netbird/issues/373) maybe then I will put some instruction how to configure it in GCP env specific if it will useful for other people and project itself. @braginini I think Keycloak addition to `docker-compose` version should be quite easy as it possible to import realm out-of-the-box so maybe we should add as a part of NetBird the specific docker-compose which configure NetBird + Keycloak in one shot. During the installation I noticed that command for management component `command: ["--port", "443", "--log-file", "console", "--disable-anonymous-metrics=true", "--single-account-mode-domain=mynetbird.com"]` should be updated - otherwise (at least in my case) the separated client were added to different account/tenant if empty. I think this part wasn't exactly described in the docs and configure script doesn't update it in the fly. @braginini I have also 2 questions: - do you know whether is it required to expose dashboard endpoint to public or will be enough to expose only management endpoint (33073) + udp ports (looking a ways to increase security) - do you have any suggestions/documentation about HA setup related to server? Thanks!

saavagebueno commented 2025-11-20 05:07:43 -05:00

Author

Owner

Copy Link

@pnowy commented on GitHub (Nov 15, 2022):

Ok - I checked and it seems that UI (dashboard) don't have to be exposed with Keycloak - the realm is enough to authenticate the user/machine.

@pnowy commented on GitHub (Nov 15, 2022): Ok - I checked and it seems that UI (dashboard) don't have to be exposed with Keycloak - the realm is enough to authenticate the user/machine.

saavagebueno commented 2025-11-20 05:07:43 -05:00

Author

Owner

Copy Link

@braginini commented on GitHub (Nov 15, 2022):

Hey @pnowy
We thought of adding Authentik to docker-compose. But Keycloak should be a good option as well.
The alternative was to embed a very simple IdP implemented with Zitadel.

It is not required exposing the dashboard, but you will need to manage the SSL certificates on your own because Letsencrypt validates certs dynamically.

As for the HA availability. No advice in particular, but we planned that for Q1'23. We just refactored the storage interface to be able to embed HA storages.

@braginini commented on GitHub (Nov 15, 2022): Hey @pnowy We thought of adding Authentik to docker-compose. But Keycloak should be a good option as well. The alternative was to embed a very simple IdP implemented with Zitadel. It is not required exposing the dashboard, but you will need to manage the SSL certificates on your own because Letsencrypt validates certs dynamically. As for the HA availability. No advice in particular, but we planned that for Q1'23. We just refactored the storage interface to be able to embed HA storages.

saavagebueno commented 2025-11-20 05:07:43 -05:00

Author

Owner

Copy Link

@ykorzikowski commented on GitHub (Apr 28, 2023):

After updating everything to the most recent 0.17.0 I re-tried the device authorization with my keycloak instance. In the meantime I also updated keycloak to 22.0.1.

I get the "Device Login Successful" like in the Expected Result section, but the terminal is still waiting for the response (so there is never a connection being established).

I recreate the netbird-client in keycloak and checked my configuration but I am not able to find the issue.

keycloak.log (after first successfull message, I can't retry it with same device code. Otherwise I get the following error)

2023-04-28 22:11:38,067 WARN  [org.keycloak.events] (executor-thread-30) type=OAUTH2_DEVICE_VERIFY_USER_CODE_ERROR, realmId=master, clientId=null, userId=null, ipAddress=80.141.**.**, error=invalid_oauth2_user_code, reason='device code not found (it may already have been used)'

/var/log/netbird/client.log

2023-04-29T00:12:11+02:00 WARN client/server/server.go:119: failed login: rpc error: code = InvalidArgument desc = invalid setup-key or no sso information provided, err: invalid UUID length: 0

management.json

{
    "Stuns": [
        {
            "Proto": "udp",
            "URI": "stun:netbird.***.com:3478",
            "Username": "",
            "Password": null
        }
    ],
    "TURNConfig": {
        "Turns": [
            {
                "Proto": "udp",
                "URI": "turn:netbird.***.com:3478",
                "Username": "self",
                "Password": "***"
            }
        ],
        "CredentialsTTL": "12h",
        "Secret": "secret",
        "TimeBasedCredentials": false
    },
    "Signal": {
        "Proto": "https",
        "URI": "netbird.***.com:10000",
        "Username": "",
        "Password": null
    },
    "Datadir": "",
    "HttpConfig": {
        "Address": "0.0.0.0:80",
        "AuthIssuer": "https://sso.***.com/realms/master",
        "AuthAudience": "netbird-client",
        "AuthKeysLocation": "https://sso.***.com/realms/master/protocol/openid-connect/certs",
        "disabled_CertFile":"/etc/letsencrypt/live/netbird.***.com/fullchain.pem",
        "disabled_CertKey":"/etc/letsencrypt/live/netbird.***.com/privkey.pem",
        "OIDCConfigEndpoint":"https://sso.***.com/realms/master/.well-known/openid-configuration"
    },
    "IdpManagerConfig": {
      "ManagerType":  "keycloak",
      "KeycloakClientCredentials": {
        "ClientID": "netbird-backend",
        "ClientSecret": "***",
        "GrantType": "client_credentials",
        "TokenEndpoint": "https://sso.***.com/realms/master/protocol/openid-connect/token",
        "AdminEndpoint": "https://sso.***.com/admin/realms/master"
      }
    },
    "DeviceAuthorizationFlow": {
        "Provider": "hosted",
        "ProviderConfig": {
          "Audience": "netbird-client",
          "Domain": "",
          "ClientID": "netbird-client",
          "TokenEndpoint": "https://sso.***.com/realms/master/protocol/openid-connect/token",
          "DeviceAuthEndpoint": "https://sso.***.com/realms/master/protocol/openid-connect/auth/device",
          "Scope": "openid",
          "UseIDToken": false
         }
    }
}

@ykorzikowski commented on GitHub (Apr 28, 2023): After updating everything to the most recent 0.17.0 I re-tried the device authorization with my keycloak instance. In the meantime I also updated keycloak to 22.0.1. I get the "Device Login Successful" like in the Expected Result section, but the terminal is still waiting for the response (so there is never a connection being established). I recreate the netbird-client in keycloak and checked my configuration but I am not able to find the issue. keycloak.log (after first successfull message, I can't retry it with same device code. Otherwise I get the following error) ``` 2023-04-28 22:11:38,067 WARN [org.keycloak.events] (executor-thread-30) type=OAUTH2_DEVICE_VERIFY_USER_CODE_ERROR, realmId=master, clientId=null, userId=null, ipAddress=80.141.**.**, error=invalid_oauth2_user_code, reason='device code not found (it may already have been used)' ``` /var/log/netbird/client.log ``` 2023-04-29T00:12:11+02:00 WARN client/server/server.go:119: failed login: rpc error: code = InvalidArgument desc = invalid setup-key or no sso information provided, err: invalid UUID length: 0 ``` management.json ``` { "Stuns": [ { "Proto": "udp", "URI": "stun:netbird.***.com:3478", "Username": "", "Password": null } ], "TURNConfig": { "Turns": [ { "Proto": "udp", "URI": "turn:netbird.***.com:3478", "Username": "self", "Password": "***" } ], "CredentialsTTL": "12h", "Secret": "secret", "TimeBasedCredentials": false }, "Signal": { "Proto": "https", "URI": "netbird.***.com:10000", "Username": "", "Password": null }, "Datadir": "", "HttpConfig": { "Address": "0.0.0.0:80", "AuthIssuer": "https://sso.***.com/realms/master", "AuthAudience": "netbird-client", "AuthKeysLocation": "https://sso.***.com/realms/master/protocol/openid-connect/certs", "disabled_CertFile":"/etc/letsencrypt/live/netbird.***.com/fullchain.pem", "disabled_CertKey":"/etc/letsencrypt/live/netbird.***.com/privkey.pem", "OIDCConfigEndpoint":"https://sso.***.com/realms/master/.well-known/openid-configuration" }, "IdpManagerConfig": { "ManagerType": "keycloak", "KeycloakClientCredentials": { "ClientID": "netbird-backend", "ClientSecret": "***", "GrantType": "client_credentials", "TokenEndpoint": "https://sso.***.com/realms/master/protocol/openid-connect/token", "AdminEndpoint": "https://sso.***.com/admin/realms/master" } }, "DeviceAuthorizationFlow": { "Provider": "hosted", "ProviderConfig": { "Audience": "netbird-client", "Domain": "", "ClientID": "netbird-client", "TokenEndpoint": "https://sso.***.com/realms/master/protocol/openid-connect/token", "DeviceAuthEndpoint": "https://sso.***.com/realms/master/protocol/openid-connect/auth/device", "Scope": "openid", "UseIDToken": false } } } ```

saavagebueno commented 2025-11-20 05:07:43 -05:00

Author

Owner

Copy Link

@nazarewk commented on GitHub (Apr 17, 2025):

@ykorzikowski could you confirm whether this is still an issue for you using recent NetBird versions?

@nazarewk commented on GitHub (Apr 17, 2025): @ykorzikowski could you confirm whether this is still an issue for you using recent NetBird versions?

saavagebueno commented 2025-11-20 05:07:43 -05:00

Author

Owner

Copy Link

@ykorzikowski commented on GitHub (Apr 17, 2025):

I think it was fixed by using PKCEAuthorizationFlow instead of DeviceAuthorizationFlow. So its not a problem anymore :)

    "DeviceAuthorizationFlow": {
        "Provider": "none",
        "ProviderConfig": {
            "ClientID": "",
            "ClientSecret": "",
            "Domain": "",
            "Audience": "",
            "TokenEndpoint": "",
            "DeviceAuthEndpoint": "",
            "AuthorizationEndpoint": "",
            "Scope": "",
            "UseIDToken": false,
            "RedirectURLs": null
        }
    },
    "PKCEAuthorizationFlow": {
        "ProviderConfig": {
            "ClientID": "netbird-client",
            "ClientSecret": "",
            "Domain": "",
            "Audience": "netbird-client",
            "TokenEndpoint": "https://sso.XXX.XXX/realms/master/protocol/openid-connect/token",
            "DeviceAuthEndpoint": "",
            "AuthorizationEndpoint": "https://sso.XXX.XXX/realms/master/protocol/openid-connect/auth",
            "Scope": "openid profile email offline_access api",
            "UseIDToken": false,
            "RedirectURLs": [
                "http://localhost:53000"
            ]
        }
    },

@ykorzikowski commented on GitHub (Apr 17, 2025): I think it was fixed by using PKCEAuthorizationFlow instead of DeviceAuthorizationFlow. So its not a problem anymore :) ``` "DeviceAuthorizationFlow": { "Provider": "none", "ProviderConfig": { "ClientID": "", "ClientSecret": "", "Domain": "", "Audience": "", "TokenEndpoint": "", "DeviceAuthEndpoint": "", "AuthorizationEndpoint": "", "Scope": "", "UseIDToken": false, "RedirectURLs": null } }, "PKCEAuthorizationFlow": { "ProviderConfig": { "ClientID": "netbird-client", "ClientSecret": "", "Domain": "", "Audience": "netbird-client", "TokenEndpoint": "https://sso.XXX.XXX/realms/master/protocol/openid-connect/token", "DeviceAuthEndpoint": "", "AuthorizationEndpoint": "https://sso.XXX.XXX/realms/master/protocol/openid-connect/auth", "Scope": "openid profile email offline_access api", "UseIDToken": false, "RedirectURLs": [ "http://localhost:53000" ] } }, ```

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dependabot/go_modules/aws-sdk-e0d7f0be02

dependabot/github_actions/actions-1b76ec1a46

dependabot/go_modules/pion-04391f0276

dependabot/go_modules/otel-e34c790afd

dependabot/go_modules/testcontainers-9a9ed843ba

dependabot/go_modules/gorm-2271c8195b

dependabot/go_modules/wireguard-dbd6b95108

feature/affected-peers

mdm_integration

ui-refactor

ui-refactor-gtk3

fix/preserve-posture-checks-on-config-update

update-go-mod-toolchain

wasm-websocket-dial

feature/affected-peers-grpc

profile-id-name

remove-deprecated-remote-peers

profile-id

lazyconn-first-packet-fix-v2

claude/focused-gates-VMTgb

feature/immediate-handshake-on-endpoint-change

refactor/mgmt-bootstrap

peer-acl-multi-source

relay-transport-observability

dependabot/go_modules/github.com/quic-go/quic-go-0.59.1

fix/ios-login-expiry-blackhole

fix/ios-debug-bundle

fix/exit-node-v6-deselect-propagation

ui-tray-linux-leftclick

dependabot/go_modules/github.com/rs/cors-1.11.1

dependabot/go_modules/github.com/ebitengine/purego-0.10.1

dependabot/go_modules/github.com/c-robinson/iplib-1.0.8

dependabot/go_modules/github.com/redis/go-redis/v9-9.20.0

dependabot/go_modules/github.com/cilium/ebpf-0.21.0

dependabot/go_modules/github.com/coreos/go-iptables-0.8.0

dependabot/go_modules/golang.org/x/mod-0.36.0

dependabot/go_modules/github.com/spf13/pflag-1.0.10

dependabot/go_modules/github.com/fsnotify/fsnotify-1.10.1

fix/ctx-enrichment

nmap/components-impl

daemon-owner

dependabot/go_modules/github.com/crowdsecurity/crowdsec-1.7.8

client-json-socket

feature/android-client-ssh

feature/ios-ssh

embedded-vnc

worktree-accept-ra-forwarding

nmap/combined-deploy

task/align_protobuff_toolset

feature/session-extend

add-json-yaml-flags

refactor/ephemeral-cleanup

claude/webtransport-relay-wasm-mUjY9

claude/vnc-udp-feasibility-6KB1U

fix-ssh-authorized-users-multi-rule

windows-dns-firewall

fix/wgport-config

drop-candidateviaroutes-filter

e2e-windows-dns-combined

dependabot/go_modules/github.com/Azure/go-ntlmssp-0.1.1

debug-logs

dependabot/go_modules/github.com/jackc/pgx/v5-5.9.2

fix/login-cmd-root-flags

feat/reseller-openapi-spec

github-issue-resolver

add-steamos-support

fix-darwin-uninstaller

flutter-test

dependabot/npm_and_yarn/proxy/web/postcss-8.5.12

ci/freebsd-pkg-bootstrap

cached-serial-check-on-sync

fix-mgmt-cache-bypass-overlay

revert-easyjson-5938

revert-ice-5820

revert-firewalld-5928

refactor/permissions-manager

revert-dns-5935-systemd-resolved

revert-dns-5935-5945

revert-dns-5945-mgmt-cache

feature/log-most-busy-peers

prototype/ui-wails

coderabbitai/utg/8ae8f20

feature/use-peer-fqdn-on-https

dependabot/go_modules/golang.org/x/image-0.38.0

feature/metrics-push-management-control

release/0.68.3

dependabot/go_modules/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream-1.7.8

dependabot/go_modules/github.com/aws/aws-sdk-go-v2/service/s3-1.97.3

add-slack-channel

claude/rdp-token-passthrough-eNcqW

transparent-proxy

fix/macos-stale-route-eexist

crowdsec-selfhosted

fix/remove-otel-units

entire/checkpoints/v1

dependabot/go_modules/github.com/go-jose/go-jose/v4-4.1.4

fix/getting-started

feat/static-connectors-combined-server

feature/use-local-keys-embedded

feature/fleetdm

set-env-only-if-not-fork

feature/expose-has-channel

fix/connection-status-race

fix/filter-cgnat-cni-ice-candidates

feature/check-cert-locker-before-acme

test/proxy-fixes

test/proxy-mtu

prototype/ui-tauri

test/proxy-speed

fix-reused-ports

feat/migrate-to-embedded-idp

feature/add-serial-to-proxy-merged

deploy/proxy-serial

test/connection

feature/disable-legacy-port

feature/flag-to-disable-legacy-port

test/perftest

dependabot/go_modules/github.com/pion/dtls/v3-3.0.11

fix/http-redirect

poc-token-command

dn-reverse-proxy

prototype/reverse-proxy-rename

prototype/reverse-proxy-logs-pagination

feature/client-metrics

prototype/reverse-proxy-clusters

debug-dns-route

fix/win-dns-batch

add-extra-route-logs

job-stream-notify-disconnection-eof

deploy/secrets-manager

trigger-proxy-update

bug/update-ios-client-code-build-tags

sync-client-netmap-serial

log/conn-disconn

nmap/compaction-deploy

ci-win-test

feature/disk-encryption-check

wasm-debug

swap-dns-prio

fix/dex-config

feature/migrate-auto-groups-to-table

dependabot/go_modules/github.com/quic-go/quic-go-0.57.0

nmap/compaction

dex-nocgo-stub

feature/exclude-terraform-from-rate-limiting

test-freebsd

retries-refactor

coderabbitai/docstrings/b7e98ac

feat/integrate-zitadel

bug/ios-hanging-reconection

zitadel-idp

feat/network-map-serial

refactor/get-account-no-users

feat/auto-upgrade

feature/report-high-pat-id

feature/temporary-access-for-resource

fix/nmap-fwrules

dont-restart-dns

prototype/ui

update-gomobile

go-dns-for-ice

wasm-ldflags

test-ldflags

wasmbuild-test

feature/networks-s2s

vk/compare-nmaps

dbg/bothmaps

feature/changeset

reorder-dns-shutdown

fix/relay-reconnection-race

fix/nmap-exitnodes

vk/debug/nmap-both

move-licensed-code

feat/better-daemon-connection-lost-message

feat/auto-update-2

test/timings

refactor/getaccount-raw

tests/nmap-getaccount

refactor/nmap

refactor/nmap-limit-buffer

feature/detect-mac-wakeup

feature/extract-modules

quick-setings

feat/sync-limiter

feature/store-cache-impl

fix-install-version

feature/store-metrics

feature/metrics-on-store

feature/use-gorm-cache

loadtest-signal

unsymmetrical-squash

refactor/reducate-signaling

test/update-reduce

feature/store-cache

feature/remote-debug

cli-ws-proxy-backend-addr

feat/mgmt-map-serial

snyk-fix-d9d0081a4c7f9137bdb59d0d50a141a2

snyk-fix-7415cea5a11acd66753540ca2c598c63

job-yml-update

feature/android-allow-selecting-routes

fix/up-sequence

fix/dns-hash-update

snyk-fix-967adae9863f17f108ce8948d9117b8d

log/getaccount-by-peer

signal-suppressor

dns-exit-node

feature/auto-updates

feature/cache-srv-key

merged-fixes

fix/missed-offers-and-debug

debug-and-fixes

poc-wasm-clean-backend-s2s

test/remote-debug

debug-api

dependabot/go_modules/github.com/docker/docker-28.0.0incompatible

fix/remove-gpo-if-empty

fix/test-freebsd

fix/mysql-setup

fix/remove-logout-btn

handle-existing-domain-user

chore/unify-domain-validation

snyk-fix-c5fafc8a50ce1f29046e25a1fc346185

feat/profile-edit-btn

snyk-fix-a54966211e18d4cf67e5a2757cc006d1

log-short-id

feat/logout-ephemeral

log-checks

batch-wg-ops

nb-interface-default

feat/aws-integration

add/race-test

feature/relay-feature-versioning

fix/systemd-service-logs

poc/preprocessed-map

add-account-onboarding

bind-ipv6

fix/merge-main

logs/peerlogs-addpeer

feature/net-297-network-migration

feature/support-skip-auto-apply-exit-node-routes

set-cmd

set-command-with-cursor

feature/limit-update-channel

stop-using-locking-share

feature/poc-lazy-detection

feature/net-248-removal-of-sync-mutex-locks

test/multiple-peer-logging

preresolve

add-ns-punnycode-support

apply-routes-early

windows-search-domains

fix/connecting-route-filter

feature/management/rest-client/impersonate

debug-local-records

resource-fields-snake-case

test/grpc-rate-limit

traffic-correlation-policy

feature/rest-client-options

feat/events-metrics

feature/buf-cli

test/add-ratelimiter

test/remove-write-lock-on-add-peer

fix/add-peer-semaphore

feature/users-roles-endpoint

mlsmaycon-patch-1

debug-user-role

chore/primary-key-on-networks

feature/update-account-peers-buffer-startup

remove-ubuntu2004-runners

refactor/permissions-no-pat-allowed

ref/logrus-factory

use-conntrack-zone

deploy/permissions-account

feature/lazy-connection-idle

ref/improve-test-cov

restore-pr-3440

test/increase-grpc-timeouts

feat/buffer-account-peers-update

test/networkmapgeneration-changes

feature/base-manager

feature/flow-receiver

chore/benchmark-with-large-runner

refactor/handshake-initiator

client/ui-update-systray-icons

userspace-router

wgwatcher-test

output-if-key-already-exists

fix/relay-reconnection

feature/port-forwarding-client-codecleaning

detached2

test/callbacks-nil-iceconninfo

refactor/optimize-peer-expiration

enable-udp-port-for-docker-template

fix/relay-update

feature/apply-posture-netmap

fix/group-update-existing-resource

conntrack-stats

upgrade-okta-sdk

multi-price

test/conn-stat

set-min-parallel-tests-for-management

dns-interceptor

debug-dns

router-dns

add-static-system-info

debug-0.29.4

debug-0.33.0

account-refactoring

relay/2800_quic

route-get-account-refactoring

test/seed-random-routes

feature/get-account-refactoring

test/reconnect-race-condition

refactor/get-account-usage

feature/add-session-id-to-update-channel

improve-ipv4conn

fix/async-pion-event-handling

debug

add-offload

feature/validate-group-association-debug

fix/limit-conn-for-sqlite

test/engine-iface

test/transaction-for-jwt-sync

fix/engine-stop-in-foreground

feature/add-mysql-support

test-migration

refactor/header-size-values

relay/eliminate-gob

test/signal-dispatcher-with-relay

relay/debug

validate-icon

feature/ipv6-support

use-pre-expanded-peers-map

feature/use-signal-dispatcher

validate/peer-status

add-read-write-times

fix/sync-peer-race

feature/relay-status

netmap

evaluate/network-map-hash

fix/lower-dns-resolve-interval-on-fail

feature/relay

fix/go-mod-version

upgrade-nftables

synology-userspace-mode

fix/use-ip-for-default-routes-on-darwin

fix/proxy_close

enable-release-workflow-on-pr

deploy/peer-performance

feature/permanent-turn

feature/permanent-turn-proxy

deploy/posture-check-sqlite

feature/optimize_sqlite_save

debug-ios-behavior

fix/delete-route-only-after-adding

tshoot/windows-logger

remove-new-routing

refactor/eliminate-repo-dependency

add-arm-to-ci

refactor-demo-account-object

test/abc2

test/abc

send-ssh-rosenpass-config-meta

refactor-demo

ensure-schedule-never-runs-non-positive

feature/peer-validator-groupmgm

feature/peer-validator-fix

fix/include-active-dashboard-users

fix/handle-canceling-schedule

fix/geo-download

debug-google-workspace

yury/resolve-ip-to-location

feature/extend-sysinfo

sqlite-async-peer-status

yury/add-postgresql-store

fix/route

test-build

posture-checks-poc

debug-keycloak-idp

poc/netstack

for-pascal-tmp

peer-logout-management

manual-peer-logout

detached

chore/refactor-management

test/dns-bind

fix/enforce-acl-for-containers

yury/use-sync-map-in-updatechannel

fix/events-key-handling

filter-cache-on-load-account

fix/user-expiration

handle-user-context-cancellation

nb-client-k8s-statefulset

fake-addr

fix/iptables_in_docker

ebpf-debug

update-getting-started-flow-use-postgres

fix/peer_list_notification

feature/device-authentication-with-client-secret

feature/keep_alive

feat-groups-from-jwt

separate_proxy_from_wgconfig

fix/wg_conn

wg_conn_fix

wg_bind_parallel_processing

fix-rollback-get-acls

proxy_cfg_cleanup

performance-improvement-rego

update-lock-log-level

feat-client-side-acl

refactor/move_grpcserver_logic_to_account_manager

feature/event-storage

feature/update-idp-redeeming-invite

feature/api-peer-info

return-groupminimum-setupkey

feature/interface-bind

documentation_enhancement

fix-peer-registration

ssh

users_cache

pass-client-caller

client_caller_type

revert-283-feat-fix-windows-installer

periodic-peer-updates

ebpf

braginini/wasm

v0.72.2

v0.72.1

v0.72.0

v0.71.4

v0.71.3

v0.71.2

v0.71.1

v0.71.0

v0.70.5

v0.70.4

v0.70.3

v0.70.2

v0.70.1

v0.70.0

v0.69.0

v0.68.3

v0.68.2

v0.68.1

v0.68.0

v0.67.4

v0.67.3

v0.67.2

v0.67.1

v0.67.0

v0.66.4

v0.66.3

v0.66.2

v0.66.1

v0.66.0

v0.65.3

v0.65.2

v0.65.1

v0.65.0

v0.64.6

v0.64.5

v0.64.4

v0.64.3

v0.64.2

v0.64.1

v0.64.0

v0.63.0

v0.62.3

v0.62.2

v0.62.1

v0.62.0

v0.61.2

v0.61.1

v0.61.0

v0.60.9

v0.60.8

v0.60.7

v0.60.6

v0.60.5

v0.60.4

v0.60.3

v0.60.2

v0.60.1

v0.60.0

v0.59.13

v0.59.12

v0.59.11

v0.59.10

v0.59.9

v0.59.8

v0.59.7

v0.59.6

v0.59.5

v0.59.4

v0.59.3

v0.59.2

v0.59.1

v0.59.0

v0.58.2

v0.58.1

v0.58.0

v0.57.1

v0.57.0

v0.56.1

v0.56.0

v0.55.1

v0.55.0

v0.54.2

v0.54.1

v0.54.0

v0.53.0

v0.52.2

v0.52.1

v0.52.0

v0.51.2

v0.51.1

v0.51.0

v0.50.3

v0.50.2

v0.50.1

v0.50.0

v0.49.0

v0.48.0-dev2

v0.48.0

v0.47.2

v0.47.1

v0.47.0

v0.46.0

v0.45.3

v0.45.2

v0.45.1

v0.45.0

v0.44.0

v0.43.3

v0.43.2

v0.43.1

v0.43.0

v0.42.0

v0.41.3

v0.41.2

v0.41.1

v0.41.0

v0.40.1

v0.40.0

v0.39.2

v0.39.1

v0.39.0

v0.38.2

v0.38.1

v0.38.0

v0.37.2

v0.37.1

v0.37.0

v0.36.7

v0.36.6

v0.36.5

v0.36.4

v0.36.3

v0.36.2

v0.36.1

v0.36.0

v0.35.2

v0.35.1

v0.35.0

v0.34.1

v0.34.0

v0.33.0

v0.32.0

v0.31.1

v0.31.0

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.4

v0.29.3

0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.9

v0.28.8

v0.28.7

v0.28.6

v0.28.5

v0.28.4

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.10

v0.27.9

v0.27.8

v0.27.7

v0.27.6

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27.0

v0.26.7

v0.26.6

v0.26.5

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.9

v0.25.8

v0.25.7

v0.25.6

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.4

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.9

v0.23.8

v0.23.7

v0.23.6

v0.23.5

v0.23.4

v0.23.3

v0.23.2

v0.23.1

v0.23.0

v0.22.7

v0.22.6

v0.22.5

v0.22.4

v0.22.3

v0.22.2

v0.22.1

v0.22.0

v0.21.11

v0.21.10

v0.21.9

v0.21.8

v0.21.7

v0.21.6

v0.21.5

v0.21.4

v0.21.3

v0.21.2

v0.21.1

v0.21.0

v0.20.8

v0.20.7

v0.20.6

v0.20.5

v0.20.4

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.1

v0.18.0

v0.17.0

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.6

v0.14.5

v0.14.4

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.0

v0.12.0

v0.11.6

v0.11.5

v0.11.4

v0.11.3

v0.11.2

v0.11.1

v0.11.0

v0.10.10

v0.10.9

v0.10.8

v0.10.7

v0.10.6

v0.10.5

v0.10.4

v0.10.3

v0.10.2

v0.10.1

v0.10.0

v0.9.8

v0.9.7

v0.9.6

v0.9.5

v0.9.4

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.12

v0.8.11

v0.8.10

v0.8.9

v0.8.8

v0.8.7

v0.8.6

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.11

v0.5.10

v0.5.1

v0.5.0

v0.4.0

v0.3.5

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.3

v0.2.2-beta.1

v0.2.1-beta.5

v0.2.0-beta.5

v0.2.0-beta.4

v0.2.0-beta.3

v0.2.0-beta.2

v0.2.0-beta.1

v0.1.0-beta.3

v0.1.0-beta.2

v0.1.0-beta.1

v0.1.0-rc.2

v0.1.0-rc-1

v0.0.8-hotfix-1

v0.0.8

v0.0.7

v0.0.6

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

v0.0.0

Labels

Clear labels

2021 Q4

2022 Q1

2022 Q1

accessibility

acl

agent

agent

Android

Android

api

authentik

automation

azure

battery-usage

bug

cache

client

client-ui

cloud

cloud-only

cloudflare

community

compatibility

config-idp

config-issue

connection

contribution

coturn

cross-vpn

dashboard

data-usage

distribution

dns

docker

documentation

duplicate

enhancement

enhancement

event-stream

feature-request

freebsd

getting-started

go

good first issue

gui

help wanted

home-assistant

idp

inconsistency

integration

integrations

ios

ipv6

jwt

k8s

keycloak

linux

login

macos

management-service

missing-docs

mobile

moved-internal

needs-review

netbird-ui

networking

new-platform

nginx

notification

okta

openwrt

packaging

peer-management

peer-management

peer-management

performance

postgres

posture-checks

psk

pull-request

Mirrored from GitHub Pull Request

question

refactor

relay

release

rfc

routes

security

security-related

self-hosting

server

signal

sleep-issue

ssh

ssl

status

store

synology

system-compatibility-issue

test-suite

third-party-integration

triage

triage-needed

troubleshooting

UX

waiting-feedback

windows

wontfix

zitadel

No Label bug idp waiting-feedback

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

saavagebueno

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: SVI/netbird#189