How to remove groups that are issued by JWT? #1965

Closed
opened 2025-11-20 06:10:18 -05:00 by saavagebueno · 8 comments
Owner

Originally created by @laweschan on GitHub (Jun 16, 2025).

Describe the problem

Using the v0.46.0 Docker image with the default SQLite.
When the JWT group sync feature is enabled, specific groups are created.
However, I can't remove the group, and it shows "This group is issued by JWT and cannot be deleted."

To Reproduce

Steps to reproduce the behavior:

  1. Disable "JWT group sync"
  2. Remove all peers' "assigned groups", remove the Access Control --> Policies that contain that group
  3. Remove the users that contain that group
  4. Group --> delete (grey in color), shows "This group is issued by JWT and cannot be deleted."
  5. Even after restarting all containers, no luck

Expected behavior

There should be a way to remove groups that are no longer used.

Are you using NetBird Cloud?

self-host NetBird's control plane.

NetBird version
0.46.0

Debug output

Image

saavagebueno added the bug, feature-request, management-service, idp labels 2025-11-20 06:10:18 -05:00

@washcroft commented on GitHub (Jun 17, 2025):

+1

Also, removing a single user from a JWT group has no effect: after saving the changes on a user, refresh the UI and the group is back.

What should happen if a user logs in and no longer has some JWT groups they previously had the last time they logged in? I think it should remove the groups from them, but it doesn't, and worse, you can't manually remove them from those old groups either due to the above.

@TheTrickeyOne commented on GitHub (Jun 24, 2025):

Bump. Same issue here. I am using Authentik as my IdP and all the groups from Authentik populated in NetBird. I am still learning Authentik, so I should be filtering before I send, but it's too late now as there is no way (I can find) to clean up my mess already made.

@mrlhansen commented on GitHub (Jul 3, 2025):

+1 from here as well. Not being able to delete JWT groups after disabling JWT sync is definitely not ideal.

@MichaelUray commented on GitHub (Jul 19, 2025):

Same problem here, as well as orphaned groups after renaming a group in the IdP. It only refers to the groups via the name but not with any unique group ID, or is there a setting which would do that?
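
The two behaviours raised in this thread (a user who logs in without a group they previously had, and a group renamed in the IdP) come down to reconciling stored memberships against the token's groups claim. The sketch below is an added example, not NetBird's code: the `Membership` type, the `Issued` values and the function name are hypothetical, and the sample data is constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Membership is a hypothetical record of one group on a user.
// Issued is "jwt" (synced from a token claim) or "api" (set by an admin).
type Membership struct {
	Name   string
	Issued string
}

// ReconcileJWTGroups rebuilds a user's memberships from the groups claim of
// the token just presented. Admin-assigned groups are kept; JWT-issued groups
// survive only if the claim still lists them. Matching is by name only.
func ReconcileJWTGroups(current []Membership, claim []string) (next []Membership, added, removed []string) {
	inClaim := make(map[string]bool, len(claim))
	for _, g := range claim {
		inClaim[g] = true
	}
	have := make(map[string]bool, len(current))
	for _, m := range current {
		if m.Issued == "jwt" && !inClaim[m.Name] {
			removed = append(removed, m.Name) // stale: the IdP no longer asserts it
			continue
		}
		have[m.Name] = true
		next = append(next, m)
	}
	for g := range inClaim {
		if !have[g] {
			added = append(added, g)
		}
	}
	sort.Strings(added) // map iteration order is random
	for _, g := range added {
		next = append(next, Membership{Name: g, Issued: "jwt"})
	}
	return next, added, removed
}

func main() {
	// Constructed sample: "vpn-admins" was renamed to "net-admins" in the IdP.
	current := []Membership{{"vpn-admins", "jwt"}, {"staff", "jwt"}, {"break-glass", "api"}}
	next, added, removed := ReconcileJWTGroups(current, []string{"staff", "net-admins"})
	fmt.Println(next, added, removed)
}
```

With name-only matching, the rename shows up as one removal plus one addition, so any access policy that still references the old group name stops applying to the user until it is updated.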

@BenGithub900 commented on GitHub (Aug 22, 2025):

Same issue here

@Arsolitt commented on GitHub (Sep 9, 2025):

+1

@nmapx commented on GitHub (Sep 10, 2025):

+1

@nazarewk commented on GitHub (Sep 10, 2025):

FYI: this is purely a frontend restriction that will be addressed soon in https://github.com/netbirdio/dashboard/pull/487

Reference: SVI/netbird#1965