Can't use REST API of self-hosted server - {"message":"invalid jwt","code":401} #434

Closed
opened 2025-11-20 05:11:20 -05:00 by saavagebueno · 3 comments
Originally created by @devopskupryk on GitHub (Sep 1, 2023).

**Describe the problem**
I get the same answer to every request:
`{"message":"invalid jwt","code":401}`

**To Reproduce**
Steps to reproduce the behavior:

  1. Deploy netbird with:
  • management.json:
```
{
    "Stuns": [
        {
            "Proto": "udp",
            "URI": "stun:netbird.hidden.tech:3478",
            "Username": "",
            "Password": null
        }
    ],
    "TURNConfig": {
        "Turns": [
            {
                "Proto": "udp",
                "URI": "turn:netbird.hidden.tech:3478",
                "Username": "self",
                "Password": "hidden"
            }
        ],
        "CredentialsTTL": "12h",
        "Secret": "secret",
        "TimeBasedCredentials": false
    },
    "Signal": {
        "Proto": "http",
        "URI": "netbird.hidden.tech:10000",
        "Username": "",
        "Password": null
    },
    "Datadir": "",
    "HttpConfig": {
        "Address": "0.0.0.0:33073",
        "AuthIssuer": "https://dex.hidden.tech",
        "AuthAudience": "netbird",
        "AuthKeysLocation": "https://dex.hidden.tech/keys",
        "AuthUserIDClaim": "email",
        "CertFile":"/etc/letsencrypt/live/netbird.hidden.tech/fullchain.pem",
        "CertKey":"/etc/letsencrypt/live/netbird.hidden.tech/privkey.pem",
        "OIDCConfigEndpoint":"https://dex.hidden.tech/.well-known/openid-configuration"
    },
    "IdpManagerConfig": {
        "ManagerType": "none",
        "ClientConfig": {
            "Issuer": "https://dex.hidden.tech",
            "TokenEndpoint": "https://dex.hidden.tech/token",
            "ClientID": "netbird",
            "ClientSecret": "hidden",
            "GrantType": "client_credentials"
        },
        "ExtraConfig": {}
     },
    "DeviceAuthorizationFlow": {
        "Provider": "hosted",
        "ProviderConfig": {
          "Audience": "netbird-client",
          "Domain": "",
          "ClientID": "netbird-client",
          "TokenEndpoint": "https://dex.hidden.tech/token",
          "DeviceAuthEndpoint": "https://dex.hidden.tech/device/code",
          "Scope": "openid email groups profile offline_access",
          "UseIDToken": true
         }
    }
}
```
  • docker-compose.yaml:
```
version: "3"
services:
  #UI dashboard
  dashboard:
    image: wiretrustee/dashboard:latest
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    network_mode: host
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://netbird.hidden.tech:33073
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbird.hidden.tech:33073
      # OIDC
      - AUTH_AUDIENCE=netbird
      - AUTH_CLIENT_ID=netbird
      - AUTH_CLIENT_SECRET=hidden
      - AUTH_AUTHORITY=https://dex.hidden.tech
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid email groups profile offline_access
      - AUTH_REDIRECT_URI=
      - AUTH_SILENT_REDIRECT_URI=
      - NETBIRD_TOKEN_SOURCE=idToken
      # SSL
      - NGINX_SSL_PORT=443
      # Letsencrypt
      - LETSENCRYPT_DOMAIN=netbird.hidden.tech
      - LETSENCRYPT_EMAIL=nobody@hidden.tech
    volumes:
      - netbird-letsencrypt:/etc/letsencrypt/

  # Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    volumes:
      - netbird-signal:/var/lib/netbird
    ports:
      - 10000:80

  # Management
  management:
    image: netbirdio/management:latest
    restart: unless-stopped
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - netbird-letsencrypt:/etc/letsencrypt:ro
      - ./management.json:/etc/netbird/management.json
    ports:
      - 33073:443 #API port
    command: [
      "--port", "443",
      "--log-level", "debug",
      "--log-file", "console",
      "--disable-anonymous-metrics=true",
      "--single-account-mode-domain=netbird.hidden.tech",
      "--dns-domain=vpn.hidden.tech"
      ]

  # Coturn
  coturn:
    image: coturn/coturn
    restart: unless-stopped
    domainname: netbird.hidden.tech
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf

volumes:
  netbird-mgmt:
  netbird-signal:
  netbird-letsencrypt:
```
  2. Create a service user with admin role and personal access token for it:
    ![image](https://github.com/netbirdio/netbird/assets/105593788/6401d3f2-0ff2-4369-bb53-124c53c549a7)

  3. Send a request:

```
curl -X GET https://netbird.hidden.tech:33073/api/users \
-H 'Accept: application/json' \
-H 'Authorization: Token nbp_hidden'
```
  4. Get a response:
    `{"message":"invalid jwt","code":401}`

  5. docker compose logs management:

```
infrastructure_files-management-1  | 2023-09-01T14:05:01Z DEBG management/server/file_store.go:254: acquiring global lock
infrastructure_files-management-1  | 2023-09-01T14:05:01Z DEBG management/server/file_store.go:264: took 651ns to acquire global lock
infrastructure_files-management-1  | 2023-09-01T14:05:01Z DEBG management/server/file_store.go:260: released global lock in 105.762µs
infrastructure_files-management-1  | 2023-09-01T14:05:01Z DEBG management/server/file_store.go:274: acquiring lock for account hidden
infrastructure_files-management-1  | 2023-09-01T14:05:01Z DEBG management/server/file_store.go:248: took 2 ms to persist the FileStore
infrastructure_files-management-1  | 2023-09-01T14:05:01Z DEBG management/server/file_store.go:282: released lock for account hidden in 3.638646ms
infrastructure_files-management-1  | 2023-09-01T14:05:01Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 970486762: GET /api/users status 401
infrastructure_files-management-1  | 2023-09-01T14:05:01Z DEBG management/server/telemetry/http_api_metrics.go:201: request GET /api/users took 4 ms and finished with status 401
```

**Expected behavior**
Get a JSON response with the list of users.


@pascal-fischer commented on GitHub (Sep 1, 2023):

Hi, thanks for pointing out this issue. We already found the root cause and will be creating a fix soon.


@devopskupryk commented on GitHub (Sep 11, 2023):

Hi,
I've checked the release 0.23.0.
The issue regarding access to the REST API has been solved.
Thanks.

BTW,
are you maybe going to add to the API an ability to specify the name of a resource instead of its id, and to block the ability to create resources with the same name?

For example, in your example (https://docs.netbird.io/ipa/resources/setup-keys#create-a-setup-key) the name of the group "devs" is specified in the field "auto_groups":
    ![image](https://github.com/netbirdio/netbird/assets/105593788/5f8e822f-854b-44ad-acf1-a0fd09c751ac)
but this way doesn't work - the group won't be found.

The id of the group must be specified instead of its name.
The same situation applies to other resources like rules and policies - I must specify the ids of sources and destinations instead of their names.

Also, it's possible to create more than one resource with the same name.
If I need to get the id of some resource by its name, I can't be sure that I will get the id of the resource I need.

So, the specified issues limit the ability to use an IaC approach and make it very inconvenient.


@pascal-fischer commented on GitHub (Sep 13, 2023):

That's nice to hear.

Regarding the uniqueness of names... that's something we already agreed is necessary and will be implemented. I cannot give an exact estimate of when.

About the ability to identify a resource by its name... I agree it would be helpful, but it is not possible in the API's current form. We will keep it in mind for the next version of the API. With unique names it should be possible to have a proper lookup of name to id for further use within the API.

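The name-to-id lookup discussed in the two comments above, as an added example that is not part of the thread or of NetBird's own code: it resolves a group name to its id and refuses to proceed when several groups share that name, which is exactly the case an IaC pipeline must not resolve silently. It assumes only that `GET /api/groups` returns a JSON array of objects with `id` and `name` fields; the sample payload is constructed and `fetch_groups` is a hypothetical helper that reuses the `Authorization: Token nbp_...` header from the curl call in the issue.

```python
"""Name-to-id lookup for NetBird API resources that refuses ambiguous names.
Added example, not NetBird's own code. Assumes only that GET /api/groups returns
a JSON array of objects with "id" and "name"; sample data is constructed."""
import json
import urllib.request

# Constructed sample of a /api/groups response with the duplicate-name case
# the thread describes (two groups both called "devs").
SAMPLE_GROUPS_JSON = json.dumps([
    {"id": "grp-1", "name": "devs"},
    {"id": "grp-2", "name": "ops"},
    {"id": "grp-3", "name": "devs"},
])


class AmbiguousNameError(LookupError):
    """More than one resource carries the requested name."""


def fetch_groups(api_base: str, pat: str) -> str:
    """Hypothetical helper: GET /api/groups with a personal access token, using
    the same 'Authorization: Token nbp_...' header as the curl call above."""
    req = urllib.request.Request(
        f"{api_base}/api/groups",
        headers={"Accept": "application/json", "Authorization": f"Token {pat}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def resolve_group_id(groups_json: str, name: str) -> str:
    """Return the id of the single group called `name`. Raises KeyError when no
    group matches and AmbiguousNameError when several do, so an IaC pipeline
    never silently picks the wrong group."""
    matches = [g["id"] for g in json.loads(groups_json) if g.get("name") == name]
    if not matches:
        raise KeyError(f"no group named {name!r}")
    if len(matches) > 1:
        raise AmbiguousNameError(f"{len(matches)} groups named {name!r}: {matches}")
    return matches[0]


def auto_groups_ids(groups_json: str, names: list[str]) -> list[str]:
    """Translate the group names a human writes into the ids the API expects."""
    return [resolve_group_id(groups_json, n) for n in names]
```

Feed the output of `auto_groups_ids` into the `auto_groups` field of the setup-key request; until names are enforced unique server-side, the ambiguity check is the only thing standing between a duplicate name and the wrong group being granted.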

Reference: SVI/netbird#434