Cannot login with Google Workspaces as IDP #653

New Issue

saavagebueno · 2025-11-20T05:15:22-05:00

saavagebueno commented

2025-11-20 05:15:22 -05:00

Originally created by @kamikazechaser on GitHub (Feb 23, 2024).

Describe the problem

I have setup a self-hosted server as per the guide. I can login with my Google Workspace account to the dashboard. However, the netbird up --management-url $DOMAIN fails with:

2024-02-23T19:07:00+03:00 WARN client/cmd/root.go:204: retrying Login to the Management service in 1.427649012s due to error rpc error: code = Unknown desc = the management server, $DOMAIN:443, does not support SSO providers, please update your server or use Setup Keys to login

I also attempted to use the android app, it prompted me for a Setup Key which I created and pasted into the app. App returned:

Error setup key address

On the server, I saw these logs from the dashboard container in both instances:

dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:02:19 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:02:20 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:02:29 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:02:31 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:02:33 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:02:36 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:02:40 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:02:48 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:02:52 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:06:58 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:06:59 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:07:00 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:07:02 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:07:02 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:07:03 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"
dashboard-1   | 172.18.0.2 - - [23/Feb/2024:16:07:06 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X"

To Reproduce

Attempt to add a device using Debain CLI or Android App on a self hosted instance using Google IDP.

Expected behavior

Successfully add a device.

Are you using NetBird Cloud?

Self-hosted

NetBird version

netbird version

0.26.0 both client and server (signal, management).
netbirdio/dashboard:v2.1.1

Additional context

$DOMAIN - a subdomain that I use
xxx - redacted secret value

Dashboard env:

NETBIRD_MGMT_API_ENDPOINT=$DOMAIN
NETBIRD_MGMT_GRPC_API_ENDPOINT=$DOMAIN
AUTH_AUDIENCE=xxx.apps.googleusercontent.com
AUTH_CLIENT_ID=xxx.apps.googleusercontent.com
AUTH_CLIENT_SECRET=xxx
AUTH_AUTHORITY=https://accounts.google.com
USE_AUTH0=false
AUTH_SUPPORTED_SCOPES=openid profile email
AUTH_REDIRECT_URI=/auth
AUTH_SILENT_REDIRECT_URI=/silent-auth
NETBIRD_TOKEN_SOURCE=idToken

management.json

{
  "Stuns": [
    {
      "Proto": "udp",
      "URI": "stun:$DOMAIN:3478",
      "Username": "",
      "Password": null
    }
  ],
  "TURNConfig": {
    "Turns": [
      {
        "Proto": "udp",
        "URI": "turn:$DOMAIN:3478",
        "Username": "self",
        "Password": "xxx"
      }
    ],
    "CredentialsTTL": "12h",
    "Secret": "secret",
    "TimeBasedCredentials": false
  },
  "Signal": {
    "Proto": "http",
    "URI": "$DOMAIN",
    "Username": "",
    "Password": null
  },
  "Datadir": "",
  "DataStoreEncryptionKey": "",
  "StoreConfig": {
    "Engine": "jsonfile"
  },
  "HttpConfig": {
    "Address": "0.0.0.0",
    "AuthIssuer": "https://accounts.google.com",
    "AuthAudience": "xxx.apps.googleusercontent.com",
    "AuthKeysLocation": "https://www.googleapis.com/oauth2/v3/certs",
    "AuthUserIDClaim": "",
    "IdpSignKeyRefreshEnabled": false,
    "OIDCConfigEndpoint": "https://accounts.google.com/.well-known/openid-configuration"
  },
  "IdpManagerConfig": {
    "ManagerType": "google",
    "ClientConfig": {
      "Issuer": "https://accounts.google.com",
      "TokenEndpoint": "https://oauth2.googleapis.com/token",
      "ClientID": "xxx.apps.googleusercontent.com",
      "ClientSecret": "",
      "GrantType": "client_credentials"
    },
    "ExtraConfig": {
      "CustomerId": "xxx",
      "ServiceAccountKey": "base64-encoded-xxx"
    },
    "Auth0ClientCredentials": null,
    "AzureClientCredentials": null,
    "KeycloakClientCredentials": null,
    "ZitadelClientCredentials": null
  },
  "DeviceAuthorizationFlow": {
    "Provider": "none",
    "ProviderConfig": {
      "Audience": "xxx.apps.googleusercontent.com",
      "AuthorizationEndpoint": "",
      "Domain": "",
      "ClientID": "",
      "ClientSecret": "",
      "TokenEndpoint": "https://oauth2.googleapis.com/token",
      "DeviceAuthEndpoint": "https://oauth2.googleapis.com/device/code",
      "Scope": "openid",
      "UseIDToken": false,
      "RedirectURLs": null
    }
  },
  "PKCEAuthorizationFlow": {
    "ProviderConfig": {
      "Audience": "xxx.apps.googleusercontent.com",
      "ClientID": "xxx.apps.googleusercontent.com",
      "ClientSecret": "xxx",
      "Domain": "",
      "AuthorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
      "TokenEndpoint": "https://oauth2.googleapis.com/token",
      "Scope": "openid profile email",
      "RedirectURLs": [
        "https://$DOMAIN/auth",
        "https://$DOMAIN/silent-auth",
        "http://localhost:53000"
      ],
      "UseIDToken": true
    }
  }
}

openid-configuration.json:

{
 "issuer": "https://accounts.google.com",
 "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
 "device_authorization_endpoint": "https://oauth2.googleapis.com/device/code",
 "token_endpoint": "https://oauth2.googleapis.com/token",
 "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
 "revocation_endpoint": "https://oauth2.googleapis.com/revoke",
 "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
 "response_types_supported": [
  "code",
  "token",
  "id_token",
  "code token",
  "code id_token",
  "token id_token",
  "code token id_token",
  "none"
 ],
 "subject_types_supported": [
  "public"
 ],
 "id_token_signing_alg_values_supported": [
  "RS256"
 ],
 "scopes_supported": [
  "openid",
  "email",
  "profile"
 ],
 "token_endpoint_auth_methods_supported": [
  "client_secret_post",
  "client_secret_basic"
 ],
 "claims_supported": [
  "aud",
  "email",
  "email_verified",
  "exp",
  "family_name",
  "given_name",
  "iat",
  "iss",
  "name",
  "picture",
  "sub"
 ],
 "code_challenge_methods_supported": [
  "plain",
  "S256"
 ],
 "grant_types_supported": [
  "authorization_code",
  "refresh_token",
  "urn:ietf:params:oauth:grant-type:device_code",
  "urn:ietf:params:oauth:grant-type:jwt-bearer"
 ]
}

Originally created by @kamikazechaser on GitHub (Feb 23, 2024). **Describe the problem** I have setup a self-hosted server as per the guide. I can login with my Google Workspace account to the dashboard. However, the `netbird up --management-url $DOMAIN` fails with: ```bash 2024-02-23T19:07:00+03:00 WARN client/cmd/root.go:204: retrying Login to the Management service in 1.427649012s due to error rpc error: code = Unknown desc = the management server, $DOMAIN:443, does not support SSO providers, please update your server or use Setup Keys to login ``` I also attempted to use the android app, it prompted me for a Setup Key which I created and pasted into the app. App returned: ``` Error setup key address ``` On the server, I saw these logs from the `dashboard` container in both instances: ```bash dashboard-1 | 172.18.0.2 - - [23/Feb/2024:16:02:19 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X" dashboard-1 | 172.18.0.2 - - [23/Feb/2024:16:02:20 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X" dashboard-1 | 172.18.0.2 - - [23/Feb/2024:16:02:29 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X" dashboard-1 | 172.18.0.2 - - [23/Feb/2024:16:02:31 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X" dashboard-1 | 172.18.0.2 - - [23/Feb/2024:16:02:33 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X" dashboard-1 | 172.18.0.2 - - [23/Feb/2024:16:02:36 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X" dashboard-1 | 172.18.0.2 - - [23/Feb/2024:16:02:40 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X" dashboard-1 | 172.18.0.2 - - [23/Feb/2024:16:02:48 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X" dashboard-1 | 172.18.0.2 - - [23/Feb/2024:16:02:52 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X" dashboard-1 | 172.18.0.2 - - [23/Feb/2024:16:06:58 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X" dashboard-1 | 172.18.0.2 - - [23/Feb/2024:16:06:59 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X" dashboard-1 | 172.18.0.2 - - [23/Feb/2024:16:07:00 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X" dashboard-1 | 172.18.0.2 - - [23/Feb/2024:16:07:02 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X" dashboard-1 | 172.18.0.2 - - [23/Feb/2024:16:07:02 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X" dashboard-1 | 172.18.0.2 - - [23/Feb/2024:16:07:03 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X" dashboard-1 | 172.18.0.2 - - [23/Feb/2024:16:07:06 +0000] "POST /management.ManagementService/GetServerKey HTTP/1.1" 404 1665 "-" "grpc-go/1.56.3" "X.X.X.X" ``` **To Reproduce** Attempt to add a device using Debain CLI or Android App on a self hosted instance using Google IDP. **Expected behavior** Successfully add a device. **Are you using NetBird Cloud?** Self-hosted **NetBird version** `netbird version` - `0.26.0` both client and server (signal, management). - netbirdio/dashboard:v2.1.1 **Additional context** - $DOMAIN - a subdomain that I use - xxx - redacted secret value Dashboard env: ```bash NETBIRD_MGMT_API_ENDPOINT=$DOMAIN NETBIRD_MGMT_GRPC_API_ENDPOINT=$DOMAIN AUTH_AUDIENCE=xxx.apps.googleusercontent.com AUTH_CLIENT_ID=xxx.apps.googleusercontent.com AUTH_CLIENT_SECRET=xxx AUTH_AUTHORITY=https://accounts.google.com USE_AUTH0=false AUTH_SUPPORTED_SCOPES=openid profile email AUTH_REDIRECT_URI=/auth AUTH_SILENT_REDIRECT_URI=/silent-auth NETBIRD_TOKEN_SOURCE=idToken ``` management.json ```json { "Stuns": [ { "Proto": "udp", "URI": "stun:$DOMAIN:3478", "Username": "", "Password": null } ], "TURNConfig": { "Turns": [ { "Proto": "udp", "URI": "turn:$DOMAIN:3478", "Username": "self", "Password": "xxx" } ], "CredentialsTTL": "12h", "Secret": "secret", "TimeBasedCredentials": false }, "Signal": { "Proto": "http", "URI": "$DOMAIN", "Username": "", "Password": null }, "Datadir": "", "DataStoreEncryptionKey": "", "StoreConfig": { "Engine": "jsonfile" }, "HttpConfig": { "Address": "0.0.0.0", "AuthIssuer": "https://accounts.google.com", "AuthAudience": "xxx.apps.googleusercontent.com", "AuthKeysLocation": "https://www.googleapis.com/oauth2/v3/certs", "AuthUserIDClaim": "", "IdpSignKeyRefreshEnabled": false, "OIDCConfigEndpoint": "https://accounts.google.com/.well-known/openid-configuration" }, "IdpManagerConfig": { "ManagerType": "google", "ClientConfig": { "Issuer": "https://accounts.google.com", "TokenEndpoint": "https://oauth2.googleapis.com/token", "ClientID": "xxx.apps.googleusercontent.com", "ClientSecret": "", "GrantType": "client_credentials" }, "ExtraConfig": { "CustomerId": "xxx", "ServiceAccountKey": "base64-encoded-xxx" }, "Auth0ClientCredentials": null, "AzureClientCredentials": null, "KeycloakClientCredentials": null, "ZitadelClientCredentials": null }, "DeviceAuthorizationFlow": { "Provider": "none", "ProviderConfig": { "Audience": "xxx.apps.googleusercontent.com", "AuthorizationEndpoint": "", "Domain": "", "ClientID": "", "ClientSecret": "", "TokenEndpoint": "https://oauth2.googleapis.com/token", "DeviceAuthEndpoint": "https://oauth2.googleapis.com/device/code", "Scope": "openid", "UseIDToken": false, "RedirectURLs": null } }, "PKCEAuthorizationFlow": { "ProviderConfig": { "Audience": "xxx.apps.googleusercontent.com", "ClientID": "xxx.apps.googleusercontent.com", "ClientSecret": "xxx", "Domain": "", "AuthorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth", "TokenEndpoint": "https://oauth2.googleapis.com/token", "Scope": "openid profile email", "RedirectURLs": [ "https://$DOMAIN/auth", "https://$DOMAIN/silent-auth", "http://localhost:53000" ], "UseIDToken": true } } } ``` openid-configuration.json: ```json { "issuer": "https://accounts.google.com", "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth", "device_authorization_endpoint": "https://oauth2.googleapis.com/device/code", "token_endpoint": "https://oauth2.googleapis.com/token", "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo", "revocation_endpoint": "https://oauth2.googleapis.com/revoke", "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs", "response_types_supported": [ "code", "token", "id_token", "code token", "code id_token", "token id_token", "code token id_token", "none" ], "subject_types_supported": [ "public" ], "id_token_signing_alg_values_supported": [ "RS256" ], "scopes_supported": [ "openid", "email", "profile" ], "token_endpoint_auth_methods_supported": [ "client_secret_post", "client_secret_basic" ], "claims_supported": [ "aud", "email", "email_verified", "exp", "family_name", "given_name", "iat", "iss", "name", "picture", "sub" ], "code_challenge_methods_supported": [ "plain", "S256" ], "grant_types_supported": [ "authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:device_code", "urn:ietf:params:oauth:grant-type:jwt-bearer" ] } ```

saavagebueno added the triage-needed label 2025-11-20 05:15:22 -05:00

saavagebueno commented

2025-11-20 05:15:23 -05:00

@joshuahigginson1 commented on GitHub (Mar 1, 2024):

Hi KamikazeChaser, we've successfully integrated Google SSO by following our guide. Give me 5 minutes, and I'll dig out our management.json config for you.

@joshuahigginson1 commented on GitHub (Mar 1, 2024): Hi KamikazeChaser, we've successfully integrated Google SSO by following our guide. Give me 5 minutes, and I'll dig out our management.json config for you.

saavagebueno commented

2025-11-20 05:15:23 -05:00

@joshuahigginson1 commented on GitHub (Mar 1, 2024):

It is worth noting that we use Terraform for our deployment of Netbird, so if you see any unusual syntax, give me a shout.

{
    "Stuns": [
        {
            "Proto": "udp",
            "URI": "stun:******:443",
            "Username": "*******",
            "Password": "*******"
        },
        {
            "Proto": "tcp",
            "URI": "stun:*********:443",
            "Username": "*******",
            "Password": "********"
        }
    ],
    "TURNConfig": {
        "Turns": [
            {
                "Proto": "dtls",
                "URI": "turns:******:5349",
                "Username": "******",
                "Password": "******"
            }
        ],
        "CredentialsTTL": "12h",
        "Secret": "********",
        "TimeBasedCredentials": false
    },
    "Signal": {
        "Proto": "https",
        "URI": "access.${data.aws_route53_zone.netbird_hosted_zone.name}:443",
        "Username": "",
        "Password": null
    },
    "StoreConfig": {
        "Engine": "jsonfile"
    },
    "HttpConfig": {
        "Address": "0.0.0.0:443",
        "AuthAudience": "$OIDC_CLIENT_ID",
        "AuthUserIDClaim": "sub",
        "OIDCConfigEndpoint": "${var.oidc_configuration_endpoint}"
    },
    "IdpManagerConfig": {
        "ManagerType": "${var.netbird_management_idp}",
        "ClientConfig": {
            "Issuer": "${local.oidc_openid_configuration.issuer}",
            "TokenEndpoint": "${local.oidc_openid_configuration.token_endpoint}",
            "ClientID": "$OIDC_CLIENT_ID",
            "ClientSecret": "$OIDC_CLIENT_SECRET",
            "GrantType": "client_credentials"
        },
        "ExtraConfig": {
            "CustomerId": "$GOOGLE_WORKSPACE_CUSTOMER_ID",
            "ServiceAccountKey": "$GOOGLE_WORKSPACE_SA_KEY"
        }
    },
    "DeviceAuthorizationFlow": {
        "Provider": "none",
        "ProviderConfig": {
            "Audience": "$OIDC_CLIENT_ID",
            "ClientID": "$OIDC_CLIENT_ID",
            "ClientSecret": "$OIDC_CLIENT_SECRET",
            "Scope": "${local.oidc_supported_scopes}",
            "UseIDToken": true
        }
    },
    "PKCEAuthorizationFlow": {
        "ProviderConfig": {
            "Audience": "$OIDC_CLIENT_ID",
            "ClientID": "$OIDC_CLIENT_ID",
            "ClientSecret": "$OIDC_CLIENT_SECRET",
            "DeviceAuthEndpoint": "${local.oidc_openid_configuration.device_authorization_endpoint}",
            "Scope": "${local.oidc_supported_scopes}",
            "RedirectURLs": [
                "http://localhost:53000/"
            ],
            "UseIDToken": true
        }
    }
}

@joshuahigginson1 commented on GitHub (Mar 1, 2024): It is worth noting that we use Terraform for our deployment of Netbird, so if you see any unusual syntax, give me a shout. ``` { "Stuns": [ { "Proto": "udp", "URI": "stun:******:443", "Username": "*******", "Password": "*******" }, { "Proto": "tcp", "URI": "stun:*********:443", "Username": "*******", "Password": "********" } ], "TURNConfig": { "Turns": [ { "Proto": "dtls", "URI": "turns:******:5349", "Username": "******", "Password": "******" } ], "CredentialsTTL": "12h", "Secret": "********", "TimeBasedCredentials": false }, "Signal": { "Proto": "https", "URI": "access.${data.aws_route53_zone.netbird_hosted_zone.name}:443", "Username": "", "Password": null }, "StoreConfig": { "Engine": "jsonfile" }, "HttpConfig": { "Address": "0.0.0.0:443", "AuthAudience": "$OIDC_CLIENT_ID", "AuthUserIDClaim": "sub", "OIDCConfigEndpoint": "${var.oidc_configuration_endpoint}" }, "IdpManagerConfig": { "ManagerType": "${var.netbird_management_idp}", "ClientConfig": { "Issuer": "${local.oidc_openid_configuration.issuer}", "TokenEndpoint": "${local.oidc_openid_configuration.token_endpoint}", "ClientID": "$OIDC_CLIENT_ID", "ClientSecret": "$OIDC_CLIENT_SECRET", "GrantType": "client_credentials" }, "ExtraConfig": { "CustomerId": "$GOOGLE_WORKSPACE_CUSTOMER_ID", "ServiceAccountKey": "$GOOGLE_WORKSPACE_SA_KEY" } }, "DeviceAuthorizationFlow": { "Provider": "none", "ProviderConfig": { "Audience": "$OIDC_CLIENT_ID", "ClientID": "$OIDC_CLIENT_ID", "ClientSecret": "$OIDC_CLIENT_SECRET", "Scope": "${local.oidc_supported_scopes}", "UseIDToken": true } }, "PKCEAuthorizationFlow": { "ProviderConfig": { "Audience": "$OIDC_CLIENT_ID", "ClientID": "$OIDC_CLIENT_ID", "ClientSecret": "$OIDC_CLIENT_SECRET", "DeviceAuthEndpoint": "${local.oidc_openid_configuration.device_authorization_endpoint}", "Scope": "${local.oidc_supported_scopes}", "RedirectURLs": [ "http://localhost:53000/" ], "UseIDToken": true } } } ```

saavagebueno commented

2025-11-20 05:15:23 -05:00

@nazarewk commented on GitHub (Apr 23, 2025):

@kamikazechaser is this still an issue for you?

@nazarewk commented on GitHub (Apr 23, 2025): @kamikazechaser is this still an issue for you?

Sign in to join this conversation.

Branches Tags

main

embedded-vnc

fix-dns-fallback-self-loop

claude/webtransport-relay-wasm-mUjY9

claude/vnc-udp-feasibility-6KB1U

readme-cleanup

client/capture-dns-forwarder-port

fix-ssh-authorized-users-multi-rule

fix/wireguard-port-zero

windows-dns-firewall

ui-refactor

fix/wgport-config

feature/refactor-clusters

fix/rosenpass

drop-candidateviaroutes-filter

e2e-windows-dns-combined

refactor-combined

wasm-websocket-dial

feature/affected-peers

dependabot/go_modules/github.com/Azure/go-ntlmssp-0.1.1

debug-logs

reduce-embed-wg-pool

dependabot/go_modules/github.com/jackc/pgx/v5-5.9.2

fix/login-cmd-root-flags

feat/reseller-openapi-spec

github-issue-resolver

add-steamos-support

fix-darwin-uninstaller

flutter-test

dependabot/npm_and_yarn/proxy/web/postcss-8.5.12

ci/freebsd-pkg-bootstrap

cached-serial-check-on-sync

fix-mgmt-cache-bypass-overlay

revert-easyjson-5938

revert-ice-5820

revert-firewalld-5928

refactor/permissions-manager

wasm-js-func-release

revert-dns-5935-systemd-resolved

revert-dns-5935-5945

revert-dns-5945-mgmt-cache

feature/log-most-busy-peers

prototype/ui-wails

coderabbitai/utg/8ae8f20

feature/use-peer-fqdn-on-https

dependabot/go_modules/golang.org/x/image-0.38.0

feature/metrics-push-management-control

release/0.68.3

dependabot/go_modules/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream-1.7.8

dependabot/go_modules/github.com/aws/aws-sdk-go-v2/service/s3-1.97.3

add-slack-channel

claude/rdp-token-passthrough-eNcqW

transparent-proxy

fix/macos-stale-route-eexist

crowdsec-selfhosted

fix/remove-otel-units

entire/checkpoints/v1

dependabot/go_modules/github.com/go-jose/go-jose/v4-4.1.4

fix/getting-started

feat/static-connectors-combined-server

feature/use-local-keys-embedded

feature/fleetdm

set-env-only-if-not-fork

feature/expose-has-channel

fix/connection-status-race

fix/filter-cgnat-cni-ice-candidates

feature/check-cert-locker-before-acme

test/proxy-fixes

test/proxy-mtu

prototype/ui-tauri

test/proxy-speed

fix-reused-ports

feat/migrate-to-embedded-idp

feature/add-serial-to-proxy-merged

deploy/proxy-serial

test/connection

feature/disable-legacy-port

feature/flag-to-disable-legacy-port

test/perftest

dependabot/go_modules/github.com/pion/dtls/v3-3.0.11

fix/http-redirect

poc-token-command

dn-reverse-proxy

prototype/reverse-proxy-rename

prototype/reverse-proxy-logs-pagination

feature/client-metrics

prototype/reverse-proxy-clusters

debug-dns-route

fix/win-dns-batch

add-extra-route-logs

job-stream-notify-disconnection-eof

deploy/secrets-manager

trigger-proxy-update

bug/update-ios-client-code-build-tags

sync-client-netmap-serial

log/conn-disconn

nmap/compaction-deploy

ci-win-test

feature/disk-encryption-check

wasm-debug

swap-dns-prio

fix/dex-config

feature/migrate-auto-groups-to-table

dependabot/go_modules/github.com/quic-go/quic-go-0.57.0

nmap/compaction

dex-nocgo-stub

feature/exclude-terraform-from-rate-limiting

test-freebsd

retries-refactor

coderabbitai/docstrings/b7e98ac

feat/integrate-zitadel

bug/ios-hanging-reconection

zitadel-idp

feat/network-map-serial

refactor/get-account-no-users

feat/auto-upgrade

feature/report-high-pat-id

feature/temporary-access-for-resource

fix/nmap-fwrules

dont-restart-dns

prototype/ui

update-gomobile

go-dns-for-ice

wasm-ldflags

test-ldflags

wasmbuild-test

feature/networks-s2s

vk/compare-nmaps

dbg/bothmaps

feature/changeset

reorder-dns-shutdown

fix/relay-reconnection-race

fix/nmap-exitnodes

vk/debug/nmap-both

move-licensed-code

feat/better-daemon-connection-lost-message

feat/auto-update-2

test/timings

refactor/getaccount-raw

tests/nmap-getaccount

refactor/nmap

refactor/nmap-limit-buffer

feature/detect-mac-wakeup

feature/extract-modules

quick-setings

feat/sync-limiter

feature/store-cache-impl

fix-install-version

feature/store-metrics

feature/metrics-on-store

feature/use-gorm-cache

loadtest-signal

unsymmetrical-squash

refactor/reducate-signaling

test/update-reduce

feature/store-cache

feature/remote-debug

cli-ws-proxy-backend-addr

feat/mgmt-map-serial

snyk-fix-d9d0081a4c7f9137bdb59d0d50a141a2

snyk-fix-7415cea5a11acd66753540ca2c598c63

job-yml-update

feature/android-allow-selecting-routes

fix/up-sequence

fix/dns-hash-update

snyk-fix-967adae9863f17f108ce8948d9117b8d

log/getaccount-by-peer

signal-suppressor

dns-exit-node

feature/auto-updates

feature/cache-srv-key

merged-fixes

fix/missed-offers-and-debug

debug-and-fixes

poc-wasm-clean-backend-s2s

test/remote-debug

debug-api

dependabot/go_modules/github.com/docker/docker-28.0.0incompatible

fix/remove-gpo-if-empty

fix/test-freebsd

fix/mysql-setup

fix/remove-logout-btn

handle-existing-domain-user

chore/unify-domain-validation

snyk-fix-c5fafc8a50ce1f29046e25a1fc346185

feat/profile-edit-btn

snyk-fix-a54966211e18d4cf67e5a2757cc006d1

log-short-id

feat/logout-ephemeral

log-checks

batch-wg-ops

nb-interface-default

feat/aws-integration

add/race-test

feature/relay-feature-versioning

fix/systemd-service-logs

poc/preprocessed-map

add-account-onboarding

bind-ipv6

fix/merge-main

logs/peerlogs-addpeer

feature/net-297-network-migration

feature/support-skip-auto-apply-exit-node-routes

set-cmd

set-command-with-cursor

feature/limit-update-channel

stop-using-locking-share

feature/poc-lazy-detection

feature/net-248-removal-of-sync-mutex-locks

test/multiple-peer-logging

preresolve

add-ns-punnycode-support

apply-routes-early

windows-search-domains

fix/connecting-route-filter

feature/management/rest-client/impersonate

debug-local-records

resource-fields-snake-case

test/grpc-rate-limit

traffic-correlation-policy

feature/rest-client-options

feat/events-metrics

feature/buf-cli

test/add-ratelimiter

test/remove-write-lock-on-add-peer

fix/add-peer-semaphore

feature/users-roles-endpoint

mlsmaycon-patch-1

debug-user-role

chore/primary-key-on-networks

feature/update-account-peers-buffer-startup

remove-ubuntu2004-runners

refactor/permissions-no-pat-allowed

ref/logrus-factory

use-conntrack-zone

deploy/permissions-account

feature/lazy-connection-idle

ref/improve-test-cov

restore-pr-3440

test/increase-grpc-timeouts

feat/buffer-account-peers-update

test/networkmapgeneration-changes

feature/base-manager

feature/flow-receiver

chore/benchmark-with-large-runner

refactor/handshake-initiator

client/ui-update-systray-icons

userspace-router

wgwatcher-test

output-if-key-already-exists

fix/relay-reconnection

feature/port-forwarding-client-codecleaning

detached2

test/callbacks-nil-iceconninfo

refactor/optimize-peer-expiration

enable-udp-port-for-docker-template

fix/relay-update

feature/apply-posture-netmap

fix/group-update-existing-resource

conntrack-stats

upgrade-okta-sdk

multi-price

test/conn-stat

set-min-parallel-tests-for-management

dns-interceptor

debug-dns

router-dns

add-static-system-info

debug-0.29.4

debug-0.33.0

account-refactoring

relay/2800_quic

route-get-account-refactoring

test/seed-random-routes

feature/get-account-refactoring

test/reconnect-race-condition

refactor/get-account-usage

feature/add-session-id-to-update-channel

improve-ipv4conn

fix/async-pion-event-handling

debug

add-offload

feature/validate-group-association-debug

fix/limit-conn-for-sqlite

test/engine-iface

test/transaction-for-jwt-sync

fix/engine-stop-in-foreground

feature/add-mysql-support

test-migration

refactor/header-size-values

relay/eliminate-gob

test/signal-dispatcher-with-relay

relay/debug

validate-icon

feature/ipv6-support

use-pre-expanded-peers-map

feature/use-signal-dispatcher

validate/peer-status

add-read-write-times

fix/sync-peer-race

feature/relay-status

netmap

evaluate/network-map-hash

fix/lower-dns-resolve-interval-on-fail

feature/relay

fix/go-mod-version

upgrade-nftables

synology-userspace-mode

fix/use-ip-for-default-routes-on-darwin

fix/proxy_close

enable-release-workflow-on-pr

deploy/peer-performance

feature/permanent-turn

feature/permanent-turn-proxy

deploy/posture-check-sqlite

feature/optimize_sqlite_save

debug-ios-behavior

fix/delete-route-only-after-adding

tshoot/windows-logger

remove-new-routing

refactor/eliminate-repo-dependency

add-arm-to-ci

refactor-demo-account-object

test/abc2

test/abc

send-ssh-rosenpass-config-meta

refactor-demo

ensure-schedule-never-runs-non-positive

feature/peer-validator-groupmgm

feature/peer-validator-fix

fix/include-active-dashboard-users

fix/handle-canceling-schedule

fix/geo-download

debug-google-workspace

yury/resolve-ip-to-location

feature/extend-sysinfo

sqlite-async-peer-status

yury/add-postgresql-store

fix/route

test-build

posture-checks-poc

debug-keycloak-idp

poc/netstack

for-pascal-tmp

peer-logout-management

manual-peer-logout

detached

chore/refactor-management

test/dns-bind

fix/enforce-acl-for-containers

yury/use-sync-map-in-updatechannel

fix/events-key-handling

filter-cache-on-load-account

fix/user-expiration

handle-user-context-cancellation

nb-client-k8s-statefulset

fake-addr

fix/iptables_in_docker

ebpf-debug

update-getting-started-flow-use-postgres

fix/peer_list_notification

feature/device-authentication-with-client-secret

feature/keep_alive

feat-groups-from-jwt

separate_proxy_from_wgconfig

fix/wg_conn

wg_conn_fix

wg_bind_parallel_processing

fix-rollback-get-acls

proxy_cfg_cleanup

performance-improvement-rego

update-lock-log-level

feat-client-side-acl

refactor/move_grpcserver_logic_to_account_manager

feature/event-storage

feature/update-idp-redeeming-invite

feature/api-peer-info

return-groupminimum-setupkey

feature/interface-bind

documentation_enhancement

fix-peer-registration

ssh

users_cache

pass-client-caller

client_caller_type

revert-283-feat-fix-windows-installer

periodic-peer-updates

ebpf

braginini/wasm

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: SVI/netbird#653