SVI/netbird
1
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2026-05-09 09:42:12 -04:00
Code Issues 3.0k Packages Projects Releases 10 Wiki Activity

Request failed with status code 401. Please refresh the page if the issue continues. token invalid #671

New Issue
Open
opened 2025-11-20 05:15:43 -05:00 by saavagebueno · 21 comments
saavagebueno commented 2025-11-20 05:15:43 -05:00
Owner
Copy Link

Originally created by @jkirkcaldy on GitHub (Mar 2, 2024).

Using authentik as auth provider. and Traefik as the reverse proxy.

These lines appear in the management logs:

2024-03-02T18:37:27Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-02T18:37:27Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 2291633713: GET /api/users status 401
2024-03-02T18:37:27Z INFO management/server/account.go:1590: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-02T18:37:27Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400

I have a red box with a warning message

Request failed with status code 401. Please refresh the page if the issue continues.
token invalid

management.json

{
    "Stuns": [
        {
            "Proto": "udp",
            "URI": "stun:netbird.example.co.uk:3478",
            "Username": "",
            "Password": ""
        }
    ],
    "TURNConfig": {
        "TimeBasedCredentials": false,
        "CredentialsTTL": "12h0m0s",
        "Secret": "secret",
        "Turns": [
            {
                "Proto": "udp",
                "URI": "turn:netbird.example.co.uk:3478",
                "Username": "self",
                "Password": "xxxx"
            }
        ]
    },
    "Signal": {
        "Proto": "http",
        "URI": "netbird.example.co.uk:10000",
        "Username": "",
        "Password": ""
    },
    "Datadir": "/var/lib/netbird/",
    "DataStoreEncryptionKey": "H9HtkneUWN6/KdVlnOBo+9MtqHz9BliKx0Kuc3KbJJc=",
    "HttpConfig": {
        "LetsEncryptDomain": "",
        "AuthAudience": "xxxx",
        "AuthIssuer": "https://authentik.example.co.uk/application/o/netbird/",
        "AuthUserIDClaim": "",
        "AuthKeysLocation": "https://authentik.example.co.uk/application/o/netbird/jwks/",
        "OIDCConfigEndpoint": "https://authentik.example.co.uk/application/o/netbird/.well-known/openid-configuration",
        "IdpSignKeyRefreshEnabled": true
    },
    "IdpManagerConfig": {
        "ManagerType": "authentik",
        "ClientConfig": {
            "Issuer": "https://authentik.example.co.uk/application/o/netbird",
            "TokenEndpoint": "https://authentik.example.co.uk/application/o/token/",
            "ClientID": "xxxx",
            "ClientSecret": "",
            "GrantType": "client_credentials"
        },
        "ExtraConfig": {
            "Password": "xxxxx",
            "Username": "Netbird"
        },
        "Auth0ClientCredentials": null,
        "AzureClientCredentials": null,
        "KeycloakClientCredentials": null,
        "ZitadelClientCredentials": null
    },
    "DeviceAuthorizationFlow": {
        "Provider": "hosted",
        "ProviderConfig": {
            "ClientID": "xxxx",
            "ClientSecret": "",
            "Domain": "authentik.example.co.uk",
            "Audience": "xxxx",
            "TokenEndpoint": "https://authentik.example.co.uk/application/o/token/",
            "DeviceAuthEndpoint": "https://authentik.example.co.uk/application/o/device/",
            "AuthorizationEndpoint": "",
            "Scope": "openid",
            "UseIDToken": false,
            "RedirectURLs": null
        }
    },
    "PKCEAuthorizationFlow": {
        "ProviderConfig": {
            "ClientID": "xxxx",
            "ClientSecret": "",
            "Domain": "",
            "Audience": "xxxx",
            "TokenEndpoint": "https://authentik.example.co.uk/application/o/token/",
            "DeviceAuthEndpoint": "",
            "AuthorizationEndpoint": "https://authentik.example.co.uk/application/o/authorize/",
            "Scope": "openid profile email offline_access api groups",
            "UseIDToken": false,
            "RedirectURLs": [
                "http://localhost:53000"
            ]
        }
    },
    "StoreConfig": {
        "Engine": "sqlite"
    },
    "ReverseProxy": {
        "TrustedHTTPProxies": null,
        "TrustedHTTPProxiesCount": 0,
        "TrustedPeers": null
    }
}

Compose file

version: "3"
services:
  #UI dashboard
  dashboard:
    image: wiretrustee/dashboard:latest
    restart: unless-stopped
    #ports:
    #  - 80:80
    #  - 443:443
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://netbird.example.co.uk:443
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbird.example.co.uk:443
      # OIDC
      - AUTH_AUDIENCE=xxxxx
      - AUTH_CLIENT_ID=xxxxx
      - AUTH_CLIENT_SECRET=
      - AUTH_AUTHORITY=https://authentik.example.co.uk/application/o/netbird/
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
      - AUTH_REDIRECT_URI=
      - AUTH_SILENT_REDIRECT_URI=
      - NETBIRD_TOKEN_SOURCE=accessToken
    labels:
    - traefik.enable=true
    - traefik.http.routers.netbird-dashboard.rule=Host(`netbird.example.co.uk`)
    - traefik.http.services.netbird-dashboard.loadbalancer.server.port=80

  # Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    volumes:
      - /mnt/user/appdata/netbird/signal:/var/lib/netbird
    labels:
    - traefik.enable=true
    - traefik.http.routers.netbird-signal.rule=Host(`netbird.example.co.uk`) && PathPrefix(`/signalexchange.SignalExchange/`)
    - traefik.http.services.netbird-signal.loadbalancer.server.port=80
    - traefik.http.services.netbird-signal.loadbalancer.server.scheme=h2c

  # Management
  management:
    image: netbirdio/management:latest
    restart: unless-stopped
    depends_on:
      - dashboard
    volumes:
      - /mnt/user/appdata/netbird/management:/var/lib/netbird
      - /mnt/user/appdata/netbird/management/management.json:/etc/netbird/management.json
    command: [
      "--port", "443",
      "--log-file", "console",
      "--disable-anonymous-metrics=false",
      "--single-account-mode-domain=netbird.example.co.uk",
      "--dns-domain=netbird.selfhosted"
      ]
    labels:
    - traefik.enable=true
    - traefik.http.routers.netbird-api.rule=Host(`netbird.example.co.uk`) && PathPrefix(`/api`)
    - traefik.http.routers.netbird-api.service=netbird-api
    - traefik.http.services.netbird-api.loadbalancer.server.port=443

    - traefik.http.routers.netbird-management.rule=Host(`netbird.example.co.uk`) && PathPrefix(`/management.ManagementService/`)
    - traefik.http.routers.netbird-management.service=netbird-management
    - traefik.http.services.netbird-management.loadbalancer.server.port=443
    - traefik.http.services.netbird-management.loadbalancer.server.scheme=h2c

  # Coturn
  coturn:
    image: coturn/coturn:latest
    restart: unless-stopped
    domainname: netbird.example.co.uk
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
    #      - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
    #      - ./cert.pem:/etc/coturn/certs/cert.pem:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf
Originally created by @jkirkcaldy on GitHub (Mar 2, 2024). Using authentik as auth provider. and Traefik as the reverse proxy. These lines appear in the management logs: ``` 2024-03-02T18:37:27Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid 2024-03-02T18:37:27Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 2291633713: GET /api/users status 401 2024-03-02T18:37:27Z INFO management/server/account.go:1590: overriding JWT Domain and DomainCategory claims since single account mode is enabled 2024-03-02T18:37:27Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400 ``` I have a red box with a warning message ``` Request failed with status code 401. Please refresh the page if the issue continues. token invalid ``` management.json ``` { "Stuns": [ { "Proto": "udp", "URI": "stun:netbird.example.co.uk:3478", "Username": "", "Password": "" } ], "TURNConfig": { "TimeBasedCredentials": false, "CredentialsTTL": "12h0m0s", "Secret": "secret", "Turns": [ { "Proto": "udp", "URI": "turn:netbird.example.co.uk:3478", "Username": "self", "Password": "xxxx" } ] }, "Signal": { "Proto": "http", "URI": "netbird.example.co.uk:10000", "Username": "", "Password": "" }, "Datadir": "/var/lib/netbird/", "DataStoreEncryptionKey": "H9HtkneUWN6/KdVlnOBo+9MtqHz9BliKx0Kuc3KbJJc=", "HttpConfig": { "LetsEncryptDomain": "", "AuthAudience": "xxxx", "AuthIssuer": "https://authentik.example.co.uk/application/o/netbird/", "AuthUserIDClaim": "", "AuthKeysLocation": "https://authentik.example.co.uk/application/o/netbird/jwks/", "OIDCConfigEndpoint": "https://authentik.example.co.uk/application/o/netbird/.well-known/openid-configuration", "IdpSignKeyRefreshEnabled": true }, "IdpManagerConfig": { "ManagerType": "authentik", "ClientConfig": { "Issuer": "https://authentik.example.co.uk/application/o/netbird", "TokenEndpoint": "https://authentik.example.co.uk/application/o/token/", "ClientID": "xxxx", "ClientSecret": "", "GrantType": "client_credentials" }, "ExtraConfig": { "Password": "xxxxx", "Username": "Netbird" }, "Auth0ClientCredentials": null, "AzureClientCredentials": null, "KeycloakClientCredentials": null, "ZitadelClientCredentials": null }, "DeviceAuthorizationFlow": { "Provider": "hosted", "ProviderConfig": { "ClientID": "xxxx", "ClientSecret": "", "Domain": "authentik.example.co.uk", "Audience": "xxxx", "TokenEndpoint": "https://authentik.example.co.uk/application/o/token/", "DeviceAuthEndpoint": "https://authentik.example.co.uk/application/o/device/", "AuthorizationEndpoint": "", "Scope": "openid", "UseIDToken": false, "RedirectURLs": null } }, "PKCEAuthorizationFlow": { "ProviderConfig": { "ClientID": "xxxx", "ClientSecret": "", "Domain": "", "Audience": "xxxx", "TokenEndpoint": "https://authentik.example.co.uk/application/o/token/", "DeviceAuthEndpoint": "", "AuthorizationEndpoint": "https://authentik.example.co.uk/application/o/authorize/", "Scope": "openid profile email offline_access api groups", "UseIDToken": false, "RedirectURLs": [ "http://localhost:53000" ] } }, "StoreConfig": { "Engine": "sqlite" }, "ReverseProxy": { "TrustedHTTPProxies": null, "TrustedHTTPProxiesCount": 0, "TrustedPeers": null } } ``` Compose file ``` version: "3" services: #UI dashboard dashboard: image: wiretrustee/dashboard:latest restart: unless-stopped #ports: # - 80:80 # - 443:443 environment: # Endpoints - NETBIRD_MGMT_API_ENDPOINT=https://netbird.example.co.uk:443 - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbird.example.co.uk:443 # OIDC - AUTH_AUDIENCE=xxxxx - AUTH_CLIENT_ID=xxxxx - AUTH_CLIENT_SECRET= - AUTH_AUTHORITY=https://authentik.example.co.uk/application/o/netbird/ - USE_AUTH0=false - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api - AUTH_REDIRECT_URI= - AUTH_SILENT_REDIRECT_URI= - NETBIRD_TOKEN_SOURCE=accessToken labels: - traefik.enable=true - traefik.http.routers.netbird-dashboard.rule=Host(`netbird.example.co.uk`) - traefik.http.services.netbird-dashboard.loadbalancer.server.port=80 # Signal signal: image: netbirdio/signal:latest restart: unless-stopped volumes: - /mnt/user/appdata/netbird/signal:/var/lib/netbird labels: - traefik.enable=true - traefik.http.routers.netbird-signal.rule=Host(`netbird.example.co.uk`) && PathPrefix(`/signalexchange.SignalExchange/`) - traefik.http.services.netbird-signal.loadbalancer.server.port=80 - traefik.http.services.netbird-signal.loadbalancer.server.scheme=h2c # Management management: image: netbirdio/management:latest restart: unless-stopped depends_on: - dashboard volumes: - /mnt/user/appdata/netbird/management:/var/lib/netbird - /mnt/user/appdata/netbird/management/management.json:/etc/netbird/management.json command: [ "--port", "443", "--log-file", "console", "--disable-anonymous-metrics=false", "--single-account-mode-domain=netbird.example.co.uk", "--dns-domain=netbird.selfhosted" ] labels: - traefik.enable=true - traefik.http.routers.netbird-api.rule=Host(`netbird.example.co.uk`) && PathPrefix(`/api`) - traefik.http.routers.netbird-api.service=netbird-api - traefik.http.services.netbird-api.loadbalancer.server.port=443 - traefik.http.routers.netbird-management.rule=Host(`netbird.example.co.uk`) && PathPrefix(`/management.ManagementService/`) - traefik.http.routers.netbird-management.service=netbird-management - traefik.http.services.netbird-management.loadbalancer.server.port=443 - traefik.http.services.netbird-management.loadbalancer.server.scheme=h2c # Coturn coturn: image: coturn/coturn:latest restart: unless-stopped domainname: netbird.example.co.uk volumes: - ./turnserver.conf:/etc/turnserver.conf:ro # - ./privkey.pem:/etc/coturn/private/privkey.pem:ro # - ./cert.pem:/etc/coturn/certs/cert.pem:ro network_mode: host command: - -c /etc/turnserver.conf ``` </details>
saavagebueno added the waiting-feedbackself-hostinggetting-started labels 2025-11-20 05:15:44 -05:00
saavagebueno commented 2025-11-20 05:15:44 -05:00
Author
Owner
Copy Link

@jkirkcaldy commented on GitHub (Mar 4, 2024):

I believe this is related to Authentik requiring the "offline access" request.

image

If I select offline access in the netbird provider/scopes in authentik, I get this error in the console in netbird:
image

Deselecting it in authentik results in the invalid token message.

@jkirkcaldy commented on GitHub (Mar 4, 2024): I believe this is related to Authentik requiring the "offline access" request. ![image](https://github.com/netbirdio/netbird/assets/26098592/0bb09654-1b55-4a90-9a64-9ac26ad0ac05) If I select offline access in the netbird provider/scopes in authentik, I get this error in the console in netbird: ![image](https://github.com/netbirdio/netbird/assets/26098592/00fdaaff-30a6-48ce-9fdc-4e39f9de7be1) Deselecting it in authentik results in the invalid token message.
saavagebueno commented 2025-11-20 05:15:44 -05:00
Author
Owner
Copy Link

@sgtaziz commented on GitHub (Mar 4, 2024):

Can confirm the same behavior on my side on Authentik 2024.2.1. It was working fine before the update. My existing authenticated clients continue to work, but I cannot authenticate any new ones. https://github.com/netbirdio/netbird/issues/1531 seems to be related, I tried the suggested fix there as well but unfortunately the issue still exists.

EDIT:
Looks like it's an upstream authentik issue. Fix was applied 5 days ago but still hasn't been released, should be fixed in 2024.2.2 (See https://github.com/goauthentik/authentik/pull/8731 and https://github.com/goauthentik/authentik/issues/8660).

@sgtaziz commented on GitHub (Mar 4, 2024): Can confirm the same behavior on my side on Authentik 2024.2.1. It was working fine before the update. My existing authenticated clients continue to work, but I cannot authenticate any new ones. https://github.com/netbirdio/netbird/issues/1531 seems to be related, I tried the suggested fix there as well but unfortunately the issue still exists. EDIT: Looks like it's an upstream authentik issue. Fix was applied 5 days ago but still hasn't been released, should be fixed in 2024.2.2 (See https://github.com/goauthentik/authentik/pull/8731 and https://github.com/goauthentik/authentik/issues/8660).
saavagebueno commented 2025-11-20 05:15:45 -05:00
Author
Owner
Copy Link

@mlsmaycon commented on GitHub (Mar 8, 2024):

2024.2.2 has been released, did you have the chance to test it?

@mlsmaycon commented on GitHub (Mar 8, 2024): 2024.2.2 has been released, did you have the chance to test it?
saavagebueno commented 2025-11-20 05:15:45 -05:00
Author
Owner
Copy Link

@jkirkcaldy commented on GitHub (Mar 11, 2024):

Yes, still not working for me.
image

In the iOS app I am getting an authentik, invalid redirect URI error also.
the redirect URI are set as:
image

@jkirkcaldy commented on GitHub (Mar 11, 2024): Yes, still not working for me. ![image](https://github.com/netbirdio/netbird/assets/26098592/cc9020ef-c14e-42fe-a654-b586701dcc24) In the iOS app I am getting an authentik, invalid redirect URI error also. the redirect URI are set as: ![image](https://github.com/netbirdio/netbird/assets/26098592/8ab8f05e-c737-4c1f-9d31-f85746c03108)
saavagebueno commented 2025-11-20 05:15:45 -05:00
Author
Owner
Copy Link

@mlsmaycon commented on GitHub (Mar 17, 2024):

@sgtaziz can you share the logs from your management service container?

@mlsmaycon commented on GitHub (Mar 17, 2024): @sgtaziz can you share the logs from your management service container?
saavagebueno commented 2025-11-20 05:15:45 -05:00
Author
Owner
Copy Link

@sgtaziz commented on GitHub (Mar 17, 2024):

@mlsmaycon Everything is working from my side now. For me, it was 2 seperate issues:

  1. I had offline_access scope enabled, which was not working correctly in Authentik 2024.2.1. This issue was resolved in 2024.2.2
  2. When I disabled offline_access scope in 2024.2.1 (and in 2024.2.2), I still had the 401 error. This was actually completely unrelated, and was caused by incorrect credentials to my netbird service account. I deleted the account and recreated it, and it was working perfectly after. I suggest you try the same @jkirkcaldy!
@sgtaziz commented on GitHub (Mar 17, 2024): @mlsmaycon Everything is working from my side now. For me, it was 2 seperate issues: 1. I had `offline_access` scope enabled, which was not working correctly in Authentik 2024.2.1. This issue was resolved in 2024.2.2 2. When I disabled `offline_access` scope in 2024.2.1 (and in 2024.2.2), I still had the 401 error. This was actually completely unrelated, and was caused by incorrect credentials to my `netbird` service account. I deleted the account and recreated it, and it was working perfectly after. I suggest you try the same @jkirkcaldy!
saavagebueno commented 2025-11-20 05:15:45 -05:00
Author
Owner
Copy Link

@mlsmaycon commented on GitHub (Mar 17, 2024):

thanks for confirming @sgtaziz.

@jkirkcaldy can you share the logs from your management service container?

@mlsmaycon commented on GitHub (Mar 17, 2024): thanks for confirming @sgtaziz. @jkirkcaldy can you share the logs from your management service container?
saavagebueno commented 2025-11-20 05:15:45 -05:00
Author
Owner
Copy Link

@jkirkcaldy commented on GitHub (Mar 25, 2024):

Same issues after re-creating the netbird user in Authentik.

These are the management logs:

2024-03-25T15:47:50Z INFO management/cmd/management.go:449: loading OIDC configuration from the provided IDP configuration endpoint https://authentik.example.co.uk/application/o/netbird/.well-known/openid-configuration
2024-03-25T15:47:51Z INFO management/cmd/management.go:454: loaded OIDC configuration from the provided IDP configuration endpoint: https://authentik.example.co.uk/application/o/netbird/.well-known/openid-configuration
2024-03-25T15:47:51Z INFO management/cmd/management.go:456: overriding HttpConfig.AuthIssuer with a new value https://authentik.example.co.uk/application/o/netbird/, previously configured value: https://authentik.example.co.uk/application/o/netbird/
2024-03-25T15:47:51Z INFO management/cmd/management.go:460: overriding HttpConfig.AuthKeysLocation (JWT certs) with a new value https://authentik.example.co.uk/application/o/netbird/jwks/, previously configured value: https://authentik.example.co.uk/application/o/netbird/jwks/
2024-03-25T15:47:51Z INFO management/cmd/management.go:465: overriding DeviceAuthorizationFlow.TokenEndpoint with a new value: https://authentik.example.co.uk/application/o/token/, previously configured value: https://authentik.example.co.uk/application/o/token/
2024-03-25T15:47:51Z INFO management/cmd/management.go:468: overriding DeviceAuthorizationFlow.DeviceAuthEndpoint with a new value: https://authentik.example.co.uk/application/o/device/, previously configured value: https://authentik.example.co.uk/application/o/device/
2024-03-25T15:47:51Z INFO management/cmd/management.go:476: overriding DeviceAuthorizationFlow.ProviderConfig.Domain with a new value: authentik.example.co.uk, previously configured value: authentik.example.co.uk
2024-03-25T15:47:51Z INFO management/cmd/management.go:486: overriding PKCEAuthorizationFlow.TokenEndpoint with a new value: https://authentik.example.co.uk/application/o/token/, previously configured value: https://authentik.example.co.uk/application/o/token/
2024-03-25T15:47:51Z INFO management/cmd/management.go:489: overriding PKCEAuthorizationFlow.AuthorizationEndpoint with a new value: https://authentik.example.co.uk/application/o/authorize/, previously configured value: https://authentik.example.co.uk/application/o/authorize/
2024-03-25T15:47:51Z INFO management/server/telemetry/app_metrics.go:177: enabled application metrics and exposing on http://0.0.0.0:8081
2024-03-25T15:47:51Z INFO management/server/store.go:92: using SQLite store engine
2024-03-25T15:47:52Z INFO management/cmd/management.go:172: geo location service has been initialized from /var/lib/netbird/
2024-03-25T15:47:52Z INFO management/server/account.go:848: single account mode enabled, accounts number 1
2024-03-25T15:47:52Z WARN management/cmd/management.go:186: TrustedPeers are configured to default value '0.0.0.0/0', '::/0'. This allows connection IP spoofing.
2024-03-25T15:47:52Z WARN management/server/account.go:888: failed warming up cache due to error: unable to get authentik token, statusCode 400
2024-03-25T15:47:52Z INFO management/cmd/management.go:287: running gRPC backward compatibility server: [::]:33073
2024-03-25T15:47:52Z INFO management/cmd/management.go:319: management server version 0.26.3
2024-03-25T15:47:52Z INFO management/cmd/management.go:320: running HTTP server and gRPC server on the same port: [::]:443
2024-03-25T15:48:10Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-25T15:48:10Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400
2024-03-25T15:48:10Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-25T15:48:10Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 2097093298: GET /api/users status 401
2024-03-25T15:48:10Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-25T15:48:11Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400
2024-03-25T15:48:11Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-25T15:48:11Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 1411618969: GET /api/users status 401
2024-03-25T15:48:11Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-25T15:48:11Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400
2024-03-25T15:48:11Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-25T15:48:11Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 2393209750: GET /api/groups status 401
2024-03-25T15:48:11Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-25T15:48:11Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400
2024-03-25T15:48:11Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-25T15:48:11Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 3916251322: GET /api/users status 401
@jkirkcaldy commented on GitHub (Mar 25, 2024): Same issues after re-creating the netbird user in Authentik. These are the management logs: ``` 2024-03-25T15:47:50Z INFO management/cmd/management.go:449: loading OIDC configuration from the provided IDP configuration endpoint https://authentik.example.co.uk/application/o/netbird/.well-known/openid-configuration 2024-03-25T15:47:51Z INFO management/cmd/management.go:454: loaded OIDC configuration from the provided IDP configuration endpoint: https://authentik.example.co.uk/application/o/netbird/.well-known/openid-configuration 2024-03-25T15:47:51Z INFO management/cmd/management.go:456: overriding HttpConfig.AuthIssuer with a new value https://authentik.example.co.uk/application/o/netbird/, previously configured value: https://authentik.example.co.uk/application/o/netbird/ 2024-03-25T15:47:51Z INFO management/cmd/management.go:460: overriding HttpConfig.AuthKeysLocation (JWT certs) with a new value https://authentik.example.co.uk/application/o/netbird/jwks/, previously configured value: https://authentik.example.co.uk/application/o/netbird/jwks/ 2024-03-25T15:47:51Z INFO management/cmd/management.go:465: overriding DeviceAuthorizationFlow.TokenEndpoint with a new value: https://authentik.example.co.uk/application/o/token/, previously configured value: https://authentik.example.co.uk/application/o/token/ 2024-03-25T15:47:51Z INFO management/cmd/management.go:468: overriding DeviceAuthorizationFlow.DeviceAuthEndpoint with a new value: https://authentik.example.co.uk/application/o/device/, previously configured value: https://authentik.example.co.uk/application/o/device/ 2024-03-25T15:47:51Z INFO management/cmd/management.go:476: overriding DeviceAuthorizationFlow.ProviderConfig.Domain with a new value: authentik.example.co.uk, previously configured value: authentik.example.co.uk 2024-03-25T15:47:51Z INFO management/cmd/management.go:486: overriding PKCEAuthorizationFlow.TokenEndpoint with a new value: https://authentik.example.co.uk/application/o/token/, previously configured value: https://authentik.example.co.uk/application/o/token/ 2024-03-25T15:47:51Z INFO management/cmd/management.go:489: overriding PKCEAuthorizationFlow.AuthorizationEndpoint with a new value: https://authentik.example.co.uk/application/o/authorize/, previously configured value: https://authentik.example.co.uk/application/o/authorize/ 2024-03-25T15:47:51Z INFO management/server/telemetry/app_metrics.go:177: enabled application metrics and exposing on http://0.0.0.0:8081 2024-03-25T15:47:51Z INFO management/server/store.go:92: using SQLite store engine 2024-03-25T15:47:52Z INFO management/cmd/management.go:172: geo location service has been initialized from /var/lib/netbird/ 2024-03-25T15:47:52Z INFO management/server/account.go:848: single account mode enabled, accounts number 1 2024-03-25T15:47:52Z WARN management/cmd/management.go:186: TrustedPeers are configured to default value '0.0.0.0/0', '::/0'. This allows connection IP spoofing. 2024-03-25T15:47:52Z WARN management/server/account.go:888: failed warming up cache due to error: unable to get authentik token, statusCode 400 2024-03-25T15:47:52Z INFO management/cmd/management.go:287: running gRPC backward compatibility server: [::]:33073 2024-03-25T15:47:52Z INFO management/cmd/management.go:319: management server version 0.26.3 2024-03-25T15:47:52Z INFO management/cmd/management.go:320: running HTTP server and gRPC server on the same port: [::]:443 2024-03-25T15:48:10Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled 2024-03-25T15:48:10Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400 2024-03-25T15:48:10Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid 2024-03-25T15:48:10Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 2097093298: GET /api/users status 401 2024-03-25T15:48:10Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled 2024-03-25T15:48:11Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400 2024-03-25T15:48:11Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid 2024-03-25T15:48:11Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 1411618969: GET /api/users status 401 2024-03-25T15:48:11Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled 2024-03-25T15:48:11Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400 2024-03-25T15:48:11Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid 2024-03-25T15:48:11Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 2393209750: GET /api/groups status 401 2024-03-25T15:48:11Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled 2024-03-25T15:48:11Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400 2024-03-25T15:48:11Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid 2024-03-25T15:48:11Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 3916251322: GET /api/users status 401 ```
saavagebueno commented 2025-11-20 05:15:46 -05:00
Author
Owner
Copy Link

@vincent-lg18 commented on GitHub (Mar 26, 2024):

I had exactly the same problem until I changed a few things:

  1. you have to bind the Netbird user to the Netbird application in the menu Applications > Applications > Netbird > Policy / Group / User Bindings.
    image

  2. the "password" field associated with the Netbird user in the management.json file must be an App password, which can be created in the Directory > Tokens and App passwords menu. Do not use the Netbird user password that you may have created when creating the Netbird user in the Directory > Users menu.
    image

@vincent-lg18 commented on GitHub (Mar 26, 2024): I had exactly the same problem until I changed a few things: 1. you have to bind the Netbird user to the Netbird application in the menu `Applications > Applications > Netbird > Policy / Group / User Bindings`. ![image](https://github.com/netbirdio/netbird/assets/57795966/ee4c1cd4-5c13-4ffd-8fcd-7c988f0487ea) 2. the "password" field associated with the Netbird user in the management.json file must be an App password, which can be created in the `Directory > Tokens and App passwords` menu. Do not use the Netbird user password that you may have created when creating the Netbird user in the `Directory > Users` menu. ![image](https://github.com/netbirdio/netbird/assets/57795966/b66573f1-0279-45ef-ad84-a0a26feb6347)
saavagebueno commented 2025-11-20 05:15:46 -05:00
Author
Owner
Copy Link

@jkirkcaldy commented on GitHub (Mar 26, 2024):

Ok, I've tried changing these settings and I'm still getting the same result:

2024-03-26T14:43:45Z WARN management/server/account.go:888: failed warming up cache due to error: unable to get authentik token, statusCode 400
2024-03-26T14:43:46Z INFO management/cmd/management.go:287: running gRPC backward compatibility server: [::]:33073
2024-03-26T14:43:46Z INFO management/cmd/management.go:319: management server version 0.26.3
2024-03-26T14:43:46Z INFO management/cmd/management.go:320: running HTTP server and gRPC server on the same port: [::]:443
2024-03-26T14:44:12Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-26T14:44:12Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400
2024-03-26T14:44:12Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-26T14:44:12Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 1102790954: GET /api/users status 401
2024-03-26T14:44:13Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-26T14:44:14Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-26T14:44:14Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400
2024-03-26T14:44:14Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-26T14:44:14Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 3549645181: GET /api/users status 401
2024-03-26T14:44:15Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-26T14:44:15Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400
2024-03-26T14:44:15Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-26T14:44:15Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 2353810366: GET /api/groups status 401
2024-03-26T14:44:15Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400
2024-03-26T14:44:15Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-26T14:44:15Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 3963034838: GET /api/users status 401

For what it's worth, I'm getting a different error in the iOS app. I'm getting an redirect URI error error inside authentik and it doesn't return me to the app.

@jkirkcaldy commented on GitHub (Mar 26, 2024): Ok, I've tried changing these settings and I'm still getting the same result: ``` 2024-03-26T14:43:45Z WARN management/server/account.go:888: failed warming up cache due to error: unable to get authentik token, statusCode 400 2024-03-26T14:43:46Z INFO management/cmd/management.go:287: running gRPC backward compatibility server: [::]:33073 2024-03-26T14:43:46Z INFO management/cmd/management.go:319: management server version 0.26.3 2024-03-26T14:43:46Z INFO management/cmd/management.go:320: running HTTP server and gRPC server on the same port: [::]:443 2024-03-26T14:44:12Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled 2024-03-26T14:44:12Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400 2024-03-26T14:44:12Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid 2024-03-26T14:44:12Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 1102790954: GET /api/users status 401 2024-03-26T14:44:13Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled 2024-03-26T14:44:14Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled 2024-03-26T14:44:14Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400 2024-03-26T14:44:14Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid 2024-03-26T14:44:14Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 3549645181: GET /api/users status 401 2024-03-26T14:44:15Z INFO management/server/account.go:1582: overriding JWT Domain and DomainCategory claims since single account mode is enabled 2024-03-26T14:44:15Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400 2024-03-26T14:44:15Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid 2024-03-26T14:44:15Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 2353810366: GET /api/groups status 401 2024-03-26T14:44:15Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400 2024-03-26T14:44:15Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid 2024-03-26T14:44:15Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 3963034838: GET /api/users status 401 ``` For what it's worth, I'm getting a different error in the iOS app. I'm getting an `redirect URI error` error inside authentik and it doesn't return me to the app.
saavagebueno commented 2025-11-20 05:15:46 -05:00
Author
Owner
Copy Link

@Codixer commented on GitHub (May 23, 2024):

I had exactly the same problem until I changed a few things:

  1. you have to bind the Netbird user to the Netbird application in the menu Applications > Applications > Netbird > Policy / Group / User Bindings.
    image
  2. the "password" field associated with the Netbird user in the management.json file must be an App password, which can be created in the Directory > Tokens and App passwords menu. Do not use the Netbird user password that you may have created when creating the Netbird user in the Directory > Users menu.
    image

This worked for me, I updated to the latest version of Authentik and updated netbird (both the git and the docker files). gave a user bind to the application for the Netbird account and BOOM. It authenticated me.

If you want, I could check with you through Discord (codixer) if you'd like. @jkirkcaldy

@Codixer commented on GitHub (May 23, 2024): > I had exactly the same problem until I changed a few things: > > 1. you have to bind the Netbird user to the Netbird application in the menu `Applications > Applications > Netbird > Policy / Group / User Bindings`. > ![image](https://private-user-images.githubusercontent.com/57795966/316889017-ee4c1cd4-5c13-4ffd-8fcd-7c988f0487ea.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTY0ODYxNTEsIm5iZiI6MTcxNjQ4NTg1MSwicGF0aCI6Ii81Nzc5NTk2Ni8zMTY4ODkwMTctZWU0YzFjZDQtNWMxMy00ZmZkLThmY2QtN2M5ODhmMDQ4N2VhLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA1MjMlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNTIzVDE3MzczMVomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTU5YTg3ODg1MWFhNGQzZDkwYTEwZGQ5ZTgxMDE3ODNjYzYyMDRhZTQxN2MwZWIyYWY4ZWFjYmI3YzQ2YWE5YjYmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.KLVbc2zcRVDPxlx4vu8nHROyRIvB0uDNgDgzFB7zB4E) > 2. the "password" field associated with the Netbird user in the management.json file must be an App password, which can be created in the `Directory > Tokens and App passwords` menu. Do not use the Netbird user password that you may have created when creating the Netbird user in the `Directory > Users` menu. > ![image](https://private-user-images.githubusercontent.com/57795966/316888591-b66573f1-0279-45ef-ad84-a0a26feb6347.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTY0ODYxNTEsIm5iZiI6MTcxNjQ4NTg1MSwicGF0aCI6Ii81Nzc5NTk2Ni8zMTY4ODg1OTEtYjY2NTczZjEtMDI3OS00NWVmLWFkODQtYTBhMjZmZWI2MzQ3LnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA1MjMlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNTIzVDE3MzczMVomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPWJhYjA0MDVkNWE2Yzk1N2I2ZThlNjA4OTllZTc4YWM1OTc4YWIxMGVhNzY3MGE1MjAzZjU5YzUxYzc2NzdhNDgmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.xBYISjLMnr3jP0rhPHjtwcuWe_eGAWyvTpSJUYCBM5Q) This worked for me, I updated to the latest version of Authentik and updated netbird (both the git and the docker files). gave a user bind to the application for the Netbird account and BOOM. It authenticated me. If you want, I could check with you through Discord (codixer) if you'd like. @jkirkcaldy
saavagebueno commented 2025-11-20 05:15:46 -05:00
Author
Owner
Copy Link

@ne0YT commented on GitHub (Dec 16, 2024):

@Codixer THANK YOU!
"you have to bind the Netbird user to the Netbird application in the menu Applications > Applications > Netbird > Policy / Group / User Bindings."

this is not in the docs. it fixed the issue for me.

@ne0YT commented on GitHub (Dec 16, 2024): @Codixer THANK YOU! "you have to bind the Netbird user to the Netbird application in the menu Applications > Applications > Netbird > Policy / Group / User Bindings." this is not in the docs. it fixed the issue for me.
saavagebueno commented 2025-11-20 05:15:46 -05:00
Author
Owner
Copy Link

@Archgeus commented on GitHub (Dec 26, 2024):

Using latest version of Netbird and latest version of Authentik (2024.12.1) at the current date. Unfortunately, all the suggestions listed by the folks doesn't work for me.

2024-12-26T18:41:25Z ERRO [context: HTTP, requestID: xxx-xxx-xxx-xxx] management/server/http/middleware/auth_middleware.go:89: Error when validating JWT claims: 403 Forbidden
2024-12-26T18:41:25Z ERRO [context: HTTP, requestID: xxx-xxx-xxx-xxx] management/server/http/util/util.go:85: got a handler error: token invalid
2024-12-26T18:41:25Z ERRO [context: HTTP, requestID: xxx-xxx-xxx-xxx] management/server/telemetry/http_api_metrics.go:168: HTTP response xxx-xxx-xxx-xxx: GET /api/users status 401
@Archgeus commented on GitHub (Dec 26, 2024): Using latest version of Netbird and latest version of Authentik (2024.12.1) at the current date. Unfortunately, all the suggestions listed by the folks doesn't work for me. ``` 2024-12-26T18:41:25Z ERRO [context: HTTP, requestID: xxx-xxx-xxx-xxx] management/server/http/middleware/auth_middleware.go:89: Error when validating JWT claims: 403 Forbidden 2024-12-26T18:41:25Z ERRO [context: HTTP, requestID: xxx-xxx-xxx-xxx] management/server/http/util/util.go:85: got a handler error: token invalid 2024-12-26T18:41:25Z ERRO [context: HTTP, requestID: xxx-xxx-xxx-xxx] management/server/telemetry/http_api_metrics.go:168: HTTP response xxx-xxx-xxx-xxx: GET /api/users status 401 ```
saavagebueno commented 2025-11-20 05:15:46 -05:00
Author
Owner
Copy Link

@Akruidenberg commented on GitHub (Dec 30, 2024):

Having the same problem.
UPDATE: see https://github.com/goauthentik/authentik/issues/12368
Fixed, finally!

@Akruidenberg commented on GitHub (Dec 30, 2024): Having the same problem. UPDATE: see https://github.com/goauthentik/authentik/issues/12368 Fixed, finally!
saavagebueno commented 2025-11-20 05:15:46 -05:00
Author
Owner
Copy Link

@carsten-re commented on GitHub (Dec 31, 2024):

I ran into the same problems with 400 and 401 errors.
None of the above solutions helped me.
My issue was, that I had created the Netbird service account through Users --> Create --> Service Account.
What solved it, was to create the Service Account through Users --> "Create Service account"

image

I think the difference is, that the the user path is "users" instead of "goauthentik.io/service-accounts".

@carsten-re commented on GitHub (Dec 31, 2024): I ran into the same problems with 400 and 401 errors. None of the above solutions helped me. My issue was, that I had created the Netbird service account through Users --> Create --> Service Account. What solved it, was to create the Service Account through Users --> "Create Service account" ![image](https://github.com/user-attachments/assets/f620d82c-a50a-4a43-b085-9316d3e781c5) I think the difference is, that the the user path is "users" instead of "goauthentik.io/service-accounts".
saavagebueno commented 2025-11-20 05:15:47 -05:00
Author
Owner
Copy Link

@nazarewk commented on GitHub (Apr 28, 2025):

Hello @jkirkcaldy,

We're currently reviewing our open issues and would like to verify if this problem still exists in the latest NetBird version.

Could you please confirm if the issue is still there?

We may close this issue temporarily if we don't hear back from you within 2 weeks, but feel free to reopen it with updated information.

Thanks for your contribution to improving the project!

@nazarewk commented on GitHub (Apr 28, 2025): Hello @jkirkcaldy, We're currently reviewing our open issues and would like to verify if this problem still exists in the [latest NetBird version](https://github.com/netbirdio/netbird/releases). Could you please confirm if the issue is still there? We may close this issue temporarily if we don't hear back from you within **2 weeks**, but feel free to reopen it with updated information. Thanks for your contribution to improving the project!
saavagebueno commented 2025-11-20 05:15:47 -05:00
Author
Owner
Copy Link

@Deniom3 commented on GitHub (May 10, 2025):

У меня была точно такая же проблема, пока я не изменил несколько вещей:

  1. вам нужно привязать пользователя Netbird к приложению Netbird в меню Applications > Applications > Netbird > Policy / Group / User Bindings.
    image
  2. поле «пароль», связанное с пользователем Netbird в файле management.json, должно быть паролем приложения, который можно создать в меню Directory > Tokens and App passwords. Не используйте пароль пользователя Netbird, который вы могли создать при создании пользователя Netbird в меню Directory > Users.
    image

Thank you. During a new installation, these steps in addition to the main documentation helped.

Please make clarifications to the documentation.
Authentik version 2025.4.0 netbird 0.43.3

@Deniom3 commented on GitHub (May 10, 2025): > У меня была точно такая же проблема, пока я не изменил несколько вещей: > > 1. вам нужно привязать пользователя Netbird к приложению Netbird в меню `Applications > Applications > Netbird > Policy / Group / User Bindings`. > ![image](https://github.com/netbirdio/netbird/assets/57795966/ee4c1cd4-5c13-4ffd-8fcd-7c988f0487ea) > 2. поле «пароль», связанное с пользователем Netbird в файле management.json, должно быть паролем приложения, который можно создать в меню `Directory > Tokens and App passwords`. Не используйте пароль пользователя Netbird, который вы могли создать при создании пользователя Netbird в меню `Directory > Users`. > ![image](https://github.com/netbirdio/netbird/assets/57795966/b66573f1-0279-45ef-ad84-a0a26feb6347) Thank you. During a new installation, these steps in addition to the main documentation helped. Please make clarifications to the documentation. Authentik version 2025.4.0 netbird 0.43.3
saavagebueno commented 2025-11-20 05:15:47 -05:00
Author
Owner
Copy Link

@Danpiel commented on GitHub (May 15, 2025):

I tried all fixes proposed above, and still encountering this issue.

@Danpiel commented on GitHub (May 15, 2025): I tried all fixes proposed above, and still encountering this issue.
saavagebueno commented 2025-11-20 05:15:47 -05:00
Author
Owner
Copy Link

@Codixer commented on GitHub (May 16, 2025):

I tried all fixes proposed above, and still encountering this issue.

What is the issue now? (Logs, errors, etc)

@Codixer commented on GitHub (May 16, 2025): > I tried all fixes proposed above, and still encountering this issue. What is the issue now? (Logs, errors, etc)
saavagebueno commented 2025-11-20 05:15:47 -05:00
Author
Owner
Copy Link

@JMNRA commented on GitHub (May 29, 2025):

I had the same issue and found the fix in the authentik docs .

All I needed to add were these two scopes:

authentik Default OAuth Mapping: OpenID 'offline_access'  
authentik Default OAuth Mapping: authentik API access

Image

After adding them, everything worked fine. I think it would be really helpful to include this in the NetBird docs too, so others don’t get stuck on this part.

@JMNRA commented on GitHub (May 29, 2025): I had the same issue and found the fix in the [authentik docs ](https://docs.goauthentik.io/integrations/services/netbird/). All I needed to add were these two scopes: authentik Default OAuth Mapping: OpenID 'offline_access' authentik Default OAuth Mapping: authentik API access ![Image](https://github.com/user-attachments/assets/642bf885-f3b7-48f8-a6d3-350b5c6c875b) After adding them, everything worked fine. I think it would be really helpful to include this in the NetBird docs too, so others don’t get stuck on this part.
saavagebueno commented 2025-11-20 05:15:47 -05:00
Author
Owner
Copy Link

@scr4tchy commented on GitHub (Jun 1, 2025):

I also added those scopes, but no luck.

I also found that NETBIRD_IDP_MGMT_EXTRA_USERNAME and NETBIRD_IDP_MGMT_EXTRA_PASSWORD are never used in the code... Can you confirm whether your setup works without a Service Account?

@scr4tchy commented on GitHub (Jun 1, 2025): I also added those scopes, but no luck. I also found that `NETBIRD_IDP_MGMT_EXTRA_USERNAME` and `NETBIRD_IDP_MGMT_EXTRA_PASSWORD` are never used in the code... Can you confirm whether your setup works without a Service Account?
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
2021 Q4
2022 Q1
2022 Q1
accessibility
acl
agent
agent
Android
Android
api
authentik
automation
azure
battery-usage
bug
cache
client
client-ui
cloud
cloud-only
cloudflare
community
compatibility
config-idp
config-issue
connection
contribution
coturn
cross-vpn
dashboard
data-usage
distribution
dns
docker
documentation
duplicate
enhancement
enhancement
event-stream
feature-request
freebsd
getting-started
go
good first issue
gui
help wanted
home-assistant
idp
inconsistency
integration
integrations
ios
ipv6
jwt
k8s
keycloak
linux
login
macos
management-service
missing-docs
mobile
moved-internal
needs-review
netbird-ui
networking
new-platform
nginx
notification
okta
openwrt
packaging
peer-management
peer-management
peer-management
performance
postgres
posture-checks
psk
pull-request
Mirrored from GitHub Pull Request
 question
refactor
relay
release
rfc
routes
security
security-related
self-hosting
server
signal
sleep-issue
ssh
ssl
status
store
synology
system-compatibility-issue
test-suite
third-party-integration
triage
triage-needed
troubleshooting
UX
waiting-feedback
windows
wontfix
zitadel
No Label getting-started self-hosting waiting-feedback
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
saavagebueno
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: SVI/netbird#671
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?