Unable to get azure token, statusCode 400 #678

Closed
opened 2025-11-20 05:15:51 -05:00 by saavagebueno · 12 comments

Originally created by @rqi14 on GitHub (Mar 4, 2024).

Describe the problem

Hi. I self-hosted using docker compose according to the tutorial. I used nginx as reverse proxy and Entra ID (Azure) as IdP. I configured it step by step but it gives me this error:
`WARN management/server/account.go:889: failed warming up cache due to error: unable to get azure token, statusCode 400`

In the web interface, it keeps refreshing and complains about these errors:

image

To Reproduce

Steps to reproduce the behavior:

  1. Set up the reverse proxy and Azure ID according to the tutorial
  2. Open https://netbird.FQDN/
  3. See error

Expected behavior

I should be able to run it without error

Are you using NetBird Cloud?

Self-host

NetBird version

0.26.2

NetBird status -d output:

If applicable, add the `netbird status -d` command output.

I don't have it but I can post the management container log here:

```text
management-1 | 2024-03-04T05:19:47Z INFO management/cmd/management.go:447: loading OIDC configuration from the provided IDP configuration endpoint https://login.partner.microsoftonline.cn/<tenant-id>/v2.0/.well-known/openid-configuration
management-1 | 2024-03-04T05:19:48Z INFO management/cmd/management.go:452: loaded OIDC configuration from the provided IDP configuration endpoint: https://login.partner.microsoftonline.cn/<tenant-id>/v2.0/.well-known/openid-configuration
management-1 | 2024-03-04T05:19:48Z INFO management/cmd/management.go:454: overriding HttpConfig.AuthIssuer with a new value https://login.partner.microsoftonline.cn/<tenant-id>/v2.0, previously configured value: https://login.partner.microsoftonline.cn/<tenant-id>/v2.0
management-1 | 2024-03-04T05:19:48Z INFO management/cmd/management.go:458: overriding HttpConfig.AuthKeysLocation (JWT certs) with a new value https://login.partner.microsoftonline.cn/<tenant-id>/discovery/v2.0/keys, previously configured value: https://login.partner.microsoftonline.cn/<tenant-id>/discovery/v2.0/keys
management-1 | 2024-03-04T05:19:48Z INFO management/cmd/management.go:484: overriding PKCEAuthorizationFlow.TokenEndpoint with a new value: https://login.partner.microsoftonline.cn/<tenant-id>/oauth2/v2.0/token, previously configured value: https://login.partner.microsoftonline.cn/<tenant-id>/oauth2/v2.0/token
management-1 | 2024-03-04T05:19:48Z INFO management/cmd/management.go:487: overriding PKCEAuthorizationFlow.AuthorizationEndpoint with a new value: https://login.partner.microsoftonline.cn/<tenant-id>/oauth2/v2.0/authorize, previously configured value: https://login.partner.microsoftonline.cn/<tenant-id>/oauth2/v2.0/authorize
management-1 | 2024-03-04T05:19:48Z INFO management/server/telemetry/app_metrics.go:177: enabled application metrics and exposing on http://0.0.0.0:8081
management-1 | 2024-03-04T05:19:48Z INFO management/server/store.go:94: using SQLite store engine
management-1 | 2024-03-04T05:22:42Z INFO management/cmd/management.go:447: loading OIDC configuration from the provided IDP configuration endpoint https://login.partner.microsoftonline.cn/<tenant-id>/v2.0/.well-known/openid-configuration
management-1 | 2024-03-04T05:22:43Z INFO management/cmd/management.go:452: loaded OIDC configuration from the provided IDP configuration endpoint: https://login.partner.microsoftonline.cn/<tenant-id>/v2.0/.well-known/openid-configuration
management-1 | 2024-03-04T05:22:43Z INFO management/cmd/management.go:454: overriding HttpConfig.AuthIssuer with a new value https://login.partner.microsoftonline.cn/<tenant-id>/v2.0, previously configured value: https://login.partner.microsoftonline.cn/<tenant-id>/v2.0
management-1 | 2024-03-04T05:22:43Z INFO management/cmd/management.go:458: overriding HttpConfig.AuthKeysLocation (JWT certs) with a new value https://login.partner.microsoftonline.cn/<tenant-id>/discovery/v2.0/keys, previously configured value: https://login.partner.microsoftonline.cn/<tenant-id>/discovery/v2.0/keys
management-1 | 2024-03-04T05:22:43Z INFO management/cmd/management.go:484: overriding PKCEAuthorizationFlow.TokenEndpoint with a new value: https://login.partner.microsoftonline.cn/<tenant-id>/oauth2/v2.0/token, previously configured value: https://login.partner.microsoftonline.cn/<tenant-id>/oauth2/v2.0/token
management-1 | 2024-03-04T05:22:43Z INFO management/cmd/management.go:487: overriding PKCEAuthorizationFlow.AuthorizationEndpoint with a new value: https://login.partner.microsoftonline.cn/<tenant-id>/oauth2/v2.0/authorize, previously configured value: https://login.partner.microsoftonline.cn/<tenant-id>/oauth2/v2.0/authorize
management-1 | 2024-03-04T05:22:43Z INFO management/server/telemetry/app_metrics.go:177: enabled application metrics and exposing on http://0.0.0.0:8081
management-1 | 2024-03-04T05:22:43Z INFO management/server/store.go:94: using SQLite store engine
management-1 | 2024-03-04T06:35:42Z INFO management/cmd/management.go:171: geo location service has been initialized from /var/lib/netbird/
management-1 | 2024-03-04T06:35:42Z INFO management/server/account.go:849: single account mode enabled, accounts number 0
management-1 | 2024-03-04T06:35:42Z WARN management/cmd/management.go:185: TrustedPeers are configured to default value '0.0.0.0/0', '::/0'. This allows connection IP spoofing.
management-1 | 2024-03-04T06:35:46Z WARN management/server/account.go:889: failed warming up cache due to error: Post "https://login.partner.microsoftonline.cn/<tenant-id>/oauth2/v2.0/token": dial tcp: lookup login.partner.microsoftonline.cn on 127.0.0.11:53: read udp 127.0.0.1:39173->127.0.0.11:53: i/o timeout
management-1 | Error: failed creating JWT validator: Get "https://login.partner.microsoftonline.cn/<tenant-id>/discovery/v2.0/keys": dial tcp: lookup login.partner.microsoftonline.cn on 127.0.0.11:53: read udp 127.0.0.1:39173->127.0.0.11:53: i/o timeout
management-1 | 2024-03-04T06:35:48Z INFO management/cmd/management.go:447: loading OIDC configuration from the provided IDP configuration endpoint https://login.partner.microsoftonline.cn/<tenant-id>/v2.0/.well-known/openid-configuration
management-1 | 2024-03-04T06:35:48Z INFO management/cmd/management.go:452: loaded OIDC configuration from the provided IDP configuration endpoint: https://login.partner.microsoftonline.cn/<tenant-id>/v2.0/.well-known/openid-configuration
management-1 | 2024-03-04T06:35:48Z INFO management/cmd/management.go:454: overriding HttpConfig.AuthIssuer with a new value https://login.partner.microsoftonline.cn/<tenant-id>/v2.0, previously configured value: https://login.partner.microsoftonline.cn/<tenant-id>/v2.0
management-1 | 2024-03-04T06:35:48Z INFO management/cmd/management.go:458: overriding HttpConfig.AuthKeysLocation (JWT certs) with a new value https://login.partner.microsoftonline.cn/<tenant-id>/discovery/v2.0/keys, previously configured value: https://login.partner.microsoftonline.cn/<tenant-id>/discovery/v2.0/keys
management-1 | 2024-03-04T06:35:48Z INFO management/cmd/management.go:484: overriding PKCEAuthorizationFlow.TokenEndpoint with a new value: https://login.partner.microsoftonline.cn/<tenant-id>/oauth2/v2.0/token, previously configured value: https://login.partner.microsoftonline.cn/<tenant-id>/oauth2/v2.0/token
management-1 | 2024-03-04T06:35:48Z INFO management/cmd/management.go:487: overriding PKCEAuthorizationFlow.AuthorizationEndpoint with a new value: https://login.partner.microsoftonline.cn/<tenant-id>/oauth2/v2.0/authorize, previously configured value: https://login.partner.microsoftonline.cn/<tenant-id>/oauth2/v2.0/authorize
management-1 | 2024-03-04T06:35:48Z INFO management/server/telemetry/app_metrics.go:177: enabled application metrics and exposing on http://0.0.0.0:8081
management-1 | 2024-03-04T06:35:48Z INFO management/server/store.go:94: using SQLite store engine
management-1 | 2024-03-04T06:35:49Z INFO management/cmd/management.go:171: geo location service has been initialized from /var/lib/netbird/
management-1 | 2024-03-04T06:35:49Z INFO management/server/account.go:849: single account mode enabled, accounts number 0
management-1 | 2024-03-04T06:35:49Z WARN management/cmd/management.go:185: TrustedPeers are configured to default value '0.0.0.0/0', '::/0'. This allows connection IP spoofing.
management-1 | 2024-03-04T06:35:49Z INFO management/cmd/management.go:286: running gRPC backward compatibility server: [::]:33073
management-1 | 2024-03-04T06:35:49Z INFO management/cmd/management.go:318: running HTTP server and gRPC server on the same port: [::]:443
management-1 | 2024-03-04T06:35:49Z WARN management/server/account.go:889: failed warming up cache due to error: unable to get azure token, statusCode 400
management-1 | 2024-03-04T06:35:49Z INFO management/server/account.go:1590: overriding JWT Domain and DomainCategory claims since single account mode is enabled
management-1 | 2024-03-04T06:35:49Z ERRO management/server/sqlite_store.go:374: when getting account from the store: record not found
management-1 | 2024-03-04T06:35:50Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get azure token, statusCode 400
management-1 | 2024-03-04T06:35:50Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
management-1 | 2024-03-04T06:35:50Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 4116581583: GET /api/peers status 401
management-1 | 2024-03-04T06:35:59Z INFO management/server/account.go:1590: overriding JWT Domain and DomainCategory claims since single account mode is enabled
management-1 | 2024-03-04T06:36:00Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get azure token, statusCode 400
management-1 | 2024-03-04T06:36:00Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
management-1 | 2024-03-04T06:36:00Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 4067145076: GET /api/groups status 401
management-1 | 2024-03-04T06:36:10Z INFO management/server/account.go:1590: overriding JWT Domain and DomainCategory claims since single account mode is enabled
management-1 | 2024-03-04T06:36:10Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get azure token, statusCode 400
management-1 | 2024-03-04T06:36:10Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
management-1 | 2024-03-04T06:36:10Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 1564696021: GET /api/users status 401
```

Screenshots

If applicable, add screenshots to help explain your problem.

image

Additional context

Add any other context about the problem here.

I used Microsoft 365 operated by 21Vianet, so the endpoint URL is slightly different.

In the Entra ID management centre, it gives me this error:

500011
The resource principal named {name} was not found in the tenant named {tenant}. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.

Developer error - the app requested access to a resource (application) that isn't installed in your tenant. If you expect the app to be installed, you may need to provide administrator permissions to add it. Check with the developers of the resource and application to understand what the right setup for your tenant is.

Below is my setup.env:

## example file, you can copy this file to setup.env and update its values
##

# Image tags
# you can force specific tags for each component; will be set to latest if empty
NETBIRD_DASHBOARD_TAG=""
NETBIRD_SIGNAL_TAG=""
NETBIRD_MANAGEMENT_TAG=""
COTURN_TAG=""

# Dashboard domain. e.g. app.mydomain.com
NETBIRD_DOMAIN="netbird.example.com"

# TURN server domain. e.g. turn.mydomain.com
# if not specified it will assume NETBIRD_DOMAIN
NETBIRD_TURN_DOMAIN=""

# TURN server public IP address
# required for a connection involving peers in
# the same network as the server and external peers
# usually matches the IP for the domain set in NETBIRD_TURN_DOMAIN
NETBIRD_TURN_EXTERNAL_IP=""

# -------------------------------------------
# OIDC
#  e.g., https://example.eu.auth0.com/.well-known/openid-configuration
# -------------------------------------------
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://login.partner.microsoftonline.cn/<tenant-id>/v2.0/.well-known/openid-configuration"
# The default setting is to transmit the audience to the IDP during authorization. However,
# if your IDP does not have this capability, you can turn this off by setting it to false.
#NETBIRD_DASH_AUTH_USE_AUDIENCE=false
NETBIRD_AUTH_AUDIENCE="<application-id>"
# e.g. netbird-client
NETBIRD_AUTH_CLIENT_ID="<application-id>"
# indicates the scopes that will be requested to the IDP
NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api://<application-id>/api"
# NETBIRD_AUTH_CLIENT_SECRET is required only by Google workspace.
# NETBIRD_AUTH_CLIENT_SECRET=""
# if you want to use a custom claim for the user ID instead of 'sub', set it here
NETBIRD_AUTH_USER_ID_CLAIM="oid"
# indicates whether to use Auth0 or not: true or false
NETBIRD_USE_AUTH0="false"
# if your IDP provider doesn't support fragmented URIs, configure custom
# redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain.
NETBIRD_AUTH_REDIRECT_URI="/auth"
NETBIRD_AUTH_SILENT_REDIRECT_URI="/silent-auth"
# Updates the preference to use id tokens instead of access token on dashboard
# Okta and Gitlab IDPs can benefit from this
# NETBIRD_TOKEN_SOURCE="idToken"
# -------------------------------------------
# OIDC Device Authorization Flow
# -------------------------------------------
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""
# Some IDPs requires different audience, scopes and to use id token for device authorization flow
# you can customize here:
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
# -------------------------------------------
# OIDC PKCE Authorization Flow
# -------------------------------------------
# Comma separated port numbers. if already in use, PKCE flow will choose an available port from the list as an alternative
# eg. 53000,54000
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000"
# -------------------------------------------
# IDP Management
# -------------------------------------------
# eg. zitadel, auth0, azure, keycloak
NETBIRD_MGMT_IDP="azure"
# Some IDPs requires different client id and client secret for management api
NETBIRD_IDP_MGMT_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
NETBIRD_IDP_MGMT_CLIENT_SECRET="<client-secret>"
# Required when setting up with Keycloak "https://<YOUR_KEYCLOAK_HOST_AND_PORT>/admin/realms/netbird"
# NETBIRD_IDP_MGMT_EXTRA_ADMIN_ENDPOINT=
# With some IDPs may be needed enabling automatic refresh of signing keys on expire
NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=true
# NETBIRD_IDP_MGMT_EXTRA_ variables. See https://docs.netbird.io/selfhosted/identity-providers for more information about your IDP of choice.
NETBIRD_IDP_MGMT_EXTRA_OBJECT_ID="<object-id-of-application-azure>"
NETBIRD_IDP_MGMT_EXTRA_GRAPH_API_ENDPOINT="https://microsoftgraph.chinacloudapi.cn/v1.0"
# -------------------------------------------
# Letsencrypt
# -------------------------------------------
# Disable letsencrypt
#  if disabled, cannot use HTTPS anymore and requires setting up a reverse-proxy to do it instead
NETBIRD_DISABLE_LETSENCRYPT=true
# e.g. hello@mydomain.com
NETBIRD_LETSENCRYPT_EMAIL=""
# -------------------------------------------
# Extra settings
# -------------------------------------------
# Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
NETBIRD_DISABLE_ANONYMOUS_METRICS=true
# DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
NETBIRD_MGMT_DNS_DOMAIN=netbird.example.com
NETBIRD_MGMT_API_PORT=443
NETBIRD_SIGNAL_PORT=443
saavagebueno added the management-service, windows, idp labels 2025-11-20 05:15:51 -05:00
Author
Owner

@rqi14 commented on GitHub (Mar 5, 2024):

No idea where it went wrong but reconfigure from the template solved the issue.


@rqi14 commented on GitHub (Mar 6, 2024):

Ok I found the problem. According to the tutorial, this should be set: `NETBIRD_MGMT_IDP="azure"`. But it only works when it is set to `NETBIRD_MGMT_IDP="none"`.

Maybe it is somehow related: when I click 'connect' in the Windows client, it doesn't do anything. If I run `netbird up`, it complains no SSO provider returned from management.

```
2024-03-07T02:08:53+08:00 WARN client/cmd/root.go:204: retrying Login to the Management service in 1.606479616s due to error rpc error: code = Unknown desc = no SSO provider returned from management. Please proceed with setting up this device using setup keys https://docs.netbird.io/how-to/register-machines-using-setup-keys
```

@bcmmbaga commented on GitHub (Mar 7, 2024):

The error message `unable to get azure token, statusCode 400` on management indicates a misconfiguration of the Azure Entra ID (AD). To resolve this issue, please review the [guidelines](https://docs.netbird.io/selfhosted/identity-providers#azure-ad) and ensure that you follow the outlined steps accurately.

@bcmmbaga commented on GitHub (Mar 7, 2024):

For Windows, open the client, go to settings, and ensure that the `management URL` and `admin URL` are pointing to your self-hosted instance URLs.

@rqi14 commented on GitHub (Mar 7, 2024):

> The error message `unable to get azure token, statusCode 400` on management indicates a misconfiguration of the Azure Entra ID (AD). To resolve this issue, please review the [guidelines](https://docs.netbird.io/selfhosted/identity-providers#azure-ad) and ensure that you follow the outlined steps accurately.

Yes I did check it at least three times. Please see the screenshots below.

Authentication
![image](https://github.com/netbirdio/netbird/assets/26152437/476a1368-fc5a-4284-8602-5d3ff9ee29fa)
![image](https://github.com/netbirdio/netbird/assets/26152437/99d896e4-fd66-4ecd-856d-183766893ded)

Scope
![image](https://github.com/netbirdio/netbird/assets/26152437/00045868-fbc1-4a7b-8a84-8566c67486cd)

Permission
![image](https://github.com/netbirdio/netbird/assets/26152437/77d583b9-823f-4baf-bc60-e467635231b5)

Token. I generated this token and copied and pasted it multiple times... It is 100% correct.
![image](https://github.com/netbirdio/netbird/assets/26152437/63ea50c8-d589-4703-99fe-5eed04c7c01b)

@bcmmbaga commented on GitHub (Mar 7, 2024):

can you share your setup.env?


@rqi14 commented on GitHub (Mar 7, 2024):

> can you share your setup.env?

Please see below

```
## example file, you can copy this file to setup.env and update its values
##

# Image tags
# you can force specific tags for each component; will be set to latest if empty
NETBIRD_DASHBOARD_TAG=""
NETBIRD_SIGNAL_TAG=""
NETBIRD_MANAGEMENT_TAG=""
COTURN_TAG=""

# Dashboard domain. e.g. app.mydomain.com
NETBIRD_DOMAIN="teleport.example.com"

# TURN server domain. e.g. turn.mydomain.com
# if not specified it will assume NETBIRD_DOMAIN
NETBIRD_TURN_DOMAIN=""

# TURN server public IP address
# required for a connection involving peers in
# the same network as the server and external peers
# usually matches the IP for the domain set in NETBIRD_TURN_DOMAIN
NETBIRD_TURN_EXTERNAL_IP=""

# -------------------------------------------
# OIDC
#  e.g., https://example.eu.auth0.com/.well-known/openid-configuration
# -------------------------------------------
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://login.partner.microsoftonline.cn/ac3ee95e-****-****-****-52462d585364/v2.0/.well-known/openid-configuration"
# The default setting is to transmit the audience to the IDP during authorization. However,
# if your IDP does not have this capability, you can turn this off by setting it to false.
#NETBIRD_DASH_AUTH_USE_AUDIENCE=false
NETBIRD_AUTH_AUDIENCE="18554d9e-****-****-****-0e7452cc1678"
# e.g. netbird-client
NETBIRD_AUTH_CLIENT_ID="18554d9e-****-****-****-0e7452cc1678"
# indicates the scopes that will be requested to the IDP
NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api://18554d9e-****-****-****-0e7452cc1678/api"
# NETBIRD_AUTH_CLIENT_SECRET is required only by Google workspace.
# NETBIRD_AUTH_CLIENT_SECRET=""
# if you want to use a custom claim for the user ID instead of 'sub', set it here
NETBIRD_AUTH_USER_ID_CLAIM="oid"
# indicates whether to use Auth0 or not: true or false
NETBIRD_USE_AUTH0="false"
# if your IDP provider doesn't support fragmented URIs, configure custom
# redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain.
NETBIRD_AUTH_REDIRECT_URI="/auth"
NETBIRD_AUTH_SILENT_REDIRECT_URI="/silent-auth"
# Updates the preference to use id tokens instead of access token on dashboard
# Okta and Gitlab IDPs can benefit from this
# NETBIRD_TOKEN_SOURCE="idToken"
# -------------------------------------------
# OIDC Device Authorization Flow
# -------------------------------------------
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""
# Some IDPs requires different audience, scopes and to use id token for device authorization flow
# you can customize here:
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
# -------------------------------------------
# OIDC PKCE Authorization Flow
# -------------------------------------------
# Comma separated port numbers. if already in use, PKCE flow will choose an available port from the list as an alternative
# eg. 53000,54000
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000"
# -------------------------------------------
# IDP Management
# -------------------------------------------
# eg. zitadel, auth0, azure, keycloak
NETBIRD_MGMT_IDP="none"
# Some IDPs requires different client id and client secret for management api
NETBIRD_IDP_MGMT_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
NETBIRD_IDP_MGMT_CLIENT_SECRET="0v67ZA-*****************4RiG"
# Required when setting up with Keycloak "https://<YOUR_KEYCLOAK_HOST_AND_PORT>/admin/realms/netbird"
# NETBIRD_IDP_MGMT_EXTRA_ADMIN_ENDPOINT=
# With some IDPs may be needed enabling automatic refresh of signing keys on expire
NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=false
# NETBIRD_IDP_MGMT_EXTRA_ variables. See https://docs.netbird.io/selfhosted/identity-providers for more information about your IDP of choice.
NETBIRD_IDP_MGMT_EXTRA_OBJECT_ID="c95fa6f9-****-****-****-5c2ce0e34e57"
NETBIRD_IDP_MGMT_EXTRA_GRAPH_API_ENDPOINT="https://microsoftgraph.chinacloudapi.cn/v1.0"
# -------------------------------------------
# Letsencrypt
# -------------------------------------------
# Disable letsencrypt
#  if disabled, cannot use HTTPS anymore and requires setting up a reverse-proxy to do it instead
NETBIRD_DISABLE_LETSENCRYPT=true
# e.g. hello@mydomain.com
NETBIRD_LETSENCRYPT_EMAIL=""
# -------------------------------------------
# Extra settings
# -------------------------------------------
# Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
NETBIRD_DISABLE_ANONYMOUS_METRICS=false
# DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted
NETBIRD_MGMT_API_PORT=443
NETBIRD_SIGNAL_PORT=443
```

These are my endpoints

```
Endpoints
OAuth 2.0 authorization endpoint (v2)
https://login.partner.microsoftonline.cn/ac3ee95e-****-****-****-52462d585364/oauth2/v2.0/authorize
OAuth 2.0 token endpoint (v2)
https://login.partner.microsoftonline.cn/ac3ee95e-****-****-****-52462d585364/oauth2/v2.0/token
OAuth 2.0 authorization endpoint (v1)
https://login.partner.microsoftonline.cn/ac3ee95e-****-****-****-52462d585364/oauth2/authorize
OAuth 2.0 token endpoint (v1)
https://login.partner.microsoftonline.cn/ac3ee95e-****-****-****-52462d585364/oauth2/token
OpenID Connect metadata document
https://login.partner.microsoftonline.cn/ac3ee95e-****-****-****-52462d585364/v2.0/.well-known/openid-configuration
Microsoft Graph API endpoint
https://microsoftgraph.chinacloudapi.cn
Federation metadata document
https://login.partner.microsoftonline.cn/ac3ee95e-****-****-****-52462d585364/federationmetadata/2007-06/federationmetadata.xml
WS-Federation sign-on endpoint
https://login.partner.microsoftonline.cn/ac3ee95e-****-****-****-52462d585364/wsfed
SAML-P sign-on endpoint
https://login.partner.microsoftonline.cn/ac3ee95e-****-****-****-52462d585364/saml2
SAML-P sign-out endpoint
https://login.partner.microsoftonline.cn/ac3ee95e-****-****-****-52462d585364/saml2
```

There are two object IDs. I'm not sure which one to use as it is not specified in the tutorial. I used the one in "properties" (the first screenshot below)
![image](https://github.com/netbirdio/netbird/assets/26152437/ab10ab53-a988-4a50-b5ad-502b4fd0208f)

![image](https://github.com/netbirdio/netbird/assets/26152437/f5275444-51fe-4e97-acb9-6730bdf6840c)

@rqi14 commented on GitHub (Mar 8, 2024):

> can you share your setup.env?

Hi. I found this line below, which may have hardcoded the graph API endpoint. In my case the service run by 21vianet has a different endpoint. Is it a problem?
[Line 118: data.Set("scope", "https://graph.microsoft.com/.default")](https://github.com/netbirdio/netbird/blob/fde1a2196c9b900e6e97f3b31006bd37b725021f/management/server/idp/azure.go#L118)

@rqi14 commented on GitHub (Mar 11, 2024):

> The error message `unable to get azure token, statusCode 400` on management indicates a misconfiguration of the Azure Entra ID (AD). To resolve this issue, please review the [guidelines](https://docs.netbird.io/selfhosted/identity-providers#azure-ad) and ensure that you follow the outlined steps accurately.

I forked the repo, changed the scope URL, built and tested. After changing the scope URL to `https://<graph-api-endpoint>/.default`, the error seen on the server disappeared. Netbird can read user profiles normally. But the bug with no SSO provider etc. still existed. I had to change the device authorization bit in management.json like below. This is different from what the guideline said. The document seems incomplete, as it told me not to fill in the device authorization bit.

```json
"DeviceAuthorizationFlow": {
    "Provider": "hosted",
    "ProviderConfig": {
        "ClientID": "<client-id>",
        "ClientSecret": "",
        "Domain": "",
        "Audience": "<client-id>",
        "TokenEndpoint": "https://login.partner.microsoftonline.cn/ac3ee95e-****-****-****-52462d585364/oauth2/v2.0/token",
        "DeviceAuthEndpoint": "https://login.partner.microsoftonline.cn/ac3ee95e-****-****-****-52462d585364/oauth2/v2.0/devicecode",
        "AuthorizationEndpoint": "",
        "Scope": "openid profile email offline_access api://18554d9e-****-****-****-0e7452cc1678/api",
        "UseIDToken": false,
        "RedirectURLs": null
    }
},
```

@adriangabura commented on GitHub (Jul 11, 2024):

> Ok I found the problem. According to the tutorial, this should be set: `NETBIRD_MGMT_IDP="azure"`. But it only works when it is set to `NETBIRD_MGMT_IDP="none"`.
>
> Maybe it is somehow related: when I click 'connect' in the Windows client, it doesn't do anything. If I run `netbird up`, it complains no SSO provider returned from management.
>
> `2024-03-07T02:08:53+08:00 WARN client/cmd/root.go:204: retrying Login to the Management service in 1.606479616s due to error rpc error: code = Unknown desc = no SSO provider returned from management. Please proceed with setting up this device using setup keys https://docs.netbird.io/how-to/register-machines-using-setup-keys`

Thank you. You saved me much time. I can't thank you enough for this commentary on the "none". @rqi14 Would you be able to help me understand if this is a bug, or I'm missing something? The guide on the netbird site says to set "azure". Is the guide or the codebase bugged? Thanks!

@rqi14 commented on GitHub (Jul 11, 2024):

> > Ok I found the problem. According to the tutorial, this should be set: `NETBIRD_MGMT_IDP="azure"`. But it only works when it is set to `NETBIRD_MGMT_IDP="none"`.
> >
> > Maybe it is somehow related: when I click 'connect' in the Windows client, it doesn't do anything. If I run `netbird up`, it complains no SSO provider returned from management.
> >
> > `2024-03-07T02:08:53+08:00 WARN client/cmd/root.go:204: retrying Login to the Management service in 1.606479616s due to error rpc error: code = Unknown desc = no SSO provider returned from management. Please proceed with setting up this device using setup keys https://docs.netbird.io/how-to/register-machines-using-setup-keys`
>
> Thank you. You saved me much time. I can't thank you enough for this commentary on the "none". @rqi14 Would you be able to help me understand if this is a bug, or I'm missing something? The guide on the netbird site says to set "azure". Is the guide or the codebase bugged? Thanks!

You shouldn't set it to None. My problem was related to a bug about the scope in the sign-in request. The fix has been merged. If setting to azure doesn't work, I suggest checking all the settings again.

@biney999 commented on GitHub (Dec 4, 2024):

> > Ok I found the problem. According to the tutorial, this should be set: `NETBIRD_MGMT_IDP="azure"`. But it only works when it is set to `NETBIRD_MGMT_IDP="none"`.
> >
> > Maybe it is somehow related: when I click 'connect' in the Windows client, it doesn't do anything. If I run `netbird up`, it complains no SSO provider returned from management.
> >
> > `2024-03-07T02:08:53+08:00 WARN client/cmd/root.go:204: retrying Login to the Management service in 1.606479616s due to error rpc error: code = Unknown desc = no SSO provider returned from management. Please proceed with setting up this device using setup keys https://docs.netbird.io/how-to/register-machines-using-setup-keys`
>
> Thank you. You saved me much time. I can't thank you enough for this commentary on the "none". @rqi14 Would you be able to help me understand if this is a bug, or I'm missing something? The guide on the netbird site says to set "azure". Is the guide or the codebase bugged? Thanks!

A little late to the party, but I was setting up a self-hosted Netbird as well and, in following the documentation, ended up going down the same error trail. I found I had accidentally been using the Azure Secret ID in the configuration instead of the Secret Value (partly because of the documentation not being clear on which to use, in my opinion). Just putting this out there in case anyone else is finding the same errors: double check that you are using the right Secret.
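An added example (not NetBird's code) in Go that ties together the two root causes surfaced in this thread: rqi14's finding that the Graph scope was hardcoded to `graph.microsoft.com` while the 21Vianet cloud uses `microsoftgraph.chinacloudapi.cn`, and biney999's finding that a Secret ID had been pasted where the Secret Value belongs. It builds the client-credentials token request body from the configured Graph endpoint and rejects a UUID-shaped secret before any request is sent; function names and the placeholder values are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// defaultGraphEndpoint is the global Microsoft Graph host that the scope at
// azure.go line 118 was hardcoded to in the version discussed in this thread.
const defaultGraphEndpoint = "https://graph.microsoft.com"

// graphScopeFromEndpoint derives the client-credentials scope
// "https://<graph-host>/.default" from the configured
// NETBIRD_IDP_MGMT_EXTRA_GRAPH_API_ENDPOINT. For the 21Vianet-operated cloud
// this yields https://microsoftgraph.chinacloudapi.cn/.default; asking the
// partner tenant for a global-cloud scope is what produced the 400 above.
func graphScopeFromEndpoint(endpoint string) (string, error) {
	if strings.TrimSpace(endpoint) == "" {
		endpoint = defaultGraphEndpoint
	}
	u, err := url.Parse(endpoint)
	if err != nil {
		return "", fmt.Errorf("invalid graph endpoint %q: %w", endpoint, err)
	}
	if u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("graph endpoint must be an https URL with a host, got %q", endpoint)
	}
	// Drop any API version path such as /v1.0; the scope is host-level.
	return "https://" + u.Host + "/.default", nil
}

// uuidRe matches the shape of an Azure object ID or Secret ID. A client secret
// *value* never has this shape, so a UUID in the secret slot almost always
// means the Secret ID column was copied by mistake.
var uuidRe = regexp.MustCompile(
	`^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`)

// looksLikeSecretID reports whether the configured secret is UUID-shaped.
func looksLikeSecretID(secret string) bool {
	return uuidRe.MatchString(strings.TrimSpace(secret))
}

// buildTokenRequest assembles the form body of an OAuth 2.0 client-credentials
// request for the tenant's v2.0 token endpoint, failing early on the two
// misconfigurations this thread showed produce a 400 from Entra ID.
func buildTokenRequest(clientID, clientSecret, graphEndpoint string) (url.Values, error) {
	if clientID == "" || clientSecret == "" {
		return nil, errors.New("client id and client secret are required")
	}
	if looksLikeSecretID(clientSecret) {
		return nil, errors.New("client secret looks like a Secret ID (UUID); use the Secret Value instead")
	}
	scope, err := graphScopeFromEndpoint(graphEndpoint)
	if err != nil {
		return nil, err
	}
	data := url.Values{}
	data.Set("grant_type", "client_credentials")
	data.Set("client_id", clientID)
	data.Set("client_secret", clientSecret)
	data.Set("scope", scope)
	return data, nil
}

func main() {
	// Constructed placeholder values; none of these are real identifiers.
	data, err := buildTokenRequest("<client-id>", "<client-secret-value>",
		"https://microsoftgraph.chinacloudapi.cn/v1.0")
	if err != nil {
		fmt.Println("config error:", err)
		return
	}
	fmt.Println("scope sent to token endpoint:", data.Get("scope"))

	// The mistake from the thread: the Secret ID column pasted as the secret.
	_, err = buildTokenRequest("<client-id>", "00000000-0000-0000-0000-000000000000", "")
	fmt.Println("secret id pasted:", err)
}
```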

Reference: SVI/netbird#678