Token Invalid #926

Open
opened 2025-11-20 05:20:04 -05:00 by saavagebueno · 0 comments
Owner

Originally created by @mighty-services on GitHub (May 24, 2024).

Describe the problem

I've set up netbird on a Hetzner Cloud VM (Ubuntu 22.04 LTS) and used the quick start script. I worked with netbird for a while and then (I think it was after an upgrade) the netbird status page doesn't come up anymore. Instead it's showing the error `Error: Request failed with status code 401`.

I cleared everything and started from scratch and the same thing happened again, right the next day. The error I see in the logs is this:

```
management-1  | 2024-05-24T16:11:44Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get zitadel token, st1
management-1  | 2024-05-24T16:11:44Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
management-1  | 2024-05-24T16:11:44Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 4087911685: GET /api/users status 401
```

I use the latest version of netbird (as of 24.05.2024) since I was following this issue, where they said I should pull the GitHub repo, put the values from the conf files into setup.env and redeploy the stack. This is my current setup.env file:

```
## example file, you can copy this file to setup.env and update its values
##

# Image tags
# you can force specific tags for each component; will be set to latest if empty
NETBIRD_DASHBOARD_TAG=""
NETBIRD_SIGNAL_TAG=""
NETBIRD_MANAGEMENT_TAG=""
COTURN_TAG=""

# Dashboard domain. e.g. app.mydomain.com
NETBIRD_DOMAIN="netbird.example.com"

# TURN server domain. e.g. turn.mydomain.com
# if not specified it will assume NETBIRD_DOMAIN
NETBIRD_TURN_DOMAIN=""

# TURN server public IP address
# required for a connection involving peers in
# the same network as the server and external peers
# usually matches the IP for the domain set in NETBIRD_TURN_DOMAIN
NETBIRD_TURN_EXTERNAL_IP="xx.xxx.xx.xxx"

# -------------------------------------------
# OIDC
#  e.g., https://example.eu.auth0.com/.well-known/openid-configuration
# -------------------------------------------
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://netbird.example.com/oauth/v2/token"
# The default setting is to transmit the audience to the IDP during authorization. However,
# if your IDP does not have this capability, you can turn this off by setting it to false.
#NETBIRD_DASH_AUTH_USE_AUDIENCE=false
NETBIRD_AUTH_AUDIENCE="11111111111111@netbird"
# e.g. netbird-client
NETBIRD_AUTH_CLIENT_ID="1111111111111111@netbird"
# indicates the scopes that will be requested to the IDP
NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access"
# NETBIRD_AUTH_CLIENT_SECRET is required only by Google workspace.
# NETBIRD_AUTH_CLIENT_SECRET=""
# if you want to use a custom claim for the user ID instead of 'sub', set it here
# NETBIRD_AUTH_USER_ID_CLAIM=""
# indicates whether to use Auth0 or not: true or false
NETBIRD_USE_AUTH0="false"
# if your IDP provider doesn't support fragmented URIs, configure custom
# redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain.
NETBIRD_AUTH_REDIRECT_URI=/nb-auth
NETBIRD_AUTH_SILENT_REDIRECT_URI=/nb-silent-auth
# Updates the preference to use id tokens instead of access token on dashboard
# Okta and Gitlab IDPs can benefit from this
# NETBIRD_TOKEN_SOURCE="idToken"
# -------------------------------------------
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER=""
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""
# Some IDPs requires different audience, scopes and to use id token for device authorization flow
# you can customize here:
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
# -------------------------------------------
# OIDC PKCE Authorization Flow
# -------------------------------------------
# Comma separated port numbers. if already in use, PKCE flow will choose an available port from the list as an alternative
# eg. 53000,54000
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000"
# -------------------------------------------
# IDP Management
# -------------------------------------------
# eg. zitadel, auth0, azure, keycloak
NETBIRD_MGMT_IDP="none"
# Some IDPs requires different client id and client secret for management api
NETBIRD_IDP_MGMT_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
NETBIRD_IDP_MGMT_CLIENT_SECRET=""
# Required when setting up with Keycloak "https://<YOUR_KEYCLOAK_HOST_AND_PORT>/admin/realms/netbird"
# NETBIRD_IDP_MGMT_EXTRA_ADMIN_ENDPOINT=
# With some IDPs may be needed enabling automatic refresh of signing keys on expire
# NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=false
# NETBIRD_IDP_MGMT_EXTRA_ variables. See https://docs.netbird.io/selfhosted/identity-providers for more information about your IDP of choice.
# -------------------------------------------
# Letsencrypt
# -------------------------------------------
# Disable letsencrypt
#  if disabled, cannot use HTTPS anymore and requires setting up a reverse-proxy to do it instead
NETBIRD_DISABLE_LETSENCRYPT=false
# e.g. hello@mydomain.com
NETBIRD_LETSENCRYPT_EMAIL=""
# -------------------------------------------
# Extra settings
# -------------------------------------------
# Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
NETBIRD_DISABLE_ANONYMOUS_METRICS=false
# DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted
```
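A sanity check for the two settings this issue turns on (added example, not part of the issue or of NetBird's own tooling): the file's own comment expects `NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT` to be an OIDC discovery URL ending in `/.well-known/openid-configuration`, and the log shows the running management server talking to a Zitadel IdP manager while `NETBIRD_MGMT_IDP` says `none`. The script parses a setup.env fragment and the log lines (both constructed from the values quoted above) and reports the mismatches; the finding texts and the assumption that a non-discovery endpoint explains the `token invalid` 401 are the author's, not NetBird's.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the relevant lines of the setup.env quoted in the issue.
SAMPLE_ENV = """
NETBIRD_DOMAIN="netbird.example.com"
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://netbird.example.com/oauth/v2/token"
NETBIRD_AUTH_AUDIENCE="11111111111111@netbird"
NETBIRD_AUTH_CLIENT_ID="1111111111111111@netbird"
NETBIRD_MGMT_IDP="none"
NETBIRD_IDP_MGMT_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
"""
# Constructed sample: the management log lines from the issue (paths shortened).
SAMPLE_LOG = """\
management-1  | 2024-05-24T16:11:44Z ERRO auth_middleware.go:88: Error when validating JWT claims: unable to get zitadel token, st1
management-1  | 2024-05-24T16:11:44Z ERRO util.go:80: got a handler error: token invalid
"""


def parse_setup_env(text):
    """Parse KEY=VALUE lines: skip comments, strip quotes, expand $VAR to earlier keys."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip().strip('"')
        value = re.sub(r"\$(\w+)", lambda m: env.get(m.group(1), ""), value)
        env[key.strip()] = value
    return env


def check_oidc_config(env, log=""):
    """Return a list of findings (empty list means the checked settings look consistent)."""
    findings = []
    url = urlparse(env.get("NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT", ""))
    if url.scheme != "https":
        findings.append("OIDC configuration endpoint must use https")
    if not url.path.endswith("/.well-known/openid-configuration"):
        # Assumption: a token endpoint instead of the discovery document means the
        # management server cannot learn the issuer/JWKS, so every JWT fails with 401.
        findings.append("OIDC configuration endpoint is not a discovery document "
                        "(expected .../.well-known/openid-configuration)")
    mgmt_idp = env.get("NETBIRD_MGMT_IDP", "none")
    m = re.search(r"unable to get (\w+) token", log)
    if m and m.group(1) != mgmt_idp:
        findings.append(f"running server uses the {m.group(1)} IdP manager but setup.env "
                        f"sets NETBIRD_MGMT_IDP={mgmt_idp}; redeploy from one consistent setup.env")
    return findings


if __name__ == "__main__":
    for finding in check_oidc_config(parse_setup_env(SAMPLE_ENV), SAMPLE_LOG):
        print("finding:", finding)
```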
saavagebueno added the waiting-feedbackidpconfig-idptriage-needed labels 2025-11-20 05:20:04 -05:00
Reference: SVI/netbird#926