
Comments (20)

HansAschauer avatar HansAschauer commented on August 17, 2024 4

I had a problem with quite similar symptoms. This is possibly a bug in recent versions of keycloak, but I am not an expert with it.

However, I could work around the issue in the following way:

In the setup guide (https://docs.netbird.io/selfhosted/identity-providers#step-6-create-a-net-bird-client-scope), go to step 6 ("Create a NetBird client scope"). But instead of adding "netbird-client" to "Included Client Audience", add it to "Included Custom Audience".

In fact, I have created a second mapper with these settings, but I guess just changing the first one should be enough.
If you want to check if the audience is set correctly, go to Clients -> netbird-client, go to tab "Client Scopes", subtab (one line below) "evaluate". Choose the user netbird and select "Generated access tokens" in the list on the right. Check if the "aud" claim contains "netbird-client".

from netbird.

mlsmaycon avatar mlsmaycon commented on August 17, 2024 1

> I have the same problem but with Dex. Right after starting netbird-management, everything works and the login succeeds. However, if I wait a couple of hours, I get the same error upon login:
>
> 2024-07-04T20:36:48Z ERRO management/server/jwtclaims/jwtValidator.go:160: error parsing token: unable to find appropriate key
> 2024-07-04T20:36:48Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: Error parsing token: unable to find appropriate key
> 2024-07-04T20:36:48Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
> 2024-07-04T20:36:48Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 4269949527: GET /api/users status 401

@identw you need to enable sign key refresh with --idp-sign-key-refresh-enabled

    command: [
     ...
      "--idp-sign-key-refresh-enabled",

After that run docker compose up -d

from netbird.
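The two checks suggested in this thread, HansAschauer's "does the aud claim contain netbird-client" test and the "unable to find appropriate key" failure that --idp-sign-key-refresh-enabled addresses, can be run offline against a captured token. This is an added diagnostic, not NetBird's own code; the token, key ids and JWKS below are constructed. It only decodes the token and never verifies the signature, so it is for troubleshooting, not for accepting tokens.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs omit."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_unverified(token: str) -> tuple:
    """Split a compact JWS into header and claims WITHOUT checking the
    signature. Diagnostic only: never use this to accept a token."""
    header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))


def diagnose(token: str, cached_jwks: dict, expected_aud: str) -> list:
    """Return the reasons a validator holding cached_jwks would reject token."""
    header, claims = decode_unverified(token)
    problems = []
    kids = {k.get("kid") for k in cached_jwks.get("keys", [])}
    if header.get("kid") not in kids:
        # Matches the thread's "unable to find appropriate key": the IdP signs
        # with a key id the management service never fetched (key rotation).
        problems.append(f"kid {header.get('kid')!r} not in cached JWKS "
                        f"{sorted(kids)}; enable sign-key refresh")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud may be string or list
    if expected_aud not in aud:
        problems.append(f"aud {aud} lacks {expected_aud!r}; check the "
                        "audience mapper and AUTH_AUDIENCE")
    return problems


def make_token(header: dict, claims: dict) -> str:
    """Build a compact token with a placeholder signature (constructed sample)."""
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()),
                     b64url_encode(b"placeholder-signature")])


# Constructed JWKS as the management service cached it at startup.
CACHED_JWKS = {"keys": [{"kty": "RSA", "kid": "key-2024-06", "use": "sig"}]}

if __name__ == "__main__":
    # Constructed token issued after a key rotation and with the wrong audience.
    tok = make_token({"alg": "RS256", "kid": "key-2024-07"},
                     {"aud": ["account"], "sub": "netbird", "exp": 1720000000})
    for problem in diagnose(tok, CACHED_JWKS, "netbird-client"):
        print("-", problem)
```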

Unreeling8562 avatar Unreeling8562 commented on August 17, 2024

I've followed the official advanced docs from Netbird

from netbird.

Cikaros avatar Cikaros commented on August 17, 2024

It requires the Geo database to be installed. Check whether the database is installed.
https://docs.netbird.io/selfhosted/geo-support

from netbird.

Unreeling8562 avatar Unreeling8562 commented on August 17, 2024

> It requires the Geo database to be installed. Check whether the database is installed. https://docs.netbird.io/selfhosted/geo-support

I've installed this, but still the same error unfortunately

from netbird.

landmass-deftly-reptile-budget avatar landmass-deftly-reptile-budget commented on August 17, 2024

I can imagine this is the same issue as this one (except that one is about Zitadel as an IDP): #2089

I doubt a 401 token invalid error has something to do with the geo database.

from netbird.

Cikaros avatar Cikaros commented on August 17, 2024

Check the logs of the management service

from netbird.

ergleb78 avatar ergleb78 commented on August 17, 2024

We are experiencing the same issue on Google Auth. Management logs:

2024-06-27T16:56:41Z ERRO management/server/jwtclaims/jwtValidator.go:160: error parsing token: unable to find appropriate key
2024-06-27T16:56:41Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: Error parsing token: unable to find appropriate key
2024-06-27T16:56:41Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-06-27T16:56:41Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 798438459: GET /api/users status 401
2024-06-27T16:56:43Z ERRO management/server/jwtclaims/jwtValidator.go:160: error parsing token: unable to find appropriate key
2024-06-27T16:56:43Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: Error parsing token: unable to find appropriate key
2024-06-27T16:56:43Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-06-27T16:56:43Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 404750189: GET /api/users status 401

It's inconsistent: sometimes a restart of docker-compose helps, sometimes it requires removing the containers and recreating them.

UPDATE: Downloading and updating GEO database fixed the issue.

Ask: It would be incredibly helpful to see some pointers to the root cause of the problem in the err logs.

from netbird.

Vandaahl avatar Vandaahl commented on August 17, 2024

> I had a problem with quite similar symptoms. This is possibly a bug in recent versions of keycloak, but I am not an expert with it.
>
> However, I could work around the issue in the following way:
>
> In the setup guide (https://docs.netbird.io/selfhosted/identity-providers#step-6-create-a-net-bird-client-scope), go to step 6 ("Create a NetBird client scope"). But instead of adding "netbird-client" to "Included Client Audience", add it to "Included Custom Audience".
>
> In fact, I have created a second mapper with these settings, but I guess just changing the first one should be enough. If you want to check if the audience is set correctly, go to Clients -> netbird-client, go to tab "Client Scopes", subtab (one line below) "evaluate". Choose the user netbird and select "Generated access tokens" in the list on the right. Check if the "aud" claim contains "netbird-client".

Just wanted to say thank you for this comment. I wasted so many hours getting this to work with Keycloak and now it finally works :)

from netbird.

Pshemas avatar Pshemas commented on August 17, 2024

I have a similar problem with Authentik. Initially the setup worked, but after restarting the containers for both Netbird and Authentik I get this dreaded 401: token invalid error.

After restarting the containers (both for Authentik and Netbird) I can't log in to management portal. Any suggestions what to do are greatly appreciated.

Error logs found in management component:

management-1  | 2024-07-02T15:39:41Z DEBG management/server/grpcserver.go:130: Sync request from peer [YvVW8g9sDDcUNhigOOW2SlIZBHj5Lj//mfMP2WAgzkg=] [56.67.17.123]
management-1  | 2024-07-02T15:39:41Z DEBG management/server/updatechannel.go:87: opened updates channel for a peer cpk3l2f7g7ts738pqbh0
management-1  | 2024-07-02T15:39:41Z DEBG management/server/telemetry/http_api_metrics.go:201: request OPTIONS /api/users took 0 ms and finished with status 204
management-1  | 2024-07-02T15:39:41Z DEBG management/server/account.go:1661: overriding JWT Domain and DomainCategory claims since single account mode is enabled
management-1  | 2024-07-02T15:39:41Z DEBG management/server/account.go:1810: Acquired global lock in 77.978µs for user 7
management-1  | 2024-07-02T15:39:42Z DEBG management/server/sql_store.go:194: took 12 ms to persist an account to the store
management-1  | 2024-07-02T15:39:42Z DEBG management/server/account.go:1296: looking up user 7 of account cpk3ikv7g7ts73c049h0 in cache
management-1  | 2024-07-02T15:39:42Z DEBG management/server/account.go:1234: account cpk3ikv7g7ts73c049h0 not found in cache, reloading
management-1  | 2024-07-02T15:39:42Z DEBG management/server/idp/authentik.go:134: requesting new jwt token for authentik idp manager
management-1  | 2024-07-02T15:39:42Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400
management-1  | 2024-07-02T15:39:42Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
management-1  | 2024-07-02T15:39:42Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 2496285363: GET /api/users status 401
management-1  | 2024-07-02T15:39:42Z DEBG management/server/telemetry/http_api_metrics.go:201: request GET /api/users took 101 ms and finished with status 401
management-1  | 2024-07-02T15:39:42Z DEBG management/server/account.go:1661: overriding JWT Domain and DomainCategory claims since single account mode is enabled

Docker Compose file:

services:
  #UI dashboard
  dashboard:
    image: netbirdio/dashboard:v2.4.0
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    env_file:
      - /home/uslugi/.ENV/.nbird
    volumes:
      - netbird-letsencrypt:/etc/letsencrypt

  # Signal
  signal:
    image: netbirdio/signal:0.28.3
    restart: unless-stopped
    volumes:
      - netbird-signal:/var/lib/netbird
    ports:
      - 10000:80
  #      # port and command for Let's Encrypt validation
  #      - 443:443
  #    command: ["--letsencrypt-domain", "net.mysite.com", "--log-file", "console"]

  # Management
  management:
    image: netbirdio/management:0.28.3
    restart: unless-stopped
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - netbird-letsencrypt:/etc/letsencrypt:ro
      - /home/uslugi/management.json:/etc/netbird/management.json:z
    ports:
      - 33073:443 #API port
  #    # command for Let's Encrypt validation without dashboard container
  #    command: ["--letsencrypt-domain", "net.mysite.com", "--log-file", "console"]
    command: [
      "--port", "443",
      "--log-file", "console",
      "--log-level", "debug",
      "--disable-anonymous-metrics=true",
      "--single-account-mode-domain=net.mysite.com",
      "--dns-domain=netbird.selfhosted"
      ]

  # Coturn
  coturn:
    image: coturn/coturn:4.6.2
    restart: unless-stopped
    domainname: net.mysite.com
    volumes:
      - /home/uslugi/turnserver.conf:/etc/turnserver.conf:z
    #      - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
    #      - ./cert.pem:/etc/coturn/certs/cert.pem:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf

volumes:
  netbird-mgmt:
  netbird-signal:
  netbird-letsencrypt:

Environment variables file:

# Endpoints
NETBIRD_MGMT_API_ENDPOINT=https://net.mysite.com:33073
NETBIRD_MGMT_GRPC_API_ENDPOINT=https://net.mysite.com:33073
# OIDC
AUTH_AUDIENCE=wbuBlzoRj/c5sn/xVXk0omZULBGChzyoCAhAR1NLgzs=
AUTH_CLIENT_ID=wbuBlzoRj/c5sn/xVXk0omZULBGChzyoCAhAR1NLgzs=
AUTH_CLIENT_SECRET=
AUTH_AUTHORITY=https://auth.mysite.com/application/o/netbird/
USE_AUTH0=false
AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
AUTH_REDIRECT_URI=
AUTH_SILENT_REDIRECT_URI=
NETBIRD_TOKEN_SOURCE=accessToken
# SSL
NGINX_SSL_PORT=443
# Letsencrypt
LETSENCRYPT_DOMAIN=net.mysite.com
[email protected]

I've also checked Authentik and I found "application authorized" event:

{
    "user": {
        "pk": 7,
        "email": "[email protected]",
        "username": "myusername"
    },
    "action": "authorize_application",
    "app": "authentik.providers.oauth2.views.authorize",
    "context": {
        "flow": "82fcc99a48664ec494ce06c38327c3b7",
        "scopes": "profile email openid",
        "http_request": {
            "args": {
                "scope": "openid profile email offline_access api",
                "state": "hdKCFMF3p9",
                "audience": "someid",
                "client_id": "someid",
                "redirect_uri": "https://net.mydomain.com/#callback",
                "response_type": "code",
                "code_challenge": "somecodechallenge",
                "code_challenge_method": "S256"
            },
            "path": "/api/v3/flows/executor/default-provider-authorization-explicit-consent/",
            "method": "GET",
            "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0"
        },
        "authorized_application": {
            "pk": "somepk",
            "app": "authentik_core",
            "name": "Netbird",
            "model_name": "application"
        }
    },
    "client_ip": "some.ip",
    "expires": "2025-07-02T16:12:31.981Z",
    "brand": {
        "pk": "somepk",
        "app": "authentik_brands",
        "name": "Default brand",
        "model_name": "brand"
    }
}

from netbird.

vsavovski avatar vsavovski commented on August 17, 2024

Regarding Keycloak, it is possible to use the original setup; however, you cannot provide netbird-client as the ID. Instead, you must use the generated GUID that Keycloak creates for each client ID.

You can find the GUID in the URL: https://keycloak.mysite.com/admin/master/console/#/{realm}/clients/{client-id}.

Alternatively, as @HansAschauer mentioned, you can generate access tokens and locate the client ID in the aud field. This client ID should then be used in the .env file.

from netbird.

Pshemas avatar Pshemas commented on August 17, 2024

so far I've tried:

  • NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=true added to .env

#1531 (comment)

  • copied geo database

#2142 (comment)

This doesn't help sadly. When I look into the developer console I see this:

[image]

And token invalid in netbird management logs as posted above.

I wonder - can it be something with Authentik being behind Cloudflare? But on the other hand it does not cause any issues on other apps I use with Authentik (and the super annoying thing is that it worked for a couple of weeks without a hitch).

from netbird.

Pshemas avatar Pshemas commented on August 17, 2024

on my end it "automagically" started working - thus suggesting something to do with Authentik config, not Netbird itself.

from netbird.

identw avatar identw commented on August 17, 2024

I have the same problem but with Dex. Right after starting netbird-management, everything works and the login succeeds. However, if I wait a couple of hours, I get the same error upon login:

2024-07-04T20:36:48Z ERRO management/server/jwtclaims/jwtValidator.go:160: error parsing token: unable to find appropriate key
2024-07-04T20:36:48Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: Error parsing token: unable to find appropriate key
2024-07-04T20:36:48Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-07-04T20:36:48Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 4269949527: GET /api/users status 401

from netbird.

identw avatar identw commented on August 17, 2024

@mlsmaycon Thank you very much. This helped me

from netbird.

singhera-ilmiya avatar singhera-ilmiya commented on August 17, 2024

I'm still getting same issue please help me @mlsmaycon @identw

from netbird.

mlsmaycon avatar mlsmaycon commented on August 17, 2024

@singhera-ilmiya can you check your management logs for error logs and share them with us?

from netbird.

bl0way avatar bl0way commented on August 17, 2024

> Regarding Keycloak, it is possible to use the original setup; however, you cannot provide netbird-client as the ID. Instead, you must use the generated GUID that Keycloak creates for each client ID.
>
> You can find the GUID in the URL: https://keycloak.mysite.com/admin/master/console/#/{realm}/clients/{client-id}.
>
> Alternatively, as @HansAschauer mentioned, you can generate access tokens and locate the client ID in the aud field. This client ID should then be used in the .env file.

Indeed, this worked for me. The previous proposed solution unfortunately was not working for me (keycloak didn't add the provided Included Custom Audience in the generated token for X or Y reasons). I modified the management.json to update the AuthAudience by the generated GUID of keycloak.

from netbird.

adriangabura avatar adriangabura commented on August 17, 2024

Is it possible these 401 issues are related to this? I have triple checked my Azure config. There is no error on my part. And far too many identity providers cause similar symptoms.

from netbird.

mannp avatar mannp commented on August 17, 2024

I am getting this error today with a fresh kanidm install.

from netbird.
