
Request failed with status code 401. Please refresh the page if the issue continues. token invalid

Open jkirkcaldy opened this issue 4 months ago • 11 comments

I am using authentik as the auth provider and Traefik as the reverse proxy.

These lines appear in the management logs:

2024-03-02T18:37:27Z ERRO management/server/http/util/util.go:80: got a handler error: token invalid
2024-03-02T18:37:27Z ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 2291633713: GET /api/users status 401
2024-03-02T18:37:27Z INFO management/server/account.go:1590: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-03-02T18:37:27Z ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: unable to get authentik token, statusCode 400

I see a red box with this warning message:

Request failed with status code 401. Please refresh the page if the issue continues.
token invalid

management.json

{
    "Stuns": [
        {
            "Proto": "udp",
            "URI": "stun:netbird.example.co.uk:3478",
            "Username": "",
            "Password": ""
        }
    ],
    "TURNConfig": {
        "TimeBasedCredentials": false,
        "CredentialsTTL": "12h0m0s",
        "Secret": "secret",
        "Turns": [
            {
                "Proto": "udp",
                "URI": "turn:netbird.example.co.uk:3478",
                "Username": "self",
                "Password": "xxxx"
            }
        ]
    },
    "Signal": {
        "Proto": "http",
        "URI": "netbird.example.co.uk:10000",
        "Username": "",
        "Password": ""
    },
    "Datadir": "/var/lib/netbird/",
    "DataStoreEncryptionKey": "H9HtkneUWN6/KdVlnOBo+9MtqHz9BliKx0Kuc3KbJJc=",
    "HttpConfig": {
        "LetsEncryptDomain": "",
        "AuthAudience": "xxxx",
        "AuthIssuer": "https://authentik.example.co.uk/application/o/netbird/",
        "AuthUserIDClaim": "",
        "AuthKeysLocation": "https://authentik.example.co.uk/application/o/netbird/jwks/",
        "OIDCConfigEndpoint": "https://authentik.example.co.uk/application/o/netbird/.well-known/openid-configuration",
        "IdpSignKeyRefreshEnabled": true
    },
    "IdpManagerConfig": {
        "ManagerType": "authentik",
        "ClientConfig": {
            "Issuer": "https://authentik.example.co.uk/application/o/netbird",
            "TokenEndpoint": "https://authentik.example.co.uk/application/o/token/",
            "ClientID": "xxxx",
            "ClientSecret": "",
            "GrantType": "client_credentials"
        },
        "ExtraConfig": {
            "Password": "xxxxx",
            "Username": "Netbird"
        },
        "Auth0ClientCredentials": null,
        "AzureClientCredentials": null,
        "KeycloakClientCredentials": null,
        "ZitadelClientCredentials": null
    },
    "DeviceAuthorizationFlow": {
        "Provider": "hosted",
        "ProviderConfig": {
            "ClientID": "xxxx",
            "ClientSecret": "",
            "Domain": "authentik.example.co.uk",
            "Audience": "xxxx",
            "TokenEndpoint": "https://authentik.example.co.uk/application/o/token/",
            "DeviceAuthEndpoint": "https://authentik.example.co.uk/application/o/device/",
            "AuthorizationEndpoint": "",
            "Scope": "openid",
            "UseIDToken": false,
            "RedirectURLs": null
        }
    },
    "PKCEAuthorizationFlow": {
        "ProviderConfig": {
            "ClientID": "xxxx",
            "ClientSecret": "",
            "Domain": "",
            "Audience": "xxxx",
            "TokenEndpoint": "https://authentik.example.co.uk/application/o/token/",
            "DeviceAuthEndpoint": "",
            "AuthorizationEndpoint": "https://authentik.example.co.uk/application/o/authorize/",
            "Scope": "openid profile email offline_access api groups",
            "UseIDToken": false,
            "RedirectURLs": [
                "http://localhost:53000"
            ]
        }
    },
    "StoreConfig": {
        "Engine": "sqlite"
    },
    "ReverseProxy": {
        "TrustedHTTPProxies": null,
        "TrustedHTTPProxiesCount": 0,
        "TrustedPeers": null
    }
}    

Compose file

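# Compose stack for a self-hosted NetBird deployment. Every HTTP service is
# published through Traefik labels under the host netbird.example.co.uk.
version: "3"
services:
  # UI dashboard; its OIDC settings are passed in as environment variables.
  dashboard:
    # NOTE(review): `latest` is a floating tag, so each pull can change what
    # runs. Pin a release tag or digest once a known-good version is chosen.
    image: wiretrustee/dashboard:latest
    restart: unless-stopped
    # Host ports stay unpublished; Traefik reaches the container on port 80
    # through the loadbalancer label at the end of this service.
    # ports:
    #   - 80:80
    #   - 443:443
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://netbird.example.co.uk:443
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbird.example.co.uk:443
      # OIDC
      # AUTH_AUDIENCE is redacted here and HttpConfig.AuthAudience is redacted
      # in management.json, so the report cannot show whether they are equal.
      # NOTE(review): confirm both carry the same value when triaging the 401.
      - AUTH_AUDIENCE=xxxxx
      - AUTH_CLIENT_ID=xxxxx
      # Left empty. NOTE(review): presumably the dashboard is registered as a
      # public client in authentik - confirm against the provider settings.
      - AUTH_CLIENT_SECRET=
      # Same string as HttpConfig.AuthIssuer in management.json, trailing
      # slash included (IdpManagerConfig.ClientConfig.Issuer has no slash).
      - AUTH_AUTHORITY=https://authentik.example.co.uk/application/o/netbird/
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
      - AUTH_REDIRECT_URI=
      - AUTH_SILENT_REDIRECT_URI=
      # The access token (not the ID token) is what gets sent to the API.
      - NETBIRD_TOKEN_SOURCE=accessToken
    # Sequence indentation now matches the other lists in this service.
    # No entrypoint or TLS labels are set on this router.
    # NOTE(review): TLS is presumably terminated by Traefik defaults - confirm
    # the router is served over HTTPS only, because bearer tokens cross it.
    labels:
      - traefik.enable=true
      - traefik.http.routers.netbird-dashboard.rule=Host(`netbird.example.co.uk`)
      - traefik.http.services.netbird-dashboard.loadbalancer.server.port=80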

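  # Signal service, routed by Traefik on the gRPC path prefix below.
  # NOTE(review): management.json advertises Signal as
  # netbird.example.co.uk:10000 with Proto http, while no port is published
  # here and the router matches on host and path - confirm which address
  # peers are expected to use.
  signal:
    # NOTE(review): floating `latest` tag; pin a release tag or digest.
    image: netbirdio/signal:latest
    restart: unless-stopped
    volumes:
      - /mnt/user/appdata/netbird/signal:/var/lib/netbird
    # Sequence indentation now matches the volumes list above.
    labels:
      - traefik.enable=true
      - traefik.http.routers.netbird-signal.rule=Host(`netbird.example.co.uk`) && PathPrefix(`/signalexchange.SignalExchange/`)
      - traefik.http.services.netbird-signal.loadbalancer.server.port=80
      # h2c is HTTP/2 without TLS, so the hop from Traefik to this container
      # is cleartext; keep it on a network that only the proxy can reach.
      - traefik.http.services.netbird-signal.loadbalancer.server.scheme=h2c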

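  # Management service: serves the REST API (/api) and the gRPC management
  # endpoint, both routed by Traefik to container port 443.
  management:
    # NOTE(review): floating `latest` tag; pin a release tag or digest.
    image: netbirdio/management:latest
    restart: unless-stopped
    depends_on:
      - dashboard
    volumes:
      - /mnt/user/appdata/netbird/management:/var/lib/netbird
      # management.json (shown in this report) carries DataStoreEncryptionKey
      # plus TURN and IdP credentials. Keep the host file readable only by
      # the deploying user, and treat any value pasted into a public report
      # as exposed.
      # NOTE(review): the mount is writable; confirm whether the service
      # needs to write to this file before adding `:ro`.
      - /mnt/user/appdata/netbird/management/management.json:/etc/netbird/management.json
    # Block sequence instead of a multi-line flow list; the arguments and
    # their order are unchanged.
    command:
      - "--port"
      - "443"
      - "--log-file"
      - "console"
      # `false` on a disable flag leaves anonymous metrics switched on.
      - "--disable-anonymous-metrics=false"
      # Corresponds to the "single account mode is enabled" line in the
      # management log quoted in the report.
      - "--single-account-mode-domain=netbird.example.co.uk"
      - "--dns-domain=netbird.selfhosted"
    # Sequence indentation now matches the other lists in this service.
    labels:
      - traefik.enable=true
      # REST API router. No scheme label is set for this service, so Traefik
      # uses its default (http) to reach port 443.
      - traefik.http.routers.netbird-api.rule=Host(`netbird.example.co.uk`) && PathPrefix(`/api`)
      - traefik.http.routers.netbird-api.service=netbird-api
      - traefik.http.services.netbird-api.loadbalancer.server.port=443
      # gRPC router. h2c is HTTP/2 without TLS, so port 443 here is a
      # cleartext listener behind the proxy; API tokens cross this hop and
      # it should not be reachable from outside the proxy network.
      - traefik.http.routers.netbird-management.rule=Host(`netbird.example.co.uk`) && PathPrefix(`/management.ManagementService/`)
      - traefik.http.routers.netbird-management.service=netbird-management
      - traefik.http.services.netbird-management.loadbalancer.server.port=443
      - traefik.http.services.netbird-management.loadbalancer.server.scheme=h2c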

  # Coturn: the relay behind the stun:/turn: URIs on port 3478 listed in
  # management.json.
  coturn:
    # NOTE(review): floating `latest` tag; pin a release tag or digest.
    image: 'coturn/coturn:latest'
    domainname: 'netbird.example.co.uk'
    restart: 'unless-stopped'
    # Host networking: the container shares the host's network stack, so no
    # port mapping applies and every listener coturn opens is exposed on the
    # host's interfaces. Limit reachable ports with the host firewall.
    network_mode: 'host'
    # Passed as a single argument, exactly as in the original list form.
    command: ['-c /etc/turnserver.conf']
    volumes:
      # Read-only mount of the relay configuration.
      # NOTE(review): presumably this file holds the TURN credentials that
      # management.json references - confirm and keep it out of shared pastes.
      - './turnserver.conf:/etc/turnserver.conf:ro'
      # Certificate mounts are disabled, so no key or certificate file is
      # supplied to the container from this compose file.
      # - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
      # - ./cert.pem:/etc/coturn/certs/cert.pem:ro


jkirkcaldy avatar Mar 02 '24 18:03 jkirkcaldy