Netbird - No Identity Providers work! Keycloak - Login Error: User state: Unauthenticated
Describe the problem After trying to get Netbird Self Hosted with Authentik and getting weird errors (https://github.com/netbirdio/netbird/issues/1684) and no help so far, I decided to give a try to:
- Netbird + Zitadel -> This apparently causes some issues (Zitadel-related i/o timeout for the connection between PostgreSQL and Zitadel-Server; the probable cause is 100% CPU usage on my VPS server and extremely high memory/RAM usage in Zitadel)
- Netbird + Keycloak -> This results in a "Login Error: User state: Unauthenticated".
Nothing can be extracted from the logs of the keycloak or netbird-management Docker containers.
Looking at https://github.com/netbirdio/netbird/issues/1590, I am also running into the "CORS Missing Allow Origin".
To Reproduce
- Set up Keycloak and Netbird according to the current version of https://docs.netbird.io/selfhosted/identity-providers#keycloak, both running behind a Traefik reverse proxy with Letsencrypt-provided TLS certificates.
- Visit https://netbird.MYDOMAIN.TLD
- Get
Login Error: User state: Unauthenticated
Expected behavior
Netbird working correctly.
Are you using NetBird Cloud?
Netbird self-hosted.
NetBird version
netbird version
NetBird status -d output:
Not sure how to do this:
netbird-management container: netbird: command not found
netbird-dashboard container: netbird: command not found
netbird-signal container: Error: crun: executable file `/bin/sh` not found in $PATH: No such file or directory: OCI runtime attempted to invoke a command that was not found
netbird-coturn container: netbird: command not found
Screenshots
Additional context
Environment same as in https://github.com/netbirdio/netbird/issues/1684 (Podman 4.9.3).
Hello @luckylinux, can you share logs from the following containers:
dashboard:
docker compose logs dashboard
management
docker compose logs management
Can you also share the content of your setup.env? You can mask your domain names and client IDs; just make sure you are using the same masking value for the same real values.
Sure @mlsmaycon
I had to adjust the command a bit though, since I am using Podman and not Docker ...
podman logs netbird-dashboard
podman_logs_netbird-dashboard.log
podman logs netbird-management
podman_logs_netbird-management.log
setup.env
setup.env.txt
Are there any news on this? Also unauthenticated running via Keycloak. Also getting the same CORS error as above. All set up like in the documentation mentioned above.
content.js:364 getEmbedInfo
content.js:425 OEMBED https://netbird.MYDOMAIN.tld/?state=EmabodHrAU&session_state=bf19a860-aa59-40d2-847a-6e70c172b05b&iss=https%3A%2F%2Fauth.MYDOMAIN.tld%2Frealms%2FMYREALM&code=fe9d32ef-9d35-4c23-8350-598ac78cf784.bf19a860-aa59-40d2-847a-6e70c172b05b.b7a2ec9a-1fc9-4850-a12c-d5ee66d01aff#callback
2731-e746de7d02695f25.js:1 Checking to see if there is an authorization response to be delivered.
2731-e746de7d02695f25.js:1 Potential authorization request https://netbird.MYDOMAIN.tld/ Object EmabodHrAU fe9d32ef-9d35-4c23-8350-598ac78cf784.bf19a860-aa59-40d2-847a-6e70c172b05b.b7a2ec9a-1fc9-4850-a12c-d5ee66d01aff undefined
2731-e746de7d02695f25.js:1 Delivering authorization response
/?state=EmabodHrAU&session_state=bf19a860-aa59-40d2-847a-6e70c172b05b&iss=https%3A%2F%2Fauth.MYDOMAIN.tld%2Frealms%2FMYREALM&code=fe9d32ef-9d35-4c23-8350-598ac78cf784.bf19a860-aa59-40d2-847a-6e70c172b05b.b7a2ec9a-1fc9-4850-a12c-d5ee66d01aff#callback:1 Access to fetch at 'https://auth.MYDOMAIN.tld/realms/MYREALM/protocol/openid-connect/token' from origin 'https://netbird.MYDOMAIN.tld' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
auth.MYDOMAIN.tld/realms/MYREALM/protocol/openid-connect/token:1
Failed to load resource: net::ERR_FAILED
2731-e746de7d02695f25.js:1
Uncaught (in promise) TypeError: Failed to fetch
at FetchRequestor.xhr (2731-e746de7d02695f25.js:1:82495)
at BaseTokenRequestHandler.performTokenRequest (2731-e746de7d02695f25.js:1:79114)
at AuthorizationNotifier.listener (2731-e746de7d02695f25.js:1:56541)
at AuthorizationNotifier.onAuthorizationComplete (2731-e746de7d02695f25.js:1:65206)
at 2731-e746de7d02695f25.js:1:66271
My problem is solved. The issue was that the user somehow didn't have the default-roles-apps role, and with that no uma_authorization and no offline_access roles. Put the role back and it works.
@mlsmaycon: any news on this? It's really unfortunate I'm not getting anything working.
At least the web page should show something useful IMHO, not just crash the entire thing (and the logs don't really tell much).
I just noticed there might be something related to the Traefik reverse proxy going on ...
At the moment I only had the dashboard reverse-proxied, but trying a Netbird installation from scratch using ./configure.sh I get these warnings:
The following forwards have to be setup:
- https://netbird.MYDOMAIN.TLD:443 -http-> dashboard:80
- https://netbird.MYDOMAIN.TLD:443/api -http-> management:443
- https://netbird.MYDOMAIN.TLD:443/management.ManagementService/ -grpc-> management:443
- https://netbird.MYDOMAIN.TLD:443/signalexchange.SignalExchange/ -grpc-> signal:80
You most likely also have to change NETBIRD_MGMT_API_ENDPOINT in base.setup.env and port-mappings in docker-compose.yml.tmpl and rerun this script.
The target of the forwards depends on your setup. Beware of the gRPC protocol instead of http for management and signal!
You are also free to remove any occurrences of the Letsencrypt-volume netbird-letsencrypt
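As an added example (not from this thread or the NetBird project), here is a Traefik v2 dynamic-configuration file that expresses the four forwards configure.sh lists above, with the gRPC backends proxied as cleartext HTTP/2 via Traefik's `h2c://` scheme rather than plain HTTP. The entry point name `websecure`, the certificate resolver name `letsencrypt` and the container hostnames are assumptions taken from the script's output.

```yaml
# Added example: Traefik dynamic configuration (file provider) for the
# forwards printed by configure.sh. Assumed names: entry point "websecure",
# cert resolver "letsencrypt", backend hosts as named by the script.
http:
  routers:
    netbird-dashboard:
      rule: "Host(`netbird.MYDOMAIN.TLD`)"
      entryPoints: ["websecure"]
      tls: { certResolver: letsencrypt }
      service: netbird-dashboard
    netbird-api:
      # REST API: plain HTTP to the management container
      rule: "Host(`netbird.MYDOMAIN.TLD`) && PathPrefix(`/api`)"
      entryPoints: ["websecure"]
      tls: { certResolver: letsencrypt }
      service: netbird-management-http
    netbird-management-grpc:
      # gRPC: must be proxied as HTTP/2, not HTTP/1.1
      rule: "Host(`netbird.MYDOMAIN.TLD`) && PathPrefix(`/management.ManagementService/`)"
      entryPoints: ["websecure"]
      tls: { certResolver: letsencrypt }
      service: netbird-management-grpc
    netbird-signal-grpc:
      rule: "Host(`netbird.MYDOMAIN.TLD`) && PathPrefix(`/signalexchange.SignalExchange/`)"
      entryPoints: ["websecure"]
      tls: { certResolver: letsencrypt }
      service: netbird-signal-grpc
  services:
    netbird-dashboard:
      loadBalancer:
        servers: [{ url: "http://dashboard:80" }]
    netbird-management-http:
      loadBalancer:
        servers: [{ url: "http://management:443" }]
    netbird-management-grpc:
      loadBalancer:
        # h2c = cleartext HTTP/2 inside the container network; TLS ends at Traefik
        servers: [{ url: "h2c://management:443" }]
    netbird-signal-grpc:
      loadBalancer:
        servers: [{ url: "h2c://signal:80" }]
```

Traefik ranks routers by rule length by default, so the path-prefixed routers take precedence over the bare Host router for the dashboard.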