
Authentik IDP - Error parsing token: key is of invalid type

Open blazp7 opened this issue 1 year ago • 0 comments

Problem

My dashboard and management process are running successfully; however, I am getting these errors after successfully logging into the web UI through my IDP.

Web browser UI:

  • Request failed with status code 401

Web browser console:

  • GET https://netbird.echoinstruments.eu/api/users [HTTP/2 401 20ms] Object { message: "token invalid", code: 401 }

Service logs after logging in:

  • Error when validating JWT claims: Error parsing token: key is of invalid type
  • got a handler error: token invalid

Service logs at startup:

  • WARN: failed warming up cache due to error: unable to get authentik token, statusCode 400

Additional Information

  • Self-hosted NetBird's control plane, version 0.27.4
  • Authentik identity provider
  • Traefik reverse proxy

Additional context

  • my management.json
{
  "DataStoreEncryptionKey": "genEVP6j/Yp2EeVujm0zgqXrRos29dQkpvX0hHdEUlQ=",
  "Datadir": "/var/lib/netbird-mgmt/data",
  "DeviceAuthorizationFlow": {
    "Provider": "hosted",
    "ProviderConfig": {
      "Audience": "YII3qPQZKKYF3GaXMVhh5wbK0RnQ8Okp2a4GBeON",
      "AuthorizationEndpoint": "",
      "ClientID": "YII3qPQZKKYF3GaXMVhh5wbK0RnQ8Okp2a4GBeON",
      "ClientSecret": "",
      "DeviceAuthEndpoint": "https://auth.mycompany.eu/application/o/device/",
      "Domain": "",
      "RedirectURLs": [
        "https://netbird.mycompany.eu/#callback"
      ],
      "Scope": "email openid profile",
      "TokenEndpoint": "https://auth.mycompany.eu/application/o/token/",
      "UseIDToken": false
    }
  },
  "HttpConfig": {
    "Address": "0.0.0.0:8011",
    "AuthAudience": "YII3qPQZKKYF3GaXMVhh5wbK0RnQ8Okp2a4GBeON",
    "AuthIssuer": "https://auth.mycompany.eu/application/o/netbird/",
    "AuthKeysLocation": "https://auth.mycompany.eu/application/o/netbird/jwks/",
    "AuthUserIDClaim": "",
    "CertFile": "",
    "CertKey": "",
    "IdpSignKeyRefreshEnabled": true,
    "OIDCConfigEndpoint": "https://auth.mycompany.eu/application/o/netbird/.well-known/openid-configuration"
  },
  "IdpManagerConfig": {
    "Auth0ClientCredentials": null,
    "AzureClientCredentials": null,
    "ClientConfig": {
      "ClientID": "YII3qPQZKKYF3GaXMVhh5wbK0RnQ8Okp2a4GBeON",
      "ClientSecret": "",
      "GrantType": "client_credentials",
      "Issuer": "https://auth.mycompany.eu/application/o/netbird/",
      "TokenEndpoint": "https://auth.mycompany.eu/application/o/token/"
    },
    "ExtraConfig": {
      "Password": "PpUEt47VIakCkjqfcIJ7Ci7URqtS8PdHUlFVBMNy",
      "Username": "netbird"
    },
    "KeycloakClientCredentials": null,
    "ManagerType": "authentik",
    "ZitadelClientCredentials": null
  },
  "PKCEAuthorizationFlow": {
    "ProviderConfig": {
      "Audience": "YII3qPQZKKYF3GaXMVhh5wbK0RnQ8Okp2a4GBeON",
      "AuthorizationEndpoint": "https://auth.mycompany.eu/application/o/authorize/",
      "ClientID": "YII3qPQZKKYF3GaXMVhh5wbK0RnQ8Okp2a4GBeON",
      "ClientSecret": "",
      "Domain": "",
      "RedirectURLs": [
        "https://netbird.mycompany.eu/#callback"
      ],
      "Scope": "email openid profile",
      "TokenEndpoint": "https://auth.mycompany.eu/application/o/token/",
      "UseIDToken": false
    }
  },
  "ReverseProxy": {
    "TrustedHTTPProxies": [],
    "TrustedHTTPProxiesCount": 0,
    "TrustedPeers": [
      "0.0.0.0/0"
    ]
  },
  "Signal": {
    "Password": null,
    "Proto": "https",
    "URI": "netbird.mycompany.eu",
    "Username": ""
  },
  "StoreConfig": {
    "Engine": "sqlite"
  },
  "Stuns": [
    {
      "Password": null,
      "Proto": "udp",
      "URI": "stun:192.168.12.250:3478",
      "Username": ""
    }
  ],
  "TURNConfig": {
    "CredentialsTTL": "12h",
    "Secret": "veryinsecuresecret",
    "TimeBasedCredentials": false,
    "Turns": [
      {
        "Password": "veryinsecureturnpassword",
        "Proto": "udp",
        "URI": "turn:192.168.12.250:3478",
        "Username": "netbird"
      }
    ]
  }
}
  • process is started with the following cli arguments
netbird "management" \
"--config" "/var/lib/netbird-mgmt/management.json" \
"--datadir" "/var/lib/netbird-mgmt/data" \
"--dns-domain" "netbird.mycompany.eu" \
"--port" "8011" \
"--log-file" "console" \
"--log-level" "DEBUG" \
"--idp-sign-key-refresh-enabled"  \
"--single-account-mode-domain" "netbird.mycompany.eu" \
"--disable-anonymous-metrics"
  • service startup logs
systemd[1]: Started The management server for Netbird, a wireguard VPN.
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 INFO management/cmd/management.
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 INFO management/cmd/management.
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 INFO management/cmd/management.go:462: overriding HttpConfig.AuthIssuer with a new value https://auth.mycompany.eu/application/o/netbird/, previously configured value: https://auth.mycompany.eu/application/o/netbird/
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 INFO management/cmd/management.go:466: overriding HttpConfig.AuthKeysLocation (JWT certs) with a new value https://auth.mycompany.eu/application/o/netbird/jwks/, previously configured value: https://auth.mycompany.eu/application/o/netbird/jwks/
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 INFO management/cmd/management.go:471: overriding DeviceAuthorizationFlow.TokenEndpoint with a new value: https://auth.mycompany.eu/application/o/token/, previously configured value: https://auth.mycompany.eu/application/o/token/
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 INFO management/cmd/management.go:474: overriding DeviceAuthorizationFlow.DeviceAuthEndpoint with a new value: https://auth.mycompany.eu/application/o/device/, previously configured value: https://auth.mycompany.eu/application/o/device/
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 INFO management/cmd/management.go:482: overriding DeviceAuthorizationFlow.ProviderConfig.Domain with a new value: auth.mycompany.eu, previously configured value:
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 INFO management/cmd/management.go:492: overriding PKCEAuthorizationFlow.TokenEndpoint with a new value: https://auth.mycompany.eu/application/o/token/, previously configured value: https://auth.mycompany.eu/application/o/token/
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 INFO management/cmd/management.go:495: overriding PKCEAuthorizationFlow.AuthorizationEndpoint with a new value: https://auth.mycompany.eu/application/o/authorize/, previously configured value: https://auth.mycompany.eu/application/o/authorize/
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 INFO management/server/telemetry/app_metrics.go:177: enabled application metrics and exposing on http://0.0.0.0:8081
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 INFO management/server/store.go:92: using SQLite store engine
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 DEBG management/server/migration/migration.go:39: No records in table accounts, no migration needed
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 DEBG management/server/migration/migration.go:39: No records in table routes, no migration needed
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 DEBG management/server/migration/migration.go:39: No records in table routes, no migration needed
netbird-mgmt[730565]: 2024-05-08T10:43:41+02:00 DEBG management/server/activity/sqlite/sqlite.go:328: check deleted_users table version
netbird-mgmt[730565]: 2024-05-08T10:43:41+02:00 DEBG management/server/geolocation/store.go:174: took 107.113993ms to setup geoname db
netbird-mgmt[730565]: 2024-05-08T10:43:41+02:00 INFO management/cmd/management.go:173: geo location service has been initialized from /var/lib/netbird-mgmt/data
netbird-mgmt[730565]: 2024-05-08T10:43:41+02:00 INFO management/server/account.go:887: single account mode enabled, accounts number 0
netbird-mgmt[730565]: 2024-05-08T10:43:41+02:00 DEBG management/server/idp/authentik.go:134: requesting new jwt token for authentik idp manager
netbird-mgmt[730565]: 2024-05-08T10:43:41+02:00 DEBG management/server/ephemeral.go:135: loaded ephemeral peer(s): 0
netbird-mgmt[730565]: 2024-05-08T10:43:41+02:00 WARN management/server/account.go:927: failed warming up cache due to error: unable to get authentik token, statusCode 400
netbird-mgmt[730565]: 2024-05-08T10:43:41+02:00 INFO management/cmd/management.go:292: running gRPC backward compatibility server: [::]:33073
netbird-mgmt[730565]: 2024-05-08T10:43:41+02:00 INFO management/cmd/management.go:324: management server version 0.27.4
netbird-mgmt[730565]: 2024-05-08T10:43:41+02:00 INFO management/cmd/management.go:325: running HTTP server and gRPC server on the same port: [::]:8011
  • service logs when I log in to the web UI
netbird-mgmt[730565]: 2024-05-08T10:45:41+02:00 DEBG management/server/geolocat
netbird-mgmt[730565]: 2024-05-08T10:45:41+02:00 DEBG management/server/geolocat
netbird-mgmt[730565]: 2024-05-08T10:46:41+02:00 DEBG management/server/geolocat
netbird-mgmt[730565]: 2024-05-08T10:46:41+02:00 DEBG management/server/geolocat
netbird-mgmt[730565]: 2024-05-08T10:47:22+02:00 DEBG management/server/jwtclaim
netbird-mgmt[730565]: 2024-05-08T10:47:22+02:00 ERRO management/server/jwtclaim
netbird-mgmt[730565]: 2024-05-08T10:47:22+02:00 ERRO management/server/http/mid
netbird-mgmt[730565]: 2024-05-08T10:47:22+02:00 ERRO management/server/http/uti
netbird-mgmt[730565]: 2024-05-08T10:47:22+02:00 ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 2995609963: GET /api/users status 401
netbird-mgmt[730565]: 2024-05-08T10:47:22+02:00 DEBG management/server/telemetry/http_api_metrics.go:201: request GET /api/users took 41 ms and finished with status 401
netbird-mgmt[730565]: 2024-05-08T10:47:22+02:00 DEBG management/server/jwtclaims/jwtValidator.go:111: keys refreshed, new UTC expiration time: 2024-05-08 08:47:22.954373094 +0000 UTC
netbird-mgmt[730565]: 2024-05-08T10:47:22+02:00 ERRO management/server/jwtclaims/jwtValidator.go:160: error parsing token: key is of invalid type
netbird-mgmt[730565]: 2024-05-08T10:47:22+02:00 ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: Error parsing token: key is of invalid type
netbird-mgmt[730565]: 2024-05-08T10:47:22+02:00 ERRO management/server/http/util/util.go:80: got a handler error: token invalid
netbird-mgmt[730565]: 2024-05-08T10:47:22+02:00 ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 905634035: GET /api/users status 401
netbird-mgmt[730565]: 2024-05-08T10:47:22+02:00 DEBG management/server/telemetry/http_api_metrics.go:201: request GET /api/users took 18 ms and finished with status 401
netbird-mgmt[730565]: 2024-05-08T10:47:23+02:00 DEBG management/server/jwtclaims/jwtValidator.go:111: keys refreshed, new UTC expiration time: 2024-05-08 08:47:23.49892141 +0000 UTC
netbird-mgmt[730565]: 2024-05-08T10:47:23+02:00 ERRO management/server/jwtclaims/jwtValidator.go:160: error parsing token: key is of invalid type
netbird-mgmt[730565]: 2024-05-08T10:47:23+02:00 ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: Error parsing token: key is of invalid type
netbird-mgmt[730565]: 2024-05-08T10:47:23+02:00 ERRO management/server/http/util/util.go:80: got a handler error: token invalid
netbird-mgmt[730565]: 2024-05-08T10:47:23+02:00 ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 3636200884: GET /api/users status 401
netbird-mgmt[730565]: 2024-05-08T10:47:23+02:00 DEBG management/server/telemetry/http_api_metrics.go:201: request GET /api/users took 20 ms and finished with status 401
netbird-mgmt[730565]: 2024-05-08T10:47:24+02:00 DEBG management/server/jwtclaims/jwtValidator.go:111: keys refreshed, new UTC expiration time: 2024-05-08 08:47:24.083951284 +0000 UTC
netbird-mgmt[730565]: 2024-05-08T10:47:24+02:00 ERRO management/server/jwtclaims/jwtValidator.go:160: error parsing token: key is of invalid type
netbird-mgmt[730565]: 2024-05-08T10:47:24+02:00 ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: Error parsing token: key is of invalid type
netbird-mgmt[730565]: 2024-05-08T10:47:24+02:00 ERRO management/server/http/util/util.go:80: got a handler error: token invalid
netbird-mgmt[730565]: 2024-05-08T10:47:24+02:00 ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 3416239691: GET /api/users status 401
netbird-mgmt[730565]: 2024-05-08T10:47:24+02:00 DEBG management/server/telemetry/http_api_metrics.go:201: request GET /api/users took 17 ms and finished with status 401
netbird-mgmt[730565]: 2024-05-08T10:47:29+02:00 DEBG management/server/jwtclaims/jwtValidator.go:111: keys refreshed, new UTC expiration time: 2024-05-08 08:47:29.182113768 +0000 UTC
netbird-mgmt[730565]: 2024-05-08T10:47:29+02:00 ERRO management/server/jwtclaims/jwtValidator.go:160: error parsing token: key is of invalid type
netbird-mgmt[730565]: 2024-05-08T10:47:29+02:00 ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: Error parsing token: key is of invalid type
netbird-mgmt[730565]: 2024-05-08T10:47:29+02:00 ERRO management/server/http/util/util.go:80: got a handler error: token invalid
netbird-mgmt[730565]: 2024-05-08T10:47:29+02:00 ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 1676120686: GET /api/users status 401
netbird-mgmt[730565]: 2024-05-08T10:47:29+02:00 DEBG management/server/telemetry/http_api_metrics.go:201: request GET /api/users took 18 ms and finished with status 401

Edit: I realize I posted my service account password; it has already been changed.

blazp7 · May 08 '24 08:05
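An added illustration, not part of the original issue and not NetBird's code. The management log pairs `keys refreshed` with `error parsing token: key is of invalid type` on every request. In the golang-jwt library (and its predecessor jwt-go) that string is `ErrInvalidKeyType`, returned when the key handed to the verifier does not fit the signing method named in the token header, for example an RS256 token checked against something that is not an RSA public key; the signature itself is never evaluated, so the useful diagnostic is to compare the `alg`/`kid` in the token header with the `kty`/`kid` entries the JWKS endpoint serves. That NetBird's validator surfaces this library error verbatim is an assumption. The standard-library Go program below is a minimal RS256-over-JWKS verifier that reproduces this failure mode on a constructed key set (an EC entry published under the `kid` the token names) and also pins the algorithm so the token cannot pick a different one. The key pair, the `kid` values and the JWKS contents are all constructed in the code for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// ErrInvalidKeyType carries the message seen in the issue's logs (assumed to match golang-jwt).
var ErrInvalidKeyType = errors.New("key is of invalid type")

type JWK struct{ Kty, Kid, N, E string } // kty/kid/n/e members of an RFC 7517 key
type JWKS map[string]JWK                 // key set indexed by kid (constructed here, not fetched)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// rsaPublicKey converts a JWK into *rsa.PublicKey; a non-RSA entry yields ErrInvalidKeyType.
func rsaPublicKey(k JWK) (*rsa.PublicKey, error) {
	if k.Kty != "RSA" || k.N == "" || k.E == "" {
		return nil, ErrInvalidKeyType
	}
	n, errN := base64.RawURLEncoding.DecodeString(k.N)
	e, errE := base64.RawURLEncoding.DecodeString(k.E)
	if errN != nil || errE != nil {
		return nil, errors.New("malformed RSA JWK")
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
}

// JWKSFor publishes an RSA public key as a one-entry key set under kid.
func JWKSFor(pub *rsa.PublicKey, kid string) JWKS {
	return JWKS{kid: {Kty: "RSA", Kid: kid, N: b64(pub.N.Bytes()), E: b64(big.NewInt(int64(pub.E)).Bytes())}}
}

// SignRS256 builds a compact JWS (header.payload.signature) over plain JSON claims.
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyRS256 pins the algorithm, resolves kid in the JWKS, checks the key type fits the
// algorithm and only then verifies the signature; the key-type check is the failing path.
func VerifyRS256(token string, keys JWKS) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		d, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("bad base64url in segment %d", i)
		}
		raw[i] = d
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // the token must not get to choose the algorithm
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	k, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("no key with kid %q in JWKS", hdr.Kid)
	}
	pub, err := rsaPublicKey(k)
	if err != nil {
		return nil, fmt.Errorf("error parsing token: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, errors.New("signature invalid")
	}
	var claims map[string]any
	err = json.Unmarshal(raw[1], &claims)
	return claims, err
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, _ := SignRS256(priv, "k1", map[string]any{"sub": "alice"})
	_, good := VerifyRS256(tok, JWKSFor(&priv.PublicKey, "k1"))
	_, bad := VerifyRS256(tok, JWKS{"k1": {Kty: "EC", Kid: "k1"}})
	fmt.Println("RSA key:", good, "| EC key under same kid:", bad)
}
```

Running it prints `<nil>` for the matching key and `error parsing token: key is of invalid type` for the mismatched one, the same wording as the management log. A real deployment fetches the key set from the configured `AuthKeysLocation` instead of building it in code, but the check order (algorithm pinned, kid resolved, key type confirmed, then signature) is the part worth keeping.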