
ERR_UNAUTHORIZED Request failed with status code 401

Open dcshoes23 opened this issue 3 years ago • 6 comments

I have selfhosted netbird v0.9.0 using Authentik as my identity provider.

I am able to log in using Authentik and I see the following error in the UI: image

I see two problems in the Chrome debug console.

  1. Calls to https://auth.mydomain.com/application/o/userinfo/ fail due to a CORS error: Access to fetch at 'https://auth.mydomain.com/application/o/userinfo/' from origin 'https://nb.mydomain.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

NOTE: the call to https://auth.mydomain.com/application/o/token/ works fine which I see is called by xhr.ts:88 vs the failing call which is directly from oidc.ts:160

  2. Any web calls to the management service on :33073 are returning 401 unauthorized with the following response: The token isn't valid

dcshoes23 avatar Sep 06 '22 19:09 dcshoes23

Hey @dcshoes23 There must be something wrong with the configuration. Could you please send the setup.env, docker-compose.yml, and management.json? Would be also great to see an example of a generated JWT.

You can send this info on Slack (DM). https://join.slack.com/t/netbirdio/shared_invite/zt-vrahf41g-ik1v7fV8du6t0RwxSrJ96A

braginini avatar Sep 06 '22 21:09 braginini

Relates to https://github.com/goauthentik/authentik/issues/3555

mlsmaycon avatar Sep 08 '22 17:09 mlsmaycon

I think that we can close this one @dcshoes23. Since the issues have been resolved and Authentik is now compatible with NetBird!

braginini avatar Sep 14 '22 07:09 braginini

~~closing as issues were with Authentik, thanks for helping to identify what was missing!~~ Only point 2 was on the Authentik. For point 1, see my comment below.

dcshoes23 avatar Sep 14 '22 20:09 dcshoes23

Found the issue, netbird is not setting the Origin header in the request to Authentik. When I manually add that in my curl test command, the proper CORS headers are returned from Authentik.

dcshoes23 avatar Sep 14 '22 20:09 dcshoes23

> Found the issue, netbird is not setting the Origin header in the request to Authentik. When I manually add that in my curl test command, the proper CORS headers are returned from Authentik.

The user info endpoint, right? There must be something related to the OIDC library. Will check that.

braginini avatar Sep 15 '22 04:09 braginini

Also trying out netbird currently (great project btw) and I've noticed one error seems to come from the netbird frontend injecting a slash into the well-known URL if you use the correct OIDC issuer for authentik, which ends with a trailing slash (https://id.beryju.org/application/o/netbird/), so if I remove that trailing slash in the UI I can login but get the same error as above, and API requests return The token isn't valid since I assume it's comparing the issuer against what is configured, which is failing

BeryJu avatar Oct 07 '22 14:10 BeryJu

See the issue linked above, I monkey-patched this in the compiled main.js file and I can now correctly set the issuer. However there's still some 401 errors but also a warning due to base64-encoding

```
main.9e66752d.js:formatted:2797 DOMException: Failed to execute 'atob' on 'Window': The string to be decoded is not correctly encoded.
    at https://netbird.infra.beryju.io/static/js/main.9e66752d.js:2:43246
    at https://netbird.infra.beryju.io/static/js/main.9e66752d.js:2:43311
    at https://netbird.infra.beryju.io/static/js/main.9e66752d.js:2:40691
    at Object.next (https://netbird.infra.beryju.io/static/js/main.9e66752d.js:2:40796)
    at https://netbird.infra.beryju.io/static/js/main.9e66752d.js:2:39707
    at new Promise (<anonymous>)
    at a (https://netbird.infra.beryju.io/static/js/main.9e66752d.js:2:39452)
    at v (https://netbird.infra.beryju.io/static/js/main.9e66752d.js:2:42818)
    at https://netbird.infra.beryju.io/static/js/main.9e66752d.js:2:41529
    at https://netbird.infra.beryju.io/static/js/main.9e66752d.js:2:40691
```

I can't quite tell yet where the code that does this is from (and I feel like this is due to some missing base64 padding, which I don't think the spec asks for?)

BeryJu avatar Oct 07 '22 18:10 BeryJu
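
An added example, not part of the thread and not NetBird or authentik code: a JavaScript helper for triaging the two symptoms described in the comments above, a token rejected as invalid and a failing `atob` call. It decodes a JWT payload as base64url and reports when the `iss` claim differs from the configured issuer only by a trailing slash; the token, issuer URL and function names are constructed for illustration, and an exact string comparison of the issuer on the validating side is an assumption.

```javascript
// Added example: offline triage of a JWT's issuer claim. It reads claims only
// and does NOT verify the signature, so never use it for authorization.

// JWT segments are base64url without '=' padding (RFC 7515), while atob()
// accepts only the standard '+' '/' alphabet, so normalise before decoding.
function decodeSegment(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment) || segment.length % 4 === 1) {
    throw new Error('not a base64url segment');
  }
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(segment.length / 4) * 4, '=');
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Inverse helper, used here only to build the constructed sample token.
function encodeSegment(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  const b64 = btoa(String.fromCharCode(...bytes));
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Compare the token's iss claim with the issuer the validator is configured for.
function inspectIssuer(jwt, expectedIssuer) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const { iss } = decodeSegment(parts[1]);
  if (iss === expectedIssuer) return { iss, finding: 'issuer matches' };
  const strip = (s) => String(s).replace(/\/+$/, '');
  const finding = strip(iss) === strip(expectedIssuer)
    ? 'issuer differs only by a trailing slash'
    : 'issuer mismatch';
  return { iss, finding };
}

// Constructed sample: placeholder issuer and subject, dummy signature.
const SAMPLE_ISSUER = 'https://idp.example.test/application/o/netbird/';
const sampleToken = [
  encodeSegment({ alg: 'RS256', typ: 'JWT' }),
  encodeSegment({ iss: SAMPLE_ISSUER, sub: 'user-ü' }),
  'c2lnbmF0dXJl',
].join('.');

console.log(inspectIssuer(sampleToken, SAMPLE_ISSUER.slice(0, -1)));
```
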

@dcshoes23 recently we added authentik integration, you can find the docs here: https://docs.netbird.io/selfhosted/identity-providers#authentik

mlsmaycon avatar Jun 16 '23 07:06 mlsmaycon