
Request failed with status code 401 (Authentik) #2941

Open
MDMeridio001 opened this issue Nov 23, 2024 · 12 comments

Comments

@MDMeridio001

Describe the problem

After updating to authentik version 2024.10.4 I am no longer able to access the dashboard as I get an "invalid token" error. Looking at the management logs I can see the following error: `management-1 | 2024-11-23T11:01:07Z WARN [context: SYSTEM] management/server/account.go:1114: failed warming up cache due to error: 403 Forbidden`. I have tried deleting the Netbird service account's token and creating a new one, and I have also tried completely removing the application and provider and setting them up again from scratch, but it didn't fix the error. With version 2024.10.2 everything worked just fine.

To Reproduce

Steps to reproduce the behavior:

  1. Update authentik to version 2024.10.4
  2. Check for the error in the management logs

Are you using NetBird Cloud?

Self-hosted

NetBird version

0.33.0

Screenshots

[screenshot]

@mlsmaycon
Collaborator

Hello, @MDMeridio001, it seems like something went wrong with the guide steps 3 and 4 on your configuration. Can you review them and rerun the configure.sh script?

As an alternative, you can disable IdP manager in your management.json file by setting IdpManagerConfig.ManagerType and then restarting the management service with docker compose restart management

@MDMeridio001
Author

@mlsmaycon Thanks for the reply. I'd prefer not to disable the IdP as I have all of my users configured there.

I would like to specify that it worked in version 2024.10.2 and I suspect that maybe they have made some changes to some of authentik's API endpoints. I have also checked nginx logs and it seems like error 403 is returned when the management service tries to reach this endpoint: `[23/Nov/2024:12:03:53 +0100] "GET /api/v3/core/users/?page=1 HTTP/2.0" 403 58 "-" "OpenAPI-Generator/1.0.0/go"`.
If I try to access the same page in a web browser logged in as the Netbird service account I successfully get a list with all the users in JSON format.

I would also like to mention that since I followed the guide when I first set netbird and authentik up the WebUI for authentik changed significantly, so it might be in need of an update. For example, when I tried to recreate the Netbird service account the token was not created automatically and I had to manually add one.

@MDMeridio001
Author

@mlsmaycon Just an update. I restored an old backup of authentik (version 2024.8.2) and it immediately started working again.

@mlsmaycon
Collaborator

The backup is old but are you running the latest authentik version?

@MDMeridio001
Author

@mlsmaycon No, I'm running version 2024.8.2

@Spiritreader

Spiritreader commented Nov 23, 2024

I am having the same problem since updating to 2024.10.4, only that rolling back to 2024.8.2 (or any other older version) does not restore functionality.

The service account mentioned in steps 3 and 4 of the guide seems to work fine though; in Authentik I see it logging in successfully.
[screenshot]

I have even set up netbird from scratch, deleting all configuration and recreating it from infrastructure artifacts with Authentik versions 2024.8.6, 2024.8.5, 2024.8.2, 2024.10.4 and 2024.10.3.

There were some issues with redirect URLs for 2024.8.5 and 2024.10.3 which since have been resolved.

Currently I am on 2024.8.6, which is the latest supported build of 2024.8. Those are the logs:

2024-11-23T21:29:44Z WARN [context: SYSTEM] management/server/account.go:1114: failed warming up cache due to error: 403 Forbidden

2024-11-23T21:30:33Z DEBG management/server/account.go:1515: account cres9lc1955s73f2aig0 not found in cache, reloading
2024-11-23T21:30:33Z ERRO [context: HTTP, requestID: 5b94c307-da2a-406f-9545-3a886a33d7c4] management/server/http/middleware/auth_middleware.go:89: Error when validating JWT claims: 403 Forbidden
2024-11-23T21:30:33Z ERRO [context: HTTP, requestID: 5b94c307-da2a-406f-9545-3a886a33d7c4] management/server/http/util/util.go:81: got a handler error: token invalid
2024-11-23T21:30:33Z ERRO [requestID: 5b94c307-da2a-406f-9545-3a886a33d7c4, context: HTTP] management/server/telemetry/http_api_metrics.go:168: HTTP response 5b94c307-da2a-406f-9545-3a886a33d7c4: GET /api/users status 401
2024-11-23T21:30:33Z DEBG [context: HTTP, requestID: 5b94c307-da2a-406f-9545-3a886a33d7c4] management/server/telemetry/http_api_metrics.go:181: request GET /api/users took 357 ms and finished with status 401
2024-11-23T21:30:35Z DEBG [context: SYSTEM] management/server/jwtclaims/jwtValidator.go:120: keys refreshed, new UTC expiration time: 2024-11-23 21:30:35.465361803 +0000 UTC
2024-11-23T21:30:35Z DEBG [context: HTTP, requestID: f42c4177-9e51-4d9a-83d9-a11aacd27150] management/server/account.go:2002: overriding JWT Domain and DomainCategory claims since single account mode is enabled
2024-11-23T21:30:35Z DEBG [context: HTTP, requestID: f42c4177-9e51-4d9a-83d9-a11aacd27150] management/server/account.go:1577: looking up user 1 of account cres9lc1955s73f2aig0 in cache

The netbird service account is in the authentik-admins group:
[screenshot]

@roehren

roehren commented Nov 23, 2024

Had the same problem. After adding API access to the scopes of the Authentik OAuth2 Provider and restarting the management container, it seems to work again.
[screenshot]
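The 403 in this thread comes from authentik's own API (`GET /api/v3/core/users/?page=1`), not from NetBird's JWT validation, and the fix is the provider's scope list. The following script is an added example, not NetBird's or authentik's code: it decodes the management service's access token (without signature verification, for inspection only), checks whether the API-access scope was granted, and maps the status of the users endpoint to a likely cause. It assumes that the access token is a JWT carrying a space-separated `scope` claim and that the scope name behind authentik's "authentik API access" mapping is `goauthentik.io/api`; the two demo tokens are constructed and unsigned, and `check_users_endpoint` is the live variant that is not exercised offline.

```python
import base64
import json
from urllib import request, error

# Assumed scope name for authentik's "authentik API access" scope mapping.
API_SCOPE = "goauthentik.io/api"


def _b64url_decode(segment):
    # JWT segments drop the base64 padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_payload(token):
    """Return the claims of a compact JWT WITHOUT verifying its signature.
    Fine for looking at which scopes were granted; never use this to make
    an authorisation decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(token):
    """Scopes from the token's `scope` claim (string or list), as a set."""
    scope = decode_jwt_payload(token).get("scope", "")
    return set(scope.split()) if isinstance(scope, str) else set(scope)


def has_api_scope(token, api_scope=API_SCOPE):
    return api_scope in granted_scopes(token)


def diagnose(status_code, token):
    """Map the HTTP status of GET /api/v3/core/users/ to a likely cause."""
    if status_code == 200:
        return "ok"
    if status_code == 401:
        return "unauthorized: token expired, wrong issuer or not accepted as a bearer token"
    if status_code == 403:
        if not has_api_scope(token):
            return ("forbidden: token lacks the API access scope; "
                    "add it to the provider's selected scopes and restart management")
        return "forbidden: token has the API scope; check the service account's group and permissions"
    return f"unexpected status {status_code}"


def check_users_endpoint(base_url, token, timeout=10):
    """Live check against an authentik instance (returns the HTTP status)."""
    req = request.Request(f"{base_url.rstrip('/')}/api/v3/core/users/?page=1",
                          headers={"Authorization": f"Bearer {token}"})
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except error.HTTPError as exc:
        return exc.code


def make_unsigned_demo_token(claims):
    """Constructed sample token (alg none, empty signature) for the offline demo only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed tokens: one as issued before the API scope was selected, one after.
TOKEN_WITHOUT_API = make_unsigned_demo_token({"sub": "netbird", "scope": "openid profile email"})
TOKEN_WITH_API = make_unsigned_demo_token(
    {"sub": "netbird", "scope": "openid profile email " + API_SCOPE})

if __name__ == "__main__":
    print(diagnose(403, TOKEN_WITHOUT_API))
    print(diagnose(200, TOKEN_WITH_API))
```

To use it against a real deployment, obtain the access token the management service receives from authentik and call `diagnose(check_users_endpoint("https://authentik.example", token), token)`; a 403 together with a missing API scope points at the provider configuration rather than at the service account.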

@Spiritreader

> Had the same problem. After adding API access to the scopes of the Authentik OAuth2 Provider and restarting the management container, it seems to work again.

You're fantastic, that worked! Thank you ❤️

@MDMeridio001
Author

> Had the same problem. After adding API access to the scopes of the Authentik OAuth2 Provider and restarting the management container, it seems to work again.

Thank you a lot, that solved the issue immediately.

@rdeangel

rdeangel commented Nov 25, 2024

> Had the same problem. After adding API access to the scopes of the Authentik OAuth2 Provider and restarting the management container, it seems to work again.
>
> Thank you a lot, that solved the issue immediately.

For me that wasn't the only issue; I also had to reconfigure the redirects under Providers.
It seems authentik changed how these are entered in the latest version (they introduced strict and regex options in text fields rather than just regex and multiple lines in a text box), so in short they got wiped :-(

[screenshot]

@Nivek938

I ran into similar issues. I wasn't able to log in to the netbird management dashboard either, with the following message:

[screenshot]

I had to do the following steps to get it working again (as described above):

  1. In authentik provider:
    1a. change the https://netbird.tld.* to regex
    1b. add 'authentik api access' to selected scopes
  2. restart netbird management container

Netbird version: 0.33.0
Authentik version: 2024.10.4

@xpufx

xpufx commented Nov 27, 2024

> I ran into similar issues. I wasn't able to log in to the netbird management dashboard either, with the following message:
>
> [screenshot]
>
> I had to do the following steps to get it working again (as described above):
>
> 1. In authentik provider:
>    1a. change the https://netbird.tld.* to regex
>    1b. add 'authentik api access' to selected scopes
>
> 2. restart netbird management container
>
> Netbird version: 0.33.0 Authentik version: 2024.10.4

That worked for me. Thanks. Also, the domain redirects need to be each in their own line. Authentik's documentation displays this correctly.
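The redirect-URI breakage described by rdeangel, Nivek938 and xpufx comes from the migrated entries landing in strict mode, where a pattern such as `https://netbird.tld.*` is compared literally and no longer matches the dashboard's callback URL. The snippet below is an added example, not authentik's matching code: it models the two modes as the thread describes them (strict = exact string comparison, regex = whole-string regular-expression match; this is an assumption about authentik's behaviour), shows why the migrated entry fails in strict mode and passes in regex mode, and audits regex entries for the over-broad forms (unescaped dots, trailing `.*`) that also match hosts you do not control. The callback paths `/auth` and `/silent-auth` and the host `netbird.tld` are placeholders from the thread, not values taken from any deployment.

```python
import re

# Assumed semantics of authentik's two redirect-URI matching modes.
STRICT, REGEX = "strict", "regex"


def redirect_allowed(entry, mode, candidate):
    """Decide whether `candidate` is accepted by one configured redirect entry."""
    if mode == STRICT:
        return entry == candidate
    if mode == REGEX:
        # fullmatch: the whole candidate must match, not just a prefix.
        return re.fullmatch(entry, candidate) is not None
    raise ValueError(f"unknown matching mode: {mode}")


def parse_entries(text, mode):
    """One redirect URI per line (as xpufx notes); blank lines are ignored."""
    return [(line.strip(), mode) for line in text.splitlines() if line.strip()]


def allowed_by_any(entries, candidate):
    return any(redirect_allowed(entry, mode, candidate) for entry, mode in entries)


def audit_regex_entry(entry):
    """Return warnings for regex entries that accept more than intended."""
    warnings = []
    if entry.endswith(".*"):
        warnings.append("trailing '.*' accepts any host suffix and any path")
    # Strip a trailing wildcard before looking for unescaped dots in host/path.
    body = entry.split("//", 1)[-1].rstrip(".*")
    if re.search(r"(?<!\\)\.", body):
        warnings.append("unescaped '.' matches any character, not just a literal dot")
    return warnings


# Constructed sample: the migrated entry, and a tightened replacement.
MIGRATED_ENTRY = "https://netbird.tld.*"
TIGHT_ENTRIES = parse_entries(
    "https://netbird\\.tld/auth\n"
    "https://netbird\\.tld/silent-auth\n", REGEX)

CALLBACK = "https://netbird.tld/auth"
FOREIGN_HOST = "https://netbird.tld.attacker-controlled.example/auth"  # constructed

if __name__ == "__main__":
    print("strict :", redirect_allowed(MIGRATED_ENTRY, STRICT, CALLBACK))
    print("regex  :", redirect_allowed(MIGRATED_ENTRY, REGEX, CALLBACK))
    print("foreign:", redirect_allowed(MIGRATED_ENTRY, REGEX, FOREIGN_HOST))
    print("audit  :", audit_regex_entry(MIGRATED_ENTRY))
    print("tight  :", allowed_by_any(TIGHT_ENTRIES, CALLBACK),
          allowed_by_any(TIGHT_ENTRIES, FOREIGN_HOST))
```

Switching the migrated entry back to regex restores the login, but the audit shows why it is worth going one step further: listing each callback on its own line with escaped dots keeps the dashboard working while rejecting URLs on other hosts.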
