ERR_UNAUTHORIZED Request failed with status code 401 #452

Closed
dcshoes23 opened this issue Sep 6, 2022 · 9 comments

@dcshoes23

dcshoes23 commented Sep 6, 2022

I have selfhosted netbird v0.9.0 using Authentik as my identity provider.

I am able to log in using Authentik and I see the following error in the UI:
image

I see two problems in the Chrome debug console.

  1. Calls to https://auth.mydomain.com/application/o/userinfo/ fail due to a CORS error:
    Access to fetch at 'https://auth.mydomain.com/application/o/userinfo/' from origin 'https://nb.mydomain.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

NOTE: the call to https://auth.mydomain.com/application/o/token/ works fine which I see is called by xhr.ts:88 vs the failing call which is directly from oidc.ts:160

  2. Any web calls to the management service on :33073 are returning 401 unauthorized with the following response: The token isn't valid
@braginini
Contributor

braginini commented Sep 6, 2022

Hey @dcshoes23
There must be something wrong with the configuration. Could you please send the setup.env, docker-compose.yml, and management.json?
It would also be great to see an example of a generated JWT.

You can send this info on Slack (DM).
https://join.slack.com/t/netbirdio/shared_invite/zt-vrahf41g-ik1v7fV8du6t0RwxSrJ96A

@mlsmaycon
Collaborator

Relates to goauthentik/authentik#3555

@braginini
Contributor

I think that we can close this one, @dcshoes23, since the issues have been resolved and Authentik is now compatible with NetBird!

@dcshoes23
Author

dcshoes23 commented Sep 14, 2022

Closing as issues were with Authentik, thanks for helping to identify what was missing!
Only point 2 was on the Authentik. For point 1, see my comment below.

@dcshoes23
Author

dcshoes23 commented Sep 14, 2022

Found the issue, netbird is not setting the Origin header in the request to Authentik. When I manually add that in my curl test command, the proper CORS headers are returned from Authentik.

@dcshoes23 dcshoes23 reopened this Sep 14, 2022
@braginini
Contributor

> Found the issue, netbird is not setting the Origin header in the request to Authentik. When I manually add that in my curl test command, the proper CORS headers are returned from Authentik.

The user info endpoint, right? There must be something related to the OIDC library. Will check that.

@BeryJu

BeryJu commented Oct 7, 2022

Also trying out netbird currently (great project btw) and I've noticed one error seems to come from the netbird frontend injecting a slash into the well-known URL if you use the correct OIDC issuer for authentik, which ends with a trailing slash (https://id.beryju.org/application/o/netbird/), so if I remove that trailing slash in the UI I can login but get the same error as above, and API requests return The token isn't valid since I assume it's comparing the issuer against what is configured, which is failing

@BeryJu

BeryJu commented Oct 7, 2022

See the issue linked above, I monkey-patched this in the compiled main.js file and I can now correctly set the issuer. However there's still some 401 errors but also a warning due to base64-encoding

main.9e66752d.js:formatted:2797 DOMException: Failed to execute 'atob' on 'Window': The string to be decoded is not correctly encoded.
    at https://netbird.infra.beryju.io/static/js/main.9e66752d.js:2:43246
    at https://netbird.infra.beryju.io/static/js/main.9e66752d.js:2:43311
    at https://netbird.infra.beryju.io/static/js/main.9e66752d.js:2:40691
    at Object.next (https://netbird.infra.beryju.io/static/js/main.9e66752d.js:2:40796)
    at https://netbird.infra.beryju.io/static/js/main.9e66752d.js:2:39707
    at new Promise (<anonymous>)
    at a (https://netbird.infra.beryju.io/static/js/main.9e66752d.js:2:39452)
    at v (https://netbird.infra.beryju.io/static/js/main.9e66752d.js:2:42818)
    at https://netbird.infra.beryju.io/static/js/main.9e66752d.js:2:41529
    at https://netbird.infra.beryju.io/static/js/main.9e66752d.js:2:40691

I can't quite tell yet where the code that does this is from (and I feel like this is due to some missing base64 padding, which I don't think the spec asks for?)
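
The behaviours discussed in the two comments above (a trailing-slash issuer and the well-known URL, exact issuer comparison, and `atob` failing on a token segment) can be checked with the sketch below. It is an added example, not code from NetBird, authentik or any commenter; the issuer `idp.example.test`, the sample token and all function names are constructed for illustration.

```javascript
// Added example with constructed values; not NetBird or authentik code.
const ISSUER = "https://idp.example.test/application/o/netbird/"; // constructed issuer

// OIDC Discovery: drop any trailing "/" from the issuer before appending the
// well-known path, so a trailing-slash issuer does not yield "//.well-known".
function discoveryUrl(issuer) {
  return issuer.replace(/\/+$/, "") + "/.well-known/openid-configuration";
}

// JWT segments are base64url (RFC 7515): "-" and "_" replace "+" and "/", and "="
// padding is dropped. atob() only knows the standard alphabet, so normalise first.
function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes); // claims are UTF-8 JSON
}

// Helper used only to build the constructed sample token below.
function b64urlEncode(text) {
  const bin = String.fromCharCode(...new TextEncoder().encode(text));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Reads claims for diagnostics only; this does NOT verify the signature.
function decodeJwtClaims(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return JSON.parse(b64urlDecode(parts[1]));
}

// The iss claim must equal the configured issuer exactly, trailing slash included.
function issuerMatches(token, configuredIssuer) {
  return decodeJwtClaims(token).iss === configuredIssuer;
}

// True if atob() accepts the string as-is (no base64url normalisation).
function atobAccepts(s) {
  try { atob(s); return true; } catch { return false; }
}

// Constructed token: the signature part is a placeholder, not a real signature.
const SAMPLE_TOKEN = [{ alg: "RS256", typ: "JWT" }, { iss: ISSUER, sub: "user?~ü" }]
  .map((o) => b64urlEncode(JSON.stringify(o))).concat("c2ln").join(".");

console.log(discoveryUrl(ISSUER));
console.log(issuerMatches(SAMPLE_TOKEN, ISSUER), issuerMatches(SAMPLE_TOKEN, ISSUER.slice(0, -1)));
console.log(atobAccepts("YWI_"), b64urlDecode("YWI_")); // "YWI_" is base64url for "ab?"
```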

@mlsmaycon
Collaborator

@dcshoes23 recently we added authentik integration, you can find the docs here: https://docs.netbird.io/selfhosted/identity-providers#authentik
