
Authentik IDP - Error parsing token: key is of invalid type #1947

Open
blazp7 opened this issue May 8, 2024 · 0 comments


blazp7 commented May 8, 2024

Problem
My dashboard and management process are running successfully; however, I am getting these errors after successfully logging into the web UI through my IDP.

Web browser UI:

  • Request failed with status code 401

Web browser console:

  • GET https://netbird.echoinstruments.eu/api/users [HTTP/2 401 20ms] Object { message: "token invalid", code: 401 }

Service logs after logging in:

  • Error when validating JWT claims: Error parsing token: key is of invalid type
  • got a handler error: token invalid

Service logs at startup:

  • WARN: failed warming up cache due to error: unable to get authentik token, statusCode 400

Additional Information

Self-hosted NetBird's control plane, version 0.27.4
Authentik identity provider
Traefik reverse proxy

Additional context

  • my management.json
{
  "DataStoreEncryptionKey": "genEVP6j/Yp2EeVujm0zgqXrRos29dQkpvX0hHdEUlQ=",
  "Datadir": "/var/lib/netbird-mgmt/data",
  "DeviceAuthorizationFlow": {
    "Provider": "hosted",
    "ProviderConfig": {
      "Audience": "YII3qPQZKKYF3GaXMVhh5wbK0RnQ8Okp2a4GBeON",
      "AuthorizationEndpoint": "",
      "ClientID": "YII3qPQZKKYF3GaXMVhh5wbK0RnQ8Okp2a4GBeON",
      "ClientSecret": "",
      "DeviceAuthEndpoint": "https://auth.mycompany.eu/application/o/device/",
      "Domain": "",
      "RedirectURLs": [
        "https://netbird.mycompany.eu/#callback"
      ],
      "Scope": "email openid profile",
      "TokenEndpoint": "https://auth.mycompany.eu/application/o/token/",
      "UseIDToken": false
    }
  },
  "HttpConfig": {
    "Address": "0.0.0.0:8011",
    "AuthAudience": "YII3qPQZKKYF3GaXMVhh5wbK0RnQ8Okp2a4GBeON",
    "AuthIssuer": "https://auth.mycompany.eu/application/o/netbird/",
    "AuthKeysLocation": "https://auth.mycompany.eu/application/o/netbird/jwks/",
    "AuthUserIDClaim": "",
    "CertFile": "",
    "CertKey": "",
    "IdpSignKeyRefreshEnabled": true,
    "OIDCConfigEndpoint": "https://auth.mycompany.eu/application/o/netbird/.well-known/openid-configuration"
  },
  "IdpManagerConfig": {
    "Auth0ClientCredentials": null,
    "AzureClientCredentials": null,
    "ClientConfig": {
      "ClientID": "YII3qPQZKKYF3GaXMVhh5wbK0RnQ8Okp2a4GBeON",
      "ClientSecret": "",
      "GrantType": "client_credentials",
      "Issuer": "https://auth.mycompany.eu/application/o/netbird/",
      "TokenEndpoint": "https://auth.mycompany.eu/application/o/token/"
    },
    "ExtraConfig": {
      "Password": "PpUEt47VIakCkjqfcIJ7Ci7URqtS8PdHUlFVBMNy",
      "Username": "netbird"
    },
    "KeycloakClientCredentials": null,
    "ManagerType": "authentik",
    "ZitadelClientCredentials": null
  },
  "PKCEAuthorizationFlow": {
    "ProviderConfig": {
      "Audience": "YII3qPQZKKYF3GaXMVhh5wbK0RnQ8Okp2a4GBeON",
      "AuthorizationEndpoint": "https://auth.mycompany.eu/application/o/authorize/",
      "ClientID": "YII3qPQZKKYF3GaXMVhh5wbK0RnQ8Okp2a4GBeON",
      "ClientSecret": "",
      "Domain": "",
      "RedirectURLs": [
        "https://netbird.mycompany.eu/#callback"
      ],
      "Scope": "email openid profile",
      "TokenEndpoint": "https://auth.mycompany.eu/application/o/token/",
      "UseIDToken": false
    }
  },
  "ReverseProxy": {
    "TrustedHTTPProxies": [],
    "TrustedHTTPProxiesCount": 0,
    "TrustedPeers": [
      "0.0.0.0/0"
    ]
  },
  "Signal": {
    "Password": null,
    "Proto": "https",
    "URI": "netbird.mycompany.eu",
    "Username": ""
  },
  "StoreConfig": {
    "Engine": "sqlite"
  },
  "Stuns": [
    {
      "Password": null,
      "Proto": "udp",
      "URI": "stun:192.168.12.250:3478",
      "Username": ""
    }
  ],
  "TURNConfig": {
    "CredentialsTTL": "12h",
    "Secret": "veryinsecuresecret",
    "TimeBasedCredentials": false,
    "Turns": [
      {
        "Password": "veryinsecureturnpassword",
        "Proto": "udp",
        "URI": "turn:192.168.12.250:3478",
        "Username": "netbird"
      }
    ]
  }
}
  • process is started with the following cli arguments
netbird "management" \
"--config" "/var/lib/netbird-mgmt/management.json" \
"--datadir" "/var/lib/netbird-mgmt/data" \
"--dns-domain" "netbird.mycompany.eu" \
"--port" "8011" \
"--log-file" "console" \
"--log-level" "DEBUG" \
"--idp-sign-key-refresh-enabled"  \
"--single-account-mode-domain" "netbird.mycompany.eu" \
"--disable-anonymous-metrics"
  • service startup logs
systemd[1]: Started The management server for Netbird, a wireguard VPN.
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 INFO management/cmd/management.
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 INFO management/cmd/management.
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 INFO management/cmd/management.go:462: overriding HttpConfig.AuthIssuer with a new value https://auth.mycompany.eu/application/o/netbird/, previously configured value: https://auth.mycompany.eu/application/o/netbird/
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 INFO management/cmd/management.go:466: overriding HttpConfig.AuthKeysLocation (JWT certs) with a new value https://auth.mycompany.eu/application/o/netbird/jwks/, previously configured value: https://auth.mycompany.eu/application/o/netbird/jwks/
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 INFO management/cmd/management.go:471: overriding DeviceAuthorizationFlow.TokenEndpoint with a new value: https://auth.mycompany.eu/application/o/token/, previously configured value: https://auth.mycompany.eu/application/o/token/
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 INFO management/cmd/management.go:474: overriding DeviceAuthorizationFlow.DeviceAuthEndpoint with a new value: https://auth.mycompany.eu/application/o/device/, previously configured value: https://auth.mycompany.eu/application/o/device/
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 INFO management/cmd/management.go:482: overriding DeviceAuthorizationFlow.ProviderConfig.Domain with a new value: auth.mycompany.eu, previously configured value:
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 INFO management/cmd/management.go:492: overriding PKCEAuthorizationFlow.TokenEndpoint with a new value: https://auth.mycompany.eu/application/o/token/, previously configured value: https://auth.mycompany.eu/application/o/token/
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 INFO management/cmd/management.go:495: overriding PKCEAuthorizationFlow.AuthorizationEndpoint with a new value: https://auth.mycompany.eu/application/o/authorize/, previously configured value: https://auth.mycompany.eu/application/o/authorize/
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 INFO management/server/telemetry/app_metrics.go:177: enabled application metrics and exposing on http://0.0.0.0:8081
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 INFO management/server/store.go:92: using SQLite store engine
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 DEBG management/server/migration/migration.go:39: No records in table accounts, no migration needed
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 DEBG management/server/migration/migration.go:39: No records in table routes, no migration needed
netbird-mgmt[730565]: 2024-05-08T10:43:40+02:00 DEBG management/server/migration/migration.go:39: No records in table routes, no migration needed
netbird-mgmt[730565]: 2024-05-08T10:43:41+02:00 DEBG management/server/activity/sqlite/sqlite.go:328: check deleted_users table version
netbird-mgmt[730565]: 2024-05-08T10:43:41+02:00 DEBG management/server/geolocation/store.go:174: took 107.113993ms to setup geoname db
netbird-mgmt[730565]: 2024-05-08T10:43:41+02:00 INFO management/cmd/management.go:173: geo location service has been initialized from /var/lib/netbird-mgmt/data
netbird-mgmt[730565]: 2024-05-08T10:43:41+02:00 INFO management/server/account.go:887: single account mode enabled, accounts number 0
netbird-mgmt[730565]: 2024-05-08T10:43:41+02:00 DEBG management/server/idp/authentik.go:134: requesting new jwt token for authentik idp manager
netbird-mgmt[730565]: 2024-05-08T10:43:41+02:00 DEBG management/server/ephemeral.go:135: loaded ephemeral peer(s): 0
netbird-mgmt[730565]: 2024-05-08T10:43:41+02:00 WARN management/server/account.go:927: failed warming up cache due to error: unable to get authentik token, statusCode 400
netbird-mgmt[730565]: 2024-05-08T10:43:41+02:00 INFO management/cmd/management.go:292: running gRPC backward compatibility server: [::]:33073
netbird-mgmt[730565]: 2024-05-08T10:43:41+02:00 INFO management/cmd/management.go:324: management server version 0.27.4
netbird-mgmt[730565]: 2024-05-08T10:43:41+02:00 INFO management/cmd/management.go:325: running HTTP server and gRPC server on the same port: [::]:8011
  • service logs when I log in to the web UI
netbird-mgmt[730565]: 2024-05-08T10:45:41+02:00 DEBG management/server/geolocat
netbird-mgmt[730565]: 2024-05-08T10:45:41+02:00 DEBG management/server/geolocat
netbird-mgmt[730565]: 2024-05-08T10:46:41+02:00 DEBG management/server/geolocat
netbird-mgmt[730565]: 2024-05-08T10:46:41+02:00 DEBG management/server/geolocat
netbird-mgmt[730565]: 2024-05-08T10:47:22+02:00 DEBG management/server/jwtclaim
netbird-mgmt[730565]: 2024-05-08T10:47:22+02:00 ERRO management/server/jwtclaim
netbird-mgmt[730565]: 2024-05-08T10:47:22+02:00 ERRO management/server/http/mid
netbird-mgmt[730565]: 2024-05-08T10:47:22+02:00 ERRO management/server/http/uti
netbird-mgmt[730565]: 2024-05-08T10:47:22+02:00 ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 2995609963: GET /api/users status 401
netbird-mgmt[730565]: 2024-05-08T10:47:22+02:00 DEBG management/server/telemetry/http_api_metrics.go:201: request GET /api/users took 41 ms and finished with status 401
netbird-mgmt[730565]: 2024-05-08T10:47:22+02:00 DEBG management/server/jwtclaims/jwtValidator.go:111: keys refreshed, new UTC expiration time: 2024-05-08 08:47:22.954373094 +0000 UTC
netbird-mgmt[730565]: 2024-05-08T10:47:22+02:00 ERRO management/server/jwtclaims/jwtValidator.go:160: error parsing token: key is of invalid type
netbird-mgmt[730565]: 2024-05-08T10:47:22+02:00 ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: Error parsing token: key is of invalid type
netbird-mgmt[730565]: 2024-05-08T10:47:22+02:00 ERRO management/server/http/util/util.go:80: got a handler error: token invalid
netbird-mgmt[730565]: 2024-05-08T10:47:22+02:00 ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 905634035: GET /api/users status 401
netbird-mgmt[730565]: 2024-05-08T10:47:22+02:00 DEBG management/server/telemetry/http_api_metrics.go:201: request GET /api/users took 18 ms and finished with status 401
netbird-mgmt[730565]: 2024-05-08T10:47:23+02:00 DEBG management/server/jwtclaims/jwtValidator.go:111: keys refreshed, new UTC expiration time: 2024-05-08 08:47:23.49892141 +0000 UTC
netbird-mgmt[730565]: 2024-05-08T10:47:23+02:00 ERRO management/server/jwtclaims/jwtValidator.go:160: error parsing token: key is of invalid type
netbird-mgmt[730565]: 2024-05-08T10:47:23+02:00 ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: Error parsing token: key is of invalid type
netbird-mgmt[730565]: 2024-05-08T10:47:23+02:00 ERRO management/server/http/util/util.go:80: got a handler error: token invalid
netbird-mgmt[730565]: 2024-05-08T10:47:23+02:00 ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 3636200884: GET /api/users status 401
netbird-mgmt[730565]: 2024-05-08T10:47:23+02:00 DEBG management/server/telemetry/http_api_metrics.go:201: request GET /api/users took 20 ms and finished with status 401
netbird-mgmt[730565]: 2024-05-08T10:47:24+02:00 DEBG management/server/jwtclaims/jwtValidator.go:111: keys refreshed, new UTC expiration time: 2024-05-08 08:47:24.083951284 +0000 UTC
netbird-mgmt[730565]: 2024-05-08T10:47:24+02:00 ERRO management/server/jwtclaims/jwtValidator.go:160: error parsing token: key is of invalid type
netbird-mgmt[730565]: 2024-05-08T10:47:24+02:00 ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: Error parsing token: key is of invalid type
netbird-mgmt[730565]: 2024-05-08T10:47:24+02:00 ERRO management/server/http/util/util.go:80: got a handler error: token invalid
netbird-mgmt[730565]: 2024-05-08T10:47:24+02:00 ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 3416239691: GET /api/users status 401
netbird-mgmt[730565]: 2024-05-08T10:47:24+02:00 DEBG management/server/telemetry/http_api_metrics.go:201: request GET /api/users took 17 ms and finished with status 401
netbird-mgmt[730565]: 2024-05-08T10:47:29+02:00 DEBG management/server/jwtclaims/jwtValidator.go:111: keys refreshed, new UTC expiration time: 2024-05-08 08:47:29.182113768 +0000 UTC
netbird-mgmt[730565]: 2024-05-08T10:47:29+02:00 ERRO management/server/jwtclaims/jwtValidator.go:160: error parsing token: key is of invalid type
netbird-mgmt[730565]: 2024-05-08T10:47:29+02:00 ERRO management/server/http/middleware/auth_middleware.go:88: Error when validating JWT claims: Error parsing token: key is of invalid type
netbird-mgmt[730565]: 2024-05-08T10:47:29+02:00 ERRO management/server/http/util/util.go:80: got a handler error: token invalid
netbird-mgmt[730565]: 2024-05-08T10:47:29+02:00 ERRO management/server/telemetry/http_api_metrics.go:181: HTTP response 1676120686: GET /api/users status 401
netbird-mgmt[730565]: 2024-05-08T10:47:29+02:00 DEBG management/server/telemetry/http_api_metrics.go:201: request GET /api/users took 18 ms and finished with status 401

Edit: I realize I posted my service account password; it has already been changed.
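The "key is of invalid type" line in the logs above is the class of failure where a JWKS key was found but its key type cannot verify the token's `alg` (for example an RS256 token matched against a non-RSA key). The following is an added, stand-alone Go example, not NetBird's code and not from this issue, that shows the three checks a JWKS-backed validator performs before any signature is touched: the `kid` exists, the key's `kty` matches the algorithm family, and any `alg` restriction on the key agrees with the token. It uses only the standard library, inspects the JOSE header without verifying the signature, and works on a constructed key set (`SampleJWKS`) whose key material is omitted because only `kid`, `kty` and `alg` are examined. All names (`SelectKey`, `HeaderToken`, `ErrKeyType`) are hypothetical.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// jwk is the subset of an RFC 7517 JSON Web Key needed for this check.
// Key material (n, e, x, y) is ignored here; only identity and type matter.
type jwk struct {
	Kid string `json:"kid"`
	Kty string `json:"kty"`
	Alg string `json:"alg,omitempty"`
	Use string `json:"use,omitempty"`
}

type jwks struct {
	Keys []jwk `json:"keys"`
}

// jwtHeader is the JOSE header of a compact-serialised JWT.
type jwtHeader struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

// ErrKeyType mirrors the failure class in the issue: a key was found, but its
// type cannot verify the token's algorithm.
var ErrKeyType = errors.New("key is of invalid type")

// requiredKty maps a JWS algorithm family to the JWK key type that verifies it.
// HS* is deliberately absent: a public JWKS never carries HMAC secrets, so an
// HS-signed token is refused rather than verified with whatever key turns up.
func requiredKty(alg string) (string, bool) {
	switch {
	case strings.HasPrefix(alg, "RS"), strings.HasPrefix(alg, "PS"):
		return "RSA", true
	case strings.HasPrefix(alg, "ES"):
		return "EC", true
	case alg == "EdDSA":
		return "OKP", true
	}
	return "", false
}

// parseHeader decodes the first segment of a compact JWT without verifying it.
func parseHeader(token string) (jwtHeader, error) {
	var h jwtHeader
	seg := strings.SplitN(token, ".", 3)
	if len(seg) != 3 {
		return h, errors.New("not a compact JWS")
	}
	raw, err := base64.RawURLEncoding.DecodeString(seg[0])
	if err != nil {
		return h, fmt.Errorf("decode header: %w", err)
	}
	if err := json.Unmarshal(raw, &h); err != nil {
		return h, fmt.Errorf("parse header: %w", err)
	}
	return h, nil
}

// SelectKey returns the JWK whose kid matches the token header and whose kty can
// verify the header's alg. Every other outcome is an error whose text says which
// check failed, so an operator can tell "unknown kid" apart from the
// "key is of invalid type" seen in the issue.
func SelectKey(token, jwksJSON string) (jwk, error) {
	h, err := parseHeader(token)
	if err != nil {
		return jwk{}, err
	}
	want, ok := requiredKty(h.Alg)
	if !ok {
		return jwk{}, fmt.Errorf("alg %q is not an asymmetric JWS algorithm; refusing", h.Alg)
	}
	var set jwks
	if err := json.Unmarshal([]byte(jwksJSON), &set); err != nil {
		return jwk{}, fmt.Errorf("parse jwks: %w", err)
	}
	for _, k := range set.Keys {
		if k.Kid != h.Kid {
			continue
		}
		if k.Kty != want {
			return jwk{}, fmt.Errorf("%w: alg %s needs kty %s, key %q has kty %s", ErrKeyType, h.Alg, want, k.Kid, k.Kty)
		}
		if k.Alg != "" && k.Alg != h.Alg {
			return jwk{}, fmt.Errorf("%w: key %q is restricted to alg %s, token uses %s", ErrKeyType, k.Kid, k.Alg, h.Alg)
		}
		return k, nil
	}
	return jwk{}, fmt.Errorf("no key with kid %q in JWKS", h.Kid)
}

// HeaderToken builds an unsigned token carrying only a header (constructed input
// for this example; the payload and signature segments are dummies).
func HeaderToken(alg, kid string) string {
	hdr, _ := json.Marshal(jwtHeader{Alg: alg, Kid: kid})
	return base64.RawURLEncoding.EncodeToString(hdr) + ".e30.sig"
}

// SampleJWKS is a constructed key set with one RSA key and one EC key.
const SampleJWKS = `{"keys":[
 {"kid":"rsa-1","kty":"RSA","use":"sig","alg":"RS256"},
 {"kid":"ec-1","kty":"EC","use":"sig","crv":"P-256"}
]}`

func main() {
	for _, tok := range []string{
		HeaderToken("RS256", "rsa-1"),   // accepted
		HeaderToken("RS256", "ec-1"),    // key is of invalid type
		HeaderToken("HS256", "rsa-1"),   // refused: not asymmetric
		HeaderToken("RS256", "missing"), // unknown kid
	} {
		k, err := SelectKey(tok, SampleJWKS)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Println("accept: kid", k.Kid, "kty", k.Kty)
	}
}
```

When a validator logs this error while the JWKS URL is correct, the useful next question is which of the three checks fired: the `kid` lookup, the `kty`/`alg` family match, or a per-key `alg` restriction. Logging that distinction, as `SelectKey` does, turns an opaque 401 into a pointer at the issuer's key configuration.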
