NetBird v0.36.5 with Zitadel: Account Login Success but Device Registration and Peer Login Failures

[xiaojueshi]

Describe the problem

During the use of the system, when using Zitadel for authentication, users can successfully log in to their accounts. However, they encounter issues when registering devices, preventing the devices from completing the registration process. Additionally, there are abnormal situations during client (peer) login, with two main types of error messages:

1. Missing authentication method: The system prompts "no peer auth method provided, please use a setup key or interactive SSO login", indicating that when the client attempts to log in, it fails to provide a valid authentication method. The system requires the use of a setup key or interactive Single - Sign - On (SSO) for authentication.
   For example:

2025-02-04T15:06:43Z WARN [context: GRPC, requestID: f89d69cb-2d88-499f-90ca-35b2de7b2309, accountID: UNKNOWN, peerID: iarZZO5xA9gTip3+Pubd42ub1IoyNdevhZxgcAoW8F0=] management/server/grpcserver.go:473: failed logging in peer iarZZO5xA9gTip3+Pubd42ub1IoyNdevhZxgcAoW8F0=: no peer auth method provided, please use a setup key or interactive SSO login

2. Account not found: The system prompts "failed adding new peer: account not found", meaning that when the client attempts to add a new peer, the system cannot find the corresponding account information.
   For example:

2025-02-04T15:06:44Z WARN [context: GRPC, requestID: a3db5f0a-812f-4058-a8dc-2649e4eb480d, accountID: UNKNOWN, peerID: iarZZO5xA9gTip3+Pubd42ub1IoyNdevhZxgcAoW8F0=] management/server/grpcserver.go:473: failed logging in peer iarZZO5xA9gTip3+Pubd42ub1IoyNdevhZxgcAoW8F0=: failed adding new peer: account not found

These errors prevent the client from logging in normally and the device from completing the registration.

To Reproduce

Since the specific operation steps are not clearly indicated in the logs, the possible steps to reproduce are speculated as follows:

1. Start the NetBird management server. The server begins to load configuration information, as shown in the logs:

2025-02-04T15:05:59Z INFO [context: SYSTEM] management/cmd/management.go:514: loading OIDC configuration from the provided IDP configuration endpoint https://auth.lzwnas.cn/.well-known/openid-configuration
2025-02-04T15:05:59Z INFO [context: SYSTEM] management/server/telemetry/app_metrics.go:193: enabled application metrics and exposing on http://0.0.0.0:9090
2025-02-04T15:05:59Z INFO [context: SYSTEM] management/server/store/store.go:241: using SQLite store engine

2. Log in to the account through Zitadel. This step can be completed successfully.
3. Attempt to perform the device registration operation.
4. The client fails to provide a valid authentication method or uses non - existent account information when attempting to log in for device registration.
5. The system outputs the corresponding warning messages, indicating login failure and device registration failure, as shown in the log examples described in the error information above.

[bcmmbaga]

Hello @xiaojueshi , could you clarify how you are registering the new peer? Specifically, do you specify your self-hosted management URL during the registration process? If not you can try running:

netbird up --management-url <YOUR_MANAGEMENT_URL>