Skip to content

Self-hosted Google OIDC login broken — CSP connect-src omits token endpoint (oauth2.googleapis.com) #690

Description

@zerotohero

After upgrading the self-hosted dashboard (via the :latest tag), Google SSO login fails with "Oops, something went wrong! There was an error logging you in. Error: Unauthenticated". The browser console shows the dashboard's Content-Security-Policy blocking the OIDC token exchange:

Connecting to 'https://oauth2.googleapis.com/token' violates the following Content Security Policy directive:
"connect-src 'self' … https://accounts.google.com https://:33073 …"
Fetch API cannot load https://oauth2.googleapis.com/token. Refused to connect because it violates the document's Content Security Policy.

Root cause: in docker/init_react_envs.sh, the CSP connect-src is built from AUTH_AUTHORITY (which adds accounts.google.com) plus the management endpoint and a hardcoded third-party list — but the IdP's token endpoint and JWKS URI are never added. With Google these live on different hosts (oauth2.googleapis.com and www.googleapis.com), so the browser-side PKCE code→token exchange is blocked and no authenticated request ever reaches the management API. This works for Auth0/Zitadel/Keycloak only because their authority and token endpoint share a host. This appears to be a regression introduced by #674 ("Merge NetBird cloud edition into the dashboard", 2026-06-21); the follow-up #680 touched the same CSP logic but didn't cover Google's separate token host.

To Reproduce

Steps to reproduce the behavior:

  1. Self-host NetBird with Google as the IdP (AUTH_AUTHORITY=https://accounts.google.com, USE_AUTH0=false), using a post-Merge NetBird cloud edition into the dashboard #674 dashboard image (e.g. netbirdio/dashboard:v2.80.0 or v2.90.1).
  2. Open the dashboard and click Login, then complete Google sign-in.
  3. Google redirects back to /auth?code=… and the dashboard attempts the token exchange.
  4. See error: "Oops, something went wrong! There was an error logging you in. Error: Unauthenticated". Browser DevTools → Console shows the CSP connect-src violation blocking https://oauth2.googleapis.com/token.

Expected behavior

The dashboard's CSP connect-src should allow the IdP's token endpoint (and JWKS/userinfo endpoints), so the PKCE code→token exchange succeeds and login completes. For Google this means allowing https://oauth2.googleapis.com and https://www.googleapis.com (ideally derived automatically from the authority's /.well-known/openid-configuration token_endpoint/jwks_uri/userinfo_endpoint, rather than only adding AUTH_AUTHORITY).

Are you using NetBird Cloud?

No — self-hosted control plane (management, signal, relay, dashboard, coturn via the standard docker-compose). IdP is Google.

NetBird version

NetBird status -d output:

Not applicable — this is a dashboard/control-plane login (browser↔IdP) issue, not a client/peer connectivity issue. The failure occurs in the browser before any peer is involved; the management API logs show no authenticated request arriving during the failed login.

Screenshots

Image

Additional context

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions