You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
After upgrading the self-hosted dashboard (via the :latest tag), Google SSO login fails with "Oops, something went wrong! There was an error logging you in. Error: Unauthenticated". The browser console shows the dashboard's Content-Security-Policy blocking the OIDC token exchange:
Root cause: in docker/init_react_envs.sh, the CSP connect-src is built from AUTH_AUTHORITY (which adds accounts.google.com) plus the management endpoint and a hardcoded third-party list — but the IdP's token endpoint and JWKS URI are never added. With Google these live on different hosts (oauth2.googleapis.com and www.googleapis.com), so the browser-side PKCE code→token exchange is blocked and no authenticated request ever reaches the management API. This works for Auth0/Zitadel/Keycloak only because their authority and token endpoint share a host. This appears to be a regression introduced by #674 ("Merge NetBird cloud edition into the dashboard", 2026-06-21); the follow-up #680 touched the same CSP logic but didn't cover Google's separate token host.
Open the dashboard and click Login, then complete Google sign-in.
Google redirects back to /auth?code=… and the dashboard attempts the token exchange.
See error: "Oops, something went wrong! There was an error logging you in. Error: Unauthenticated". Browser DevTools → Console shows the CSP connect-src violation blocking https://oauth2.googleapis.com/token.
Expected behavior
The dashboard's CSP connect-src should allow the IdP's token endpoint (and JWKS/userinfo endpoints), so the PKCE code→token exchange succeeds and login completes. For Google this means allowing https://oauth2.googleapis.com and https://www.googleapis.com (ideally derived automatically from the authority's /.well-known/openid-configuration token_endpoint/jwks_uri/userinfo_endpoint, rather than only adding AUTH_AUTHORITY).
Are you using NetBird Cloud?
No — self-hosted control plane (management, signal, relay, dashboard, coturn via the standard docker-compose). IdP is Google.
Not applicable — this is a dashboard/control-plane login (browser↔IdP) issue, not a client/peer connectivity issue. The failure occurs in the browser before any peer is involved; the management API logs show no authenticated request arriving during the failed login.
After upgrading the self-hosted dashboard (via the :latest tag), Google SSO login fails with "Oops, something went wrong! There was an error logging you in. Error: Unauthenticated". The browser console shows the dashboard's Content-Security-Policy blocking the OIDC token exchange:
Connecting to 'https://oauth2.googleapis.com/token' violates the following Content Security Policy directive:
"connect-src 'self' … https://accounts.google.com https://:33073 …"
Fetch API cannot load https://oauth2.googleapis.com/token. Refused to connect because it violates the document's Content Security Policy.
Root cause: in docker/init_react_envs.sh, the CSP connect-src is built from AUTH_AUTHORITY (which adds accounts.google.com) plus the management endpoint and a hardcoded third-party list — but the IdP's token endpoint and JWKS URI are never added. With Google these live on different hosts (oauth2.googleapis.com and www.googleapis.com), so the browser-side PKCE code→token exchange is blocked and no authenticated request ever reaches the management API. This works for Auth0/Zitadel/Keycloak only because their authority and token endpoint share a host. This appears to be a regression introduced by #674 ("Merge NetBird cloud edition into the dashboard", 2026-06-21); the follow-up #680 touched the same CSP logic but didn't cover Google's separate token host.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The dashboard's CSP connect-src should allow the IdP's token endpoint (and JWKS/userinfo endpoints), so the PKCE code→token exchange succeeds and login completes. For Google this means allowing https://oauth2.googleapis.com and https://www.googleapis.com (ideally derived automatically from the authority's /.well-known/openid-configuration token_endpoint/jwks_uri/userinfo_endpoint, rather than only adding AUTH_AUTHORITY).
Are you using NetBird Cloud?
No — self-hosted control plane (management, signal, relay, dashboard, coturn via the standard docker-compose). IdP is Google.
NetBird version
NetBird status -d output:
Not applicable — this is a dashboard/control-plane login (browser↔IdP) issue, not a client/peer connectivity issue. The failure occurs in the browser before any peer is involved; the management API logs show no authenticated request arriving during the failed login.
Screenshots
Additional context
NETBIRD_CSP=https://oauth2.googleapis.com https://www.googleapis.com https://openidconnect.googleapis.com