Unregistered redirect_uri with v0.71.0

[alexmoras]

Before posting

• I searched existing discussions and issues, including closed ones, and checked the relevant docs.
• I believe this is a product bug rather than a configuration or setup question.
• I can reproduce this issue, or for intermittent issues I've included trigger, frequency, and timing details below.
• I removed or anonymized sensitive data from logs, screenshots, and configuration.

Affected area

Login / Authentication / IdP

Deployment type

Self-hosted - quickstart script

Operating system or environment

Linux

NetBird version and upgrade status

Management
v0.71.0

Dashboard
v2.38.0

Client
v0.71.0 - Linux

Did this work before?

Yes, this worked before

Regression details

v0.70.5 - worked prior to upgrade to v0.71.0. Fresh install of v0.71.0 also replicates the issue.

Summary

Whenever trying to use device authentication, such as Netbird SSH or signing in on a TV, the NetBird Oauth server returns a Unregistered redirect_uri. due to a malformed redirect URI, missing the host domain name and only containing the oauth path.

Current behavior

v0.71.0 returns the following oauth device callback URL with the malformed redirect_uri which is missing the host domain.

https://domain.tld/oauth2/auth/pocketid-uniqueid?client_id=netbird-cli&client_secret=&redirect_uri=%2Foauth2%2Fdevice%2Fcallback&response_type=code&scope=openid+profile+email+groups&state=WXYZ-ZYXW

Expected behavior

The redirect_uri parameter should include the host domain (previous version did) and when you manually include it after seeing the error, the device gets authorised correctly.

&redirect_uri=https%3A%2F%2Fdomain.tld%2Foauth2%2Fdevice%2Fcallback

Steps to reproduce

Upgrade from 0.70.5 or a fresh install of 0.71.0 (I've tried both, the issue is present whichever way I install it)

Setup PocketID (I haven't tested this issue with other IDPs).

Attempt to use NetBird SSH or sign in to Android TV via the QR code and it'll prompt you for the 8-char code.

This will then redirect you to the malformed callback URL as above.

Environment and topology

Self-hosted install running on Ubuntu Server 26.04 with latest Docker. Configured with quickstart using option 0 for Traefik and Proxy / CrowdSec enabled. PocketID enabled via the UI as IDP option.

Self-hosted details, if available

No response

Logs, status output, or debug evidence

N/A

Related issues or discussions

No response

Impact

Given that I have replicated this on three separate, fresh-install, VPS, I would suggest that multiple people will be facing this issue. I have also tested it on a variety of domains in case my funky gTLD was being parsed weirdly. I've tested this with a legacy install that was updated from 0.70.5, and also fresh installs of 0.71.0.

Additional context

Possibly related to #6149, although the error I am seeing is shown by NetBird, rather than the third-party IDP.

[nascherer]

Adding another affected instance (self-hosted, embedded IdP, Traefik setup)
I can confirm this issue affects my setup as well after upgrading to v0.71.2.
Environment:

Management: v0.71.2
Dashboard: v2.38.0
Client: v0.71.2 (Windows Desktop)
Deployment: Self-hosted, Docker, Traefik reverse proxy
IDP: Embedded (built-in Netbird IdP, not a third-party provider like PocketID)

Setup (docker-compose, simplified):

services:
  dashboard:
    image: netbirdio/dashboard:latest
    
  netbird-server:  # combined: Management + Signal + Relay + STUN
    image: netbirdio/netbird-server:latest
    # Traefik routes: /relay, /ws-proxy, /api, /oauth2
    # gRPC routes: /signalexchange, /management
Behavior:

Click "Connect" → Browser opens automatically with token pre-filled → Click OK → "Bad Request – Unregistered redirect_uri"
This worked without any issues on the previous version
The only change made was running system updates (server + client)

Important note for the developers:
This is not limited to PocketID or external IDPs. The bug also affects the embedded IdP that ships with the Netbird all-in-one package. This suggests the issue is in the core OAuth redirect_uri handling, not in a specific IDP integration.
This is a production environment and the broken authentication is blocking access to critical infrastructure. A fix or official workaround (other than downgrading) would be greatly appreciated.

[jnfrati]

@nascherer a fix is going out on the next release, if you need to have something working ASAP you can use the ghcr images linked here #6191 (comment)

[jnfrati]

Confirmed and validated, related issue here #6189
I'll try to push a fix for this as quick as possible 👍

[jnfrati]

A fix for this will go out on the next release 💪

Related PR applying the fix here #6191

If anyone needs to be able to solve this quicker, you can try using the GHCR images displayed here until a release is cut #6191 (comment)