Describe the problem
When opening the Web-SSH terminal for a peer via the SSH button in the dashboard, window.open() creates a new browser tab. This new tab has no inherited authentication state (OIDC tokens are stored in JavaScript memory and are not shared between browser contexts). The dashboard performs silent token renewal via prompt=none, but the embedded IDP included in netbird-server (Dex with local connector) does not support prompt=none — it returns login_required, which triggers a full re-authentication flow.
As a result, the user must enter their credentials every single time they open a Web-SSH terminal, even though they are already fully authenticated in the main dashboard tab.
This is distinct from issue #557 (fixed in PR #559, included in v2.34.2): that issue addressed query parameters being lost after re-authentication, causing SSH to hang. The re-authentication prompt itself was not addressed by that fix.
To Reproduce
- Self-host Netbird with the default embedded IDP (no external OIDC provider configured)
- Log in to the Netbird dashboard
- Navigate to any peer with SSH enabled
- Click the SSH button to open the Web-SSH terminal
- A new browser tab opens and immediately shows the embedded Dex login page, requiring username and password — despite already being logged in to the dashboard
Expected behavior
Since the user is already authenticated in the main dashboard tab, opening a Web-SSH terminal should not require re-entering credentials. Possible approaches:
- Open the SSH terminal in the same window context (e.g., as a modal or drawer) so the existing auth state is available, OR
- Pass auth state to the child window via
window.postMessage(), OR
- Perform token handoff through a short-lived
localStorage entry before calling window.open()
Are you using NetBird Cloud?
No — self-hosted with the default embedded IDP (netbird-server built-in Dex, local connector).
NetBird version
Management server: v0.66.4
Dashboard: v2.34.2 (already includes the PR #559 query-param fix)
Additional context
- The embedded IDP (Dex
local connector compiled into netbird-server) does not support prompt=none. This is a known Dex limitation for the local connector and cannot be fixed by configuration alone.
- External OIDC providers (Zitadel, Keycloak, Authelia, etc.) maintain browser session cookies and support
prompt=none, so self-hosters using an external IDP likely do not experience this issue.
- The most UX-preserving fix on the dashboard side would be to open the SSH terminal in a modal or drawer within the existing page, avoiding a new window entirely. This would also benefit users on browsers that block
window.open() popups.
Describe the problem
When opening the Web-SSH terminal for a peer via the SSH button in the dashboard,
window.open()creates a new browser tab. This new tab has no inherited authentication state (OIDC tokens are stored in JavaScript memory and are not shared between browser contexts). The dashboard performs silent token renewal viaprompt=none, but the embedded IDP included innetbird-server(Dex with local connector) does not supportprompt=none— it returnslogin_required, which triggers a full re-authentication flow.As a result, the user must enter their credentials every single time they open a Web-SSH terminal, even though they are already fully authenticated in the main dashboard tab.
This is distinct from issue #557 (fixed in PR #559, included in v2.34.2): that issue addressed query parameters being lost after re-authentication, causing SSH to hang. The re-authentication prompt itself was not addressed by that fix.
To Reproduce
Expected behavior
Since the user is already authenticated in the main dashboard tab, opening a Web-SSH terminal should not require re-entering credentials. Possible approaches:
window.postMessage(), ORlocalStorageentry before callingwindow.open()Are you using NetBird Cloud?
No — self-hosted with the default embedded IDP (
netbird-serverbuilt-in Dex, local connector).NetBird version
Management server:
v0.66.4Dashboard:
v2.34.2(already includes the PR #559 query-param fix)Additional context
localconnector compiled intonetbird-server) does not supportprompt=none. This is a known Dex limitation for the local connector and cannot be fixed by configuration alone.prompt=none, so self-hosters using an external IDP likely do not experience this issue.window.open()popups.