I am building a Zitified Flask client app to streamline identity creation and downloading the OTT to the end-user device. This is accessing LDAP as a dark Ziti service, so the app is already authenticated with Ziti and successfully communicating over a socket. The app identity is already set as "isAdmin".
Is there a way to leverage that existing ZitiContext into making API calls?
Hi @ritzdan, welcome to the community and to OpenZiti! Sounds like you've made some really excellent progress!
That's an interesting use case, one I haven't seen yet. Unfortunately, at this moment, there really isn't any easy way to reuse the token that the client obtained during the process of authenticating to the overlay for the management API. Totally makes sense to me why you'd want to do that though...
You could use the contents of the identity file -- the CA bundle, cert, key -- in a subsequent API request and authenticate an HTTP client to obtain a second token and use that... I think it'd have the same sort of effect you're looking for? The user wouldn't need to have any "credentials" so to speak in that case, but you'd have to make an HTTP request to the authenticate URL before you could use it.
That help?
EDIT:
Oh and the token is in there, somewhere, I just don't think it's easily accessible at this time
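The approach suggested in the reply above (use the cert, key and CA bundle from the enrolled identity file to authenticate an HTTP client against the controller and reuse the returned session token) is spelled out here as an added example using `requests`. This is not code from the original thread or from the OpenZiti project. It assumes the standard identity-file layout written by `ziti edge enroll` (`ztAPI` plus `id.key`/`id.cert`/`id.ca` with `pem:` or `file:` prefixes), that the management API is served at `/edge/management/v1` on the same controller host as the client API, that certificate authentication is `POST /authenticate?method=cert`, and that the returned token is sent back in the `zt-session` header. The identity JSON below is constructed sample data, not a real enrolled identity.

```python
"""Authenticate to the OpenZiti Edge Management API with an enrolled identity's
client certificate and reuse the resulting zt-session token for API calls.
Added example; endpoints, field names and the identity layout are assumptions
documented in the lead-in, not verified against a specific controller version."""
import json
import os
import tempfile
import urllib.parse

# Constructed sample identity file (not a real enrolled identity). Real files
# carry PEM material under "pem:" prefixes, or paths under "file:" prefixes.
SAMPLE_IDENTITY_JSON = json.dumps({
    "ztAPI": "https://ctrl.example.com:1280/edge/client/v1",
    "id": {
        "key": "pem:-----BEGIN EC PRIVATE KEY-----\nAAAA\n-----END EC PRIVATE KEY-----\n",
        "cert": "pem:-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n",
        "ca": "pem:-----BEGIN CERTIFICATE-----\nCCCC\n-----END CERTIFICATE-----\n",
    },
})


def pem_material(value: str) -> bytes:
    """Resolve a "pem:..." or "file:..." identity field to raw PEM bytes."""
    if value.startswith("pem:"):
        return value[len("pem:"):].encode()
    if value.startswith("file:"):
        with open(value[len("file:"):], "rb") as fh:
            return fh.read()
    raise ValueError(f"unsupported identity field prefix: {value[:8]!r}")


def management_url(zt_api: str) -> str:
    """Derive the management API base URL from the identity's client API URL.
    Assumption: both APIs are served from the same controller address."""
    parts = urllib.parse.urlsplit(zt_api)
    return urllib.parse.urlunsplit((parts.scheme, parts.netloc, "/edge/management/v1", "", ""))


class ZitiIdentity:
    """PEM material from an identity file, written to 0600 temp files so that
    `requests` can present it for mutual TLS. The key is an admin credential:
    keep the temp dir on the app host only and never serve it to end users."""

    def __init__(self, identity_json: str):
        doc = json.loads(identity_json)
        self.zt_api = doc["ztAPI"]
        self._dir = tempfile.mkdtemp(prefix="ziti-id-")
        self.key_path = self._write("key.pem", pem_material(doc["id"]["key"]))
        self.cert_path = self._write("cert.pem", pem_material(doc["id"]["cert"]))
        self.ca_path = self._write("ca.pem", pem_material(doc["id"]["ca"]))

    def _write(self, name: str, data: bytes) -> str:
        path = os.path.join(self._dir, name)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return path


def session_token(body: dict) -> str:
    """Pull the session token out of an /authenticate response body."""
    token = (body.get("data") or {}).get("token")
    if not token:
        raise RuntimeError("authenticate response carried no session token")
    return token


def authenticate(identity: ZitiIdentity):
    """POST /authenticate?method=cert over mTLS and return a requests.Session
    that sends the zt-session token on every later management API call."""
    import requests  # deferred so the parsing helpers above work without it

    base = management_url(identity.zt_api)
    session = requests.Session()
    session.cert = (identity.cert_path, identity.key_path)  # client cert + key
    session.verify = identity.ca_path  # trust only the controller's CA bundle
    resp = session.post(f"{base}/authenticate", params={"method": "cert"},
                        json={}, timeout=10)
    resp.raise_for_status()
    session.headers["zt-session"] = session_token(resp.json())
    return session


if __name__ == "__main__":
    # Live use: read the real enrolled identity file and list identities.
    with open(os.environ["ZITI_IDENTITY_FILE"]) as fh:
        ident = ZitiIdentity(fh.read())
    api = authenticate(ident)
    page = api.get(f"{management_url(ident.zt_api)}/identities",
                   params={"limit": 10}, timeout=10)
    page.raise_for_status()
    for entry in page.json()["data"]:
        print(entry["id"], entry["name"])
```

The session you get back is only as privileged as the identity whose certificate you presented, so this gives management access precisely because the app identity is marked `isAdmin`; treat the identity file like any other admin secret. Session tokens expire, so a long-running Flask process should catch a 401 from the management API and call `authenticate()` again rather than caching the token forever.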
Thanks for the feedback, I just wanted to make sure I wasn't missing anything.
Just to share some feedback, the Python REST API Client isn't usable in its current form and after navigating a few issues I just gave up and started using requests. Overall the documentation, blog posts, and Discourse threads seem a bit outdated and almost none of the sample code works out of the box (probably API changed and docs haven't been updated). That's not to say they aren't helpful, and without them I'd surely be stuck. But, it would be good for you to have some more up-to-date Python examples to help people connect to the APIs (after that it is entirely straightforward).
That said, the app (Flask) is finished and works really well. It's an end-user portal to enroll devices using a 3rd-party IdP (Azure AD/Entra) to authenticate the user. This gets around the issue of getting the JWT onto the user's device. We let our (authenticated) users create their own identities for now (up to a limit), but it could easily be set to require Admins to create the identity and users can just download their token or access the QR Code to enroll.
If you ever want a demo I'd be happy to share, it covers a lot of ground that other new users are probably going to have to deal with getting Python API access set up and provisioning new identities.
Thank you for that feedback. "almost none of the sample code works out of the box" -- ugh. I can appreciate how frustrating that can be, so my apologies for that. Nice job getting things working in spite of that!
That sounds really exciting and neat! Is that something you'd be willing to put into the open source community?
Heck yeah I want a demo! Do you have any interest in joining our ADOPTERS.md list and/or coming on a live Ziti TV? <-- totally casual live stream, just two people talking tech type of thing. Sounds like a lot of fun. I don't have a ton of Azure AD/Entra experience so it'd be fun for me and I'd surely learn a thing or two!