BrowZer support for API, getting error on OPTIONS and POST methods

Hi, I'm trying out browZer for my web app. I was able to reach my frontend through browZer, but the backend fails and I'm not sure how to resolve this.
I get a 403 on the /graphql POST method.
With Ziti Edge Desktop this works perfectly; it fails only through browZer.


{"clientIp":"127.0.0.1","level":"warn","message":"req terminate; non-GET method","method":"OPTIONS","timestamp":"2025-01-10T00:32:04.810Z","url":"/graphql","version":"0.76.0"}
{"clientIp":"127.0.0.1","level":"warn","message":"req terminate; non-GET method","method":"OPTIONS","timestamp":"2025-01-10T00:32:04.815Z","url":"/graphql","version":"0.76.0"}
{"clientIp":"127.0.0.1","level":"warn","message":"req terminate; non-GET method","method":"POST","timestamp":"2025-01-10T00:46:48.796Z","url":"/graphql","version":"0.76.0"}
{"clientIp":"127.0.0.1","level":"warn","message":"req terminate; non-GET method","method":"POST","timestamp":"2025-01-10T00:46:48.803Z","url":"/graphql","version":"0.76.0"}

Looks like browzer does not support other methods?

Could you help me resolve this?

These are my Helm values for targets:

targets:
      - vhost: "demo.xxxx.xxxx.com"  # httpbin.ziti.example.com
        service: "xxxx-rd-ui"  # httpbin-service
        #path: /*
        scheme: https
        idp_issuer_base_url: "https://xxxx.xxx-dev.com/realms/demo"
        idp_client_id: "xxx-xxxx-auth"
      - vhost: "demo-internal.xxxx-xxx.com"  # httpbin.ziti.example.com
        service: "xxxx-xxxx-rd-backend"  # httpbin-service
        path: /
        scheme: https
        idp_issuer_base_url: "https://xxxx.xxx-dev.com/realms/demo"
        idp_client_id: "xxx-xxxx-auth"

Does browZer not support APIs, or am I missing anything here? Need help ASAP.

403 forbidden and says non-GET methods are prohibited

And on external JWT signers, we can't add the same Issuer but with different audiences?

@ss_vinoth22 It appears to me that your web app is represented by two distinct servers. The "front end" server which you have mapped to a Ziti Service named xxxx-rd-ui, and a second/different API server which you have mapped to a Ziti Service named xxxx-xxxx-rd-backend. Please confirm I understand your topology correctly.

If so, and if HTTP requests initiated by your web app are targeting the API server (and not the host from where the web app was loaded), then the Ziti browZer Runtime (ZBR) should intercept these requests and route them over Ziti.

Since the API requests are hitting the browZer Bootstrapper (the non-GET error you see in the bootstrapper logs), this means that the REST calls intended for the API Service are not being intercepted.

On Chrome, can you click the browZer button, then go to the Setting tab in the browZer config tray, then change the Loglevel to TRACE (this will cause a reload of the page). Then open Chrome DevTools, go to the Console trace for your browZer web app, and tell me if there are warning msgs about certain targets not being intercepted.

Here is an example of what the warnings will look like:

image

If you see your API server listed, we will need to diagnose whether your Identity has access to the Service or not.

1 Like
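
The diagnosis in the reply above (non-GET requests appearing in the bootstrapper log were not intercepted by the ZBR) can be checked across a whole log, as an added example that is not part of the original thread or of browZer itself. The sample lines are constructed in the format posted earlier in the thread, and the function names are hypothetical.

```python
import json
from collections import Counter

# Constructed sample in the format of the bootstrapper log lines posted above,
# including the terminal box-drawing residue and two lines that must be ignored.
SAMPLE_LOG = """\
│ {"clientIp":"127.0.0.1","level":"warn","message":"req terminate; non-GET method","method":"OPTIONS","timestamp":"2025-01-10T00:32:04.810Z","url":"/graphql","version":"0.76.0"}   │
│ {"clientIp":"127.0.0.1","level":"warn","message":"req terminate; non-GET method","method":"POST","timestamp":"2025-01-10T00:46:48.796Z","url":"/graphql","version":"0.76.0"} │
│ {"clientIp":"127.0.0.1","level":"warn","message":"req terminate; non-GET method","method":"POST","timestamp":"2025-01-10T00:46:48.803Z","url":"/graphql","version":"0.76.0"} │
│ {"clientIp":"127.0.0.1","level":"info","message":"constructed unrelated line","timestamp":"2025-01-10T00:46:49.000Z","version":"0.76.0"} │
not json at all
"""

MARKER = "req terminate; non-GET method"  # message text taken from the thread's log

def parse_line(line):
    """Return the JSON object embedded in a log line, or None if there is none."""
    start, end = line.find("{"), line.rfind("}")
    if start == -1 or end < start:
        return None
    try:
        return json.loads(line[start:end + 1])
    except json.JSONDecodeError:
        return None

def unintercepted_requests(log_text):
    """Count (method, url) pairs the bootstrapper terminated as non-GET."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("message") == MARKER:
            hits[(rec.get("method", "?"), rec.get("url", "?"))] += 1
    return hits

def report(log_text):
    """One summary line per (method, url) that reached the bootstrapper."""
    lines = []
    for (method, url), n in sorted(unintercepted_requests(log_text).items()):
        kind = "likely CORS preflight" if method == "OPTIONS" else "API call"
        lines.append(f"{n}x {method} {url} reached the bootstrapper ({kind}, not intercepted)")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Any URL listed in the report is one to look for in the TRACE-level console warnings about targets not being intercepted.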

@curt Yes, you are right: the frontend and backend are different servers.

Does that mean I don't need to specify the backend endpoint in the bootstrapper like below?

zitiBrowzer:
  bootstrapper:
    logLevel: "debug"
    loadBalancer:
      host: "aly-dev.com"  # browzer.ziti.example.com
      port: 443
    scheme: http
    targets:
      - vhost: "xxxx.xxxx.aly-dev.com"  # httpbin.ziti.example.com
        service: "aly-assistant-rd-ui"  # httpbin-service
        scheme: https
        idp_issuer_base_url: "https://xxxx.aly-dev.com/realms/demo"
        idp_client_id: "xxxx-xxx-auth"
      - vhost: "xxx-xxxx-demo-internal.aly-dev.com"  # httpbin.ziti.example.com
        service: "xxxx-xxxx-rd-backend"  # httpbin-service
        path: /graphql
        scheme: https
        idp_issuer_base_url: "https://xxxx.xxxx.com/realms/demo"
        idp_client_id: "xxxx-xxxx-auth"

If I have 2 different Ziti services (1 frontend and 1 backend), how do I let browZer know?
In targets I map only the frontend URL with the frontend service, but in the Ziti identity policies I have mapped both the frontend and backend services.

For testing I've removed the API vhost from the browZer targets and also added the backend API endpoint to the same Ziti service; in the debug logs on config I can see it is intercepted. But it still fails with a CORS issue.


After removing the backend API from browZer and mapping the backend endpoint into the same service as the UI, it is not reachable. Not sure what I'm missing here. Help me fix this!

How to do this?
Btw, my identity policy has access to the backend endpoint too?

No, you only need to specify a target for the webserver.

Can you please update to browZer release 0.80.0 and retry?

Currently I'm using Helm charts to deploy, which have a latest version of 0.76.0; I probably have to manually change the browZer bootstrap version, and I will try.

@curt
After upgrading to version 0.80, Browzer continuously loops with an "invalid scope" error and fails to display the login page. Clearing the app storage via developer tools did not resolve the issue. In contrast, the login page functions correctly in version 0.76.0. Is it necessary to add any scope or audience parameters in the environment settings within Browzer's bootstrap targets?

I've tried deploying the browZer bootstrap on both Kubernetes and Ubuntu, and it is throwing the same issue. It just loops, throwing the error invalid scope. On 0.76.0 it was redirecting to the login page, and only the backend was not accessible.
So I'm not sure what I'm missing. Please help me fix this.

@curt
Disregard my previous issue. After adding idp_authorization_scope to the Browzer targets configuration, it started working. However, my earlier issue persists — the backend URL is not being resolved despite the service being mapped in the identity policy. I am getting a 404 error, and it seems the ZBR runtime is not properly intercepting the backend URL.

Yes, your understanding of the topology is correct.

To confirm:

  • In the Ziti BrowZer Bootstrapper, the vhost target is mapped only to the frontend Ziti service (xxxx-rd-ui).
  • The backend service (xxxx-xxxx-rd-backend) is attached exclusively to the Ziti service Dial policy for the users and is not listed in the vhost targets.

Based on my understanding, this configuration should allow the Ziti BrowZer Runtime (ZBR) to intercept and route backend API requests automatically over Ziti. However, despite following this setup, I am experiencing an issue where the ZBR throws a 404 error when attempting to access the backend service.

Both the frontend and backend services are mapped in the Ziti user Dial policy, but the ZBR appears unable to access the backend API as expected. Could you please help confirm if this setup is correct or advise on any additional configurations needed to resolve the issue?

My controller is 0.15. Do I need to upgrade to support this feature? I hope not. Please do confirm.

@curt


I can confirm the intercept URL is listed in
https://xxxxx.xxxxxx/edge/client/v1/services?limit=100
Not sure why the API is not accessible. Am I missing some configuration? I don't find any relevant errors either.

1 Like

@curt Any idea why it is not working?

Can you set your client-side loglevel to TRACE, retry your flow, then send me a zip of your console log (in a DM)?

@curt
Sending you in DM