Configure the External JWT Signer and Auth Policy error

I configured external JWT signers and authentication policies for the first time, added services to access HTTP web applications, and associated/updated identities with authorization policies; everything passed, and finally it prompted 'Now go to: And see your brozac!'. The login page for Auth0 is displayed. I used my registered Google email and obtained my identity. When I logged in using Google, a blank page was displayed that seemed to be constantly refreshing requests. I realized something was wrong and checked the controller, router, and console, which all displayed running. Then I logged in to the controller and it displayed a Token, but configuring the external JWT signers and authentication policies shows an error:

ubuntu@ip-172-31-8-243:~$ ziti edge login -u $ZITI_USER -p $ZITI_PWD -y ${ZITI_CTRL_EDGE_ADVERTISED_ADDRESS}:${ZITI_CTRL_EDGE_ADVERTISED_PORT}
Token: ac921eb6-8ad7-41c9-801c-7aa5bc9c33f5
Saving identity 'default' to /home/ubuntu/.config/ziti/ziti-cli.json
ubuntu@ip-172-31-8-243:~$ echo "configuring OpenZiti for BrowZer..."
issuer=$(curl -s ${ZITI_BROWZER_OIDC_URL}/.well-known/openid-configuration | jq -r .issuer)
jwks=$(curl -s ${ZITI_BROWZER_OIDC_URL}/.well-known/openid-configuration | jq -r .jwks_uri)

echo "OIDC issuer : $issuer"
echo "OIDC jwks url : $jwks"

ext_jwt_signer=$(ziti edge create ext-jwt-signer "${ziti_object_prefix}-ext-jwt-signer" "${issuer}" --jwks-endpoint "${jwks}" --audience "${ZITI_BROWZER_CLIENT_ID}" --claims-property email)
echo "ext jwt signer id: $ext_jwt_signer"

auth_policy=$(ziti edge create auth-policy "${ziti_object_prefix}-auth-policy" --primary-ext-jwt-allowed --primary-ext-jwt-allowed-signers ${ext_jwt_signer})
echo "auth policy id: $auth_policy"
configuring OpenZiti for BrowZer...
OIDC issuer :
OIDC jwks url :
error: COULD_NOT_VALIDATE - The supplied request contains an invalid document or no valid accept content were available, see cause: INVALID_FIELD - name [browzer-auth0-ext-jwt-signer] duplicate value 'browzer-auth0-ext-jwt-signer' in unique index on externalJwtSigners store
ext jwt signer id:
Error: flag needs an argument: --primary-ext-jwt-allowed-signers
ziti edge create auth-policy [flags]

-i, --cli-identity string Specify the saved identity you want the CLI to use when connect to the controller with
-h, --help help for auth-policy
-j, --output-json Output the full JSON response from the Ziti Edge Controller
--output-request-json Output the full JSON request to the Ziti Edge Controller
--primary-cert-allowed Enable certificate authentication
--primary-cert-expired-allowed Allow expired certificates
--primary-ext-jwt-allowed Allow external JWT authentication
--primary-ext-jwt-allowed-signers stringArray Allow specific JWT signers
--primary-updb-allowed Allow username/password db authentication
--primary-updb-lockout-min int Lockout duration minutes after max attempts, 0=forever
--primary-updb-max-attempts int Number of invalid authentication attempts, 0=unlimited
--primary-updb-min-length int Minimum password length (default 5)
--primary-updb-req-mixed-case Require mixed case in passwords
--primary-updb-req-numbers Require numbers in passwords
--primary-updb-req-special Require special characters in passwords
--secondary-req-ext-jwt-signer string JWT required on every request
--secondary-req-totp MFA TOTP enrollment required
-t, --tags stringToString Add tags to entity definition (default )
--tags-json string Add tags defined in JSON to entity definition
--timeout int Timeout for REST operations (specified in seconds) (default 5)
--verbose Enable verbose logging

flag needs an argument: --primary-ext-jwt-allowed-signers
auth policy id:

I have recreated an instance and all processes have passed.
Now go to: And see your brozac!
I registered my identity using my Google email, and when I click on Google Login on this login page, I enter a blank page that is constantly refreshing. I don't know where the problem is.

@McGonagall666 Thanks for using browZer.

  1. If you try accessing from a fresh incognito tab, do you still get the blank-page refresh problem?
  2. Can you open dev tools and send me the Console log from your failing browser tab? This log might render clues about what is wrong.
  3. Are you OK with adding an Identity for me in your network so I can attempt to reproduce/diagnose the issue from here? If so, I will send you my Google email address.


@McGonagall666 I see you are using browZer 0.43.0. I just released browZer 0.43.1, which I believe will resolve your issue (I had a typo that caused a mismatch when you used a port on the bootstrapper that was not the default 443). Please give the latest release a try and let me know if things improve. In fact, ping me once you have done the upgrade, and I will also try it from here. Thanks.

Okay, successfully logged into the console

Terrific! I can see ZAC over browZer as well. Feel free to disable or remove my Identity from your network now.

Congrats on being among the first to experience browZer.

I am getting this issue now. What has changed? How do I resolve this?

Sorry, I have been on vacation recently. This issue is because externalJwtSigners already exists. Just delete it:
ziti edge delete auth-policy ${ziti_object_prefix}-auth-policy
ziti edge delete ext-jwt-signer ${ziti_object_prefix}-ext-jwt-signer

If the log keeps loading in a loop, then I will update the bootstrapper version. If you have other questions, you can post them or ask the developers.
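An added example, written here rather than taken from the thread or from OpenZiti's bootstrap script: an idempotent version of the signer/auth-policy setup above that fails fast when the OIDC discovery fetch comes back empty (the 'OIDC issuer :' line) and reuses an existing signer instead of hitting the duplicate-name error, as an alternative to deleting it. It assumes `ziti edge list ext-jwt-signers` accepts a name filter and `-j` JSON output, which the thread itself does not show.

```shell
#!/bin/sh
# Added example, not OpenZiti's bootstrap script: an idempotent version of the
# signer/auth-policy setup from the thread. It fails fast when the OIDC
# discovery fetch returns nothing and reuses a signer that already exists.
set -eu

# Pull one string field out of an OIDC discovery document read from stdin.
# sed instead of jq, so the check itself adds no dependency.
discovery_field() {   # usage: discovery_field issuer < openid-configuration.json
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Refuse to continue on an empty value. The thread's run printed
# 'OIDC issuer :' and then passed "" straight into 'ziti edge create'.
require_nonempty() {  # usage: require_nonempty LABEL VALUE
  [ -n "$2" ] || { echo "error: $1 is empty (check ZITI_BROWZER_OIDC_URL)" >&2; return 1; }
}

# Create the ext-jwt-signer unless one with this name exists, else reuse its id.
# Assumes 'ziti edge list ext-jwt-signers' takes a name filter and -j JSON output;
# the thread itself only shows create and delete.
ensure_ext_jwt_signer() {  # usage: ensure_ext_jwt_signer NAME ISSUER JWKS AUDIENCE
  id=$(ziti edge list ext-jwt-signers "name=\"$1\"" -j | jq -r '.data[0].id // empty')
  if [ -n "$id" ]; then echo "$id"; return 0; fi
  ziti edge create ext-jwt-signer "$1" "$2" --jwks-endpoint "$3" \
    --audience "$4" --claims-property email
}

main() {
  doc=$(curl -sSf "${ZITI_BROWZER_OIDC_URL}/.well-known/openid-configuration")
  issuer=$(printf '%s' "$doc" | discovery_field issuer)
  jwks=$(printf '%s' "$doc" | discovery_field jwks_uri)
  require_nonempty "OIDC issuer" "$issuer"
  require_nonempty "OIDC jwks url" "$jwks"
  signer=$(ensure_ext_jwt_signer "${ziti_object_prefix}-ext-jwt-signer" \
    "$issuer" "$jwks" "${ZITI_BROWZER_CLIENT_ID}")
  require_nonempty "ext jwt signer id" "$signer"
  # Only now is it safe to hand the id to --primary-ext-jwt-allowed-signers,
  # which otherwise fails with 'flag needs an argument' as in the thread.
  ziti edge create auth-policy "${ziti_object_prefix}-auth-policy" \
    --primary-ext-jwt-allowed --primary-ext-jwt-allowed-signers "$signer"
}

# Run only when the BrowZer environment is set, so the functions can also be sourced.
if [ -n "${ZITI_BROWZER_OIDC_URL:-}" ]; then main; fi
```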