Confused about External JWT integration

Hello, I've set up (using the host anywhere guide) an OpenZiti server and have successfully connected and managed to access a service. I've created an External JWT Signer (labeled "JWT Signer" in ZAC) in the ZAC which uses information from my created application in Authentik (IdP). I also saw this blog entry: Zero Trust SSH with Multifactor Authentication, which gives me hope that I can have clients authenticate with OIDC only for primary auth when they connect with the Android Ziti Mobile Edge app. However, I still see a QR code/JWT file show up when I create a user, and when trying to connect, no browser window opens on Android to authenticate me with my IdP. What could I be doing wrong?

On a side note... when I change services or apply an auth policy to a user, I noticed that "services" says 0 for all identities for a long time; restarting services or the app does not seem to help. I left it overnight and it worked again (until I made another change).

External JWT auth support is coming to the Android client soon. For now, authentication is limited to cert/key.


Thank you for the confirmation. Do the other clients support this, such as Windows and Linux? This feature would make it far easier for users to use OpenZiti from a user perspective.

We are in the midst of adding support for the functionality to all tunnelers. It's not supported yet, but it's actively being worked on.

I'm not sure I understand this sentiment. The user is given a JWT, they 'enroll' or 'add' the JWT to the tunneler and they are done. That's "pretty easy" imo and passes the "can my mother do this" test (she's notoriously not a technical person) 🙂

Could you expand on what you mean?