i find ctrl log
[ 136.467] DEBUG ziti/controller/env.(*AppEnv).getJwtTokenFromRequest: {error=[token is unverifiable: error while executing keyfunc: key for kid 90by2k_tMGWtbYi9ng8LHIEG3vfL3a6L198ex9dPXek, not found]} JWT provided that did not parse and verify against controller public keys, skipping
but keycloak certs have 90by2k_tMGWtbYi9ng8LHIEG3vfL3a6L198ex9dPXek
Hi @McGonagall666, is your Keycloak server using a verifiable cert such as from ZeroSSL/LetsEncrypt? This sounds to me like the sort of problem where the controller doesn't trust the IdP and thus can't (well, won't) connect to the IdP to get the JWKS.
My best guess is the keycloak server cert isn't able to be validated/verified by the controller, the controller can't/won't connect to the keycloak server, leading to "no results" when the controller tries to get the JWKS and leading to a "no kid found" type of error.
Thanks for your reply,I'm using a self-signed certificate, but I've trusted the certificate used by Keycloak using update-ca-certificates in the controller environment, and I still get this error.
One more thing: I'm using an HA controller. I tested it and it works in single-controller mode, but not in HA mode. I'm not sure if the HA controller verification method has changed. The HA certificate is a sub-certificate generated by a trusted CA.
ziti pki create ca --trust-domain ctrl.mmtest.com --pki-root ./pki --ca-file ca --ca-name 'HA Ctrl Trust Root'
This url https://ctrl.mmtest.com:1280/oidc/authorize?client_id=openziti&scope=openid%20offline_access&response_type=code&redirect_uri=https%3A%2F%2Fzf-svc.mmtest.com&code_challenge=jVbB2hr5SPKZk6FxYS4C4SsS0yPazQinJZ0egy2TU5g&code_challenge_method=S256&audience=openziti&state=SesodjUEQZWOJjPiV9Ln4eBmaarQtki0lwi4PVM3dlU
Is going to this endpoint https://ctrl.mmtest.com:1280/oidc/authorize , which is the OpenZiti OIDC provider. Whatever is doing the OIDC flow with it is attempting to redirect to https%3A%2F%2Fzf-svc.mmtest.com (or https://svc.mmtest.com unescaped). The OpenZiti OIDC provider denies the redirect. OIDC providers usually have a whitelist of hostnames that are valid for redirects; otherwise, they can trick users into logging in and sending tokens to a host that will intercept them.
You need to tell your Ziti controller to allow redirect to svc.mmtest.com . You do that in the controller config files. In the controler configs, there is a web section that will have one or more instances of the API binding edge-oidc. You need to add your redirect there if you want to send tokens to a relying party server at svc.mmtest.com. It is, however, odd that you do not have a path on that redirect. Normally, I would expect to see a /callback, oidc/callback, auth/callback, etc.
Whatever the case, the redirect needs to be added to the white list. It would look something like this:
- binding: edge-oidc
options:
redirectURIs:
- "http://localhost:*/auth/callback"
- "http://127.0.0.1:*/auth/callback"
- "https://svc.mmtest.com"
Again, I would expect a callback path in that configuration, but you didn’t provide one in your request URL at the top. So I don’t know what it should be. Maybe you are hosting a relying party on the root URL. I also do not know what browZer expects it to be - as that might be your browZer site.
Thank you very much. I added redirectURIs in ctrl.yaml,Now the problem has been solved.
Why does this happen occasionally? My browzer uses a wildcard certificate *.mytest.com. Is this related to it?
browzer error log
{"code":"ENOTFOUND","errno":-3008,"hostname":"*.mytest.com","level":"error","message":"getaddrinfo ENOTFOUND *.mytest.com","stack":"Error: getaddrinfo ENOTFOUND *.mytest.com\n at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:118:26)","syscall":"getaddrinfo","timestamp":"2025-08-27T03:13:46.489Z","version":"0.90.0"}
other error,And the client agent will report an error half an hour after starting:
ctrl[https://ctrl2.mytest.com:1280/edge/client/v1] API request[/current-identity] failed code[UNAUTHORIZED] message[The request could not be completed. The session is not authorized or the credentials are invalid]
failed to get identity_data: The request could not be completed. The session is not authorized or the credentials are invalid[UNAUTHORIZED]
update_identity_data() ztx[0] api session is no longer valid. Trying to re-auth
auth error: The request could not be completed. The session is not authorized or the credentials are invalid
controller connections failed: failed to authenticate
context event : status is failed to authenticate
I solved both issues.
The first, the browser controller-oidc-proxy error about wildcard domains, was caused by using a wildcard certificate in my controller's alt_server_certs. Deleting it fixed the problem.
The second issue was resolved by adding this to the controller's YAML file:
authRateLimiter:
enabled: true
minSize: 5
maxSize: 100
oidc:
accessTokenDuration: 30m
idTokenDuration: 30m
refreshTokenDuration: 24h