Deleting referenced auth policy gives unhandled 500 error & Browzer help

Hi there,

I've set up a new instance of OpenZiti to test some of the newer features next to our working prod environment.
I'm very impressed by the HA work - cool stuff! :slight_smile:
After understanding the PKI generation and how the clusters work together, I think it's very straightforward. I found some missing parts in the documentation which I'd like to submit as issues, but that shouldn't be part of this topic :slight_smile:

I tried using ext JWT signers combined with Browzer and HA but didn't manage to get it to work. I would love some help here; please find my deployment information below.
When trying to set up the JWT signer from scratch, I've come across this error:

ziti@ctrl1:~$ ziti edge delete auth-policy browzer-authentik-auth-policy
delete of auth-policy with id 6VCrqCTukacdje2mWY8XoV: FAIL
error: error deleting auth-policies/6VCrqCTukacdje2mWY8XoV instance in Ziti Edge Controller at https://alt.ctrl1.zt.test.deltasecure.de:8441/edge/management/v1. Status code: 500 Internal Server Error, Server returned: {
    "error": {
        "cause": {
            "code": "UNHANDLED",
            "message": "{\"LocalId\":\"6VCrqCTukacdje2mWY8XoV\",\"LocalType\":\"authPolicy\",\"RemoteField\":\"authPolicyId\",\"RemoteIds\":[\"iXiPMlFtHX\"],\"RemoteType\":\"identity\"}"
        },
        "code": "UNHANDLED",
        "message": "An unhandled error occurred",
        "requestId": "WWYP1lcpn"
    },
    "meta": {
        "apiEnrollmentVersion": "0.0.1",
        "apiVersion": "0.0.1"
    }
}
[ble: exit 1]

Edit: I just found out this happens when trying to delete an auth-policy that's still referenced by an identity. I assume an error is expected behaviour, but also this error?

I can't manage to get Browzer and Ext JWT to work.
Here are the Browzer browser console logs:

Ziti BrowZer Runtime is now Bootstrapping
ziti-browzer-runtime-CbL5am6h.js:216254 ZBR Logging Begins...
ziti-browzer-logo.svg:1 Failed to load resource: the server responded with a status of 500 (ServerError)
ziti-browzer-runtime-CbL5am6h.js:172615 ZBR-info Controller Version acquired:  v1.5.4
ziti-browzer-runtime-CbL5am6h.js:172615 ZBR-info externalJwtSigners acquired:  Array(1)
ziti-browzer-runtime-CbL5am6h.js:172615 ZBR-debug ################ SW register completed ################
ziti-browzer-runtime-CbL5am6h.js:172615 ZBR-debug sending msg: ZBR_INIT_COMPLETE
ziti-browzer-runtime-CbL5am6h.js:172615 ZBR-debug sending msg: SET_CONFIG
ziti-browzer-runtime-CbL5am6h.js:172615 ZBR-debug ZBSW: Got response from network.
ziti-browzer-runtime-CbL5am6h.js:172615 ZBR-debug sending msg: SET_COOKIE - __ziti-browzer-config 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%3D%3D
ziti-browzer-runtime-CbL5am6h.js:172615 ZBR-debug ################ loadedViaBootstrapper detected -- doing page reload in 1sec ################
ziti-browzer-runtime-CbL5am6h.js:172615 ZBR-info ZBSW: Controller Version acquired: 
ziti-browzer-runtime-CbL5am6h.js:172615 ZBR-info ZBSW: externalJwtSigners acquired: 
ziti-browzer-runtime-CbL5am6h.js:172615 ZBR-error ZBSW: TypeError: Failed to fetch
log @ ziti-browzer-runtime-CbL5am6h.js:172615
ziti-browzer-sw--ziti-browzer-core--c02849a7.js:113400 Uncaught (in promise) Error: The request could not be completed. The session is not authorized or the credentials are invalid
    at ZitiContext.fetchServices (ziti-browzer-sw--ziti-browzer-core--c02849a7.js:113400:15)
    at async ZitiContext.getServiceConfigByName (ziti-browzer-sw--ziti-browzer-core--c02849a7.js:113506:9)
    at async ZitiContext.getConnectAppDataByServiceName (ziti-browzer-sw--ziti-browzer-core--c02849a7.js:113613:20)
    at async ZitiContext.initialize (ziti-browzer-sw--ziti-browzer-core--c02849a7.js:112308:37)
    at async ziti-browzer-sw--ziti-browzer-sw-workbox-strategies--5e6e634c.js:460:27
ziti-browzer-runtime-CbL5am6h.js:172615 ZBR-error ZBSW: The request could not be completed. The session is not authorized or the credentials are invalid
log @ ziti-browzer-runtime-CbL5am6h.js:172615
ziti-browzer-runtime-CbL5am6h.js:172615 ZBR-debug ZBSW: doing raw internet fetch for [https://browzer.zt.test.deltasecure.de/ziti-browzer-css-CQsISSdT.css]
ziti-browzer-runtime-CbL5am6h.js:172615 ZBR-error ZBSW: Got error: [TypeError: Failed to fetch]
log @ ziti-browzer-runtime-CbL5am6h.js:172615
ziti-browzer-runtime-CbL5am6h.js:172615 ZBR-warn ZBSW: Unable to get a response from the network. Will respond with a cached response.
log @ ziti-browzer-runtime-CbL5am6h.js:172615
ziti-browzer-runtime-CbL5am6h.js:172615 ZBR-error ZBSW: no-response when trying to reach URL [https://browzer.zt.test.deltasecure.de/ziti-browzer-css-CQsISSdT.css]
log @ ziti-browzer-runtime-CbL5am6h.js:172615
/ziti-browzer-css-CQsISSdT.css:1 Failed to load resource: the server responded with a status of 500 (ServerError)

browzer.env

ziti@br-gateway-test-zt:~/ziti-browzer-bootstrapper$ cat browzer.env
ZITI_BROWZER_BOOTSTRAPPER_HOST="browzer.zt.test.deltasecure.de"
ZITI_BROWZER_BOOTSTRAPPER_LOGLEVEL="debug"
ZITI_BROWZER_RUNTIME_LOGLEVEL="debug"
ZITI_BROWZER_RUNTIME_HOTKEY="alt+F12"
ZITI_CONTROLLER_HOST="alt.ctrl1.zt.test.deltasecure.de"
ZITI_CONTROLLER_PORT="8441"
ZITI_BROWZER_BOOTSTRAPPER_SCHEME="https"
ZITI_BROWZER_BOOTSTRAPPER_CERTIFICATE_PATH="/etc/letsencrypt/live/browzer.zt.test.deltasecure.de/fullchain.pem"
ZITI_BROWZER_BOOTSTRAPPER_KEY_PATH="/etc/letsencrypt/live/browzer.zt.test.deltasecure.de/privkey.pem"
ZITI_BROWZER_BOOTSTRAPPER_LISTEN_PORT="8446"
export ZITI_BROWZER_BOOTSTRAPPER_TARGETS='{
  "targetArray": [
    {
      "vhost": "browzer.zt.test.deltasecure.de",
      "service": "browzer.zt.test",
      "path": "/",
      "scheme": "https",
      "idp_issuer_base_url": "https://login.deltasecure.de/application/o/extjwt-test/",
      "idp_client_id": "myclientid"
    }
  ]
}'

NODE_EXTRA_CA_CERTS=node_modules/node_extra_ca_certs_mozilla_bundle/ca_bundle/ca_intermediate_root_bundle.pem

ctrl1.yaml

---
v: 3

cluster:
  dataDir: /home/ziti/cluster_data

identity:
  cert: /home/ziti/pki/ctrl1/certs/client.chain.pem
  server_cert: /home/ziti/pki/ctrl1/certs/server.chain.pem
  key: /home/ziti/pki/ctrl1/keys/server.key
  ca: /home/ziti/pki/root_ca/certs/cas.pem
  alt_server_certs:
    - server_cert: /etc/letsencrypt/live/alt.ctrl1.zt.test.deltasecure.de/fullchain.pem
      server_key: /etc/letsencrypt/live/alt.ctrl1.zt.test.deltasecure.de/privkey.pem

edge:
  api:
    sessionTimeout: 30m
    address: ctrl1.zt.test.deltasecure.de:8441
  enrollment:
    signingCert:
      cert: /home/ziti/pki/ctrl1/certs/ctrl1.cert
      key:  /home/ziti/pki/ctrl1/keys/ctrl1.key
    edgeIdentity:
      duration: 180m
    edgeRouter:
      duration: 180m

ctrl:
  listener: tls:0.0.0.0:8440
  options:
    advertiseAddress: tls:ctrl1.zt.test.deltasecure.de:8440
web:
  - name: all-apis-localhost
    bindPoints:
      - interface: 0.0.0.0:8441
        address: ctrl1.zt.test.deltasecure.de:8441
    options:
      minTLSVersion: TLS1.2
      maxTLSVersion: TLS1.3
    apis:
      - binding: health-checks
      - binding: fabric
      - binding: edge-management
      - binding: zac
        options:
          location: ./console
        indexFile: index.html
      - binding: edge-client
      - binding: edge-oidc

Anything coming to mind already from the config? The alt_server_cert is issued to alt.ctrl1.zt.test.deltasecure.de

I didn't try issuing alt certs to ctrl2 and ctrl3 yet. Would that be necessary since I'm also only able to specify ctrl1 within the browzer bootstrapper?

Thanks!

Just found out the following as well:

ziti ops verify ext-jwt-signer oidc --controller-url https://ctrl1.zt.test.deltasecure.de:8441 browzer-authentik-ext-jwt-signer
Saving identity 'default' to /home/ziti/.config/ziti/ziti-cli.json
INFO    using supplied redirect url: http://localhost:20314/auth/callback
INFO    found external JWT signer
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x30699a4]

goroutine 1 [running]:
github.com/openziti/ziti/ziti/cmd/ops/verify/ext-jwt-signer/oidc.NewOidcVerificationCmd.func1(0xc000d28c00?, {0xc000d35830, 0x1, 0x3ec020d?})
	github.com/openziti/ziti/ziti/cmd/ops/verify/ext-jwt-signer/oidc/oidc.go:336 +0x6e4
github.com/spf13/cobra.(*Command).execute(0xc000d36908, {0xc000d357d0, 0x3, 0x3})
	github.com/spf13/cobra@v1.9.1/command.go:1019 +0xa7b
github.com/spf13/cobra.(*Command).ExecuteC(0x614f660)
	github.com/spf13/cobra@v1.9.1/command.go:1148 +0x40c
github.com/spf13/cobra.(*Command).Execute(...)
	github.com/spf13/cobra@v1.9.1/command.go:1071
github.com/openziti/ziti/ziti/cmd.Execute()
	github.com/openziti/ziti/ziti/cmd/cmd.go:90 +0x1a
main.main()
	github.com/openziti/ziti/ziti/main.go:53 +0xf
[ble: exit 2]

When using the alt cert, the output is the following, what am I doing wrong?

ziti ops verify ext-jwt-signer oidc --controller-url https://alt.ctrl1.zt.test.deltasecure.de:8441 browzer-authentik-ext-jwt-signer
Saving identity 'default' to /home/ziti/.config/ziti/ziti-cli.json
ERROR   Could not obtain an ID for the external jwt signer with filter name="browzer-authentik-ext-jwt-signer": Get "https://alt.ctrl1.zt.test.deltasecure.de:8441/edge/client/v1/external-jwt-signers?filter=name%3D%22browzer-authentik-ext-jwt-signer%22": tls: failed to verify certificate: x509: certificate signed by unknown authority
FATAL   no external JWT signer found with name
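The UNHANDLED response from the auth-policy delete at the top of the thread is readable once you notice that `cause.message` is a second JSON document encoded as a string: it names the entity being deleted and the entities that still reference it. The following is an added example of mine (not OpenZiti project code) that decodes that nesting and derives the filter you would use to list the referencing identities before retrying the delete. The sample body is the controller response quoted above with the request id dropped; the filter syntax `field="value"` is the ZitiQL form seen elsewhere in the thread, and treating `authPolicyId` as a filterable identity field is an assumption drawn from the error's `RemoteField`.

```python
import json

# Controller response copied from the failed delete at the top of the thread
# (request id dropped). cause.message is itself JSON encoded as a string.
DELETE_ERROR_BODY = r'''{
    "error": {
        "cause": {
            "code": "UNHANDLED",
            "message": "{\"LocalId\":\"6VCrqCTukacdje2mWY8XoV\",\"LocalType\":\"authPolicy\",\"RemoteField\":\"authPolicyId\",\"RemoteIds\":[\"iXiPMlFtHX\"],\"RemoteType\":\"identity\"}"
        },
        "code": "UNHANDLED",
        "message": "An unhandled error occurred"
    },
    "meta": {"apiEnrollmentVersion": "0.0.1", "apiVersion": "0.0.1"}
}'''


def parse_reference_conflict(body):
    """Decode the nested cause.message and return what still references the
    entity being deleted, or None if the body is not a reference conflict."""
    try:
        doc = json.loads(body)
        cause = doc["error"]["cause"]
        inner = json.loads(cause["message"])   # second-level JSON document
    except (ValueError, KeyError, TypeError):
        return None
    required = ("LocalId", "LocalType", "RemoteField", "RemoteIds", "RemoteType")
    if cause.get("code") != "UNHANDLED" or any(k not in inner for k in required):
        return None
    return {
        "deleting": (inner["LocalType"], inner["LocalId"]),
        "referenced_by": [(inner["RemoteType"], rid) for rid in inner["RemoteIds"]],
        "via_field": inner["RemoteField"],
    }


def referencing_entities_filter(conflict):
    """Build the ZitiQL filter that lists the referencing entities (here:
    identities whose authPolicyId points at the policy) so they can be moved
    to another policy before the delete is retried. Assumes RemoteField is a
    filterable attribute of the remote entity type, as the error implies."""
    field = conflict["via_field"]
    _, local_id = conflict["deleting"]
    return f'{field}="{local_id}"'


if __name__ == "__main__":
    conflict = parse_reference_conflict(DELETE_ERROR_BODY)
    print("cannot delete", conflict["deleting"])
    print("still referenced by", conflict["referenced_by"])
    print("list them with filter:", referencing_entities_filter(conflict))
```

Whatever the final shape of the controller's error, the useful check before deleting any policy is the same: list the identities still bound to it and reassign them first, so the delete never has to rely on the server refusing it.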

The command actually needs to use the private PKI URL, so that first command was correct, but it seems like the code isn't verifying the external URL properly and panicking. Currently Browzer doesn't make use of the URL from the external signer, so to address that panic just go to your browzer-authentik-ext-jwt-signer and update the "External Auth Url". For example:

image


Thanks. That solved the issue.
However I do get an error back from the controller that I can't seem to solve:

The requested redirect_uri is missing in the client configuration. If you have any questions, you may contact the administrator of the application.
Is there a redirect URI I need to configure with the controller somehow?

Here's the proxied URL I captured in the Browzer bootstrapper:

(https://alt.ctrl1.zt.test.deltasecure.de:8441/oidc/authorize?client_id=openziti&scope=openid%20offline_access&response_type=code&redirect_uri=https%3A%2F%2Fbrowzer.zt.test.deltasecure.de&code_challenge=ABCDE-PN2qc4NfLanT4yP_B7l5EO_GIo4vdGq8&code_challenge_method=S256&audience=openziti&state=BLABLA)

However I configured all those URLs for testing:


Any ideas?

I feel like I'm not quite in tune with what you're doing. The controller:8441/oidc/callback doesn't seem to be necessary at all. I'm not sure why you're using that?

Taking that away, you have two strict redirects, one with and one without the / and you have a regex that would appear to be just "any" url.

Were you able to use the verify command with that regex to authenticate to the controller? Let's start there.... After that, I would expect your IdP to allow redirects back to browzer and any services that you're exposing, but the regex of .* would cover that I'd think.

The requested redirect_uri is missing in the client configuration.

this is coming from authentik, right?

I don't use the controller/oidc/callback on purpose, but Browzer logs an error, so I assume it's doing this request under the hood.
Here's the Browzer logs:

ziti@browzer:~/ziti-browzer-bootstrapper$ node index.js
{"level":"info","message":"ziti-browzer-bootstrapper initializing","timestamp":"2025-05-02T14:17:39.142Z","version":"0.87.4"}
{"field":"idp_type","level":"warn","message":"obsolete config field encountered - ignored","timestamp":"2025-05-02T14:17:39.146Z","version":"0.87.4"}
{"level":"info","message":"Using CA certificates: node_modules/node_extra_ca_certs_mozilla_bundle/ca_bundle/ca_intermediate_root_bundle.pem","timestamp":"2025-05-02T14:17:39.147Z","version":"0.87.4"}
{"host":"alt.ctrl1.zt.test.deltasecure.de","level":"info","message":"contacting specified controller","port":"8441","timestamp":"2025-05-02T14:17:39.150Z","version":"0.87.4"}
{"level":"debug","message":"configured target service(s)","targets":{"targetArray":[{"idp_client_id":"OaklQKqJB8nqjNFi7FQR2u1TJpJNFLn63WKew6wZ","idp_issuer_base_url":"https://login.deltasecure.de/application/o/extjwt-test/","path":"/","scheme":"http","service":"browzer.zt.test","vhost":"browzer.zt.test.deltasecure.de"}]},"timestamp":"2025-05-02T14:17:40.726Z","version":"0.87.4"}
{"certificate_path":"/etc/letsencrypt/live/browzer.zt.test.deltasecure.de/fullchain.pem","key_path":"/etc/letsencrypt/live/browzer.zt.test.deltasecure.de/privkey.pem","level":"info","message":"new tlsContext created","timestamp":"2025-05-02T14:17:40.788Z","version":"0.87.4"}
{"level":"info","message":"listening","port":"443","scheme":"https","timestamp":"2025-05-02T14:17:40.793Z","version":"0.87.4"}
{"controllerVersion":"1.5.4","level":"info","message":"attached controller version","timestamp":"2025-05-02T14:17:40.821Z","version":"0.87.4"}
{"level":"error","message":{"error":"The requested redirect_uri is missing in the client configuration. If you have any questions, you may contact the administrator of the application.\n","error_code":400,"redirect_uri":"browzer.zt.test.deltasecure.de"},"timestamp":"2025-05-02T14:18:56.571Z","version":"0.87.4"}

I've now removed the other allowed redirect URLs. Right now it's only with the slash:

I am successfully redirected to the IDP, then redirected back but Browzer stays spinning endlessly and I am getting the above error.

Here's my browzer.env:

ziti@browzer:~/ziti-browzer-bootstrapper$ cat browzer.env

export ZITI_BROWZER_BOOTSTRAPPER_LOGLEVEL="debug"
export ZITI_BROWZER_BOOTSTRAPPER_HOST="browzer.zt.test.deltasecure.de"
export ZITI_BROWZER_RUNTIME_LOGLEVEL="debug"
export ZITI_BROWZER_RUNTIME_HOTKEY="alt+F12"
export ZITI_CONTROLLER_HOST="alt.ctrl1.zt.test.deltasecure.de"
export ZITI_CONTROLLER_PORT="8441"
export ZITI_BROWZER_BOOTSTRAPPER_SCHEME="https"
export ZITI_BROWZER_BOOTSTRAPPER_CERTIFICATE_PATH="/etc/letsencrypt/live/browzer.zt.test.deltasecure.de/fullchain.pem"
export ZITI_BROWZER_BOOTSTRAPPER_KEY_PATH="/etc/letsencrypt/live/browzer.zt.test.deltasecure.de/privkey.pem"
export ZITI_BROWZER_BOOTSTRAPPER_LISTEN_PORT="443"
export ZITI_BROWZER_SERVICE=browzer.zt.test
export ZITI_BROWZER_VHOST=browzer.zt.test.deltasecure.de
export ZITI_BROWZER_OIDC_URL="https://login.deltasecure.de/application/o/extjwt-test/"
export ZITI_BROWZER_CLIENT_ID="OaklQKqJB8nqjNFi7FQR2u1TJpJNFLn63WKew6wZ"


export ZITI_BROWZER_BOOTSTRAPPER_TARGETS="$(cat <<HERE
  {
    "targetArray": [
      {
        "vhost": "${ZITI_BROWZER_VHOST}",
        "service": "${ZITI_BROWZER_SERVICE}",
        "path": "/",
        "scheme": "http",
        "idp_issuer_base_url": "${ZITI_BROWZER_OIDC_URL}",
        "idp_client_id": "${ZITI_BROWZER_CLIENT_ID}"
      }
    ]
  }
HERE
)"

export NODE_EXTRA_CA_CERTS=node_modules/node_extra_ca_certs_mozilla_bundle/ca_bundle/ca_intermediate_root_bundle.pem

Unfortunately I wasn't able to test the verify command - it says Waiting up to 30s for external auth... but no window is opening to test the IDP....

Okay, I managed to test this and the login succeeds, however I still get the browzer error:

{"level":"error","message":{"error":"The requested redirect_uri is missing in the client configuration. If you have any questions, you may contact the administrator of the application.\n","error_code":400,"redirect_uri":"browzer.zt.test.deltasecure.de"},"timestamp":"2025-05-02T14:18:56.571Z","version":"0.87.4"}
ziti@ctrl1:~$ ziti ops verify ext-jwt-signer oidc \
  --controller-url https://ctrl1.zt.test.deltasecure.de:8441 \
  --authenticate \
  --redirect-url http://localhost:20314/auth/callback \
  browzer-authentik-ext-jwt-signer --authenticate
Saving identity 'default' to /home/ziti/.config/ziti/ziti-cli.json
INFO    using supplied redirect url: http://localhost:20314/auth/callback
INFO    found external JWT signer
INFO      - issuer: https://login.deltasecure.de/application/o/extjwt-test/
INFO      - clientId: OaklQKqJB8nqjNFi7FQR2u1TJpJNFLn63WKew6wZ
INFO    supplied issuer matches discovered issuer: https://login.deltasecure.de/application/o/extjwt-test/
INFO    attempting to authenticate to external provider
Waiting up to 30s for external auth...Done!
INFO    ID token payload:
{
  "iss": "https://login.deltasecure.de/application/o/extjwt-test/",
  "sub": "0c7d89a19dadb753dabc2e80f7e76a496be2a4cbd3e0f5597a9d3935462e0958",
  "aud": "OaklQKqJB8nqjNFi7FQR2u1TJpJNFLn63WKew6wZ",
  "exp": 1746198706,
  "iat": 1746198406,
  "auth_time": 1746195624,
  "acr": "goauthentik.io/providers/oauth2/default",
  "amr": [
    "pwd",
    "mfa"
  ],
  "sid": "2ffcf98b611592a8212c8c09c3c10e74f26268bde7b4b4ccd1046df0ed1f68d1",
  "email": "dominik.muensterer@deltasecure.de",
  "email_verified": true
}
INFO    access token payload:
{
  "iss": "https://login.deltasecure.de/application/o/extjwt-test/",
  "sub": "0c7d89a19dadb753dabc2e80f23456784cbd3e0f5597a9d3935462e0958",
  "aud": "OaklQKqJB8nqjNFi7FQRJGHHS34n63WKew6wZ",
  "exp": 1746198706,
  "iat": 1746198406,
  "auth_time": 1746195624,
  "acr": "goauthentik.io/providers/oauth2/default",
  "amr": [
    "pwd",
    "mfa"
  ],
  "sid": "2ffcf981234562c8c09c3c10e74KAJSHD6df0ed1f68d1",
  "email": "dominik.muensterer@deltasecure.de",
  "email_verified": true,
  "azp": "OaklQKqJ1234Ln63WKew6wZ",
  "uid": "WznrohgJE2rDUNCmDACNeLqZoBfFx1eJ78yS7Ehs"
}
WARNING no refresh token returned
INFO    attempting to authenticate to controller with specified target token type: ID
Token: 1234566-cdcf-45a7-8a42-c84dacb791a0
INFO    login succeeded
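The `ziti ops verify` output above is useful because it prints the decoded ID and access token payloads, and the controller's acceptance of a token comes down to a handful of claim comparisons against the ext-jwt-signer: issuer, audience (the OIDC client id), expiry, and the presence of the claim that maps to the identity. The following is an added example of mine, not OpenZiti code, that performs those comparisons on a decoded payload so the failure mode is visible before the controller reports it as "not authorized". The signer field names (`issuer`, `audience`, `claimsProperty`) are my assumption about the signer's attributes; the issuer and audience values are the ones printed above, and the token payloads are constructed with a placeholder e-mail. Signature and JWKS verification are deliberately out of scope.

```python
import time

# Hypothetical ext-jwt-signer settings mirroring what the thread shows: the
# issuer is the IdP application URL and the audience is the OIDC client id.
# Key names are an assumption, not copied from the OpenZiti API.
SIGNER = {
    "issuer": "https://login.deltasecure.de/application/o/extjwt-test/",
    "audience": "OaklQKqJB8nqjNFi7FQR2u1TJpJNFLn63WKew6wZ",
    "claimsProperty": "email",   # claim the controller maps to the identity
}

# Constructed payloads. GOOD_ID_TOKEN keeps the iss/aud/exp/iat values of the
# ID token printed above; the e-mail is a placeholder. The other two are
# edited copies that each show one failure mode.
GOOD_ID_TOKEN = {
    "iss": "https://login.deltasecure.de/application/o/extjwt-test/",
    "aud": "OaklQKqJB8nqjNFi7FQR2u1TJpJNFLn63WKew6wZ",
    "exp": 1746198706,
    "iat": 1746198406,
    "email": "user@example.invalid",
    "email_verified": True,
}
TOKEN_WITHOUT_EMAIL = {k: v for k, v in GOOD_ID_TOKEN.items()
                       if k not in ("email", "email_verified")}   # scope not granted
TOKEN_WRONG_AUD = dict(GOOD_ID_TOKEN, aud="some-other-client")    # aud != client id


def check_token_claims(payload, signer=SIGNER, now=None):
    """Return the reasons the signer configuration would reject this payload;
    an empty list means the claims line up. `now` is a Unix timestamp so the
    expiry check can be run against a recorded token."""
    now = time.time() if now is None else now
    problems = []

    if payload.get("iss") != signer["issuer"]:
        problems.append(f"iss {payload.get('iss')!r} != signer issuer {signer['issuer']!r}")

    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]   # aud may be a string or a list
    if signer["audience"] not in audiences:
        problems.append(f"aud {audiences!r} does not contain signer audience {signer['audience']!r}")

    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or carries no exp claim")

    claim = signer["claimsProperty"]
    if not payload.get(claim):
        problems.append(f"claim {claim!r} missing; the IdP scope that emits it was not granted")

    return problems


if __name__ == "__main__":
    at_issue_time = 1746198500   # between the recorded iat and exp
    for name, tok in [("good", GOOD_ID_TOKEN),
                      ("no email", TOKEN_WITHOUT_EMAIL),
                      ("wrong aud", TOKEN_WRONG_AUD)]:
        print(name, "->", check_token_claims(tok, now=at_issue_time) or "ok")
```

Run against the access token rather than the ID token, the same check reports the missing `email` claim until the IdP is told to emit it, which is the scope change described later in the thread.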

Alright, I recreated my own authentik server. I had to enable CORS. I assume you enabled CORS. I did this with nginx, my authentik server is proxied to terminate TLS by nginx.

Once I did that, here is what I used for my authentik server:

Component   Type     Value
Tunnelers   strict   http://localhost:20314/auth/callback
ZAC         regex    https://ctrl.zrok.clint.demo.openziti.org:8441/zac/callback.*
BrowZer     regex    ^https://[A-Za-z0-9.-]+.zrok.clint.demo.openziti.org.*

I have a service named "docker-whale". It's exposed by browzer at:
https://docker-whale.zrok.clint.demo.openziti.org/


I thought I had to use ID token but I had to add the user:email scope to get the 'email' address on the Access token

Here's how I configured my ext-jwt-signer. Notice the client id and audience are the same...

Hope that helps you!

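The "redirect_uri is missing in the client configuration" error earlier in the thread, and the strict-versus-regex table above, both come down to how the IdP compares the `redirect_uri` parameter from the authorize request against its allow-list. The following is an added example of mine (not from the thread, authentik or the OpenZiti project) that reproduces that comparison on the authorize URL captured earlier so the trailing-slash mismatch is visible, and checks that a regex entry is scoped to your own domain. The allow-list is constructed, the regex is a tightened version of the BrowZer pattern above with the dots escaped and the end anchored, the PKCE challenge and state in the URL are placeholders, and evaluating regex entries with `re.fullmatch` is my assumption about the IdP's behaviour.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list in the shape of the IdP table above: (mode, value).
# "strict" entries are compared byte-for-byte; "regex" entries are evaluated
# with re.fullmatch (assumption about how the IdP applies them).
ALLOWED_REDIRECTS = [
    ("strict", "http://localhost:20314/auth/callback"),      # ziti ops verify
    ("strict", "https://browzer.zt.test.deltasecure.de/"),    # BrowZer vhost, trailing slash
    # any BrowZer-fronted service under the domain; dots escaped, end anchored
    ("regex", r"^https://[A-Za-z0-9.-]+\.zt\.test\.deltasecure\.de(/.*)?$"),
]

# Copy of the /oidc/authorize URL captured in the thread, with the PKCE
# challenge and state replaced by placeholders.
CAPTURED_AUTHORIZE_URL = (
    "https://alt.ctrl1.zt.test.deltasecure.de:8441/oidc/authorize?client_id=openziti"
    "&scope=openid%20offline_access&response_type=code"
    "&redirect_uri=https%3A%2F%2Fbrowzer.zt.test.deltasecure.de"
    "&code_challenge=PLACEHOLDER&code_challenge_method=S256&audience=openziti&state=PLACEHOLDER"
)


def redirect_uri_from_authorize_url(authorize_url):
    """Extract the percent-decoded redirect_uri parameter, which is the exact
    string the IdP compares against its allow-list."""
    params = parse_qs(urlsplit(authorize_url).query)
    return params["redirect_uri"][0]


def redirect_uri_allowed(redirect_uri, allowed=ALLOWED_REDIRECTS):
    """Return the (mode, value) entry that admits redirect_uri, or None."""
    for mode, value in allowed:
        if mode == "strict" and redirect_uri == value:
            return (mode, value)
        if mode == "regex" and re.fullmatch(value, redirect_uri):
            return (mode, value)
    return None


def regex_is_scoped(pattern, foreign_probe="https://example.org/callback"):
    """True if the pattern rejects a redirect to an unrelated host.
    A catch-all such as '.*' admits anything and therefore fails this check."""
    return re.fullmatch(pattern, foreign_probe) is None


if __name__ == "__main__":
    uri = redirect_uri_from_authorize_url(CAPTURED_AUTHORIZE_URL)
    slash_only = [("strict", "https://browzer.zt.test.deltasecure.de/")]
    print(uri, "vs strict entry with slash ->", redirect_uri_allowed(uri, slash_only))
    print(uri, "vs full allow-list ->", redirect_uri_allowed(uri))
    for pattern in (".*", ALLOWED_REDIRECTS[2][1]):
        print(repr(pattern), "scoped:", regex_is_scoped(pattern))
```

A strict entry only ever matches one exact string, so an entry registered with a trailing slash will never admit the slash-less value the bootstrapper sends; a regex entry covers both forms, and escaping the dots plus anchoring with `$` keeps it from admitting hosts outside the domain the way a bare `.*` does.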

Clint, thanks a lot! I’ll give this a try and report back!

Dunno if you need extra details but I guess technically the service name is "docker.whale". The targetArray definition looks like this:

"targetArray": [
  {
    "vhost": "docker-whale.zrok.clint.demo.openziti.org",
    "service": "docker.whale",
    "path": "/",
    "scheme": "http",
    "_idp_issuer_base_url": "https://keycloak.zrok.clint.demo.openziti.org:8446/realms/zitirealm",
    "_idp_client_id": "browzerBootstrapClient",
    "idp_issuer_base_url": "https://authentik.doc.demo.openziti.org:9243/application/o/browzer/",
    "idp_client_id": "authentik_browzer"
  },

( you can see I usually use keycloak )

You can see the service CLI calls here if interested: openziti-scripts/ziti-zrok-browzer/docker.whale at main · dovholuknf/openziti-scripts · GitHub

Which is openziti-scripts/ziti-zrok-browzer/install.browzer.sh at main · dovholuknf/openziti-scripts · GitHub

  docker-whale:
    image: crccheck/hello-world
    ports:
      - "2000:8000"

Still can't get it to work, Browzer gives me now the following error:

{"controllerVersion":"1.5.4","level":"info","message":"attached controller version","timestamp":"2025-05-02T22:10:41.959Z","version":"0.87.4"}
{"error":{"code":"ERR_SSL_TLSV1_ALERT_DECODE_ERROR","library":"SSL routines","reason":"tlsv1 alert decode error"},"level":"error","message":"TLS error","timestamp":"2025-05-02T22:13:57.236Z","version":"0.87.4"}
{"error":{"code":"ERR_SSL_TLSV1_ALERT_DECODE_ERROR","library":"SSL routines","reason":"tlsv1 alert decode error"},"level":"error","message":"TLS error","timestamp":"2025-05-02T22:13:57.279Z","version":"0.87.4"}
{"error":{"code":"ERR_SSL_TLSV1_ALERT_DECODE_ERROR","library":"SSL routines","reason":"tlsv1 alert decode error"},"level":"error","message":"TLS error","timestamp":"2025-05-02T22:13:57.316Z","version":"0.87.4"}
{"error":{"code":"ERR_SSL_TLSV1_ALERT_DECODE_ERROR","library":"SSL routines","reason":"tlsv1 alert decode error"},"level":"error","message":"TLS error","timestamp":"2025-05-02T22:13:57.354Z","version":"0.87.4"}
{"error":{"code":"ERR_SSL_TLSV1_ALERT_DECODE_ERROR","library":"SSL routines","reason":"tlsv1 alert decode error"},"level":"error","message":"TLS error","timestamp":"2025-05-02T22:13:57.394Z","version":"0.87.4"}
{"error":{"code":"ERR_SSL_TLSV1_ALERT_DECODE_ERROR","library":"SSL routines","reason":"tlsv1 alert decode error"},"level":"error","message":"TLS error","timestamp":"2025-05-02T22:13:57.429Z","version":"0.87.4"}
{"error":{"code":"ERR_SSL_TLSV1_ALERT_DECODE_ERROR","library":"SSL routines","reason":"tlsv1 alert decode error"},"level":"error","message":"TLS error","timestamp":"2025-05-02T22:13:57.468Z","version":"0.87.4"}
{"error":{"code":"ERR_SSL_TLSV1_ALERT_DECODE_ERROR","library":"SSL routines","reason":"tlsv1 alert decode error"},"level":"error","message":"TLS error","timestamp":"2025-05-02T22:13:57.503Z","version":"0.87.4"}

Could it be that Browzer doesn't yet support EC instead of RSA for controller certs?
I'll try this tomorrow again with a fresh quickstart :slight_smile:

And does your idp have a cert from a public ca?

Yupp, the IDP has a cloudflare cert.
I’m wondering if it has anything to do with the controller clustering or the EC PKI…

Hmm, I have no idea what exactly the point is that causes the issue for me. I've set up a whole new control plane using the quickstart but still get the same issue.
I recorded a quick video:

Top left is ziti-router logs (the only edge router)

Middle-left is ziti-controller logs showing an EOF error from browzer

Bottom-left is a browzer console, I'm using Google Chrome 135:

Any help is highly appreciated! Thanks.

Can you look at the network tab too? Let's look to see what requests are being made and why they fail (assuming there are some that are failing).

As for RSA/EC, it's surely a possibility but I'm not sure. The cert I have/use is from LE. You could try LE to see if that somehow makes a difference maybe.

I didn't see any errors in the logs but I admit, it's hard to read "screen shot". If there are errors in there, I didn't notice them?

I think we need @curt to have a look to see if anything pops out to him....

Good point! I think we're getting there:

ENOENT: no such file or directory, open '/home/ziti/browzer/node_modules/@openziti/libcrypto-js/dist/esm/libcrypto.JSPI.74dc7d5.wasm'

I'll do some troubleshooting as well - looks like the issue here is my bootstrapper.

Okay, got it to work! Please don't ask me what the issue was - I tried multiple times deleting the node_modules folder and running yarn install again. Didn't help. When I removed the whole folder and cloned it from git again it worked. So many hours for such a stupid error :smiley:

I really appreciate the help!

Oh you're building the bootstrapper???? That's definitely not something I'd recommend "in general" just because it's always going to be a moving target. I really recommend you use the docker-based builds. Those are the official builds.

That said, i'm glad you got things working. I didn't consider asking how you deployed the bootstrapper but I'll definitely ask next time.

Cheers


Haha yeah - I learned my lesson :smiley:
Will deploy the Docker Containers into prod though