Edge-oidc URL order

Hi,

I'm currently updating my infrastructure to the latest versions of OpenZITI (1.7.1) and Linux Tunnelers.

However, I've noticed that I can only use client versions up to 1.7.14. From version 1.7.15 onwards, the following OIDC-related messages are logged:

(1)[        0.105]    INFO ziti-sdk:oidc.c:144 oidc_client_init() oidc[internal] initializing with provider[https://openziti-mgmt-api.internal.[red.ac.ted]:443/oidc]                               
(1)[        0.108]   ERROR tlsuv:http.c:353 http[openziti-mgmt-api.internal.[red.ac.ted]:443/oidc]: connection failed: unknown node or service

It seems that the client stops establishing a connection with the controller at this point.

The URL the client tries to connect to is the internal management URL, which is not accessible from outside.

When loading https://client.sdn.[red.act.ed]/, I see that, except for edge-oidc, the public client.sdn... name is announced first:

{
  "data": {
    "apiVersions": {
      "edge": {
        "v1": {
          "apiBaseUrls": [
            "https://client.sdn.[red.act.ed]:443/edge/client/v1",
            "https://openziti-mgmt-api.internal.[red.act.ed]:443/edge/client/v1"
          ],
          "path": "/edge/client/v1"
        }
      },
      [...]
      "edge-oidc": {
        "v1": {
          "apiBaseUrls": [
            "https://openziti-mgmt-api.internal.[red.act.ed]:443/oidc",
            "https://client.sdn.[red.act.ed]:443/oidc"
          ],
          "path": "/oidc"
        }
      },
      [...]
  },
  [...]
}

How can I swap these for edge-oidc?

I have another lab setup where the public URL is also listed on edge-oidc first, as expected. However, I have no idea why the two instances behave differently.
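Since the SDK dials the first `apiBaseUrls` entry, the following added script (not part of OpenZiti) fetches the controller root document described above and reports, per API, whether the public host is first, present but reordered, or missing entirely; the hosts in the embedded sample are constructed placeholders.

```python
"""Check which apiBaseUrl a controller advertises first for each API."""
import json
import ssl
import urllib.request
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample with the same shape as the controller root response
# quoted in the post (edge-oidc lists the internal host first).
SAMPLE_ROOT = json.dumps({"data": {"apiVersions": {
    "edge": {"v1": {"apiBaseUrls": [
        "https://client.sdn.example:443/edge/client/v1",
        "https://openziti-mgmt-api.internal.example:443/edge/client/v1"],
        "path": "/edge/client/v1"}},
    "edge-oidc": {"v1": {"apiBaseUrls": [
        "https://openziti-mgmt-api.internal.example:443/oidc",
        "https://client.sdn.example:443/oidc"],
        "path": "/oidc"}},
}}})


def fetch_root(controller_url: str, cafile: Optional[str] = None) -> str:
    """GET the controller root ('/'); cafile pins the controller CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    url = controller_url.rstrip("/") + "/"
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read().decode()


def api_base_urls(root_json: str) -> Dict[str, List[str]]:
    """Map 'api/version' -> base URLs in the order the controller sent them."""
    data = json.loads(root_json)
    out: Dict[str, List[str]] = {}
    for api, versions in data["data"]["apiVersions"].items():
        for ver, spec in versions.items():
            out[f"{api}/{ver}"] = list(spec.get("apiBaseUrls") or [])
    return out


def classify(root_json: str, public_host: str) -> Dict[str, str]:
    """Per API: 'ok' if the public host is listed first, 'reordered' if it is
    present but not first (the symptom in this thread), 'missing' if absent."""
    want = public_host.lower()
    result: Dict[str, str] = {}
    for key, urls in api_base_urls(root_json).items():
        hosts = [(urlsplit(u).hostname or "").lower() for u in urls]
        if hosts and hosts[0] == want:
            result[key] = "ok"
        elif want in hosts:
            result[key] = "reordered"
        else:
            result[key] = "missing"
    return result


def report(root_json: str, public_host: str) -> List[str]:
    """Lines for every API a client would not reach through the public host."""
    lines = []
    urls = api_base_urls(root_json)
    for key, state in classify(root_json, public_host).items():
        if state != "ok":
            first = (urls[key] or ["<none>"])[0]
            lines.append(f"{key}: {state}; client would dial {first}")
    return lines


if __name__ == "__main__":
    import sys
    # Usage: python check_api_urls.py https://client.sdn.example:443 client.sdn.example [ca.pem]
    if len(sys.argv) >= 3:
        doc = fetch_root(sys.argv[1], sys.argv[3] if len(sys.argv) > 3 else None)
        host = sys.argv[2]
    else:
        doc, host = SAMPLE_ROOT, "client.sdn.example"
    print("\n".join(report(doc, host)) or "all APIs advertise the public host first")
```

Run it against a live controller after every restart to catch the ordering flipping back, as happened later in this thread.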

Your best bet (for now, unless you need HA) may be just turning off OIDC support in the controller config (just comment out the edge-oidc binding block).

We will be looking into making the client handle multiple endpoints and also adding options in the controller configuration.

The fix is now available in the latest release candidate of the tunneler.

Hi @ekoby ,

I started digging into it this morning.

I had some oidc config left from tests with browzer:

An Auth Policy:

Referring to a disabled authentik config:

I removed the Auth Policy to see if it would affect the 'edge-oidc' order. At first it didn't, but after restarting the controller (single instance, no HA), the entries swapped.

I'll do some tests later...

I’m not sure if it matters here but I know you use the macOS client as well. So fyi the fixes mentioned here are in the latest Test Flight of Ziti Desktop Edge for Mac (2.53.559).

Just to clear things up:

  • edge-oidc is NOT affected by external signers
  • it is only for facilitating internal authentication flow

Hi @ekoby,

Thanks for clarifying this. I rolled back to the backup (the ctrl.db file that I had saved before removing the auth policy) and restarted the controller, and the edge-oidc URLs were in the "correct" order.
I thought I had encountered a strange race condition during controller startup, so I restarted the controller about 20 times. Finally, the edge-oidc URLs were again in the wrong order. (Hint: My 'private' setup runs on an ARM machine with four Cortex-A55 cores and four Cortex-A76 cores - this might be relevant when hunting for race conditions.)

It seems that a simple controller restart would have solved this issue! :see_no_evil_monkey:

Nevertheless, I was able to reproduce the incorrect state for testing purposes.

I can confirm that the latest 1.9.2 Linux tunneler and the Ziti Desktop Edge 2.53.559 are both working on the 1.7.1 controller with swapped edge-oidc URLs.

Thanks for all your work!

Hi,

I noticed that my Android client is unable to connect to the 1.7.1 controller. I checked for updates and found one: 0.19.0 (190000).

After updating, the app could not connect to any of my controllers, neither the 1.7.1 nor the 1.6.9.

I collected the logs from the Android app, and it appears that it tries to authenticate via OIDC on the 1.6.9 controller. However, there is no OIDC configured.

-------- beginning of system
11-02 22:28:40.517  7347  7381 I DisplayManager: Choreographer implicitly registered for the refresh rate.
--------- beginning of main
11-02 22:30:31.023  7347  7347 I ZitiVPNService: onStartCommand Intent { act=stop xflg=0x4 cmp=org.openziti.mobile/.ZitiVPNService }, 4
11-02 22:30:31.023  7347  7347 I ZitiVPNService: monitor=StandaloneCoroutine{Active}@2fe2e5f
11-02 22:30:31.023  7347  7412 I ZitiVPNService: received cmd[stop]
11-02 22:30:31.024  7347  7412 I ZitiVPNService: tunnel stop success
11-02 22:30:31.024  7347  7378 I tunnel:netif.cpp:119 android_netif_do(): stopping android netif
11-02 22:30:33.223  7347  7347 I model   : enabling[7D3DDZQ6z]
11-02 22:30:33.239  7347  7347 D Tunnel  : cmd[13] = IdentityOnOff:{"Identifier":"7D3DDZQ6z","OnOff":true}
11-02 22:30:33.241  7347  7378 I Tunnel  : resp = {"Success":true,"Data":{"Command":"IdentityOnOff","Data":{"Identifier":"7D3DDZQ6z","OnOff":true}},"Code":0}
11-02 22:30:33.243  7347  7378 D Tunnel  : result[13] = IdentityOnOff:TunnelResult(success=true, code=0, error=null, data={"Command":"IdentityOnOff","Data":{"Identifier":"7D3DDZQ6z","OnOff":true}})
11-02 22:30:33.244  7347  7378 I ziti-sdk:ziti.c:525 ziti_start_internal(): ztx[2] enabling Ziti Context
11-02 22:30:33.261  7347  7378 I ziti-sdk:ziti.c:542 ziti_start_internal(): ztx[2] using tlsuv[v0.39.6/OpenSSL 3.5.1 1 Jul 2025]
11-02 22:30:33.261  7347  7378 I ziti-sdk:ziti_ctrl.c:639 ziti_ctrl_init(): ctrl[https://client.my.controller.redacted:443] controller initialized
11-02 22:30:33.261  7347  7378 D ziti-sdk:ziti_ctrl.c:650 ziti_ctrl_init(): ctrl[https://client.my.controller.redacted:443] ziti controller client initialized
11-02 22:30:33.261  7347  7378 I ziti-sdk:ziti.c:619 ztx_init_controller(): ztx[2] Loading ziti context with controller[https://client.my.controller.redacted:443]
11-02 22:30:33.261  7347  7378 D ziti-sdk:ziti.c:550 ziti_start_internal(): ztx[2] using metrics interval: 0
11-02 22:30:33.261  7347  7378 D ziti-sdk:ziti.c:226 ziti_set_unauthenticated(): ztx[2] setting auth_state[0] to 0
11-02 22:30:33.261  7347  7378 D ziti-sdk:ziti_ctrl.c:380 ziti_ctrl_clear_auth(): ctrl[https://client.my.controller.redacted:443] clearing api session token for ziti_controller
11-02 22:30:33.261  7347  7378 D ziti-sdk:ziti_ctrl.c:1108 ctrl_paging_req(): ctrl[https://client.my.controller.redacted:443] starting paging request GET[/external-jwt-signers]
11-02 22:30:33.407  7347  7378 D ziti-sdk:ziti_ctrl.c:505 ctrl_body_cb(): ctrl[https://client.my.controller.redacted:443] completed GET[/version] in 0.145 s
11-02 22:30:33.407  7347  7378 I ziti-sdk:ziti.c:2034 version_pre_auth_cb(): ztx[2] connected to controller https://client.my.controller.redacted:443 version v1.6.9(61ce69026623 2025-09-23T20:13:26Z)
11-02 22:30:33.407  7347  7378 I ziti-sdk:ziti.c:2035 version_pre_auth_cb(): ztx[2] using OIDC authentication method
11-02 22:30:33.407  7347  7378 I ziti-sdk:oidc.c:144 oidc_client_init(): oidc[internal] initializing with provider[https://client.my.controller.redacted:443/oidc]
11-02 22:30:33.407  7347  7378 D ziti-sdk:oidc.c:255 oidc_client_configure(): oidc[internal] configuring provider[https://client.my.controller.redacted:443/oidc]
11-02 22:30:33.423  7347  7378 D ziti-sdk:ziti_ctrl.c:490 ctrl_body_cb(): ctrl[https://client.my.controller.redacted:443] received 0/0 for paging request GET[/external-jwt-signers]
11-02 22:30:33.423  7347  7378 D ziti-sdk:ziti_ctrl.c:500 ctrl_body_cb(): ctrl[https://client.my.controller.redacted:443] completed paging request GET[/external-jwt-signers] in 0.162 s
11-02 22:30:33.424  7347  7378 D ziti-sdk:ziti.c:671 ext_jwt_singers_cb(): ztx[2] 0 external auth providers available
11-02 22:30:33.518  7347  7378 D ziti-sdk:oidc_auth.c:183 config_cb(): oidc config callback: 0/(null)
11-02 22:30:33.518  7347  7378 D ziti-sdk:oidc.c:736 oidc_client_start(): oidc[internal] starting auth flow
11-02 22:30:33.518  7347  7378 D ziti-sdk:oidc.c:745 oidc_client_start(): oidc[internal] requesting authentication code from auth_url[https://client.my.controller.redacted:443/oidc/authorize]
11-02 22:30:33.535  7347  7378 D ziti-sdk:oidc.c:425 auth_cb(): oidc[internal] 302 Found err[missing content-type] body=null
11-02 22:30:33.536  7347  7378 D ziti-sdk:oidc.c:439 auth_cb(): oidc[internal] login with path[/oidc/login/cert?id=6ff14286-9d8c-45cb-9cb6-d9580f0b2973] 
11-02 22:30:33.696  7347  7378 D ziti-sdk:oidc.c:370 login_cb(): oidc[internal] 401 login[unexpected content] body = null
11-02 22:30:33.696  7347  7378 W ziti-sdk:oidc.c:301 failed_auth_req(): oidc[internal] OIDC authorization failed: Unauthorized
11-02 22:30:36.299  7347  7347 I ZitiVPNService: onStartCommand Intent { act=start xflg=0x4 cmp=org.openziti.mobile/.ZitiVPNService }, 5
11-02 22:30:36.299  7347  7347 I ZitiVPNService: monitor=StandaloneCoroutine{Active}@2fe2e5f
11-02 22:30:36.300  7347  7412 I ZitiVPNService: received cmd[start]
11-02 22:30:36.302  7347  7412 I ZitiVPNService: link[386] addresses: [/my.client.net.196]
11-02 22:30:36.302  7347  7412 I ZitiVPNService: link[386] nameservers: [/my.client.net.252]
11-02 22:30:36.302  7347  7412 I ZitiVPNService: set upstream DNS[[my.client.net.252]]
11-02 22:30:36.303  7347  7412 D Tunnel  : cmd[14] = SetUpstreamDNS:[{"host":"my.client.net.252"}]
11-02 22:30:36.303  7347  7412 I ZitiVPNService: startTunnel()
11-02 22:30:36.303  7347  7378 I tunnel-cbs:ziti_dns.c:273 ziti_dns_set_upstream(): DNS upstream[1] is set to my.client.net.252:53
11-02 22:30:36.303  7347  7378 I Tunnel  : resp = {"Success":true,"Code":0}
11-02 22:30:36.304  7347  7378 D Tunnel  : result[14] = SetUpstreamDNS:TunnelResult(success=true, code=0, error=null, data=null)
11-02 22:30:36.306  7347  7412 D ZitiVPNService: adding route Route(address=/100.64.0.0, bits=10)
11-02 22:30:36.308  7347  7412 I ZitiVPNService: creating tunnel interface
11-02 22:30:36.319  7347  7412 I ZitiVPNService: starting tunnel for fd=java.io.FileDescriptor@cea4660
11-02 22:30:36.319  7347  7412 I ZitiVPNService: tunnel start success
11-02 22:30:36.320  7347  7378 I tunnel:netif.cpp:111 android_netif_do(): starting android netif
11-02 22:30:50.577  7347  7347 I model   : disabling[7D3DDZQ6z]
11-02 22:30:50.602  7347  7347 D Tunnel  : cmd[15] = IdentityOnOff:{"Identifier":"7D3DDZQ6z","OnOff":false}
11-02 22:30:50.603  7347  7378 I Tunnel  : resp = {"Success":true,"Data":{"Command":"IdentityOnOff","Data":{"Identifier":"7D3DDZQ6z","OnOff":false}},"Code":0}
11-02 22:30:50.603  7347  7378 D Tunnel  : result[15] = IdentityOnOff:TunnelResult(success=true, code=0, error=null, data={"Command":"IdentityOnOff","Data":{"Identifier":"7D3DDZQ6z","OnOff":false}})
11-02 22:30:50.604  7347  7378 I ziti-sdk:ziti.c:464 ziti_stop_internal(): ztx[2] disabling Ziti Context
11-02 22:30:50.604  7347  7378 D ziti-sdk:oidc.c:867 oidc_client_close(): oidc[internal] closing
11-02 22:30:50.604  7347  7378 D ziti-sdk:ziti.c:226 ziti_set_unauthenticated(): ztx[2] setting auth_state[0] to 0
11-02 22:30:50.604  7347  7378 D ziti-sdk:ziti_ctrl.c:380 ziti_ctrl_clear_auth(): ctrl[https://client.my.controller.redacted:443] clearing api session token for ziti_controller
11-02 22:30:50.604  7347  7412 I ZitiVPNService: restarting tunnel
11-02 22:30:50.605  7347  7378 I tunnel:netif.cpp:119 android_netif_do(): stopping android netif
11-02 22:30:50.607  7347  7412 I ZitiVPNService: link[386] addresses: [/my.client.net.196]
11-02 22:30:50.608  7347  7412 I ZitiVPNService: link[386] nameservers: [/my.client.net.252]
11-02 22:30:50.608  7347  7412 I ZitiVPNService: set upstream DNS[[my.client.net.252]]
11-02 22:30:50.608  7347  7412 D Tunnel  : cmd[16] = SetUpstreamDNS:[{"host":"my.client.net.252"}]
11-02 22:30:50.642  7347  7378 I tunnel-cbs:ziti_dns.c:273 ziti_dns_set_upstream(): DNS upstream[1] is set to my.client.net.252:53
11-02 22:30:50.642  7347  7412 I ZitiVPNService: startTunnel()
11-02 22:30:50.642  7347  7378 I Tunnel  : resp = {"Success":true,"Code":0}
11-02 22:30:50.642  7347  7378 D Tunnel  : result[16] = SetUpstreamDNS:TunnelResult(success=true, code=0, error=null, data=null)
11-02 22:30:50.647  7347  7412 D ZitiVPNService: adding route Route(address=/100.64.0.0, bits=10)
11-02 22:30:50.649  7347  7412 I ZitiVPNService: creating tunnel interface
11-02 22:30:50.719  7347  7412 I ZitiVPNService: starting tunnel for fd=java.io.FileDescriptor@75eb4a
11-02 22:30:50.720  7347  7378 I tunnel:netif.cpp:111 android_netif_do(): starting android netif
11-02 22:30:51.662  7347  7347 I model   : enabling[7D3DDZQ6z]
11-02 22:30:51.680  7347  7347 D Tunnel  : cmd[17] = IdentityOnOff:{"Identifier":"7D3DDZQ6z","OnOff":true}
11-02 22:30:51.680  7347  7378 I Tunnel  : resp = {"Success":true,"Data":{"Command":"IdentityOnOff","Data":{"Identifier":"7D3DDZQ6z","OnOff":true}},"Code":0}
11-02 22:30:51.682  7347  7378 D Tunnel  : result[17] = IdentityOnOff:TunnelResult(success=true, code=0, error=null, data={"Command":"IdentityOnOff","Data":{"Identifier":"7D3DDZQ6z","OnOff":true}})
11-02 22:30:51.682  7347  7378 I ziti-sdk:ziti.c:525 ziti_start_internal(): ztx[2] enabling Ziti Context
11-02 22:30:51.702  7347  7378 I ziti-sdk:ziti.c:542 ziti_start_internal(): ztx[2] using tlsuv[v0.39.6/OpenSSL 3.5.1 1 Jul 2025]
11-02 22:30:51.702  7347  7378 I ziti-sdk:ziti_ctrl.c:639 ziti_ctrl_init(): ctrl[https://client.my.controller.redacted:443] controller initialized
11-02 22:30:51.702  7347  7378 D ziti-sdk:ziti_ctrl.c:650 ziti_ctrl_init(): ctrl[https://client.my.controller.redacted:443] ziti controller client initialized
11-02 22:30:51.702  7347  7378 I ziti-sdk:ziti.c:619 ztx_init_controller(): ztx[2] Loading ziti context with controller[https://client.my.controller.redacted:443]
11-02 22:30:51.702  7347  7378 D ziti-sdk:ziti.c:550 ziti_start_internal(): ztx[2] using metrics interval: 0
11-02 22:30:51.702  7347  7378 D ziti-sdk:ziti.c:226 ziti_set_unauthenticated(): ztx[2] setting auth_state[0] to 0
11-02 22:30:51.702  7347  7378 D ziti-sdk:ziti_ctrl.c:380 ziti_ctrl_clear_auth(): ctrl[https://client.my.controller.redacted:443] clearing api session token for ziti_controller
11-02 22:30:51.702  7347  7378 D ziti-sdk:ziti_ctrl.c:1108 ctrl_paging_req(): ctrl[https://client.my.controller.redacted:443] starting paging request GET[/external-jwt-signers]
11-02 22:30:51.843  7347  7378 D ziti-sdk:ziti_ctrl.c:505 ctrl_body_cb(): ctrl[https://client.my.controller.redacted:443] completed GET[/version] in 0.140 s
11-02 22:30:51.843  7347  7378 I ziti-sdk:ziti.c:2034 version_pre_auth_cb(): ztx[2] connected to controller https://client.my.controller.redacted:443 version v1.6.9(61ce69026623 2025-09-23T20:13:26Z)
11-02 22:30:51.843  7347  7378 I ziti-sdk:ziti.c:2035 version_pre_auth_cb(): ztx[2] using OIDC authentication method
11-02 22:30:51.843  7347  7378 I ziti-sdk:oidc.c:144 oidc_client_init(): oidc[internal] initializing with provider[https://client.my.controller.redacted:443/oidc]
11-02 22:30:51.843  7347  7378 D ziti-sdk:oidc.c:255 oidc_client_configure(): oidc[internal] configuring provider[https://client.my.controller.redacted:443/oidc]
11-02 22:30:51.891  7347  7378 D ziti-sdk:ziti_ctrl.c:490 ctrl_body_cb(): ctrl[https://client.my.controller.redacted:443] received 0/0 for paging request GET[/external-jwt-signers]
11-02 22:30:51.891  7347  7378 D ziti-sdk:ziti_ctrl.c:500 ctrl_body_cb(): ctrl[https://client.my.controller.redacted:443] completed paging request GET[/external-jwt-signers] in 0.188 s
11-02 22:30:51.891  7347  7378 D ziti-sdk:ziti.c:671 ext_jwt_singers_cb(): ztx[2] 0 external auth providers available
11-02 22:30:51.966  7347  7378 D ziti-sdk:oidc_auth.c:183 config_cb(): oidc config callback: 0/(null)
11-02 22:30:51.966  7347  7378 D ziti-sdk:oidc.c:736 oidc_client_start(): oidc[internal] starting auth flow
11-02 22:30:51.966  7347  7378 D ziti-sdk:oidc.c:745 oidc_client_start(): oidc[internal] requesting authentication code from auth_url[https://client.my.controller.redacted:443/oidc/authorize]
11-02 22:30:51.980  7347  7378 D ziti-sdk:oidc.c:425 auth_cb(): oidc[internal] 302 Found err[missing content-type] body=null
11-02 22:30:51.981  7347  7378 D ziti-sdk:oidc.c:439 auth_cb(): oidc[internal] login with path[/oidc/login/cert?id=4485ee30-e747-4af6-ad80-c9b0d0218f62] 
11-02 22:30:52.051  7347  7378 D ziti-sdk:oidc.c:370 login_cb(): oidc[internal] 401 login[unexpected content] body = null
11-02 22:30:52.051  7347  7378 W ziti-sdk:oidc.c:301 failed_auth_req(): oidc[internal] OIDC authorization failed: Unauthorized

Any hints?

Chris
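To summarise what the SDK did during authentication without reading the whole dump, here is an added triage helper (not part of OpenZiti) that extracts the controller, auth method, OIDC provider and the 302/401 steps from both the Android logcat format above and the Linux tunneler format in the first post; the embedded sample lines are constructed with placeholder hosts and ids.

```python
"""Summarise the ziti-sdk authentication flow from a tunneler log."""
import re
from typing import Dict, Iterable, Optional

# Android logcat "threadtime" format: date time PID TID level rest
LOGCAT = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<rest>.*)$")
# Linux tunneler format: (pid)[ seconds] LEVEL rest
TUNNELER = re.compile(r"^\(\d+\)\[\s*[\d.]+\]\s+(?P<level>[A-Z]+)\s+(?P<rest>.*)$")

# Field -> regex over the remainder of a ziti-sdk/tlsuv line (patterns follow
# the messages quoted in this thread).
PATTERNS = {
    "controller": re.compile(r"connected to controller (\S+) version"),
    "version": re.compile(r"connected to controller \S+ version (v[\d.]+)"),
    "auth_method": re.compile(r"using (\S+) authentication method"),
    "oidc_provider": re.compile(r"oidc\[internal\] initializing with provider\[([^\]]+)\]"),
    "ext_signers": re.compile(r"(\d+) external auth providers available"),
    "authorize_status": re.compile(r"auth_cb\(\): oidc\[internal\] (\d{3}) "),
    "login_path": re.compile(r"login with path\[([^\]?]+)"),   # query (id=...) dropped
    "login_status": re.compile(r"login_cb\(\): oidc\[internal\] (\d{3}) "),
    "oidc_failure": re.compile(r"OIDC authorization failed: (.+)$"),
    "connect_failure": re.compile(r"connection failed: (.+)$"),
}

# Constructed samples modelled on the two logs in this thread.
SAMPLE_ANDROID = """\
11-02 22:30:33.407  7347  7378 I ziti-sdk:ziti.c:2034 version_pre_auth_cb(): ztx[2] connected to controller https://client.example.test:443 version v1.6.9(61ce69026623 2025-09-23T20:13:26Z)
11-02 22:30:33.407  7347  7378 I ziti-sdk:ziti.c:2035 version_pre_auth_cb(): ztx[2] using OIDC authentication method
11-02 22:30:33.407  7347  7378 I ziti-sdk:oidc.c:144 oidc_client_init(): oidc[internal] initializing with provider[https://client.example.test:443/oidc]
11-02 22:30:33.424  7347  7378 D ziti-sdk:ziti.c:671 ext_jwt_singers_cb(): ztx[2] 0 external auth providers available
11-02 22:30:33.535  7347  7378 D ziti-sdk:oidc.c:425 auth_cb(): oidc[internal] 302 Found err[missing content-type] body=null
11-02 22:30:33.536  7347  7378 D ziti-sdk:oidc.c:439 auth_cb(): oidc[internal] login with path[/oidc/login/cert?id=00000000-0000-0000-0000-000000000000]
11-02 22:30:33.696  7347  7378 D ziti-sdk:oidc.c:370 login_cb(): oidc[internal] 401 login[unexpected content] body = null
11-02 22:30:33.696  7347  7378 W ziti-sdk:oidc.c:301 failed_auth_req(): oidc[internal] OIDC authorization failed: Unauthorized
"""
SAMPLE_LINUX = """\
(1)[        0.105]    INFO ziti-sdk:oidc.c:144 oidc_client_init() oidc[internal] initializing with provider[https://mgmt.internal.example:443/oidc]
(1)[        0.108]   ERROR tlsuv:http.c:353 http[mgmt.internal.example:443/oidc]: connection failed: unknown node or service
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed fields of a logcat or tunneler line, else None."""
    for rx in (LOGCAT, TUNNELER):
        m = rx.match(line.rstrip("\n"))
        if m:
            return m.groupdict()
    return None


def auth_flow_summary(lines: Iterable[str]) -> Dict[str, str]:
    """Collect the last value seen per field; a later attempt overwrites earlier ones."""
    summary: Dict[str, str] = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["rest"].startswith(("ziti-sdk:", "tlsuv:")):
            continue
        for field, rx in PATTERNS.items():
            m = rx.search(rec["rest"])
            if m:
                summary[field] = m.group(1).strip()
    return summary


def diagnose(summary: Dict[str, str]) -> str:
    """Map the extracted flow onto the situations discussed in this thread."""
    if "connect_failure" in summary:
        return ("OIDC provider unreachable (%s): check the order of the edge-oidc "
                "apiBaseUrls the controller advertises" % summary["connect_failure"])
    if summary.get("auth_method") != "OIDC":
        return "legacy (non-OIDC) authentication; OIDC not involved"
    if summary.get("login_status") == "401":
        return ("controller rejected certificate login at %s with 401: verify the "
                "identity is enrolled on this controller" % summary.get("login_path", "?"))
    if "oidc_failure" in summary:
        return "OIDC flow failed: " + summary["oidc_failure"]
    return "OIDC flow completed without a logged failure"


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ANDROID.splitlines()
    s = auth_flow_summary(src)
    print(s)
    print(diagnose(s))
```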

Hi,

Now I've disabled the identity for the 1.6.9 controller to test the 1.7.1 controller.
This is the log:

--------- beginning of system
11-02 22:54:44.274  7347  7347 D InsetsController: Setting requestedVisibleTypes to -14 (was -9)
--------- beginning of main
11-02 22:55:34.375  7347  7378 D ziti-sdk:posture.c:213 ziti_send_posture_data(): ztx[3] posture checks must_send set to TRUE, new_session_id[FALSE], must_send_every_time[TRUE], new_controller_instance[FALSE]
11-02 22:55:54.382  7347  7378 D ziti-sdk:posture.c:213 ziti_send_posture_data(): ztx[3] posture checks must_send set to TRUE, new_session_id[FALSE], must_send_every_time[TRUE], new_controller_instance[FALSE]
11-02 22:56:14.402  7347  7378 D ziti-sdk:posture.c:213 ziti_send_posture_data(): ztx[3] posture checks must_send set to TRUE, new_session_id[FALSE], must_send_every_time[TRUE], new_controller_instance[FALSE]
11-02 22:56:34.421  7347  7378 D ziti-sdk:posture.c:213 ziti_send_posture_data(): ztx[3] posture checks must_send set to TRUE, new_session_id[FALSE], must_send_every_time[TRUE], new_controller_instance[FALSE]
11-02 22:56:54.440  7347  7378 D ziti-sdk:posture.c:213 ziti_send_posture_data(): ztx[3] posture checks must_send set to TRUE, new_session_id[FALSE], must_send_every_time[TRUE], new_controller_instance[FALSE]
11-02 22:56:55.864  7347  7378 I tunnel-cbs:ziti_dns.c:567 format_resp(): found record[100.64.0.3] for query[1:cloud.1.7.1.controller]
11-02 22:56:55.867  7347  7378 D tunnel-cbs:ziti_tunnel_cbs.c:354 ziti_sdk_c_dial(): service[iac-kis_svc_cloud_80,443_t-2] app_data_json[176]='{"connType":null,"dst_protocol":"tcp","dst_hostname":"cloud.1.7.1.controller","dst_ip":"100.64.0.3","dst_port":"443","src_protocol":"tcp","src_ip":"100.64.0.0","src_port":"48509"}'
11-02 22:56:55.867  7347  7378 D ziti-sdk:connect.c:426 connect_get_service_cb(): conn[3.0/zgBIgXvy/Connecting](iac-kis_svc_cloud_80,443_t-2) got service[iac-kis_svc_cloud_80,443_t-2] id[4nJcPDOIqi7eNrIGwjSajL]
11-02 22:56:55.867  7347  7378 D ziti-sdk:posture.c:213 ziti_send_posture_data(): ztx[3] posture checks must_send set to TRUE, new_session_id[FALSE], must_send_every_time[TRUE], new_controller_instance[FALSE]
11-02 22:56:55.867  7347  7378 D ziti-sdk:connect.c:520 process_connect(): conn[3.0/zgBIgXvy/Connecting](iac-kis_svc_cloud_80,443_t-2) requesting 'Dial' session for service[iac-kis_svc_cloud_80,443_t-2]
11-02 22:56:55.867  7347  7378 D tunnel-cbs:ziti_tunnel_cbs.c:354 ziti_sdk_c_dial(): service[iac-kis_svc_cloud_80,443_t-2] app_data_json[176]='{"connType":null,"dst_protocol":"tcp","dst_hostname":"cloud.1.7.1.controller","dst_ip":"100.64.0.3","dst_port":"443","src_protocol":"tcp","src_ip":"100.64.0.0","src_port":"42929"}'
11-02 22:56:55.867  7347  7378 D ziti-sdk:connect.c:426 connect_get_service_cb(): conn[3.1/kNEhG4Qa/Connecting](iac-kis_svc_cloud_80,443_t-2) got service[iac-kis_svc_cloud_80,443_t-2] id[4nJcPDOIqi7eNrIGwjSajL]
11-02 22:56:55.867  7347  7378 D ziti-sdk:posture.c:213 ziti_send_posture_data(): ztx[3] posture checks must_send set to TRUE, new_session_id[FALSE], must_send_every_time[TRUE], new_controller_instance[FALSE]
11-02 22:56:55.867  7347  7378 D ziti-sdk:connect.c:520 process_connect(): conn[3.1/kNEhG4Qa/Connecting](iac-kis_svc_cloud_80,443_t-2) requesting 'Dial' session for service[iac-kis_svc_cloud_80,443_t-2]
11-02 22:56:55.867  7347  7378 D tunnel-cbs:ziti_tunnel_cbs.c:354 ziti_sdk_c_dial(): service[iac-kis_svc_cloud_80,443_t-2] app_data_json[176]='{"connType":null,"dst_protocol":"tcp","dst_hostname":"cloud.1.7.1.controller","dst_ip":"100.64.0.3","dst_port":"443","src_protocol":"tcp","src_ip":"100.64.0.0","src_port":"42196"}'
11-02 22:56:55.867  7347  7378 D ziti-sdk:connect.c:426 connect_get_service_cb(): conn[3.2/eVUA6QcD/Connecting](iac-kis_svc_cloud_80,443_t-2) got service[iac-kis_svc_cloud_80,443_t-2] id[4nJcPDOIqi7eNrIGwjSajL]
11-02 22:56:55.867  7347  7378 D ziti-sdk:posture.c:213 ziti_send_posture_data(): ztx[3] posture checks must_send set to TRUE, new_session_id[FALSE], must_send_every_time[TRUE], new_controller_instance[FALSE]
11-02 22:56:55.867  7347  7378 D ziti-sdk:connect.c:520 process_connect(): conn[3.2/eVUA6QcD/Connecting](iac-kis_svc_cloud_80,443_t-2) requesting 'Dial' session for service[iac-kis_svc_cloud_80,443_t-2]
11-02 22:56:55.871  7347  7378 D tunnel-cbs:ziti_tunnel_cbs.c:354 ziti_sdk_c_dial(): service[iac-kis_svc_cloud_80,443_t-2] app_data_json[176]='{"connType":null,"dst_protocol":"tcp","dst_hostname":"cloud.1.7.1.controller","dst_ip":"100.64.0.3","dst_port":"443","src_protocol":"tcp","src_ip":"100.64.0.0","src_port":"42210"}'
11-02 22:56:55.871  7347  7378 D ziti-sdk:connect.c:426 connect_get_service_cb(): conn[3.3/eQcIHz3k/Connecting](iac-kis_svc_cloud_80,443_t-2) got service[iac-kis_svc_cloud_80,443_t-2] id[4nJcPDOIqi7eNrIGwjSajL]
11-02 22:56:55.871  7347  7378 D ziti-sdk:posture.c:213 ziti_send_posture_data(): ztx[3] posture checks must_send set to TRUE, new_session_id[FALSE], must_send_every_time[TRUE], new_controller_instance[FALSE]
11-02 22:56:55.871  7347  7378 D ziti-sdk:connect.c:520 process_connect(): conn[3.3/eQcIHz3k/Connecting](iac-kis_svc_cloud_80,443_t-2) requesting 'Dial' session for service[iac-kis_svc_cloud_80,443_t-2]
11-02 22:56:55.947  7347  7347 D ImeBackDispatcher: Clear (mImeCallbacks.size=0)
11-02 22:56:55.947  7347  7347 I ImeTracker: org.openziti.mobile:f5f3620a: onRequestHide at ORIGIN_CLIENT reason HIDE_WINDOW_LOST_FOCUS fromUser false
11-02 22:56:55.947  7347  7347 D InsetsController: hide(ime())
11-02 22:56:55.947  7347  7347 I ImeTracker: org.openziti.mobile:f5f3620a: onCancelled at PHASE_CLIENT_ALREADY_HIDDEN
11-02 22:56:55.947  7347  7347 D ImeBackDispatcher: switch root view (mImeCallbacks.size=0)
11-02 22:56:55.998  7347  7378 D ziti-sdk:ziti_ctrl.c:505 ctrl_body_cb(): ctrl[https://client.1.7.1.controller:443] completed POST[/sessions] in 0.130 s
11-02 22:56:55.998  7347  7378 D ziti-sdk:connect.c:481 connect_get_net_session_cb(): conn[3.0/zgBIgXvy/Connecting](iac-kis_svc_cloud_80,443_t-2) got session[cmhi9473m02jv0fahdtn9o8qr] for service[iac-kis_svc_cloud_80,443_t-2]
11-02 22:56:55.998  7347  7378 D ziti-sdk:posture.c:213 ziti_send_posture_data(): ztx[3] posture checks must_send set to TRUE, new_session_id[FALSE], must_send_every_time[TRUE], new_controller_instance[FALSE]
11-02 22:56:55.998  7347  7378 D ziti-sdk:connect.c:543 process_connect(): conn[3.0/zgBIgXvy/Connecting](iac-kis_svc_cloud_80,443_t-2) starting Dial connection for service[iac-kis_svc_cloud_80,443_t-2] with session[cmhi9473m02jv0fahdtn9o8qr]
11-02 22:56:55.998  7347  7378 D ziti-sdk:connect.c:404 ziti_connect(): conn[3.0/zgBIgXvy/Connecting](iac-kis_svc_cloud_80,443_t-2) selected ch[core-router@tls://edge.kis.1.7.1.controller:443] for best latency(13 ms)
11-02 22:56:55.998  7347  7378 D ziti-sdk:channel.c:238 ziti_channel_add_receiver(): ch[0] added receiver[0]
11-02 22:56:56.016  7347  7378 D ziti-sdk:connect.c:1413 process_edge_message(): conn[3.0/zgBIgXvy/Connected](iac-kis_svc_cloud_80,443_t-2) peer capability: stream[N] multipart[Y] trace[Y]
11-02 22:56:56.074  7347  7378 D ziti-sdk:connect.c:658 ziti_write_req(): conn[3.0/zgBIgXvy/Connected](iac-kis_svc_cloud_80,443_t-2) consolidated 2 payloads total_len[673]
11-02 22:56:56.077  7347  7378 D ziti-sdk:ziti_ctrl.c:505 ctrl_body_cb(): ctrl[https://client.1.7.1.controller:443] completed POST[/sessions] in 0.210 s
11-02 22:56:56.077  7347  7378 D ziti-sdk:connect.c:477 connect_get_net_session_cb(): conn[3.1/kNEhG4Qa/Connecting](iac-kis_svc_cloud_80,443_t-2) discarding existing session[cmhi9473m02jv0fahdtn9o8qr] for service[iac-kis_svc_cloud_80,443_t-2]
11-02 22:56:56.077  7347  7378 D ziti-sdk:posture.c:213 ziti_send_posture_data(): ztx[3] posture checks must_send set to TRUE, new_session_id[FALSE], must_send_every_time[TRUE], new_controller_instance[FALSE]
11-02 22:56:56.077  7347  7378 D ziti-sdk:connect.c:543 process_connect(): conn[3.1/kNEhG4Qa/Connecting](iac-kis_svc_cloud_80,443_t-2) starting Dial connection for service[iac-kis_svc_cloud_80,443_t-2] with session[cmhi9475402jw0fahughhwmhh]
11-02 22:56:56.077  7347  7378 D ziti-sdk:connect.c:404 ziti_connect(): conn[3.1/kNEhG4Qa/Connecting](iac-kis_svc_cloud_80,443_t-2) selected ch[core-router@tls://edge.kis.1.7.1.controller:443] for best latency(13 ms)
11-02 22:56:56.078  7347  7378 D ziti-sdk:channel.c:238 ziti_channel_add_receiver(): ch[0] added receiver[1]
11-02 22:56:56.138  7347  7378 D ziti-sdk:ziti_ctrl.c:505 ctrl_body_cb(): ctrl[https://client.1.7.1.controller:443] completed POST[/sessions] in 0.270 s
11-02 22:56:56.138  7347  7378 D ziti-sdk:connect.c:477 connect_get_net_session_cb(): conn[3.2/eVUA6QcD/Connecting](iac-kis_svc_cloud_80,443_t-2) discarding existing session[cmhi9475402jw0fahughhwmhh] for service[iac-kis_svc_cloud_80,443_t-2]
11-02 22:56:56.138  7347  7378 D ziti-sdk:posture.c:213 ziti_send_posture_data(): ztx[3] posture checks must_send set to TRUE, new_session_id[FALSE], must_send_every_time[TRUE], new_controller_instance[FALSE]
11-02 22:56:56.138  7347  7378 D ziti-sdk:connect.c:543 process_connect(): conn[3.2/eVUA6QcD/Connecting](iac-kis_svc_cloud_80,443_t-2) starting Dial connection for service[iac-kis_svc_cloud_80,443_t-2] with session[cmhi9477802jx0fahf5k2nk7x]
11-02 22:56:56.138  7347  7378 D ziti-sdk:connect.c:404 ziti_connect(): conn[3.2/eVUA6QcD/Connecting](iac-kis_svc_cloud_80,443_t-2) selected ch[core-router@tls://edge.kis.1.7.1.controller:443] for best latency(13 ms)
11-02 22:56:56.138  7347  7378 D ziti-sdk:channel.c:238 ziti_channel_add_receiver(): ch[0] added receiver[2]
11-02 22:56:56.145  7347  7378 D ziti-sdk:connect.c:1413 process_edge_message(): conn[3.1/kNEhG4Qa/Connected](iac-kis_svc_cloud_80,443_t-2) peer capability: stream[N] multipart[Y] trace[Y]
11-02 22:56:56.175  7347  7378 D ziti-sdk:connect.c:1413 process_edge_message(): conn[3.2/eVUA6QcD/Connected](iac-kis_svc_cloud_80,443_t-2) peer capability: stream[N] multipart[Y] trace[Y]
11-02 22:56:56.202  7347  7378 D ziti-sdk:connect.c:658 ziti_write_req(): conn[3.1/kNEhG4Qa/Connected](iac-kis_svc_cloud_80,443_t-2) consolidated 2 payloads total_len[739]
11-02 22:56:56.220  7347  7347 D VRI[ZitiMobileEdgeActivity]: visibilityChanged oldVisibility=true newVisibility=false
11-02 22:56:56.229  7347  7378 D ziti-sdk:ziti_ctrl.c:505 ctrl_body_cb(): ctrl[https://client.1.7.1.controller:443] completed POST[/sessions] in 0.357 s
11-02 22:56:56.229  7347  7378 D ziti-sdk:connect.c:477 connect_get_net_session_cb(): conn[3.3/eQcIHz3k/Connecting](iac-kis_svc_cloud_80,443_t-2) discarding existing session[cmhi9477802jx0fahf5k2nk7x] for service[iac-kis_svc_cloud_80,443_t-2]
11-02 22:56:56.229  7347  7378 D ziti-sdk:posture.c:213 ziti_send_posture_data(): ztx[3] posture checks must_send set to TRUE, new_session_id[FALSE], must_send_every_time[TRUE], new_controller_instance[FALSE]
11-02 22:56:56.229  7347  7378 D ziti-sdk:connect.c:543 process_connect(): conn[3.3/eQcIHz3k/Connecting](iac-kis_svc_cloud_80,443_t-2) starting Dial connection for service[iac-kis_svc_cloud_80,443_t-2] with session[cmhi9478v02jy0faha240n98o]
11-02 22:56:56.229  7347  7378 D ziti-sdk:connect.c:404 ziti_connect(): conn[3.3/eQcIHz3k/Connecting](iac-kis_svc_cloud_80,443_t-2) selected ch[core-router@tls://edge.kis.1.7.1.controller:443] for best latency(13 ms)
11-02 22:56:56.229  7347  7378 D ziti-sdk:channel.c:238 ziti_channel_add_receiver(): ch[0] added receiver[3]
11-02 22:56:56.238  7347  7347 D WindowOnBackDispatcher: setTopOnBackInvokedCallback (unwrapped): android.app.Activity$$ExternalSyntheticLambda0@4e7bd2d
11-02 22:56:56.251  7347  7378 D ziti-sdk:connect.c:1413 process_edge_message(): conn[3.3/eQcIHz3k/Connected](iac-kis_svc_cloud_80,443_t-2) peer capability: stream[N] multipart[Y] trace[Y]
11-02 22:57:02.911  7347  7378 D ziti-sdk:connect.c:658 ziti_write_req(): conn[3.1/kNEhG4Qa/Connected](iac-kis_svc_cloud_80,443_t-2) consolidated 2 payloads total_len[16406]
11-02 22:57:02.912  7347  7378 D ziti-sdk:connect.c:658 ziti_write_req(): conn[3.1/kNEhG4Qa/Connected](iac-kis_svc_cloud_80,443_t-2) consolidated 2 payloads total_len[16406]
11-02 22:57:02.912  7347  7378 D ziti-sdk:connect.c:658 ziti_write_req(): conn[3.1/kNEhG4Qa/Connected](iac-kis_svc_cloud_80,443_t-2) consolidated 2 payloads total_len[16406]
11-02 22:57:05.605  7347  7347 D WindowOnBackDispatcher: setTopOnBackInvokedCallback (unwrapped): androidx.activity.OnBackPressedDispatcher$Api34Impl$createOnBackAnimationCallback$1@1d7262
11-02 22:57:05.656  7347  7347 D ImeBackDispatcher: switch root view (mImeCallbacks.size=0)
11-02 22:57:10.089  7347  7347 I ZitiVPNService: onStartCommand Intent { act=stop xflg=0x4 cmp=org.openziti.mobile/.ZitiVPNService }, 10
11-02 22:57:10.090  7347  7347 I ZitiVPNService: monitor=StandaloneCoroutine{Active}@2fe2e5f
11-02 22:57:10.090  7347  7412 I ZitiVPNService: received cmd[stop]
11-02 22:57:10.091  7347  7412 I ZitiVPNService: tunnel stop success
11-02 22:57:10.091  7347  7378 I tunnel:netif.cpp:119 android_netif_do(): stopping android netif
11-02 22:57:12.430  7347  7347 D WindowOnBackDispatcher: setTopOnBackInvokedCallback (unwrapped): android.app.Activity$$ExternalSyntheticLambda0@4e7bd2d
11-02 22:57:12.442  7347  7347 D WindowOnBackDispatcher: setTopOnBackInvokedCallback (unwrapped): null
11-02 22:57:12.443  7347  7347 D ImeBackDispatcher: Clear (mImeCallbacks.size=0)
11-02 22:57:12.444  7347  7347 I ImeTracker: org.openziti.mobile:6af7aad1: onRequestHide at ORIGIN_CLIENT reason HIDE_WINDOW_LOST_FOCUS fromUser false
11-02 22:57:12.444  7347  7347 D InsetsController: hide(ime())
11-02 22:57:12.445  7347  7347 I ImeTracker: org.openziti.mobile:6af7aad1: onCancelled at PHASE_CLIENT_ALREADY_HIDDEN
11-02 22:57:12.445  7347  7347 D ImeBackDispatcher: switch root view (mImeCallbacks.size=0)
11-02 22:57:12.452  7347  7347 D ViewRootImpl: Skipping stats log for color mode
11-02 22:57:12.458  7347  7347 D ImeBackDispatcher: Clear (mImeCallbacks.size=0)
11-02 22:57:12.458  7347  7347 D ImeBackDispatcher: switch root view (mImeCallbacks.size=0)
11-02 22:57:13.737  7347  7347 I ContentCaptureHelper: Setting logging level to OFF
11-02 22:57:13.742  7347  7347 D WindowOnBackDispatcher: setTopOnBackInvokedCallback (unwrapped): android.app.Activity$$ExternalSyntheticLambda0@ece8fe6
11-02 22:57:13.742  7347  7347 D WindowOnBackDispatcher: setTopOnBackInvokedCallback (unwrapped): androidx.activity.OnBackPressedDispatcher$Api34Impl$createOnBackAnimationCallback$1@faf8927
11-02 22:57:13.801  7347  7347 D ImeBackDispatcher: switch root view (mImeCallbacks.size=0)
11-02 22:57:14.442  7347  7378 D ziti-sdk:posture.c:213 ziti_send_posture_data(): ztx[3] posture checks must_send set to TRUE, new_session_id[FALSE], must_send_every_time[TRUE], new_controller_instance[FALSE]
11-02 22:57:15.100  7347  7347 I ZitiVPNService: onStartCommand Intent { act=start xflg=0x4 cmp=org.openziti.mobile/.ZitiVPNService }, 11
11-02 22:57:15.100  7347  7347 I ZitiVPNService: monitor=StandaloneCoroutine{Active}@2fe2e5f
11-02 22:57:15.101  7347  7412 I ZitiVPNService: received cmd[start]
11-02 22:57:15.103  7347  7412 I ZitiVPNService: link[386] addresses: [/my.client.net196]
11-02 22:57:15.103  7347  7412 I ZitiVPNService: link[386] nameservers: [/my.client.net252]
11-02 22:57:15.103  7347  7412 I ZitiVPNService: set upstream DNS[[my.client.net252]]
11-02 22:57:15.104  7347  7412 D Tunnel  : cmd[61] = SetUpstreamDNS:[{"host":"my.client.net252"}]
11-02 22:57:15.105  7347  7412 I ZitiVPNService: startTunnel()
11-02 22:57:15.105  7347  7378 I tunnel-cbs:ziti_dns.c:273 ziti_dns_set_upstream(): DNS upstream[1] is set to my.client.net252:53
11-02 22:57:15.105  7347  7378 I Tunnel  : resp = {"Success":true,"Code":0}
11-02 22:57:15.106  7347  7378 D Tunnel  : result[61] = SetUpstreamDNS:TunnelResult(success=true, code=0, error=null, data=null)
11-02 22:57:15.109  7347  7412 D ZitiVPNService: adding route Route(address=/100.64.0.0, bits=10)
11-02 22:57:15.111  7347  7412 I ZitiVPNService: creating tunnel interface
11-02 22:57:15.155  7347  7412 I ZitiVPNService: starting tunnel for fd=java.io.FileDescriptor@19fab3e
11-02 22:57:15.155  7347  7412 I ZitiVPNService: tunnel start success
11-02 22:57:15.155  7347  7378 I tunnel:netif.cpp:111 android_netif_do(): starting android netif
11-02 22:57:28.862  7347  7376 D ziti    : log is 16415 bytes
11-02 22:57:34.444  7347  7378 D ziti-sdk:posture.c:213 ziti_send_posture_data(): ztx[3] posture checks must_send set to TRUE, new_session_id[FALSE], must_send_every_time[TRUE], new_controller_instance[FALSE]
11-02 22:57:54.445  7347  7378 D ziti-sdk:posture.c:213 ziti_send_posture_data(): ztx[3] posture checks must_send set to TRUE, new_session_id[FALSE], must_send_every_time[TRUE], new_controller_instance[FALSE]

To me, it looks like it's connected. However, in the GUI, the identities are shown as "Offline."

I checked the services while the phone was connected to the cellular network. I could access the services connected via the 1.7.1 controller. So, it might just be a GUI update issue.

I tried the same thing with the 1.6.9 controller. But it did not work.

Chris

Thank you for the update!

  1. It seems that the 1.6.9 controller is configured with OIDC. The SDK seems to follow the authentication flow but gets 401/Unauthorized. Is it possible that your identity got messed up somehow? Could you try to re-enroll it or add another identity from that controller?

  2. Did you disable OIDC on the 1.7.1 controller? It would be great if you could turn the identity off and on, and collect the log right after.

Hi @ekoby ,

I'm not aware of any OIDC configurations on this controller. This is our "production" environment, and many clients are connected to it. I'm also unaware of any other clients currently experiencing issues. There is one more Android device that is still on the previous release, also without issues.
I tried re-enrolling my mobile device, but it didn't change anything.

What is the official way to disable OIDC? Should I remove the edge-oidc configuration from the YAML file, or is there another method?
(Hint: The controller is deployed via the Helm template and there currently seems to be no official way to disable edge-oidc - helm-charts/charts/ziti-controller/templates/configmap.yaml at main · openziti/helm-charts · GitHub @qrkourier :wink: )

I can try patching it manually during off-hours, though.
I'm not aware of any OIDC config on this controller.

I did it for both identities. I'll send you a PM with a download link to the logs.

@scareything Related to the new OSX client: This morning, after waking up the machine, only 1 of 3 identities succeeded in reconnecting. I had to disconnect/reconnect Ziti to get them up again. You'll also get a PM with the logs :wink:

Thanks!
/chris

ekoby,

Hello. Could this be related to the issue I reported at MFA with Go SDK ?

Thanks,
rja

Should the edge-oidc binding be enabled by default, disabled by default, or enabled only when the controller is deployed in clustered mode?

I may have assumed incorrectly that it is harmlessly enabled by default for non-clustered, standalone controllers.

We would prefer to deploy with edge-oidc to future-proof deployments, as it is required for transitioning to HA.
