External JWT Signer with Authentik

Hey, I’m having trouble setting up an external JWT Signer with Authentik.

I was wondering if anyone was willing to share his configuration, to see if I’m missing anything in mine…

Here’s my setup right now:

```json
{
  "_links": {
    "self": {
      "href": "./external-jwt-signers/72V8njB3x4GtajoXAlEtWh"
    }
  },
  "createdAt": "2025-12-17T22:48:31.971Z",
  "id": "72V8njB3x4GtajoXAlEtWh",
  "tags": {},
  "updatedAt": "2025-12-17T22:48:31.971Z",
  "audience": "openziti",
  "certPem": null,
  "claimsProperty": "email",
  "clientId": "openziti",
  "commonName": "",
  "enabled": true,
  "enrollAttributeClaimsSelector": "email",
  "enrollAuthPolicyId": "kdQ6IdEN8waW8JtQ1ShGl",
  "enrollNameClaimsSelector": "email",
  "enrollToTokenEnabled": true,
  "externalAuthUrl": "https://auth.mydomain.com/application/o/openziti/",
  "fingerprint": null,
  "issuer": "https://auth.mydomain.com/application/o/openziti/",
  "jwksEndpoint": "https://auth.mydomain.com/application/o/openziti/jwks/",
  "kid": null,
  "name": "authentik",
  "notAfter": "0001-01-01T00:00:00.000Z",
  "notBefore": "0001-01-01T00:00:00.000Z",
  "scopes": [
    "email"
  ],
  "targetToken": "ACCESS",
  "useExternalId": true
}
```

With that config I always get the following error when enrolling a client:

```json
{
  "authMethod":"ext-jwt",
  "file":"github.com/openziti/ziti/controller/model/authenticator_mod_ext_jwt.go:183",
  "func":"github.com/openziti/ziti/controller/model.(*AuthModuleExtJwt).process",
  "level":"error",
  "msg":"encountered 0 candidate JWTs, verification cannot occur",
  "time":"2025-12-17T21:27:07.984Z"
}
```

And on the client side I get a “Partially Available” status…

I also already have an Auth Policy, and I manually created my client identity.

Thank you!!

> "msg":"encountered 0 candidate JWTs, verification cannot occur",

Hi @astro, this error seems to me to be more of an OpenZiti configuration issue. Before trying an Auth Policy, I'd recommend you set your client's identity back to the default policy (which allows for ext-jwt-signer auth by default). What this is telling you is that there are no eligible signers for the JWT provided. My guess is that you have misconfigured that auth policy.

See what you get from the default auth policy first and then we can look at the auth policy assuming default works fine.

Also, have a look at this post from just a few days ago: "Problem with importing network.jwt or using the URL method - #2 by TheLumberjack".

It discusses using `ziti ops verify ext-jwt-signer oidc` to help troubleshoot these sorts of issues.
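To make "no eligible signers for the JWT provided" concrete, here is an added offline diagnostic (example code written for this thread, not OpenZiti's controller code and not the `ziti ops verify` tool). It models, in simplified form, the checks a controller has to pass before it can even try to verify a signature: the token's `iss` must equal the signer's `issuer` exactly (trailing slash included), the signer's `audience` must appear in `aud`, the token header's `kid` must exist in the signer's JWKS, and the configured `claimsProperty` must be present. The signer config values are taken from the post above; the JWKS key id, the tokens and the fake signatures are constructed, and the exact matching rules are an assumption about how candidate selection works, not a statement of the controller's implementation.

```python
"""Offline check: which external JWT signers are candidates for a given JWT?

Constructed example for this thread, not OpenZiti code. It decodes a compact
JWT without verifying it and applies a simplified candidate-selection model
(issuer, audience, kid, claims property, expiry). Signature verification
against the JWKS is deliberately out of scope here.
"""
import base64
import json
import time
from typing import Dict, List, Optional, Tuple


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Build a compact JWT with a placeholder signature (constructed test data)."""
    parts = [b64url_encode(json.dumps(header).encode()),
             b64url_encode(json.dumps(payload).encode()),
             b64url_encode(b"fake-signature")]
    return ".".join(parts)


def parse_jwt(token: str) -> Tuple[dict, dict]:
    """Split a compact JWS and decode header and payload (no verification)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated parts")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def candidate_signers(token: str, signers: List[dict],
                      now: Optional[float] = None) -> Tuple[List[str], Dict[str, str]]:
    """Return (names of candidate signers, {signer name: first rejection reason})."""
    now = time.time() if now is None else now
    header, payload = parse_jwt(token)
    aud = payload.get("aud")
    aud_set = set(aud) if isinstance(aud, list) else {aud}  # aud may be string or list
    candidates: List[str] = []
    rejected: Dict[str, str] = {}
    for s in signers:
        name = s["name"]
        known_kids = {k["kid"] for k in s["jwks"]["keys"]}
        if not s.get("enabled", False):
            rejected[name] = "signer disabled"
        elif payload.get("iss") != s["issuer"]:  # exact string match, slash included
            rejected[name] = f"iss {payload.get('iss')!r} != configured issuer {s['issuer']!r}"
        elif s["audience"] not in aud_set:
            rejected[name] = f"aud {sorted(aud_set)} does not contain {s['audience']!r}"
        elif header.get("kid") not in known_kids:
            rejected[name] = f"kid {header.get('kid')!r} not found in signer JWKS"
        elif s["claimsProperty"] not in payload:
            rejected[name] = f"claims property {s['claimsProperty']!r} missing from token"
        elif "exp" in payload and payload["exp"] < now:
            rejected[name] = "token expired"
        else:
            candidates.append(name)
    return candidates, rejected


# Signer modelled on the config in the post; the JWKS content is constructed.
SIGNERS = [{
    "name": "authentik",
    "enabled": True,
    "issuer": "https://auth.mydomain.com/application/o/openziti/",
    "audience": "openziti",
    "claimsProperty": "email",
    "jwks": {"keys": [{"kid": "example-kid-1", "kty": "RSA"}]},
}]

ISS = "https://auth.mydomain.com/application/o/openziti/"
EXP = 4102444800  # 2100-01-01, so the constructed tokens stay unexpired
GOOD_TOKEN = make_unsigned_token(
    {"alg": "RS256", "kid": "example-kid-1"},
    {"iss": ISS, "aud": "openziti", "email": "user@example.com", "exp": EXP})
# Same token but aud points at some other client: reproduces "0 candidate JWTs".
BAD_AUD_TOKEN = make_unsigned_token(
    {"alg": "RS256", "kid": "example-kid-1"},
    {"iss": ISS, "aud": "some-other-app", "email": "user@example.com", "exp": EXP})

if __name__ == "__main__":
    for label, tok in [("good", GOOD_TOKEN), ("wrong aud", BAD_AUD_TOKEN)]:
        found, why = candidate_signers(tok, SIGNERS)
        print(f"{label}: encountered {len(found)} candidate signer(s) {found}; rejections: {why}")
```

When the script reports zero candidates, the rejection reason names the first configuration field that disagrees with the token, which is usually enough to decide whether to look at the signer config, the Authentik provider (issuer, client id, audience), or the auth policy that decides whether ext-jwt authentication is allowed for the identity at all.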

Wow, it was indeed the custom policy, not sure what was wrong with it, it was a simple super basic Auth Policy with only Ext Jwt checked (maybe it’s not as simple as thought)

Anyway, switching back to the Default policy worked right away, thanks!