Getting issues while trying to install Enabling BrowZer

I was going through the BrowZer installation guide based on the documentation -> Example Enabling BrowZer | OpenZiti.
Once Auth0 redirects to the actual BrowZer domain, I am getting this error:
ZBSW-warn _shouldRouteOverZiti: no associated Ziti config, bypassing intercept of [https://brozac.openziti....]

And it is continuously loading the page indefinitely. Can you please help?

Hi @Suvankar. Welcome to the community and to OpenZiti and BrowZer!

no associated Ziti config,

Hmmm. That seems like something isn't quite set up correctly. During development, it's possible for BrowZer to get some state stuck and clearing that state can fix the issue. Could you start by opening developer tools and going to "Application" and "Clear Site Data" and see if that fixes this particular issue? @curt will probably have more/better help to offer but in the meantime, you can try that to see if it kickstarts the process.


When log msgs indicate that no associated Ziti config, bypassing intercept... it usually means one of the following things:

  • there is no Service in the network that maps to the URL mentioned in the warning
  • the Identity being used lacks the necessary Policy attributes to reach the Service if it does indeed exist

I did that and also ran in incognito mode, but the site is continuously reloading itself. All XHR calls are giving 200 though.

As per the guide, these were the service and identities created.

intercept_address="${ZITI_BROWZER_SERVICE}.ziti"
intercept_port=80
offload_address=127.0.0.1
offload_port=1408

function createService {
  ziti edge create config ${ZITI_BROWZER_SERVICE}.host.config host.v1 '{"protocol":"tcp", "address":"'"${offload_address}"'", "port":'${offload_port}'}'
  ziti edge create config ${ZITI_BROWZER_SERVICE}.int.config  intercept.v1 '{"protocols":["tcp"],"addresses":["'"${intercept_address}"'"], "portRanges":[{"low":'${intercept_port}', "high":'${intercept_port}'}]}'
  ziti edge create service "${ZITI_BROWZER_SERVICE}" --configs "${ZITI_BROWZER_SERVICE}.host.config","${ZITI_BROWZER_SERVICE}.int.config"
  ziti edge create service-policy "${ZITI_BROWZER_SERVICE}.bind" Bind --service-roles "@${ZITI_BROWZER_SERVICE}" --identity-roles "#${ZITI_BROWZER_SERVICE}.binders"
  ziti edge create service-policy "${ZITI_BROWZER_SERVICE}.dial" Dial --service-roles "@${ZITI_BROWZER_SERVICE}" --identity-roles "#${ZITI_BROWZER_SERVICE}.dialers"
}

function deleteService {
  ziti edge delete config  where 'name contains "'"${ZITI_BROWZER_SERVICE}"'."'
  ziti edge delete service where 'name = "'"${ZITI_BROWZER_SERVICE}"'"'
  ziti edge delete sp      where 'name contains "'"${ZITI_BROWZER_SERVICE}"'."'
}

createService
echo "creating users specified by ZITI_BROWZER_IDENTITIES: ${ZITI_BROWZER_IDENTITIES}"
for id in ${ZITI_BROWZER_IDENTITIES}; do
  ziti edge create identity user "${id}" --auth-policy ${auth_policy} --external-id "${id}" -a "${ZITI_BROWZER_SERVICE}.dialers"
done

#ziti edge update identity "${id}" -a $(ziti edge list identities 'name="'${id}'"' -j | jq -r '.data[].roleAttributes | map(. // "") | @csv'),"${ZITI_BROWZER_SERVICE}.dialers"
ziti edge update identity "${ZITI_ROUTER_NAME}" -a "${ZITI_BROWZER_SERVICE}.binders"

Here are some configurations:

[root@ip-172-31-49-247 ~]# ziti edge list identities
╭────────────┬───────────────────────────────────────────┬─────────┬────────────────┬───────────────────────────╮
│ ID         │ NAME                                      │ TYPE    │ ATTRIBUTES     │ AUTH-POLICY               │
├────────────┼───────────────────────────────────────────┼─────────┼────────────────┼───────────────────────────┤
│ -zNcxP0r5  │ suvankar@info.com                   │ Default │ brozac.dialers │ browzer-auth0-auth-policy │
│ 0UnL-AEGlU │ ip-172-31-49-247.ec2.internal-edge-router │ Router  │ brozac.binders │ Default                   │
│ 6-NLxsar5  │ svarna@info.com                │ Default │ brozac.dialers │ browzer-auth0-auth-policy │
│ JXX9EPBGs  │ Default Admin                             │ Default │                │ Default                   │
│ KmNLjPar5I │ debabarna@info.com                      │ Default │ brozac.dialers │ browzer-auth0-auth-policy │
╰────────────┴───────────────────────────────────────────┴─────────┴────────────────┴───────────────────────────╯

[root@ip-172-31-49-247 ~]# ziti edge list service-policies 
╭────────────────────────┬─────────────┬──────────┬───────────────┬─────────────────┬─────────────────────╮
│ ID                     │ NAME        │ SEMANTIC │ SERVICE ROLES │ IDENTITY ROLES  │ POSTURE CHECK ROLES │
├────────────────────────┼─────────────┼──────────┼───────────────┼─────────────────┼─────────────────────┤
│ 4nMxxeq8w2pzxdtTnoLylO │ brozac.bind │ AllOf    │ @brozac       │ #brozac.binders │                     │
│ NGetsc8uEt8Au42kRtvZq  │ brozac.dial │ AllOf    │ @brozac       │ #brozac.dialers │                     │
╰────────────────────────┴─────────────┴──────────┴───────────────┴─────────────────┴─────────────────────╯
[root@ip-172-31-49-247 ~]# ziti edge list configs
╭────────────────────────┬────────────────────┬──────────────╮
│ ID                     │ NAME               │ CONFIG TYPE  │
├────────────────────────┼────────────────────┼──────────────┤
│ 7ev08WaxdV0qR8eJhBAPur │ brozac.host.config │ host.v1      │
│ fE5NwqdBcA2VnogvhrWck  │ brozac.int.config  │ intercept.v1 │
╰────────────────────────┴────────────────────┴──────────────╯
[root@ip-172-31-49-247 ~]#  ziti edge policy-advisor services brozac -q
OKAY : suvankar@info.com (1) -> brozac (1) Common Routers: (1/1) Dial: Y Bind: N 

OKAY : ip-172-31-49-247.ec2.internal-edge-router (1) -> brozac (1) Common Routers: (1/1) Dial: N Bind: Y 

OKAY : svarna@info.com (1) -> brozac (1) Common Routers: (1/1) Dial: Y Bind: N 

OKAY : debabarna@info.com (1) -> brozac (1) Common Routers: (1/1) Dial: Y Bind: N 

[root@ip-172-31-49-247 ~]#  ziti edge list services 
╭────────────────────────┬────────┬────────────┬─────────────────────┬────────────╮
│ ID                     │ NAME   │ ENCRYPTION │ TERMINATOR STRATEGY │ ATTRIBUTES │
│                        │        │  REQUIRED  │                     │            │
├────────────────────────┼────────┼────────────┼─────────────────────┼────────────┤
│ 6OR9TTB7fjBJCzi2dOtcHe │ brozac │ true       │ smartrouting        │            │
╰────────────────────────┴────────┴────────────┴─────────────────────┴────────────╯
[root@ip-172-31-49-247 ~]#  ziti edge list service-policies  
╭────────────────────────┬─────────────┬──────────┬───────────────┬─────────────────┬─────────────────────╮
│ ID                     │ NAME        │ SEMANTIC │ SERVICE ROLES │ IDENTITY ROLES  │ POSTURE CHECK ROLES │
├────────────────────────┼─────────────┼──────────┼───────────────┼─────────────────┼─────────────────────┤
│ 4nMxxeq8w2pzxdtTnoLylO │ brozac.bind │ AllOf    │ @brozac       │ #brozac.binders │                     │
│ NGetsc8uEt8Au42kRtvZq  │ brozac.dial │ AllOf    │ @brozac       │ #brozac.dialers │                     │
╰────────────────────────┴─────────────┴──────────┴───────────────┴─────────────────┴─────────────────────╯

Can you look at (or show us) the "externalId" from those identities? For example, if you have jq installed, you can run something like:

ziti edge list identities -j | jq  -r '.data[] | [.name, .authPolicyId, .externalId]'
[
  "ip-172-31-11-231-edge-router",
  "default",
  null
]
[
  "Default Admin",
  "default",
  null
]
[
  "clint@my.email.addresss",
  "73XdDHYATp8ooPoS5obSmq",
  "clint@my.email.addresss"
]
[
  "public",
  "default",
  null
]

See how the result is that the externalId is clint@my.email.addresss. Do you have that set up properly? It's a very easy thing to misconfigure.

Then check that the identities are all mapped to the proper auth policy (mine is id: 73XdDHYATp8ooPoS5obSmq).

Then verify that the JWT that's returning from the IdP uses the proper claim field and that the value is correct:

ziti edge list ext-jwt-signers
╭────────────────────────┬─────────────────────────────────┬────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ ID                     │ NAME                            │ CONFIG                                                                                                         │
├────────────────────────┼─────────────────────────────────┼─────────────────┬──────────────────────────────────────────────────────────────────────────────────────────────┤
│ 67owcEocxNZ71LmCXWcEYx │ browzer-keycloak-ext-jwt-signer │ Audience        │ browzerBootstrapClient                                                                       │
│                        │                                 ├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────┤
│                        │                                 │ Claim Property  │ email                                                                                        │
│                        │                                 ├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────┤
│                        │                                 │ Enabled         │ true                                                                                         │
│                        │                                 ├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────┤
│                        │                                 │ Issuer          │ https://keycloak.clint.demo.openziti.org:8446/realms/zitirealm                               │
│                        │                                 ├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────┤
│                        │                                 │ JWKS URL        │ https://keycloak.clint.demo.openziti.org:8446/realms/zitirealm/protocol/openid-connect/certs │
│                        │                                 ├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────┤
│                        │                                 │ Type            │ JWKS                                                                                         │
│                        │                                 ├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────┤
│                        │                                 │ Use External Id │ true                                                                                         │
╰────────────────────────┴─────────────────────────────────┴─────────────────┴──────────────────────────────────────────────────────────────────────────────────────────────╯
results: 1-1 of 1

See how my "Claim Property" is set to "email"? The JWT that comes back from the IdP needs to have a field called "email" with a value of clint@my.email.addresss.

If you can check all those things -- one of them will probably be wrong :wink:
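
The three checks listed in the reply above (externalId, auth policy, claim field and value) can be run in one pass. The following is an added example, not part of any poster's message and not OpenZiti code: it reads the `name`, `authPolicyId` and `externalId` fields used in the jq filter above, decodes the token payload without verifying its signature, and works on constructed sample identities, a constructed token and a placeholder policy id (`POLICY-ID`).

```python
import base64
import json

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(identities_json, token, claim_property, auth_policy_id):
    """List the reasons this token would not map to a usable identity."""
    claims = jwt_claims(token)
    value = claims.get(claim_property)
    if not isinstance(value, str):
        return [f"JWT has no string claim {claim_property!r}; claims present: {sorted(claims)}"]
    identities = json.loads(identities_json)["data"]
    matches = [i for i in identities if i.get("externalId") == value]
    if not matches:
        problems = [f"no identity has externalId {value!r}"]
        for i in identities:  # name is right but externalId is unset, or differs by case/space
            ext = i.get("externalId")
            if i["name"] == value or (ext and ext.strip().lower() == value.strip().lower()):
                problems.append(f"near miss: identity {i['name']!r} has externalId {ext!r}")
        return problems
    return [f"identity {i['name']!r} has auth policy {i.get('authPolicyId')!r}, expected {auth_policy_id!r}"
            for i in matches if i.get("authPolicyId") != auth_policy_id]

def make_token(claims):
    """Build a constructed, unsigned sample token for the demo below."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "constructed-signature"])

# Constructed sample in the shape of `ziti edge list identities -j` (only the three fields used above).
SAMPLE_IDENTITIES = json.dumps({"data": [
    {"name": "Default Admin", "authPolicyId": "default", "externalId": None},
    {"name": "alice@example.com", "authPolicyId": "POLICY-ID", "externalId": "alice@example.com"},
    {"name": "bob@example.com", "authPolicyId": "default", "externalId": "bob@example.com"},
    {"name": "carol@example.com", "authPolicyId": "POLICY-ID", "externalId": None},
]})

if __name__ == "__main__":
    for claims in ({"email": "alice@example.com"}, {"email": "bob@example.com"},
                   {"email": "carol@example.com"}, {"sub": "auth0|constructed"}):
        print(claims, "->", diagnose(SAMPLE_IDENTITIES, make_token(claims), "email", "POLICY-ID") or "OK")
```

Against a real network, pass the output of `ziti edge list identities -j` as `identities_json` and the token captured from the IdP redirect as `token`; an empty list means all three checks passed.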