I am trying to experiment with 2FA for client authentication: The X509 certificate is used as the first factor and an ext-jwt-signer as the second factor.
The authentication policy I am using is as follows:
./bin/ziti edge create auth-policy auth0-okta-policy \
--primary-cert-allowed \
--secondary-req-ext-jwt-signer <auth0-okta-id>
I authenticate with the x509 certificate as:
curl -s -X POST -H "Accept: application/json" \
--cert pki/certs/2faclient.cert \
--key pki/keys/2faclient.key \
--cacert pki/certs/2faclient.pem \
"https://localhost:8441/edge/client/v1/authenticate?method=cert" | jq -r '.data.token' > etc/2faclient.tok
The /edge/client/v1/current-api-session endpoint then shows a pending ext-jwt request under authQueries.
I then attempt the following:
curl -s -X GET -H "Accept: application/json" \
--cert pki/certs/2faclient.cert \
--key pki/keys/2faclient.key \
--cacert pki/certs/2faclient.pem \
-H "zt-session: $(cat etc/2faclient.tok)" \
-H "Authorization: Bearer $(cat etc/okta.jwt)" \
https://localhost:8441/edge/client/v1/current-api-session
I get the following error in the controller log:
[5021.704] ERROR ziti/controller/model.(*AuthModuleExtJwt).process: {externalJwtSignerId=[7iqzZZ2maqJOE3K6mQ5EMP] claimsIssuer=[https://identity.oraclecloud.com/] idClaimProperty=[sub] authMethod=[ext-jwt]} external jwt authentication on auth policy is disabled
I have looked through the documentation on API session but cannot seem to make any headway in figuring out what I might be doing wrong:
Would appreciate any guidance.
Thanks in advance.
You want to have two forms of auth, but you're not using one of our SDKs nor tunnelers right? You're looking to do this with curl alone?
Correct @TheLumberjack.
I am not using the SDK. And AFAIK the tunnellers currently do not support ext-jwt-signer as the second factor.
So I am just experimenting with curl.
You need to use the authenticate url to obtain a session. Then use the session/cert/bearer. I think this will be enough for you, but if not lemme know
zt_session=$(curl -s -X POST -H "Accept: application/json" \
--cert zsshSvcClient.cert \
--key zsshSvcClient.key \
--cacert zsshSvcClient.ca \
-H "Authorization: Bearer ${tok}" \
"https://localhost:1280/edge/client/v1/authenticate?method=cert" \
| jq -r .data.token)
curl -v -s -X GET -H "Accept: application/json" \
--cert zsshSvcClient.cert \
--key zsshSvcClient.key \
--cacert zsshSvcClient.ca \
-H "Authorization: Bearer ${tok}" \
-H "zt-session: $zt_session" \
https://localhost:1280/edge/client/v1/current-api-session
I tried that too @TheLumberjack. It still fails:
curl -s -X POST -H "Accept: application/json" \
--cert pki/certs/2faclient.cert \
--key pki/keys/2faclient.key \
--cacert pki/certs/2faclient.pem \
-H "Authorization: Bearer $(cat etc/idcs.jwt)" \
"https://localhost:8441/edge/client/v1/authenticate?method=cert" | jq -r '.data.token' > etc/2faclient.tok
Followed by:
curl -s -X GET -H "Accept: application/json" \
--cert pki/certs/2faclient.cert \
--key pki/keys/2faclient.key \
--cacert pki/certs/2faclient.pem \
-H "zt-session: $(cat etc/2faclient.tok)" \
-H "Authorization: Bearer $(cat etc/idcs.jwt)" \
https://localhost:8441/edge/client/v1/current-api-session | jq
Get the same error after each command:
[ 108.975] ERROR ziti/controller/model.(*AuthModuleExtJwt).process: {authMethod=[ext-jwt] externalJwtSignerId=[7iqzZZ2maqJOE3K6mQ5EMP] claimsIssuer=[https://identity.oraclecloud.com/] idClaimProperty=[sub]} external jwt authentication on auth policy is disabled
And the authQueries list shows EXT-JWT as pending.
I tested it all locally before sending it to you. I'm pretty certain it works. I'd expect you haven't created and assigned the auth policy quite right then. I used the zssh commands to set up my identity. You might want to check that out and see what I did differently. You can find the commands here: GitHub - openziti-test-kitchen/zssh: Ziti SSH
You'll want to use the "....-identity-and-oidc" one. Created by:
identity_and_oidc=$(ziti edge create auth-policy "${service_name}.${auth_policy_name}-identity-and-oidc" \
--primary-cert-allowed \
--primary-cert-expired-allowed \
--secondary-req-ext-jwt-signer "${ext_jwt_signer_id}")
echo "identity_and_oidc created with id: ${identity_and_oidc}"
You have created an identity with an external id that matches the sub field of your JWT and issuer? I can make a short video demonstrating how I did this with Keycloak and the zssh stuff found on that page if you need it, but it won't be for a while. It's quite late here local time.
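Added example, not part of this thread or of the OpenZiti project: a small Python check for the two things asked about above, runnable before the token is ever sent with curl. It decodes the external JWT's claims and compares `iss` against the ext-jwt-signer's issuer and `sub` (the idClaimProperty from the log line) against the Ziti identity's externalId, and it reads a current-api-session response to report which authQueries are still pending. The JWT and the session JSON are constructed samples with a placeholder signature; the script inspects claims only and performs no signature verification (the controller does that), and the authQueries field shape is an approximation of what the client API returns.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample token: header.payload.signature. The signature segment is a
# placeholder; nothing here verifies it.
SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "example-kid"}).encode()),
    _b64url(json.dumps({
        "iss": "https://identity.oraclecloud.com/",
        "sub": "2faclient-external-id",
        "aud": "openziti",
        "exp": 1999999999,
    }).encode()),
    "c2lnbmF0dXJl",  # placeholder, not a real signature
])

# Constructed sample of GET /edge/client/v1/current-api-session with the
# second factor still outstanding (field names approximate the real response).
SAMPLE_SESSION_PENDING = json.dumps({
    "data": {
        "id": "constructed-session-id",
        "authQueries": [
            {"typeId": "EXT-JWT", "provider": "ziti", "id": "7iqzZZ2maqJOE3K6mQ5EMP", "format": "jwt"}
        ],
    }
})


def decode_jwt_claims(token: str) -> dict:
    """Decode the payload segment of a compact JWT. No verification is done."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_ext_jwt_mapping(token: str, signer_issuer: str, identity_external_id: str,
                          id_claim: str = "sub") -> list:
    """Return the mismatches between the token and the signer/identity config.

    An empty list means the token should map onto the identity. Issuer
    comparison is an exact string match (RFC 7519 treats iss as a StringOrURI),
    so a trailing slash difference is a mismatch.
    """
    claims = decode_jwt_claims(token)
    problems = []
    if claims.get("iss") != signer_issuer:
        problems.append(f"iss {claims.get('iss')!r} != signer issuer {signer_issuer!r}")
    if claims.get(id_claim) != identity_external_id:
        problems.append(f"{id_claim} {claims.get(id_claim)!r} != identity externalId {identity_external_id!r}")
    return problems


def pending_auth_queries(session_json: str) -> list:
    """typeIds of authQueries still pending on an API session; empty means fully authenticated."""
    body = json.loads(session_json)
    return [q.get("typeId", "?") for q in body.get("data", {}).get("authQueries", [])]


if __name__ == "__main__":
    # Values a user would fill in from `ziti edge list ext-jwt-signers` and the identity.
    print(check_ext_jwt_mapping(SAMPLE_JWT, "https://identity.oraclecloud.com/", "2faclient-external-id"))
    print(check_ext_jwt_mapping(SAMPLE_JWT, "https://identity.oraclecloud.com", "2faclient-external-id"))
    print(pending_auth_queries(SAMPLE_SESSION_PENDING))
```

Feed it a real token with `python3 check.py` after replacing SAMPLE_JWT with `open("etc/okta.jwt").read().strip()`, and the curl output of current-api-session in place of SAMPLE_SESSION_PENDING; an empty pending list after the authenticate call is the signal that the second factor was accepted.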
Thank you @TheLumberjack .
I will go over the video. So sorry to keep you up so late.
I think I have got the auth-policy correct. In fact, it is exactly the same command as yours except for the --primary-cert-expired-allowed option. And things do work if I make the ext-jwt-signer primary on the auth-policy.
However, to be sure I am on v1.1.7. So I will try and upgrade as well.
Here you go.
Commands issued:
# ziti cli commands shown
ziti edge quickstart
ziti edge create identity --admin curladmin -o curladmin.jwt
ziti edge enroll curladmin.jwt
ziti ops unwrap curladmin.jwt
chmod 700 curladmin.*
# get a JWT from the IdP, set it into $bearer
bearer="token here"
# authenticate to get a zt-session
zt_session=$(curl -s -X POST -H "Accept: application/json" \
--cert curladmin.cert \
--key curladmin.key \
--cacert curladmin.ca \
-H "Authorization: Bearer ${bearer}" \
"https://localhost:1280/edge/management/v1/authenticate?method=cert" \
| jq -r .data.token)
echo $zt_session
# use the session to list identities:
curl -v -s -X GET -H "Accept: application/json" \
--cert curladmin.cert \
--key curladmin.key \
--cacert curladmin.ca \
-H "Authorization: Bearer ${bearer}" \
-H "zt-session: $zt_session" \
https://localhost:1280/edge/management/v1/identities \
| jq .data[].name
# use it to call the client API
curl -v -s -X GET -H "Accept: application/json" \
--cert curladmin.cert \
--key curladmin.key \
--cacert curladmin.ca \
-H "Authorization: Bearer ${bearer}" \
-H "zt-session: $zt_session" \
https://localhost:1280/edge/client/v1/current-api-session
Thanks a ton @TheLumberjack for your help.
@TheLumberjack
Confirming that the error is not observed with ziti v1.1.11.
2FA works properly and services are accessible.
Surprisingly, the glibc issue is also resolved, and I can continue to work with OracleLinux 8.
Thank you again for your help with this.