I have read a lot of documents and projects related to browZer, and after building the browZer project I found that the verification methods are not quite the same: BrowZer uses the IdP verification method, while other client platforms use the jwtfile. So I checked the code of the browZer dependency library: the access token returned by the IdP is passed into the browzer-core library and validated via authenticate?method=ext-jwt.
Through this blog, Integrate OpenZiti with JWTs, PKIs for seamless service authentication, I was wondering whether it's possible to use a jwtfile to verify it: can I use the jwtfile's token to replace the access_token returned by the IdP? The IdP verification process is completely different from the jwtfile+ott process. I would like to know where the key points of using a jwtfile are for BrowZer. The entire process of BrowZer seems to be for IdP services, without a jwtfile interface.
If I create an HTML page and pass in a jwtfile, then click enroll to connect to the ZAC or dark web like other clients, the service worker would be responsible for the fetch work in the background.
Hi @McGonagall666,
Yes, the Ziti BrowZer Runtime (ZBR) authenticates with the Ziti Control plane via a REST call to authenticate?method=ext-jwt. The Bearer token (i.e. the JWT) used on this REST call is dynamically obtained from whatever IdP is configured for the particular browZer stack. (These IdP-based JWTs are ephemeral and tend to have a short lifespan, e.g. 8 hours, 24 hours, or similar, depending on how the system admin wishes to control it.)
The design of browZer involves no access to the client-side file system and no usage of the type of JWTs that are used in non-browZer enrollments and authentication flows.
It is not possible to do what you suggest.
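The ext-jwt authenticate call described in the reply, as an added example that is not ZBR's or browzer-core's own code: it checks the IdP-issued JWT's `exp` claim before use (a freshness check only; signature validation is the controller's job) and then posts the Bearer token to the controller. It assumes the controller exposes the Edge Client API under `/edge/client/v1` and answers with `{"data":{"token":...}}`; `fetchImpl` is injectable so the example runs offline against a fake fetch, and the sample token is constructed and unsigned.

```javascript
// Decode the payload segment of a compact JWS (base64url, no padding).
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Seconds of validity left (negative when expired). Freshness only:
// the controller, not the client, verifies the IdP signature.
function secondsUntilExpiry(jwt, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { exp } = decodeJwtPayload(jwt);
  if (typeof exp !== 'number') throw new Error('JWT has no exp claim');
  return exp - nowSeconds;
}

// Build the REST call the reply describes (assumed Edge Client API path).
function buildExtJwtRequest(controllerUrl, jwt) {
  const base = controllerUrl.replace(/\/$/, '');
  return {
    url: `${base}/edge/client/v1/authenticate?method=ext-jwt`,
    options: {
      method: 'POST',
      headers: { Authorization: `Bearer ${jwt}`, 'Content-Type': 'application/json' },
      body: JSON.stringify({}),
    },
  };
}

// Refuse to send an expired IdP token; return the API session token
// (assumed to be at data.token) for subsequent controller calls.
async function authenticateWithExtJwt(controllerUrl, jwt, fetchImpl = fetch, nowSeconds) {
  if (secondsUntilExpiry(jwt, nowSeconds) <= 0) {
    throw new Error('IdP token expired; obtain a fresh one before calling the controller');
  }
  const { url, options } = buildExtJwtRequest(controllerUrl, jwt);
  const res = await fetchImpl(url, options);
  if (!res.ok) throw new Error(`authenticate failed: HTTP ${res.status}`);
  const body = await res.json();
  return body.data.token;
}

// Constructed, unsigned sample token for offline use (alg "none").
function makeSampleJwt(exp) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc({ sub: 'user@example.com', exp })}.sig`;
}
```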