OIDC external JWT auth

Hello,

I am configuring OIDC external JWT authentication (Keycloak) with OpenZiti.

Deployment:

  • Controller: Docker

  • ZAC: Docker

  • Keycloak: Docker

  • Tunneller: running locally (not in Docker)

My goal is:
Run the tunneller locally and authenticate via Keycloak, using an OIDC external JWT signer, through the Controller.

When I perform OIDC external authentication from the local tunneller, it returns:

{
  "Success": false,
  "Error": "ziti context not found",
  "Code": 500
}

But I used an absolute path.

External JWT Signer Configuration:

{
  "name": "keyclock",
  "audience": "ztnet-client",
  "issuer": "http://176.16.63.11:18080/realms/ztnet",
  "clientId": "ztnet-client",
  "claimsProperty": "email",
  "enabled": true,
  "useExternalId": true,
  "kid": "",
  "externalAuthUrl": "http://176.16.63.11:18080/realms/ztnet",
  "scopes": [
    "email"
  ],
  "tags": {},
  "jwksEndpoint": "ttp://176.16.63.11:18080/realms/ztnet/protocol/openid-connect/certs"
}

Does the tunnel need to run in the same environment or network as the Controller?

Hi @Guardiant314

I don't have a great vision in my head about your topology but the answer to this is 'certainly not'. To use external JWTs, here's what is needed:

  • the controller needs to be able to create a trusted connection to the url in the ext-jwt-signer jwks_uri -- or you need to provide the "Cert PEM" that allows the controller to validate the JWTs. It's easy to use a self-signed cert for the IdP (Keycloak) but that won't allow the controller to connect to Keycloak in a trusted way. That is a problem that's hit people before.
  • the tunneler needs to be able to connect to the IdP directly as the IdP is what generates the token for your tunneler
  • the tunneler needs to be able to connect to the controller and at least one router

that help any?
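To make the first bullet above concrete, here is an added example of my own (not OpenZiti's controller code) showing what goes wrong when the IdP behind jwksEndpoint presents a self-signed certificate, and what fixes it. It starts a local HTTPS server that stands in for Keycloak, fetches the JWKS trusting only the system roots (which fails with the unknown-authority error a controller would hit), then fetches again after trusting the IdP's own certificate PEM, the equivalent of filling in the signer's "Cert PEM" or adding the CA to the controller's trust store. The server, its certificate and the JWKS body are all constructed locally; only the certs path mirrors the Keycloak URL from this thread.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Constructed stand-in for the body Keycloak serves at
// /realms/ztnet/protocol/openid-connect/certs (a real one carries RSA moduli).
const sampleJWKS = `{"keys":[{"kid":"demo","kty":"RSA","alg":"RS256","use":"sig","n":"AQAB","e":"AQAB"}]}`

// newIdP starts a local HTTPS server with a self-signed certificate, mimicking
// a Keycloak instance whose certificate chains to nothing the controller trusts.
func newIdP() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/realms/ztnet/protocol/openid-connect/certs", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		io.WriteString(w, sampleJWKS)
	})
	return httptest.NewTLSServer(mux)
}

// fetchJWKS performs the controller-side step of resolving jwksEndpoint: an
// HTTPS GET whose server certificate must chain to a trusted root. caPEM is
// optional; when it is empty only the system roots are trusted.
func fetchJWKS(url string, caPEM []byte) ([]byte, error) {
	tr := &http.Transport{}
	if len(caPEM) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, errors.New("caPEM contains no parsable certificate")
		}
		tr.TLSClientConfig = &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	}
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("jwks endpoint returned %s", resp.Status)
	}
	return io.ReadAll(resp.Body)
}

// certPEM returns the IdP's own certificate as PEM: the value you would paste
// into the signer's "Cert PEM" field or add to the controller's trust store.
func certPEM(srv *httptest.Server) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
}

// isUntrustedCertError reports whether err is the trust failure a controller
// hits when the IdP presents a self-signed certificate.
func isUntrustedCertError(err error) bool {
	var unknownAuthority x509.UnknownAuthorityError
	return errors.As(err, &unknownAuthority)
}

func main() {
	idp := newIdP()
	defer idp.Close()
	url := idp.URL + "/realms/ztnet/protocol/openid-connect/certs"

	_, err := fetchJWKS(url, nil)
	fmt.Println("system roots only:", err, "| untrusted cert:", isUntrustedCertError(err))

	body, err := fetchJWKS(url, certPEM(idp))
	fmt.Println("with IdP cert PEM:", string(body), err)
}
```

The same split applies to a real deployment: if the controller cannot complete the TLS handshake to jwksEndpoint, no key material is ever loaded and no token from that signer can validate, however correct the rest of the signer configuration is.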

Thanks TheLumberjack,

Is the identity mapping process failing?

I can see a 'login succeeded' message:

INFO    attempting to authenticate to controller with specified target token type: ACCESS 
Token: 88522d95-f87e-4841-8689-d72f72c60b1f
INFO    login succeeded    

External authentication using tunnelers:

# ./ziti-edge-tunnel  ext-jwt-login -i '/home/zyb/run/oidc/sszg-linux-kc2.json'  -p keycloak
{
  "Success":true,
  "Data":{
    "identifier":"/home/zyb/run/oidc/sszg-linux-kc2.json",
    "url":"http://192.168.63.119:18080/realms/ztnet/protocol/openid-connect/auth?client_id=ztnet-client&scope=openid%20email%20profile&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A20314%2Fauth%2Fcallback&code_challenge=VpKtp_g_H4k1zZQdMOeWF_ZreoYFYrEC8vmZQzcv1oA&code_challenge_method=S256&state=W9xsLD3xTAmzBqA-AEURTNh-f6vISdb0M2DWBooP&audience=ztnet-client"
  },
  "Code":0
}

Certification passed:

The controller started looping errors:

[3057.481]   ERROR ziti/controller/model.(*AuthModuleExtJwt).process: {authMethod=[ext-jwt]} encountered 0 candidate JWTs, verification cannot occur
[3057.483]   ERROR ziti/controller/model.(*AuthModuleExtJwt).process: {authMethod=[ext-jwt]} encountered 0 candidate JWTs, verification cannot occur

Tunneler looping on api session requests:

(71771)[       16.904]   DEBUG ziti-sdk:ziti_ctrl.c:505 ctrl_body_cb() ctrl[https://ctrl.ziti.com:1280] completed POST[/authenticate] in 0.073 s
(71771)[       16.904]   DEBUG ziti-sdk:ziti_ctrl.c:394 ctrl_login_cb() ctrl[https://ctrl.ziti.com:1280] authenticated successfully session[cmjgr434y2acbr2j6jwz5d4wn]
(71771)[       16.904]   DEBUG ziti-sdk:legacy_auth.c:170 login_cb() logged in successfully => api_session[cmjgr434y2acbr2j6jwz5d4wn]
(71771)[       16.904]   DEBUG ziti-sdk:ziti.c:390 ziti_set_fully_authenticated() ztx[1] setting auth_state[0] to 3
(71771)[       16.904]   DEBUG ziti-sdk:ziti_ctrl.c:505 ctrl_body_cb() ctrl[https://ctrl.ziti.com:1280] completed POST[/authenticate] in 0.073 s
(71771)[       16.904]   DEBUG ziti-sdk:ziti_ctrl.c:394 ctrl_login_cb() ctrl[https://ctrl.ziti.com:1280] authenticated successfully session[cmjgr434y2acbr2j6jwz5d4wn]
(71771)[       16.904]   DEBUG ziti-sdk:legacy_auth.c:170 login_cb() logged in successfully => api_session[cmjgr434y2acbr2j6jwz5d4wn]
(71771)[       16.904]   DEBUG ziti-sdk:ziti.c:390 ziti_set_fully_authenticated() ztx[1] setting auth_state[0] to 3

(71771)[       16.720]   DEBUG ziti-sdk:ziti_ctrl.c:505 ctrl_body_cb() ctrl[https://ctrl.ziti.com:1280] completed GET[/current-identity] in 0.014 s
(71771)[       16.720]   ERROR ziti-sdk:ziti_ctrl.c:527 ctrl_body_cb() ctrl[https://ctrl.ziti.com:1280] API request[/current-identity] failed code[UNAUTHORIZED] message[The request could not be completed. The session is not authorized or the credentials are invalid]
(71771)[       16.720]   ERROR ziti-sdk:ziti.c:1568 update_identity_data() ztx[1] failed to get identity_data: The request could not be completed. The session is not authorized or the credentials are invalid[UNAUTHORIZED]
(71771)[       16.720]    WARN ziti-sdk:ziti.c:1570 update_identity_data() ztx[1] api session is no longer valid. Trying to re-auth
(71771)[       16.720]    WARN ziti-sdk:ziti.c:224 ziti_set_unauthenticated() ztx[1] auth error: The request could not be completed. The session is not authorized or the credentials are invalid
(71771)[       16.720]   DEBUG ziti-sdk:ziti.c:227 ziti_set_unauthenticated() ztx[1] setting auth_state[0] to 0
(71771)[       16.720]   DEBUG ziti-sdk:ziti_ctrl.c:380 ziti_ctrl_clear_auth() ctrl[https://ctrl.ziti.com:1280] clearing api session token for ziti_controller
(71771)[       16.720]    WARN tunnel-cbs:ziti_tunnel_ctrl.c:1018 on_ziti_event() ziti_ctx controller connections failed: failed to authenticate
(71771)[       16.720]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:460 on_event() ztx[/home/zyb/run/oidc/sszg-linux-kc1.json] context event : status is failed to authenticate
(71771)[       16.720]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:514 on_event() ztx[/home/zyb/run/oidc/sszg-linux-kc1.json] failed to connect to controller due to failed to authenticate
(71771)[       16.720]   DEBUG ziti-edge-tunnel:ipc_event.c:119 send_events_message() Events Message => {"Op":"identity","Action":"added","Fingerprint":"/home/zyb/run/oidc/sszg-linux-kc1","Id":{"Name":"/home/zyb/run/oidc/sszg-linux-kc1","Identifier":"/home/zyb/run/oidc/sszg-linux-kc1.json","FingerPrint":"/home/zyb/run/oidc/sszg-linux-kc1","Active":true,"Loaded":true,"IdFileStatus":false,"NeedsExtAuth":false,"MfaEnabled":false,"MfaNeeded":false,"Metrics":{"Up":0,"Down":0},"MfaMinTimeout":0,"MfaMaxTimeout":0,"MfaMinTimeoutRem":0,"MfaMaxTimeoutRem":0,"MinTimeoutRemInSvcEvent":0,"MaxTimeoutRemInSvcEvent":0,"Deleted":false,"Notified":false}}
(71771)[       16.720]   DEBUG ziti-edge-tunnel:ipc_event.c:119 send_events_message() Events Message => {"Op":"controller","Action":"disconnected","Identifier":"/home/zyb/run/oidc/sszg-linux-kc1.json","Fingerprint":"/home/zyb/run/oidc/sszg-linux-kc1"}
(71771)[       16.720]   DEBUG ziti-sdk:ziti.c:452 ziti_force_api_session_refresh() ztx[1] forcing session refresh
(71771)[       16.720]   DEBUG ziti-sdk:legacy_auth.c:238 auth_timer_cb() refreshing session[(nil)]
(71771)[       16.720] VERBOSE ziti-sdk:ziti_ctrl.c:145 start_request() ctrl[https://ctrl.ziti.com:1280] starting POST[/authenticate]
(71771)[       16.720]   TRACE ziti-sdk:ziti.c:1778 ztx_prep_deadlines() ztx[1] processing deadlines in 19985
(71771)[       16.721]   TRACE ziti-sdk:ziti.c:1778 ztx_prep_deadlines() ztx[1] processing deadlines in 19984
(71771)[       16.722] VERBOSE ziti-sdk:ziti_ctrl.c:200 ctrl_resp_cb() ctrl[https://ctrl.ziti.com:1280] received headers GET[/current-identity/edge-routers?limit=25&offset=0]
(71771)[       16.722] VERBOSE ziti-sdk:ziti_ctrl.c:431 ctrl_body_cb() ctrl[https://ctrl.ziti.com:1280] HTTP RESPONSE: {"error":{"code":"UNAUTHORIZED","message":"The request could not be completed. The session is not authorized or the credentials are invalid","requestId":"LcWcmRsu9"},"meta":{"apiEnrollmentVersion":"0.0.1","apiVersion":"0.0.1"}}

(71771)[       16.722]   DEBUG ziti-sdk:ziti_ctrl.c:500 ctrl_body_cb() ctrl[https://ctrl.ziti.com:1280] completed paging request GET[/current-identity/edge-routers] in 0.016 s
(71771)[       16.722]   ERROR ziti-sdk:ziti_ctrl.c:527 ctrl_body_cb() ctrl[https://ctrl.ziti.com:1280] API request[/current-identity/edge-routers?limit=25&offset=0] failed code[UNAUTHORIZED] message[The request could not be completed. The session is not authorized or the credentials are invalid]
(71771)[       16.722]   ERROR ziti-sdk:ziti.c:1492 edge_routers_cb() ztx[1] failed to get current edge routers: code[401] UNAUTHORIZED/The request could not be completed. The session is not authorized or the credentials are invalid
(71771)[       16.722]   TRACE ziti-sdk:ziti.c:1778 ztx_prep_deadlines() ztx[1] processing deadlines in 19983
(71771)[       16.722]   TRACE ziti-sdk:ziti.c:1778 ztx_prep_deadlines() ztx[1] processing deadlines in 19983
(71771)[       16.725] VERBOSE ziti-sdk:ziti_ctrl.c:200 ctrl_resp_cb() ctrl[https://ctrl.ziti.com:1280] received headers GET[/controllers?limit=25&offset=0]
(71771)[       16.725] VERBOSE ziti-sdk:ziti_ctrl.c:431 ctrl_body_cb() ctrl[https://ctrl.ziti.com:1280] HTTP RESPONSE: {"error":{"code":"UNAUTHORIZED","message":"The request could not be completed. The session is not authorized or the credentials are invalid","requestId":"wcWcmsRD9"},"meta":{"apiEnrollmentVersion":"0.0.1","apiVersion":"0.0.1"}}

(71771)[       16.725]   DEBUG ziti-sdk:ziti_ctrl.c:500 ctrl_body_cb() ctrl[https://ctrl.ziti.com:1280] completed paging request GET[/controllers] in 0.020 s
(71771)[       16.725]   ERROR ziti-sdk:ziti_ctrl.c:527 ctrl_body_cb() ctrl[https://ctrl.ziti.com:1280] API request[/controllers?limit=25&offset=0] failed code[UNAUTHORIZED] message[The request could not be completed. The session is not authorized or the credentials are invalid]
(71771)[       16.725]    WARN ziti-sdk:ziti_ctrl.c:288 internal_ctrl_list_cb() ctrl[https://ctrl.ziti.com:1280] failed to get list of HA controllers: The request could not be completed. The session is not authorized or the credentials are invalid
(71771)[       16.725]   TRACE ziti-sdk:ziti.c:1778 ztx_prep_deadlines() ztx[1] processing deadlines in 19980
(71771)[       16.726]   TRACE ziti-sdk:ziti.c:1778 ztx_prep_deadlines() ztx[1] processing deadlines in 19979
(71771)[       16.727] VERBOSE ziti-sdk:ziti_ctrl.c:200 ctrl_resp_cb() ctrl[https://ctrl.ziti.com:1280] received headers GET[/current-api-session/service-updates]
(71771)[       16.727] VERBOSE ziti-sdk:ziti_ctrl.c:431 ctrl_body_cb() ctrl[https://ctrl.ziti.com:1280] HTTP RESPONSE: {"error":{"code":"UNAUTHORIZED","message":"The request could not be completed. The session is not authorized or the credentials are invalid","requestId":"kEQciRsu9"},"meta":{"apiEnrollmentVersion":"0.0.1","apiVersion":"0.0.1"}}

(71771)[       16.727]   DEBUG ziti-sdk:ziti_ctrl.c:505 ctrl_body_cb() ctrl[https://ctrl.ziti.com:1280] completed GET[/current-api-session/service-updates] in 0.021 s
(71771)[       16.727]   ERROR ziti-sdk:ziti_ctrl.c:527 ctrl_body_cb() ctrl[https://ctrl.ziti.com:1280] API request[/current-api-session/service-updates] failed code[UNAUTHORIZED] message[The request could not be completed. The session is not authorized or the credentials are invalid]
(71771)[       16.727]    WARN ziti-sdk:ziti.c:1440 check_service_update() ztx[1] failed to poll service updates: code[401] err[-14/The request could not be completed. The session is not authorized or the credentials are invalid]

Could you please help me check if this is a ZAC configuration issue?

{
  "name": "keycloak",
  "audience": "ztnet-client",
  "issuer": "http://176.16.63.11:18080/realms/ztnet",
  "clientId": "ztnet-client",
  "claimsProperty": "email",
  "enabled": true,
  "useExternalId": true,
  "kid": "",
  "externalAuthUrl": "http://176.16.63.11:18080/realms/ztnet",
  "scopes": [
    "email",
    "profile"
  ],
  "tags": {
    "TARGET TOKEN TYPE": "Access"
  },
  "jwksEndpoint": "http://176.16.63.11:18080/realms/ztnet/protocol/openid-connect/certs",
  "id": "71BxjQMRcm4DbZiIFzlISh"
}

Use "externalId": "bing@gmail.com" to match the corresponding user in Keycloak.

I can't find the problem, please help me.

Stop your tunneler first. You've apparently encountered some bug causing endless authentication attempts.

Next, have you assigned an auth policy other than the default? If so change it back to the default and try again. If you can reproduce this easily, we might ask you for logs to help us diagnose the issue. It might be worthwhile to update your tunneler to whatever the latest is (I don't think you listed what kind and version, or I just missed it).

I’m using the latest linux_x86-64 version of the tunneler. I need to confirm the version of the controller. The authentication policy I’m using is Keycloak. Do I need to switch back to the default one? I’ve tested that using the default policy will result in failure to obtain an api-session. (Just to double-check, are we referring to the authentication policy under the policy group?)


Yes. Use the default policy and get it working. The default policy allows for all authentication methods. If it doesn't work for the default it won't work for any other.

OK, I will redeploy the controller and try again with the default authentication policy. May I ask if the controller error is caused by a match email value failure? I have added /api/cert/ca.cst as the root certificate to the local trust chain.


I don't know why you need (or want) to redeploy the controller? You just need to change the auth policy for the given identity.

"Which" error are you talking about? "encountered 0 candidate JWTs"? That means you don't have a policy that matches the JWT submitted. None were found to even attempt to validate.
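An added example of my own (not the OpenZiti controller's implementation, whose exact matching rules may differ) showing why "encountered 0 candidate JWTs" is a selection failure rather than a signature failure. A signer only becomes a candidate when the still-unverified token's iss and aud equal the signer's issuer and audience; only candidates get their signature checked against the key named by the JWT header's kid, and only then is claimsProperty read out to compare with the identity's externalId. The token is minted locally with a throwaway RSA key standing in for Keycloak, with claims modelled on the access token in the tunneler log above (aud "ztnet", azp "ztnet-client", email bing@gmail.com); the kid value kc-1 and the 2048-bit key are my assumptions. Keycloak emitted aud as a plain string here; an array-valued aud would need each element compared.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

type Signer struct { // ext-jwt-signer fields used here; the names follow the config posted in this thread
	Issuer, Audience, ClaimsProperty string
	Keys                             map[string]*rsa.PublicKey // JWKS entries from jwksEndpoint, keyed by kid
}

// parse splits a compact JWS into header, claims, signing input and signature; it verifies nothing.
func parse(token string) (hdr, claims map[string]any, input string, sig []byte, err error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, nil, "", nil, errors.New("not a compact JWS")
	}
	h, e1 := base64.RawURLEncoding.DecodeString(p[0])
	c, e2 := base64.RawURLEncoding.DecodeString(p[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(p[2])
	err = errors.Join(e1, e2, e3, json.Unmarshal(h, &hdr), json.Unmarshal(c, &claims))
	return hdr, claims, p[0] + "." + p[1], sig, err
}

// selectCandidates keeps the signers whose issuer and audience both equal the still-unverified claims;
// an empty result is the "encountered 0 candidate JWTs" condition, where no signature is even checked.
func selectCandidates(token string, signers []Signer) (out []Signer, err error) {
	_, claims, _, _, err := parse(token)
	if err != nil {
		return nil, err
	}
	for _, s := range signers {
		if s.Issuer == claims["iss"] && s.Audience == claims["aud"] {
			out = append(out, s)
		}
	}
	return out, nil
}

// verifyAndExtract checks RS256 (key chosen by header kid) and exp, then returns the ClaimsProperty claim that must equal the identity's externalId.
func verifyAndExtract(token string, s Signer, now time.Time) (string, error) {
	hdr, claims, input, sig, err := parse(token)
	if err != nil {
		return "", err
	}
	if hdr["alg"] != "RS256" { // refuse alg=none and HMAC key confusion outright
		return "", fmt.Errorf("unsupported alg %v", hdr["alg"])
	}
	pub, ok := s.Keys[fmt.Sprint(hdr["kid"])]
	if !ok {
		return "", fmt.Errorf("kid %v not in JWKS", hdr["kid"])
	}
	digest := sha256.Sum256([]byte(input))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("signature invalid: %w", err)
	}
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return "", errors.New("token expired or exp missing")
	}
	if v, ok := claims[s.ClaimsProperty].(string); ok {
		return v, nil
	}
	return "", fmt.Errorf("claim %q missing", s.ClaimsProperty)
}

// mintToken stands in for Keycloak: it signs claims with a fresh RSA key under kid and returns the token plus the public key a verifier would get from the JWKS endpoint.
func mintToken(claims map[string]any, kid string) (string, *rsa.PublicKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, err
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), &key.PublicKey, err
}

func main() {
	token, pub, _ := mintToken(map[string]any{"iss": "http://176.16.63.11:18080/realms/ztnet", "aud": "ztnet",
		"email": "bing@gmail.com", "exp": time.Now().Add(5 * time.Minute).Unix()}, "kc-1") // constructed claims
	s := Signer{Issuer: "http://176.16.63.11:18080/realms/ztnet", Audience: "ztnet-client", ClaimsProperty: "email",
		Keys: map[string]*rsa.PublicKey{"kc-1": pub}}
	c, _ := selectCandidates(token, []Signer{s})
	fmt.Println("candidates with audience ztnet-client:", len(c)) // 0: the token carries aud "ztnet"
	s.Audience = "ztnet" // the fix applied later in this thread
	id, err := verifyAndExtract(token, s, time.Now())
	fmt.Println("externalId to match:", id, err)
}
```

With audience set to ztnet-client the signer is never a candidate, because ztnet-client only appears in the token as azp (the authorized party), not as aud; setting audience to ztnet makes it a candidate, the signature verifies, and the email claim bing@gmail.com is what has to equal the identity's externalId.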

I'm using Controller v1.6.9 and the tunneler v1.9.5.

I successfully matched the expectedAudience in the controller logs, but subsequently entered an infinite loop.

The same error occurs when I use the Default auth policy.

controller log:

[ 157.593]   DEBUG ziti/controller/model.(*candidateResult).LogResult: {tokenAudiences=[ztnet] expectedAudience=[ztnet] extJwtSignerId=[71BxjQMRcm4DbZiIFzlISh] authMethod=[ext-jwt] authPolicyId=[2HF7gU46BbMS9yLSAb57r2] identityId=[lT-xHH8tEl] issuer=[http://176.16.63.11:18080/realms/ztnet]} validated candidate JWT at index 0
[ 157.593]   DEBUG ziti/controller/sync_strats.getFingerprints: {apiSessionId=[cmjiisdu2007twnj676bcqrqc] fingerprints=[[8742a589a6af6ca1121120eec68a8b3abff44b14]]} resolving fingerprints for apiSession
[ 157.593]   DEBUG ziti/controller/sync_strats.(*InstantStrategy).ApiSessionAdded: {strategy=[instant] apiSessionId=[cmjiisdu2007twnj676bcqrqc] fingerprints=[[8742a589a6af6ca1121120eec68a8b3abff44b14]]} adding apiSession
[ 157.595]   ERROR ziti/controller/model.(*AuthModuleExtJwt).process: {authMethod=[ext-jwt]} encountered 0 candidate JWTs, verification cannot occur
[ 157.597]   ERROR ziti/controller/model.(*AuthModuleExtJwt).process: {authMethod=[ext-jwt]} encountered 0 candidate JWTs, verification cannot occur

tunneler logs:

(46380)[       40.773]    INFO ziti-sdk:ext_oidc.c:318 request_token() requesting token path[http://176.16.63.11:18080/realms/ztnet/protocol/openid-connect/token] auth[66173c33-3d48-4a9d-aa2a-c345a23a3ef9.e6fdab11-f814-4678-a138-95cfdaaf802e.7bf12fa4-6b1d-4f87-9d6e-a740dd1224d1]
(46380)[       40.787]   DEBUG ziti-sdk:ext_oidc.c:302 token_cb() oidc[keycloak] 200 OK err[(null)]
(46380)[       40.787]   DEBUG ziti-sdk:ext_oidc.c:735 ext_oidc_client_set_tokens() oidc[keycloak] using access_token={"exp":1766491459,"iat":1766491159,"auth_time":1766491159,"jti":"370b0a7b-2e26-47db-8a71-7da8dbcdc9a0","iss":"http://176.16.63.11:18080/realms/ztnet","aud":"ztnet","sub":"a5b9ed68-edd5-44f0-8b98-447210a45166","typ":"Bearer","azp":"ztnet-client","session_state":"e6fdab11-f814-4678-a138-95cfdaaf802e","acr":"1","allowed-origins":["http://176.16.63.11:1280"],"scope":"openid email profile","sid":"e6fdab11-f814-4678-a138-95cfdaaf802e","email_verified":true,"preferred_username":"bing","email":"bing@gmail.com"}
(46380)[       40.787]   DEBUG ziti-sdk:external_auth.c:154 ziti_ext_auth_token() ztx[1] received access token: eyJhbGciOiJSUzI1NiIs...
(46380)[       40.787]   DEBUG ziti-sdk:ext_oidc.c:752 ext_oidc_client_set_tokens() oidc[keycloak] scheduling token refresh in 270 seconds
(46380)[       40.788]   DEBUG ziti-sdk:legacy_auth.c:238 auth_timer_cb() refreshing session[(nil)]
(46380)[       40.788] VERBOSE ziti-sdk:ziti_ctrl.c:145 start_request() ctrl[https://ctrl.ziti.com:1280] starting POST[/authenticate]
(46380)[       40.818] VERBOSE ziti-sdk:ziti_ctrl.c:200 ctrl_resp_cb() ctrl[https://ctrl.ziti.com:1280] received headers POST[/authenticate]
(46380)[       40.818] VERBOSE ziti-sdk:ziti_ctrl.c:431 ctrl_body_cb() ctrl[https://ctrl.ziti.com:1280] HTTP RESPONSE: {"data":{"_links":{"self":{"href":"./api-sessions/cmjij869e000rzqj6ye93ctuo"},"sessions":{"href":"./api-sessions/cmjij869e000rzqj6ye93ctuo/sessions"}},"createdAt":"2025-12-23T11:59:19.731Z","id":"cmjij869e000rzqj6ye93ctuo","tags":{},"updatedAt":"2025-12-23T11:59:19.731Z","authQueries":[],"authenticatorId":"extJwtId:71BxjQMRcm4DbZiIFzlISh","cachedLastActivityAt":"2025-12-23T11:59:19.732Z","configTypes":[],"identity":{"_links":{"auth-policies":{"href":"./auth-policies/2HF7gU46BbMS9yLSAb57r2"},"authenticators":{"href":"./identities/lT-xHH8tEl/authenticators"},"edge-router-policies":{"href":"./identities/lT-xHH8tEl/edge-router-policies"},"edge-routers":{"href":"./identities/lT-xHH8tEl/edge-routers"},"enrollments":{"href":"./identities/lT-xHH8tEl/enrollments"},"failed-service-requests":{"href":"./identities/lT-xHH8tEl/failed-service-requests"},"posture-data":{"href":"./identities/lT-xHH8tEl/posture-data"},"self":{"href":"./identities/lT-xHH8tEl"},"service-configs":
(46380)[       40.818]   DEBUG ziti-sdk:ziti_ctrl.c:505 ctrl_body_cb() ctrl[https://ctrl.ziti.com:1280] completed POST[/authenticate] in 0.031 s
(46380)[       40.818]   DEBUG ziti-sdk:ziti_ctrl.c:394 ctrl_login_cb() ctrl[https://ctrl.ziti.com:1280] authenticated successfully session[cmjij869e000rzqj6ye93ctuo]
(46380)[       40.818]   DEBUG ziti-sdk:legacy_auth.c:170 login_cb() logged in successfully => api_session[cmjij869e000rzqj6ye93ctuo]
(46380)[       40.818]   DEBUG ziti-sdk:ziti.c:390 ziti_set_fully_authenticated() ztx[1] setting auth_state[4] to 3

The error part of the tunneler log:

(46380)[       40.828]   DEBUG ziti-sdk:ziti_ctrl.c:394 ctrl_login_cb() ctrl[https://ctrl.ziti.com:1280] authenticated successfully session[cmjij869e000rzqj6ye93ctuo]
(46380)[       40.828]   DEBUG ziti-sdk:ziti.c:2205 api_session_cb() ztx[1] identity certificate is not renewable
(46380)[       40.828]   TRACE ziti-sdk:ziti.c:1778 ztx_prep_deadlines() ztx[1] processing deadlines in 19992
(46380)[       40.828]   TRACE ziti-sdk:ziti.c:1778 ztx_prep_deadlines() ztx[1] processing deadlines in 19992
(46380)[       40.831] VERBOSE ziti-sdk:ziti_ctrl.c:200 ctrl_resp_cb() ctrl[https://ctrl.ziti.com:1280] received headers GET[/current-identity]
(46380)[       40.831] VERBOSE ziti-sdk:ziti_ctrl.c:431 ctrl_body_cb() ctrl[https://ctrl.ziti.com:1280] HTTP RESPONSE: {"error":{"code":"UNAUTHORIZED","message":"The request could not be completed. The session is not authorized or the credentials are invalid","requestId":"fly8UySrY"},"meta":{"apiEnrollmentVersion":"0.0.1","apiVersion":"0.0.1"}}

(46380)[       40.831]   DEBUG ziti-sdk:ziti_ctrl.c:505 ctrl_body_cb() ctrl[https://ctrl.ziti.com:1280] completed GET[/current-identity] in 0.011 s
(46380)[       40.831]   ERROR ziti-sdk:ziti_ctrl.c:527 ctrl_body_cb() ctrl[https://ctrl.ziti.com:1280] API request[/current-identity] failed code[UNAUTHORIZED] message[The request could not be completed. The session is not authorized or the credentials are invalid]
(46380)[       40.831]   ERROR ziti-sdk:ziti.c:1568 update_identity_data() ztx[1] failed to get identity_data: The request could not be completed. The session is not authorized or the credentials are invalid[UNAUTHORIZED]
(46380)[       40.831]    WARN ziti-sdk:ziti.c:1570 update_identity_data() ztx[1] api session is no longer valid. Trying to re-auth
(46380)[       40.831]    WARN ziti-sdk:ziti.c:224 ziti_set_unauthenticated() ztx[1] auth error: The request could not be completed. The session is not authorized or the credentials are invalid
(46380)[       40.831]   DEBUG ziti-sdk:ziti.c:227 ziti_set_unauthenticated() ztx[1] setting auth_state[3] to 0
(46380)[       40.831]   DEBUG ziti-sdk:ziti_ctrl.c:380 ziti_ctrl_clear_auth() ctrl[https://ctrl.ziti.com:1280] clearing api session token for ziti_controller
(46380)[       40.831]    WARN tunnel-cbs:ziti_tunnel_ctrl.c:1018 on_ziti_event() ziti_ctx controller connections failed: failed to authenticate
(46380)[       40.831]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:460 on_event() ztx[/home/zyb/run/oidc/sszg-linux-kc4.json] context event : status is failed to authenticate
(46380)[       40.831]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:514 on_event() ztx[/home/zyb/run/oidc/sszg-linux-kc4.json] failed to connect to controller due to failed to authenticate
(46380)[       40.831]   DEBUG ziti-edge-tunnel:ipc_event.c:119 send_events_message() Events Message => {"Op":"identity","Action":"added","Fingerprint":"/home/zyb/run/oidc/sszg-linux-kc4","Id":{"Name":"/home/zyb/run/oidc/sszg-linux-kc4","Identifier":"/home/zyb/run/oidc/sszg-linux-kc4.json","FingerPrint":"/home/zyb/run/oidc/sszg-linux-kc4","Active":true,"Loaded":true,"IdFileStatus":false,"NeedsExtAuth":false,"MfaEnabled":false,"MfaNeeded":false,"Metrics":{"Up":0,"Down":0},"MfaMinTimeout":0,"MfaMaxTimeout":0,"MfaMinTimeoutRem":0,"MfaMaxTimeoutRem":0,"MinTimeoutRemInSvcEvent":0,"MaxTimeoutRemInSvcEvent":0,"Deleted":false,"Notified":false}}
(46380)[       40.831]   DEBUG ziti-edge-tunnel:ipc_event.c:119 send_events_message() Events Message => {"Op":"controller","Action":"disconnected","Identifier":"/home/zyb/run/oidc/sszg-linux-kc4.json","Fingerprint":"/home/zyb/run/oidc/sszg-linux-kc4"}
(46380)[       40.831]   DEBUG ziti-sdk:ziti.c:452 ziti_force_api_session_refresh() ztx[1] forcing session refresh
(46380)[       40.831]    WARN tunnel-cbs:ziti_tunnel_ctrl.c:1018 on_ziti_event() ziti_ctx controller connections failed: failed to authenticate

I modified the auth policy configuration:

  "name": "keycloak",
  "audience": "ztnet",
  "issuer": "http://176.16.63.11:18080/realms/ztnet",
  "clientId": "ztnet-client",

keycloak configuration:

  "aud": "ztnet",
  "sub": "a5b9ed68-edd5-44f0-8b98-447210a45166",
  "typ": "Bearer",
  "azp": "ztnet-client",

Wishing you success in your work!

I looked through the code again to check, and this error can also occur if you don't have a JWT submitted for authentication.

What version of which tunneler is this?

I think it would be useful to try using ziti ops verify ext-jwt-signer like I showed in this post: Problem with importing network.jwt or using the URL method - #2 by TheLumberjack

Let's make sure you can authenticate using the ziti CLI first and then let's try to diagnose the tunneler issue. This ziti CLI command will hopefully prove that your signer and your controller are set up correctly, so that we can leave the tunneler out of the equation for now.

Once you can verify the ext-jwt-signer with the cli, let's try to diagnose the tunneler (if necessary).