OIDC external JWT auth

Hello,

I am configuring OIDC external JWT authentication (Keycloak) with OpenZiti.

Deployment:

  • Controller: Docker

  • ZAC: Docker

  • Keycloak: Docker

  • Tunneller: running locally (not in Docker)

My goal is:
Run the tunnel locally and authenticate via Keycloak using an OIDC external JWT signer through the Controller.

When performing OIDC external authentication from the local tunneller, it returns:

{
  "Success": false,
  "Error": "ziti context not found",
  "Code": 500
}

But I used an absolute path.

External JWT Signer Configuration:

{
  "name": "keyclock",
  "audience": "ztnet-client",
  "issuer": "http://176.16.63.11:18080/realms/ztnet",
  "clientId": "ztnet-client",
  "claimsProperty": "email",
  "enabled": true,
  "useExternalId": true,
  "kid": "",
  "externalAuthUrl": "http://176.16.63.11:18080/realms/ztnet",
  "scopes": [
    "email"
  ],
  "tags": {},
  "jwksEndpoint": "ttp://176.16.63.11:18080/realms/ztnet/protocol/openid-connect/certs"
}

Does the tunnel need to run in the same environment or network as the Controller?

Hi @Guardiant314

I don't have a great vision in my head about your topology, but the answer to this is 'certainly not'. To use external JWTs, here's what is needed:

  • the controller needs to be able to create a trusted connection to the URL in the ext-jwt-signer jwks_uri -- or you need to provide the "Cert PEM" that allows the controller to validate the JWTs. It's easy to use a self-signed cert for the IdP (Keycloak), but that won't allow the controller to connect to Keycloak in a trusted way. That is a problem that's hit people before.
  • the tunneler needs to be able to connect to the IdP directly as the IdP is what generates the token for your tunneler
  • the tunneler needs to be able to connect to the controller and at least one router

That help any?
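As an added example (not OpenZiti's code and not from either poster), the script below does the two offline sanity checks a practitioner would want before chasing network or trust problems in a setup like the one above: it lints an ext-jwt-signer document of the shape shown in the question (absolute http(s) URLs, a key source, a non-empty issuer/audience/claimsProperty) and compares an IdP-issued token's claims against that signer. Signature verification is deliberately not done here; that is the controller's job against the JWKS or Cert PEM. The signer dict is a constructed copy of the one in the question (including the "ttp://" jwksEndpoint value), and the token is a constructed Keycloak-style token with a placeholder signature.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed copy of the ext-jwt-signer from the question; the missing
# "h" in jwksEndpoint is kept so the lint has something to flag.
SIGNER_CONFIG = {
    "name": "keyclock",
    "audience": "ztnet-client",
    "issuer": "http://176.16.63.11:18080/realms/ztnet",
    "clientId": "ztnet-client",
    "claimsProperty": "email",
    "enabled": True,
    "useExternalId": True,
    "kid": "",
    "externalAuthUrl": "http://176.16.63.11:18080/realms/ztnet",
    "scopes": ["email"],
    "jwksEndpoint": "ttp://176.16.63.11:18080/realms/ztnet/protocol/openid-connect/certs",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_unverified(token: str):
    """Split a compact JWT into (header, claims) WITHOUT checking the signature.
    The controller verifies the signature against the JWKS / Cert PEM; this only
    exposes the claims so they can be compared with the signer config."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def lint_signer_config(cfg: dict) -> list:
    """Return config problems that would stop the controller from ever
    validating a token (empty list means no obvious misconfiguration)."""
    problems = []
    for key in ("issuer", "externalAuthUrl", "jwksEndpoint"):
        value = cfg.get(key) or ""
        url = urlparse(value)
        if value and (url.scheme not in ("http", "https") or not url.netloc):
            problems.append(f"{key} is not an absolute http(s) URL: {value!r}")
    if not cfg.get("jwksEndpoint") and not cfg.get("certPem"):
        problems.append("neither jwksEndpoint nor certPem is set; no key to verify signatures")
    if not cfg.get("enabled"):
        problems.append("signer is disabled")
    for key in ("issuer", "audience", "claimsProperty"):
        if not cfg.get(key):
            problems.append(f"{key} is empty")
    return problems


def check_token_against_signer(token: str, cfg: dict) -> list:
    """Compare a token's claims with what the ext-jwt-signer expects. Any
    mismatch means the controller rejects the token even with a valid signature."""
    header, claims = decode_jwt_unverified(token)
    problems = []
    if claims.get("iss") != cfg.get("issuer"):
        problems.append(f"iss {claims.get('iss')!r} != issuer {cfg.get('issuer')!r}")
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if cfg.get("audience") not in aud:
        problems.append(f"audience {cfg.get('audience')!r} not in aud {aud!r}")
    prop = cfg.get("claimsProperty") or "sub"
    if not claims.get(prop):
        problems.append(f"claimsProperty {prop!r} missing; cannot map token to an identity")
    if cfg.get("kid") and header.get("kid") != cfg.get("kid"):
        problems.append(f"token kid {header.get('kid')!r} != configured kid {cfg.get('kid')!r}")
    return problems


def make_unsigned_token(header: dict, claims: dict) -> str:
    """Build a compact JWT with a placeholder signature (constructed test data only)."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     _b64url_encode(b"placeholder-signature")])


# Constructed Keycloak-style token for the realm named in the question.
SAMPLE_TOKEN = make_unsigned_token(
    {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"},
    {"iss": "http://176.16.63.11:18080/realms/ztnet",
     "aud": "ztnet-client", "sub": "c0ffee", "email": "user@example.com"},
)

if __name__ == "__main__":
    for line in lint_signer_config(SIGNER_CONFIG):
        print("config:", line)
    for line in check_token_against_signer(SAMPLE_TOKEN, SIGNER_CONFIG):
        print("token:", line)
```

Run against the question's own signer, the lint reports exactly one problem: the jwksEndpoint scheme "ttp" is not http(s), so the controller could never fetch the keys. The token check is useful for the other common mismatch: Keycloak puts the client id into aud only when an audience mapper is configured for the client, so pasting a real access token from the IdP into check_token_against_signer quickly shows whether the audience and claimsProperty the signer expects are actually present.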