Hi, any updates or dates about OIDC for macOS Desktop Edge?
Hey K1ckMan,
Thanks for asking, and welcome to the community! We know there's a lot of interest in OIDC, and we have a decent number of users on Apple so we're keen to get this feature out.
We're currently wrapping up some HA-related work in the Apple clients. Once that's done we'll get back to adding OIDC support. My best guess right now is that this will hit the app stores some time in mid/late May.
This is very good news, thank you. We are preparing a large project on migration to OpenZiti - that's why this function is important for us.
Any updates about OIDC auth for Apple devices?
I'm looking to have the first cut next week. DM me with your Apple ID if you'd like to see it in TestFlight.
Hi there, I am interested in implementing OpenZiti but I have been holding out for Mac OIDC support. Is there any updated timeline for this feature?
Hi @sadri, it's still in the works. There have been other priorities that interrupted this work, but we're getting back to it soon.
Hi! Thanks for all your work!!
I was wondering if it was still possible to get into TestFlight? I have a few Mac users and for now I am using the enrollment JWT instead of OIDC (though all my Windows users are using OIDC). If I could test OIDC that would be great. Alternatively, I can just wait; it's not a huge rush.
Sure thing. Please DM the email address that’s associated with your Apple ID.
Any news about OIDC integration for macOS devices?
Hi. The work for macOS is currently available in TestFlight. It will be released to the App Store once we get the iOS app updated as well. I’m wrapping up the iOS work this week.
Hi. Is there any update?
It's such an important feature for us.
Hi, and welcome to OpenZiti!
Support was added in Ziti Desktop Edge for macOS version 2.51, which is currently in the Mac App Store.
Big thanks! We will check the new version.
A colleague just installed the latest MacOS version from the App Store, and trying to enroll with a JWT signer token fails with "Only OTT enrollment supported":
He is on Version 2.51 (548).
Hi @rochecompaan, yeah, we ran into that just the other day too. The workaround for MacOS for now is to use a "by url" enrollment instead of the JWT. If you use an 'alt server cert' setup and provision a trusted third party, MacOS will work. Until we fix that bug, that's the only workaround I know of. @scareything, is there any other workaround?
Thanks @TheLumberjack! How do you enrol by URL on macOS? I see a "By URL" section in the docs for the Windows tunneler, but not for macOS.
Hello,
The docs for the macOS app are not yet updated, but the version that’s currently in the Mac app store (2.51) allows you to enroll by URL:
Hi, I'm not sure about creating a new topic for this.
We are trying to use Keycloak authentication with Ziti Desktop Edge (2.5.1) on MacOS (15.3) (such an important feature for us).
We applied a policy with Keycloak for the identity.
To enroll we use “With URL” and the client has status = enrolled.
But when we try to connect, nothing happens (the Keycloak window in the browser doesn't pop up).
In the logs (trace level) we found the error:
appex.txt (17.8 KB)
[2025-10-07T13:19:21:368Z] INFO PacketTunnelProvider:UserNotifications.swift:107 post() Attempting to post Ext notification, subitile:Optional("External Auth Required"), body:Optional("<ziti_controller_url>"), zid:Optional("<ziti_controller_url>")
[2025-10-07T13:19:21:368Z] DEBUG PacketTunnelProvider:UserNotifications.swift:111 post() Notification settings: <UNNotificationSettings: 0x15a26d940; authorizationStatus: Denied, notificationCenterSetting: Enabled, soundSetting: Enabled, badgeSetting: Enabled, lockScreenSetting: Enabled, carPlaySetting: NotSupported, remoteNotifications: NotSupported, announcementSetting: NotSupported, criticalAlertSetting: NotSupported, timeSensitiveSetting: NotSupported, alertSetting: Enabled, scheduledDeliverySetting: NotSupported, directMessagesSetting: NotSupported, summarizationSetting: Enabled, showsPreviewsSetting: WhenAuthenticated, alertStyle: Banner, groupingSetting: Default providesAppNotificationSettings: No>
[2025-10-07T13:19:21:369Z] WARN PacketTunnelProvider:UserNotifications.swift:114 post() Not authorized to send notifications
We would appreciate any help.
Hello and welcome to the OpenZiti Discourse! I’ll try to help with your OIDC question in this message, but please start a new thread for this issue if you need more help with this.
The error that you noticed relates to the macOS notification that Ziti Desktop Edge puts up when external authentication is required. It’s actually a benign message (not an error), so let’s ignore it for now. You probably noticed a notification in the upper-right corner of your desktop when you pressed “Connect”. It would look like this:
You’d also see a notification like this in the Ziti Desktop Edge window if you’re focused on it when connecting. Clicking on the “Auth Now” button in the notification should pop up a list of auth providers:
When you select your provider from the list and click “OK” your browser should open the URL for your auth provider, and if you successfully authenticate you’ll see a page like this:
At that point you’ll see services and connection status for your identity in the Ziti Desktop Edge main window.
Going back to the “External Authentication” notifications for a sec… If you aren’t seeing those for some reason (notification settings in macOS maybe?) or you just don’t want to chase the fast-moving/sliding notifications with your mouse cursor, you can also initiate external authentication directly from the Ziti Desktop Edge window.
To do this, select your identity in the list and look for the cloud/key button in the upper-right corner of the Ziti Desktop Edge window. It should be yellow if you aren’t currently authenticated:
Clicking on this button presents a list of authentication providers that you can select to initiate authentication:
Hopefully this gets you going! If not please feel free to start a new topic and we’ll go from there.








