OpenZiti use External JWT Signers with keycloak

I have my own Keycloak, but I get an error like this. I don't know where the problem is.

keycloak config

Continue with the previous question, my keycloak config

Continue with the previous question, openziti config

Hi @zzh, welcome to the community and to OpenZiti!

I've got some preliminary documentation (I'm still working on it but it should be done today/tomorrow) about this you can have a look at. I can give you the answer here, but would you be willing to look at the doc to see if it makes enough sense for you to figure it out? It would help me help the project to get a very fresh set of eyes on the doc and to know whether it covers what you would want to find in documentation. Would you be willing to do that for me and the project?

Also, the root of the OIDC doc has other information that might be relevant and helpful to you.

If you get stuck after reading the doc, your feedback on what had you stuck would be really helpful.

Does that sound ok? Thanks so much

Hi client, I found my question: my console version was too low. Now I can successfully authenticate, but my ZDEW client also has no permission.


Ok. I might have to add more generic doc telling people how to troubleshoot this situation. The problem will be a mismatch between the security tokens obtained by the tunneler and the ext jwt signer.

Keycloak is one of the better and more helpful IdPs. Specifically, the bottom of that page (Keycloak | OpenZiti) tells you how to verify the tokens.

Did you find that section and was it sufficient? Or did you find that section but the doc still wasn't sufficient?

Since you're successfully completing the flow, my expectation is that either the issuer or the audience is incorrect. It's easy to get them wrong. Pay very careful attention to the audience and whether it ends with a slash. That's a very, very common error.
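The check described in the reply above (compare the `iss` and `aud` claims of the token the tunneler obtained with the issuer and audience configured on the ext-jwt-signer, and watch for a trailing slash) can be done with a short script. The following is an added example for this thread, not code from OpenZiti or Keycloak; it only decodes the payload for inspection and does not verify the signature, so it must never be used to trust a token. The realm URL and audience values below are constructed sample values, not the poster's configuration.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT *without* checking its signature.
    Intended only for eyeballing iss/aud while troubleshooting a signer mismatch."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def compare_claims(claims: dict, signer_issuer: str, signer_audience: str) -> list:
    """Compare the token's iss/aud with the values configured on the ext-jwt-signer.
    Returns a list of findings; an empty list means both match exactly.
    A difference that is only a trailing slash is reported separately because
    that is the most common misconfiguration."""
    findings = []
    iss = claims.get("iss")
    aud = claims.get("aud")
    # RFC 7519 allows aud to be a single string or an array of strings.
    aud_list = aud if isinstance(aud, list) else ([aud] if aud is not None else [])

    if iss != signer_issuer:
        if isinstance(iss, str) and iss.rstrip("/") == signer_issuer.rstrip("/"):
            findings.append(
                f"issuer differs only by trailing slash: token={iss!r} signer={signer_issuer!r}")
        else:
            findings.append(f"issuer mismatch: token={iss!r} signer={signer_issuer!r}")

    if signer_audience not in aud_list:
        near = [a for a in aud_list
                if isinstance(a, str) and a.rstrip("/") == signer_audience.rstrip("/")]
        if near:
            findings.append(
                f"audience differs only by trailing slash: token={near[0]!r} signer={signer_audience!r}")
        else:
            findings.append(f"audience mismatch: token={aud_list!r} signer={signer_audience!r}")
    return findings


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token (dummy signature segment) so the example
    runs offline. Real tokens come from the IdP and carry a real signature."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "signature-placeholder"])


if __name__ == "__main__":
    # Constructed sample: a Keycloak-style realm issuer and an audience with a trailing slash.
    token = make_sample_token({
        "iss": "https://keycloak.example.test/realms/ziti",
        "aud": ["openziti/", "account"],
        "sub": "user1",
    })
    claims = decode_jwt_claims(token)
    # Signer configured without the trailing slash on the audience: reported as a near miss.
    for finding in compare_claims(claims, "https://keycloak.example.test/realms/ziti", "openziti"):
        print(finding)
```

Run it against a token copied from the tunneler's log or browser flow and the issuer/audience values from the ext-jwt-signer; an empty result means the two sides agree and the mismatch is elsewhere (for example the signing key or the claim used for identity mapping).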

Hi client, I found the doc and I think I have the correct configuration. I verified the tokens.

to continue