Problem with importing network.jwt or using the URL method

I'm trying to use OIDC for third-party authentication, but the network information in Windows Edge is empty when importing network.jwt or using the URL method.

Here's my installation process:

  1. Using the Express Install method.

  2. Using Let's Encrypt:

sudo certbot certonly --standalone -d [my_domain]

/etc/letsencrypt/live/[my_domain]/fullchain.pem

/etc/letsencrypt/live/[my_domain]/privkey.pem

  3. alt_server_certs:

Hi @Jameshclai,

The information you've provided so far doesn't help me enough, I'm afraid. Here's what I would ask you to do: the ziti CLI has within it a ziti ops verify ext-jwt-signer command. You can also test it and see your token details.

For example here's me using my ext-jwt-signer named "keycloak" and asking to verify authentication:

ziti ops verify ext-jwt-signer oidc --controller-url $ZITI_ADDR --authenticate keycloak

It will print out your ID token details, access token details and refresh token details. These are useful so you can use them to map to your target identity.

I would ask that you confirm you can do this successfully first. If not successful you'll see something like:

You also should look at the ZDEW's 'service' logs (ziti-tunnel.log) along with the controller's logs at that time. It's ridiculously easy to misconfigure your ext-jwt-signer.

Before we continue, can you confirm you see a 'login succeeded' message?
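The token details that verify command prints are what you map onto a Ziti identity, and the usual ways an ext-jwt-signer goes wrong are an issuer or audience that does not match what the IdP actually puts in the token, or a claims property that the token does not carry. The following is an added example, not code from this thread or from the OpenZiti project: it decodes a constructed ID token with only the Python standard library and compares its claims against the signer settings you intend to configure. The signer attribute names used here (issuer, audience, claimsProperty, useExternalId) are my understanding of the ext-jwt-signer fields and should be confirmed against your controller's API; the token and the Keycloak-style issuer URL are constructed for illustration, and the signature is not verified (the controller does that against the signer's JWKS).

```python
"""Added example, not from the original thread or the OpenZiti project.

Decode an OIDC ID token (as printed by `ziti ops verify ext-jwt-signer`)
and compare its claims with the ext-jwt-signer settings, so issuer,
audience and claims-property mismatches surface before looking at the
tunneler. Standard library only; the token below is constructed and its
signature is a placeholder, so nothing here checks the signature.
"""
import base64
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    # JWT segments use base64url with the '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # Restore the padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_unsigned_token(header: dict, claims: dict) -> str:
    """Build a compact JWS with a placeholder signature (constructed test data)."""
    seg = lambda d: b64url_encode(json.dumps(d, separators=(",", ":")).encode())
    return f"{seg(header)}.{seg(claims)}.{b64url_encode(b'placeholder-signature')}"


def decode_jwt(token: str) -> tuple:
    """Return (header, claims) of a compact JWS without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def check_against_signer(claims: dict, signer: dict, now: Optional[float] = None) -> list:
    """List mismatches between the token claims and the signer settings.

    `signer` keys (issuer, audience, claimsProperty, useExternalId) are the
    ext-jwt-signer attribute names as I understand them; confirm them
    against your controller's API.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != signer["issuer"]:
        problems.append(f"issuer mismatch: token iss={claims.get('iss')!r}, "
                        f"signer issuer={signer['issuer']!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if signer["audience"] not in auds:
        problems.append(f"audience mismatch: token aud={aud!r}, "
                        f"signer audience={signer['audience']!r}")
    if "exp" in claims and claims["exp"] < now:
        problems.append("token expired")
    prop = signer.get("claimsProperty", "sub")
    if prop not in claims:
        problems.append(f"claimsProperty {prop!r} is not present in the token; "
                        "the identity mapping would fail")
    return problems


def identity_key(claims: dict, signer: dict):
    """The claim value the controller would match against the identity.

    As I understand it, with useExternalId set this is matched against the
    identity's externalId, otherwise against the identity id.
    """
    return claims.get(signer.get("claimsProperty", "sub"))


# Constructed sample data: a Keycloak-style issuer and a client id.
EXAMPLE_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "example-key-1"}
EXAMPLE_CLAIMS = {
    "iss": "https://keycloak.example.com/realms/ziti",
    "aud": "ziti-client",
    "sub": "0f4c1a6e-example",
    "email": "alice@example.com",
    "iat": 1_700_000_000,
    "exp": 1_700_000_300,
}
EXAMPLE_TOKEN = make_unsigned_token(EXAMPLE_HEADER, EXAMPLE_CLAIMS)

# Signer settings we intend to configure; map identities by the email claim.
SIGNER_OK = {
    "issuer": "https://keycloak.example.com/realms/ziti",
    "audience": "ziti-client",
    "claimsProperty": "email",
    "useExternalId": True,
}

if __name__ == "__main__":
    header, claims = decode_jwt(EXAMPLE_TOKEN)
    print("header:", header)
    print("claims:", json.dumps(claims, indent=2))
    print("problems:", check_against_signer(claims, SIGNER_OK, now=1_700_000_000))
    print("would match externalId:", identity_key(claims, SIGNER_OK))
```

Paste the ID token the verify command prints in place of EXAMPLE_TOKEN and fill SIGNER_OK with the values you gave `ziti edge create ext-jwt-signer`; an empty problems list means the token at least carries what the signer expects, and the printed key is the externalId the target identity needs.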

Thank you. Based on your guidance, I have obtained the following information. Please suggest how to find the problem.

Are you considering providing a detailed tutorial course (ZitiTV) or operation guide manual on integrating Ziti with OIDC? Examples: Azure, Auth0, Google (common practical application cases)

  1. OpenZiti Controller, Router, ZAC Installation and Deployment

  2. Let's Encrypt Key Application and Configuration

  3. Certificate Authorities Configuration
    Different OIDC Configuration (Examples: Azure, Auth0, Google)

  4. JWT Signers Configuration

  5. Auth Policies

  6. ZitiDesktopEdgeClient Operation

I think this would be helpful for those who want to learn more about Ziti.

If you haven't tried GPT or Claude, I bet they'd be able to help you on this one. That error means the process couldn't open a browser for you to complete the OIDC flow. You need to run that command on a machine that has a browser/UI, you can't run it from the remote machine.

A Ziti TV focusing on ext-jwt-signers? That seems like it'd be a good one, sure. It's been a while since Ziti TV's aired but we are getting ready to start them back up again, I might even be able to do this soon. I'll see what I can do.

Right now, you just need to run that command on your workstation or anywhere you have a browser to get the next bit of details. After that make sure you're always looking at your tunneler logs, controller logs and router logs (i usually check them in that order) for clues.

Thank you for the explanation and the guidance, I understand now that the OIDC flow requires running the command on a machine with a browser/UI available, and I will retry the process from my workstation and continue troubleshooting by closely reviewing the tunneler, controller, and router logs in that order.
Also, I’m very much looking forward to the return of Ziti TV — a session focused on ext-jwt-signers would be extremely valuable.