Hi @Jameshclai,
The information you've provided so far doesn't help me enough, I'm afraid. Here's what I would ask you to do: the ziti CLI command has within it a ziti ops verify ext-jwt-signer command. You can also test it, and see your token details.
For example here's me using my ext-jwt-signer named "keycloak" and asking to verify authentication:
ziti ops verify ext-jwt-signer oidc --controller-url $ZITI_ADDR --authenticate keycloak
It will print out your ID token details, access token details and refresh token details. These are useful so you can use them to map to your target identity.
I would ask that you confirm you can do this successfully first. If not successful you'll see something like:
You also should look at the ZDEW's 'service' logs (ziti-tunnel.log) along with the controller's logs at that time. It's ridiculously easy to misconfigure your ext-jwt-signer.
Before we continue, can you confirm you see a 'login succeeded' message?

