Router OIDC Support

I'd like to ask if the router currently supports Keycloak authentication. If it's supported, how do I do it?

Routers connect exclusively using mTLS. It doesn't make sense to me to have a router use Keycloak so I don't think I understand what you have in mind. Maybe you can outline what you are thinking?

The tunnel router's authentication to the controller uses third-party authentication (OIDC), such as ziti-edge-tunnel ext-jwt-login -p keycloak, to ensure that the user of the tunnel router is a specific person.

I'm pretty sure the routers do not use any third-party auth. That would surprise me. They utilize the OpenZiti OIDC authorization endpoint, but they are using certs and they are using OpenZiti's internal PKI only, unless I'm not aware of something?

These words don't fully make sense to me, but if I understand what you're getting at here, this sounds like an edge router policy or possibly a service edge router policy.

Let's say you want to allow Clint to use the ssh service using some Clint-only router to offload ssh, but you don't want to allow @McGonagall666 to use the Clint-only router. In that case you would use a service edge router policy allowing ssh to offload this ssh service from that router. Then you allow Clint (only) to ssh via a service policy, and now only Clint is able to offload ssh from that router.

If that is what you're looking for, start exploring service edge router policy.

Hope that helps
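The policy setup described in the reply above, sketched with the ziti CLI as an added example that is not part of the original thread. The identity, service, router and policy names (clint, ssh, clint-router, and the three policy names) are assumptions, and the edge router policy in step 3 is an addition for an environment where Clint has no existing access to that router.

```shell
#!/bin/sh
# Added example, not from the thread. All names below are assumed:
# identity "clint", service "ssh", edge router "clint-router".
#
# Dry run by default: each command is printed instead of executed.
# To apply, run `ziti edge login` first and then set ZITI=ziti.
ZITI="${ZITI:-echo ziti}"

clint_only_ssh_policies() {
    # 1. Service edge router policy: the ssh service may be offloaded
    #    through clint-router. Policies are additive, so any other
    #    service edge router policy that matches ssh (for example one
    #    using '#all') would still make it available on other routers.
    $ZITI edge create service-edge-router-policy ssh-via-clint-router \
        --service-roles '@ssh' --edge-router-roles '@clint-router'

    # 2. Service policy (Dial): only the identity clint may dial ssh.
    $ZITI edge create service-policy ssh-dial-clint Dial \
        --service-roles '@ssh' --identity-roles '@clint'

    # 3. Edge router policy (assumed to be needed here): clint's
    #    identity is allowed to connect to clint-router.
    $ZITI edge create edge-router-policy clint-uses-clint-router \
        --identity-roles '@clint' --edge-router-roles '@clint-router'
}

clint_only_ssh_policies
```

After applying, review the existing service edge router policies for a broader role match on ssh, since that would widen which routers can carry the service.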

That's not what I meant. The command ziti-edge-tunnel ext-jwt-login -p keycloak starts the tunneler's program via Keycloak authentication. I want to know if the tunnel router also has this function, ensuring that the tunnel router starts up after logging in with a Keycloak user.

The goal is to ensure that the tunnel router device is bound to a user, rather than allowing just anyone to use the router.

I've checked the documentation, and OIDC only supports Tunnelers, Browzer, and ZAC, but not tunnel routers.

No. Routers are not intended to operate in the same way that a user-focused tunneler operates.