Session not authorized or credentials invalid

I have ziti-edge-tunneler working, and I'm basically continuing where I ended in the thread to set up the tunneler: How to login using external jwt signer with Linux tunneler - #36 by rochecompaan.

I downloaded the JWT token for the JWT signer and enrolled it, started the tunnel and tried to authenticate:

1. sudo ziti-edge-tunnel enroll --jwt ~/Downloads/ziti-entra.jwt --identity /opt/openziti/etc/identities/entra.json 
2. sudo ziti-edge-tunnel run --identity-dir /opt/openziti/etc/identities
3. sudo ziti-edge-tunnel ext-jwt-login -i /opt/openziti/etc/identities/entra.json -p entra

I have an external identity (roche-ziti-client) with the email returned from the IdP response set as external ID. This identity has access to several services.

It seems like authentication succeeds, but authorisation fails:

(2209788)[       28.382]    INFO ziti-sdk:oidc.c:416 request_token() requesting token path[https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/v2.0/token] auth[... TOKEN ...]
(2209788)[       30.041]    INFO ziti-sdk:posture.c:206 ziti_send_posture_data() ztx[1] first run or potential controller restart detected
(2209788)[       30.574]   ERROR ziti-sdk:ziti_ctrl.c:524 ctrl_body_cb() ctrl[https://ziti-api.mydomain.com:443/] API request[/current-identity] failed code[UNAUTHORIZED] message[The request could not be completed. The session is not authorized or the credentials are invalid]
(2209788)[       30.574]   ERROR ziti-sdk:ziti.c:1566 update_identity_data() ztx[1] failed to get identity_data: The request could not be completed. The session is not authorized or the credentials are invalid[UNAUTHORIZED]
(2209788)[       30.574]    WARN ziti-sdk:ziti.c:1568 update_identity_data() ztx[1] api session is no longer valid. Trying to re-auth
(2209788)[       30.574]    WARN ziti-sdk:ziti.c:223 ziti_set_unauthenticated() ztx[1] auth error: The request could not be completed. The session is not authorized or the credentials are invalid
(2209788)[       30.574]    WARN tunnel-cbs:ziti_tunnel_ctrl.c:1018 on_ziti_event() ziti_ctx controller connections failed: failed to authenticate
(2209788)[       30.574]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:460 on_event() ztx[/opt/openziti/etc/identities/entra.json] context event : status is failed to authenticate
(2209788)[       30.574]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:514 on_event() ztx[/opt/openziti/etc/identities/entra.json] failed to connect to controller due to failed to authenticate
(2209788)[       30.574]    WARN tunnel-cbs:ziti_tunnel_ctrl.c:1018 on_ziti_event() ziti_ctx controller connections failed: failed to authenticate
(2209788)[       30.574]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:460 on_event() ztx[/opt/openziti/etc/identities/entra.json] context event : status is failed to authenticate
(2209788)[       30.574]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:514 on_event() ztx[/opt/openziti/etc/identities/entra.json] failed to connect to controller due to failed to authenticate
(2209788)[       30.574]    WARN ziti-sdk:ziti_ctrl.c:815 verify_api_session() ctrl[https://ziti-api.mydomain.com:443/] no API session
(2209788)[       30.574]    WARN ziti-sdk:ziti.c:223 ziti_set_unauthenticated() ztx[1] auth error: no api session token set for ziti_controller
(2209788)[       30.574]    WARN tunnel-cbs:ziti_tunnel_ctrl.c:1018 on_ziti_event() ziti_ctx controller connections failed: failed to authenticate
(2209788)[       30.574]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:460 on_event() ztx[/opt/openziti/etc/identities/entra.json] context event : status is failed to authenticate
(2209788)[       30.574]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:514 on_event() ztx[/opt/openziti/etc/identities/entra.json] failed to connect to controller due to failed to authenticate
(2209788)[       30.750]   ERROR ziti-sdk:ziti_ctrl.c:524 ctrl_body_cb() ctrl[https://ziti-api.mydomain.com:443/] API request[/current-api-session/certificates] failed code[UNAUTHORIZED] message[The request could not be completed. The session is not authorized or the credentials are invalid]
(2209788)[       30.750]   ERROR ziti-sdk:ziti.c:1586 on_create_cert() ztx[1] failed to create session cert: -14/The request could not be completed. The session is not authorized or the credentials are invalid
(2209788)[       30.926]   ERROR ziti-sdk:ziti_ctrl.c:524 ctrl_body_cb() ctrl[https://ziti-api.mydomain.com:443/] API request[/current-identity] failed code[UNAUTHORIZED] message[The request could not be completed. The session is not authorized or the credentials are invalid]
(2209788)[       30.926]   ERROR ziti-sdk:ziti.c:1566 update_identity_data() ztx[1] failed to get identity_data: The request could not be completed. The session is not authorized or the credentials are invalid[UNAUTHORIZED]
(2209788)[       30.926]    WARN ziti-sdk:ziti.c:1568 update_identity_data() ztx[1] api session is no longer valid. Trying to re-auth
(2209788)[       30.926]    WARN ziti-sdk:ziti.c:223 ziti_set_unauthenticated() ztx[1] auth error: The request could not be completed. The session is not authorized or the credentials are invalid
(2209788)[       30.926]    WARN tunnel-cbs:ziti_tunnel_ctrl.c:1018 on_ziti_event() ziti_ctx controller connections failed: failed to authenticate
(2209788)[       30.926]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:460 on_event() ztx[/opt/openziti/etc/identities/entra.json] context event : status is failed to authenticate
(2209788)[       30.926]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:514 on_event() ztx[/opt/openziti/etc/identities/entra.json] failed to connect to controller due to failed to authenticate
(2209788)[       31.103]   ERROR ziti-sdk:ziti_ctrl.c:524 ctrl_body_cb() ctrl[https://ziti-api.mydomain.com:443/] API request[/current-identity/edge-routers?limit=25&offset=0] failed code[UNAUTHORIZED] message[The request could not be completed. The session is not authorized or the credentials are invalid]
(2209788)[       31.103]   ERROR ziti-sdk:ziti.c:1489 edge_routers_cb() ztx[1] failed to get current edge routers: code[401] UNAUTHORIZED/The request could not be completed. The session is not authorized or the credentials are invalid
(2209788)[       31.280]   ERROR ziti-sdk:ziti_ctrl.c:524 ctrl_body_cb() ctrl[https://ziti-api.mydomain.com:443/] API request[/current-api-session/service-updates] failed code[UNAUTHORIZED] message[The request could not be completed. The session is not authorized or the credentials are invalid]
(2209788)[       31.280]    WARN ziti-sdk:ziti.c:1437 check_service_update() ztx[1] failed to poll service updates: code[401] err[-14/The request could not be completed. The session is not authorized or the credentials are invalid]
(2209788)[       32.185]   ERROR ziti-sdk:ziti_ctrl.c:524 ctrl_body_cb() ctrl[https://ziti-api.mydomain.com:443/] API request[/current-identity] failed code[UNAUTHORIZED] message[The request could not be completed. The session is not authorized or the credentials are invalid]
(2209788)[       32.185]   ERROR ziti-sdk:ziti.c:1566 update_identity_data() ztx[1] failed to get identity_data: The request could not be completed. The session is not authorized or the credentials are invalid[UNAUTHORIZED]
(2209788)[       32.185]    WARN ziti-sdk:ziti.c:1568 update_identity_data() ztx[1] api session is no longer valid. Trying to re-auth
(2209788)[       32.185]    WARN ziti-sdk:ziti.c:223 ziti_set_unauthenticated() ztx[1] auth error: The request could not be completed. The session is not authorized or the credentials are invalid
(2209788)[       32.185]    WARN tunnel-cbs:ziti_tunnel_ctrl.c:1018 on_ziti_event() ziti_ctx controller connections failed: failed to authenticate
(2209788)[       32.185]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:460 on_event() ztx[/opt/openziti/etc/identities/entra.json] context event : status is failed to authenticate
(2209788)[       32.185]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:514 on_event() ztx[/opt/openziti/etc/identities/entra.json] failed to connect to controller due to failed to authenticate
(2209788)[       32.186]    WARN ziti-sdk:ziti_ctrl.c:815 verify_api_session() ctrl[https://ziti-api.mydomain.com:443/] no API session
(2209788)[       32.186]    WARN ziti-sdk:ziti.c:223 ziti_set_unauthenticated() ztx[1] auth error: no api session token set for ziti_controller
(2209788)[       32.186]    WARN tunnel-cbs:ziti_tunnel_ctrl.c:1018 on_ziti_event() ziti_ctx controller connections failed: failed to authenticate
(2209788)[       32.186]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:460 on_event() ztx[/opt/openziti/etc/identities/entra.json] context event : status is failed to authenticate
(2209788)[       32.186]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:514 on_event() ztx[/opt/openziti/etc/identities/entra.json] failed to connect to controller due to failed to authenticate
(2209788)[       32.362]   ERROR ziti-sdk:ziti_ctrl.c:524 ctrl_body_cb() ctrl[https://ziti-api.mydomain.com:443/] API request[/current-api-session/certificates] failed code[UNAUTHORIZED] message[The request could not be completed. The session is not authorized or the credentials are invalid]
(2209788)[       32.362]   ERROR ziti-sdk:ziti.c:1586 on_create_cert() ztx[1] failed to create session cert: -14/The request could not be completed. The session is not authorized or the credentials are invalid
(2209788)[       32.540]   ERROR ziti-sdk:ziti_ctrl.c:524 ctrl_body_cb() ctrl[https://ziti-api.mydomain.com:443/] API request[/current-identity] failed code[UNAUTHORIZED] message[The request could not be completed. The session is not authorized or the credentials are invalid]
(2209788)[       32.540]   ERROR ziti-sdk:ziti.c:1566 update_identity_data() ztx[1] failed to get identity_data: The request could not be completed. The session is not authorized or the credentials are invalid[UNAUTHORIZED]
(2209788)[       32.540]    WARN ziti-sdk:ziti.c:1568 update_identity_data() ztx[1] api session is no longer valid. Trying to re-auth
(2209788)[       32.540]    WARN ziti-sdk:ziti.c:223 ziti_set_unauthenticated() ztx[1] auth error: The request could not be completed. The session is not authorized or the credentials are invalid
(2209788)[       32.540]    WARN tunnel-cbs:ziti_tunnel_ctrl.c:1018 on_ziti_event() ziti_ctx controller connections failed: failed to authenticate
(2209788)[       32.540]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:460 on_event() ztx[/opt/openziti/etc/identities/entra.json] context event : status is failed to authenticate
(2209788)[       32.540]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:514 on_event() ztx[/opt/openziti/etc/identities/entra.json] failed to connect to controller due to failed to authenticate
(2209788)[       32.716]   ERROR ziti-sdk:ziti_ctrl.c:524 ctrl_body_cb() ctrl[https://ziti-api.mydomain.com:443/] API request[/current-identity/edge-routers?limit=25&offset=0] failed code[UNAUTHORIZED] message[The request could not be completed. The session is not authorized or the credentials are invalid]
(2209788)[       32.716]   ERROR ziti-sdk:ziti.c:1489 edge_routers_cb() ztx[1] failed to get current edge routers: code[401] UNAUTHORIZED/The request could not be completed. The session is not authorized or the credentials are invalid
(2209788)[       32.894]   ERROR ziti-sdk:ziti_ctrl.c:524 ctrl_body_cb() ctrl[https://ziti-api.mydomain.com:443/] API request[/current-api-session/service-updates] failed code[UNAUTHORIZED] message[The request could not be completed. The session is not authorized or the credentials are invalid]
(2209788)[       32.894]    WARN ziti-sdk:ziti.c:1437 check_service_update() ztx[1] failed to poll service updates: code[401] err[-14/The request could not be completed. The session is not authorized or the credentials are invalid]
(2209788)[       33.426]   ERROR ziti-sdk:ziti_ctrl.c:524 ctrl_body_cb() ctrl[https://ziti-api.mydomain.com:443/] API request[/current-identity] failed code[UNAUTHORIZED] message[The request could not be completed. The session is not authorized or the credentials are invalid]
(2209788)[       33.426]   ERROR ziti-sdk:ziti.c:1566 update_identity_data() ztx[1] failed to get identity_data: The request could not be completed. The session is not authorized or the credentials are invalid[UNAUTHORIZED]
(2209788)[       33.426]    WARN ziti-sdk:ziti.c:1568 update_identity_data() ztx[1] api session is no longer valid. Trying to re-auth
(2209788)[       33.426]    WARN ziti-sdk:ziti.c:223 ziti_set_unauthenticated() ztx[1] auth error: The request could not be completed. The session is not authorized or the credentials are invalid
(2209788)[       33.426]    WARN tunnel-cbs:ziti_tunnel_ctrl.c:1018 on_ziti_event() ziti_ctx controller connections failed: failed to authenticate
(2209788)[       33.426]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:460 on_event() ztx[/opt/openziti/etc/identities/entra.json] context event : status is failed to authenticate
(2209788)[       33.426]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:514 on_event() ztx[/opt/openziti/etc/identities/entra.json] failed to connect to controller due to failed to authenticate
(2209788)[       33.604]   ERROR ziti-sdk:ziti_ctrl.c:524 ctrl_body_cb() ctrl[https://ziti-api.mydomain.com:443/] API request[/current-api-session/certificates] failed code[UNAUTHORIZED] message[The request could not be completed. The session is not authorized or the credentials are invalid]
(2209788)[       33.604]   ERROR ziti-sdk:ziti.c:1586 on_create_cert() ztx[1] failed to create session cert: -14/The request could not be completed. The session is not authorized or the credentials are invalid
(2209788)[       33.780]   ERROR ziti-sdk:ziti_ctrl.c:524 ctrl_body_cb() ctrl[https://ziti-api.mydomain.com:443/] API request[/current-identity] failed code[UNAUTHORIZED] message[The request could not be completed. The session is not authorized or the credentials are invalid]

(2209788)[ 30.926] ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:514 on_event() ztx[/opt/openziti/etc/identities/entra.json] failed to connect to controller due to failed to authenticate

I think you mean you auth with the IdP properly but can't auth with OpenZiti. Authorization happens after OpenZiti's authentication... Anyway, this is incredibly easy to get wrong. Usually this comes down to:

  • audience expects a trailing slash but we humans don't put the trailing slash (this one bit me myself yesterday)
  • user forgets to add the external id to an identity
  • misconfigured ext-jwt-signer for jwks uri
  • access token is opaque, forcing you to use the ID token

The easiest thing imo to do is to use the ziti CLI for this debugging.

ziti ops verify ext-jwt-signer oidc keycloak --authenticate

Are you able to successfully auth using ziti cli? You'll see either:

INFO    attempting to authenticate to controller with specified target token type: ACCESS
Token: xxxxxxx
INFO    login succeeded

or

INFO    attempting to authenticate to controller with specified target token type: ACCESS
FATAL   error authenticating with token: unable to authenticate to https://ec2-3-18-113-172.us-east-2.compute.amazonaws.com:8441/edge/management/v1. Status code: 401 Unauthorized, Server returned: {
    "error": {
        "code": "INVALID_AUTH",
        "message": "The authentication request failed",
        "requestId": "ipfj..rR3"
    },
    "meta": {
        "apiEnrollmentVersion": "0.0.1",
        "apiVersion": "0.0.1"
    }
}

I expect you'll get a failure. Scrutinize the output of the tokens and make sure you have a proper token selected; sometimes IdPs don't return access tokens OpenZiti can use (they are opaque).

Oh, also look at the controller logs in this case. Often there will be a log line that helps you understand why the auth is failing.
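The checklist above (opaque access token, audience differing only by a trailing slash, missing external-ID claim) can be run against a token offline before involving the tunneler at all. The script below is an added example for this thread, not OpenZiti code and not the `ziti ops verify` command: it decodes the unverified JWT payload and compares `iss`, `aud` and the claim the signer maps to the external ID against what you configured on the ext-jwt-signer. The sample tokens, issuer, audience and claim name are all constructed placeholders; signature verification is deliberately left to the controller, which does it against the signer's JWKS.

```python
"""
Offline pre-flight checks for an OIDC token destined for an OpenZiti
ext-jwt-signer. Added example for this thread, not OpenZiti code.
It does NOT verify signatures; the controller does that against the JWKS.
"""
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(header: dict, claims: dict) -> str:
    """Build a JWT with a dummy signature, used only to construct offline samples."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{h}.{p}.{_b64url_encode(b'not-a-real-signature')}"


def classify_token(token: str) -> str:
    """'jws' if the token is header.payload.signature with a JSON header, else 'opaque'."""
    parts = token.split(".")
    if len(parts) != 3:
        return "opaque"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        return "opaque"
    return "jws" if isinstance(header, dict) and "alg" in header else "opaque"


def decode_claims(token: str) -> dict:
    """Return the (unverified) payload claims of a JWS token."""
    if classify_token(token) != "jws":
        raise ValueError("token is opaque; an ext-jwt-signer cannot validate it")
    return json.loads(_b64url_decode(token.split(".")[1]))


def check_token(token: str, expected_issuer: str, expected_audience: str,
                claims_property: str) -> list[str]:
    """Return findings against the signer's configured issuer/audience/claim; [] means it looks usable."""
    if classify_token(token) == "opaque":
        return ["token is opaque (not a JWS): the controller cannot validate it; use the ID token instead"]
    claims = decode_claims(token)
    findings = []
    iss = claims.get("iss")
    if iss != expected_issuer:
        findings.append(f"issuer mismatch: token iss={iss!r}, signer expects {expected_issuer!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_audience not in auds:
        stripped = {str(a).rstrip("/") for a in auds if a is not None}
        if expected_audience.rstrip("/") in stripped:
            # The classic trip-up from the thread: same value, trailing slash on one side only.
            findings.append(f"audience differs only by a trailing slash: token aud={auds!r}, "
                            f"signer expects {expected_audience!r}")
        else:
            findings.append(f"audience mismatch: token aud={auds!r}, signer expects {expected_audience!r}")
    if claims_property not in claims:
        findings.append(f"claim {claims_property!r} missing: the controller cannot map this token "
                        f"to an identity's external ID")
    return findings


# Constructed placeholders (hypothetical tenant, audience and user).
ISSUER = "https://login.microsoftonline.com/<tenant-id>/v2.0"
SAMPLE_ID_TOKEN = make_unsigned_jwt(
    {"alg": "RS256", "typ": "JWT", "kid": "example-kid"},
    {"iss": ISSUER, "aud": "api://openziti/", "email": "user@example.com", "exp": 0},
)
SAMPLE_OPAQUE_TOKEN = "EwBwA8l6BAAUconstructedopaqueaccesstokenblob"


def main() -> None:
    for name, tok in (("id_token", SAMPLE_ID_TOKEN), ("access_token", SAMPLE_OPAQUE_TOKEN)):
        print(f"{name}: {classify_token(tok)}")
        for finding in check_token(tok, ISSUER, "api://openziti", "email"):
            print("  -", finding)


if __name__ == "__main__":
    main()
```

Feed it the tokens `ziti ops verify ext-jwt-signer oidc ... --authenticate` prints, with the issuer, audience and claims property copied from the ext-jwt-signer's configuration; a clean run only tells you the token is shaped right, the controller log is still the authority on why a login was rejected.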

> ziti ops verify ext-jwt-signer oidc --username $ZITI_USER --password $ZITI_PWD --authenticate entra is successful:

INFO    attempting to authenticate to controller with specified target token type: ID
Token: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
INFO    login succeeded

The controller logs show:

{"authMethod":"ext-jwt","file":"github.com/openziti/ziti/controller/model/authenticator_mod_ext_jwt.go:382","func":"github.com/openziti/ziti/controller/model.(*AuthModuleExtJwt).process","level":"error","msg":"encountered 0 candidate JWTs, verification cannot occur","time":"2025-10-03T12:17:12.137Z"}

I'm using an ID rather than an access token. When you say "audience expects a trailing slash", where should I check? In Entra or OpenZiti?

INFO login succeeded

Hmmm. This indicates to me that your ext-jwt-signer is set up correctly. I expect you configured the ext-jwt-signer to use the ID token and you have the audience set up correctly, since it authenticated. Are there any logs in the controller that are relevant when your tunneler tries to auth?

Yes, "encountered 0 candidate JWTs, verification cannot occur" is logged repeatedly by the controller:

{"authMethod":"ext-jwt","file":"github.com/openziti/ziti/controller/model/authenticator_mod_ext_jwt.go:382","func":"github.com/openziti/ziti/controller/model.(*AuthModuleExtJwt).process","level":"error","msg":"encountered 0 candidate JWTs, verification cannot occur","time":"2025-10-03T12:17:12.137Z"}

Does your identity use a custom auth policy, or is it using the default auth policy, and is ext-jwt-auth enabled? -- it must be enabled, oops, you just authenticated --

I wonder if this is some sort of C SDK issue. I'll ask @ekoby to have a look here.

Also, maybe restart the tunneler? I'm interested to know if that clears any sort of cache, just to rule that out (which would obviously be some sort of bug to figure out).

My identity is using the "entra" policy:

The auth policy uses the entra JWT signer:

And the entra JWT signer is enabled.

Restarting the tunnel doesn't fix the issue.

Try assigning the default policy to see if that matters (we would hope it doesn't). I think @ekoby is gonna have to have a look at this. I don't quite see why it would fail if the ziti CLI succeeds.

Jackpot! Assigning the default policy works! Is this expected or is it weird behavior?

No, definitely NOT expected. We'll have to try to replicate. Sure seems like some kind of bug so far to me.


Bug aside, this is awesome! I can now demo the complete workflow end-to-end at our company tech show and share meeting today!


There seems to be some unexpected behavior when the signers are enumerated in the auth policy. I am looking into that.
The workaround is to let the user authenticate with any of the configured signers (if you only have one, then the outcome is the same).
