Trying to get secondary OIDC authentication working in Mac tunneler

Hi all!

I can successfully enroll and connect my macOS device using the default auth policy. I can also create an ext JWT provider (authentik) and enroll using the JWT token file from the "Download network JWT" button and a new auth policy.

Now I'm trying to have the primary cert and secondary OIDC policy. The policy:

```
{
  "name": "Hybrid device and human",
  "primary": {
    "cert": {
      "allowExpiredCerts": false,
      "allowed": true
    },
    "extJwt": {
      "allowed": false,
      "allowedSigners": []
    },
    "updb": {
      "allowed": false,
      "lockoutDurationMinutes": 0,
      "maxAttempts": 5,
      "minPasswordLength": 5,
      "requireMixedCase": false,
      "requireNumberChar": false,
      "requireSpecialChar": false
    }
  },
  "secondary": {
    "requireExtJwtSigner": "3UVqO63Q0SFrr17b48eG3g",
    "requireTotp": false
  },
  "tags": {}
}
```

If I simply add the enroll JWT to the Mac tunneler and then try connecting, it stays yellow. If I add the one I used for primary ext JWT, it also stays yellow (I think it's trying to do the primary external OIDC).

The one with external OIDC as secondary doesn't show any signs of the OIDC, the popup with the open browser button never appears.

What am I doing wrong?

Hello @dimm0 and welcome to the OpenZiti community!

What you're describing sounds a lot like what unfolded in this thread. If I'm right, the issue is being tracked in Secondary Auth via ext-jwt-signer fails · Issue #919 · openziti/ziti-sdk-c · GitHub.

Do you see anything like this in your controller log?

"error":"primary external jwt processing failed on authentication policy [ukNZvLkSy4J2B2BUmaXVt]: primary external jwt authentication on auth policy is disabled"

Thanks!

I saw the ticket, but I didn't see this error in the controller logs. Also not sure if that issue is still valid. Looks more like the client problem.

Is it supposed to work in the Mac client? Could you verify it's working for you?

Hi @dimm0,

Given the bug in the underlying SDK that handles controller authentication, I would not expect your setup to work with the Mac tunneler or any other tunneler that relies on ziti-sdk-c. This has been a known issue for us for a while, and the linked issue is still valid. In fact the developers that are most familiar with the SDK are currently working on changes to OIDC.

Hey @ekoby? Maybe you have some more details about this?

This could be caused by missing fields in the ext signer configuration. Can you post it here (you can mask clientId)?

I upgraded to 2.0, the error I see now is:

Jun 05 22:16:11 zitictr ziti[49473]: {"authMethod":"ext-jwt","file":"github.com/openziti/ziti/v2/controller/model/authenticator_mod_ext_jwt.go:318","func":"github.com/openziti/ziti/v2/controller/model.(*AuthModuleExtJwt).ProcessSecondary","level":"error","msg":"encountered 0 candidate JWTs, verification cannot occur","time":"2026-06-05T22:16:11.062Z"}

Ext signer works when standalone. Config:

```
{
  "name": "Authentik",
  "audience": "...",
  "issuer": "...",
  "clientId": "...",
  "claimsProperty": "sub",
  "enabled": true,
  "useExternalId": true,
  "kid": "",
  "externalAuthUrl": "...",
  "scopes": ,
  "tags": {},
  "jwksEndpoint": "...",
  "targetToken": "ACCESS",
  "id": "3UVqO63Q0SFrr17b48eG3g"
}
```
Should anything match between the cert identity and OIDC identity? The IDs are different, and I'm not sure where it's coming from.
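An added illustration of what the signer config above asks of the token, not code from OpenZiti or from anyone in this thread: it checks a JWT's signature, issuer, audience and expiry against signer fields named in the posted config and returns the value of the `claimsProperty` claim, which is the identifier the controller would have to match to an identity. The token is constructed in the test with HS256 and a shared key purely so the example runs offline; a real signer verifies RS256 signatures against `jwksEndpoint`.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-in for the posted ext-jwt-signer; all values are placeholders.
SIGNER = {
    "issuer": "https://authentik.example/application/o/ziti/",
    "audience": "ziti-client-id",
    "claimsProperty": "sub",
    "enabled": True,
}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, key: bytes) -> str:
    """Build an HS256 token for the demo only (real deployments use RS256 via JWKS)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def check_token(token: str, key: bytes, signer: dict, now=None):
    """Return (ok, detail); on success detail is the claimsProperty value to match."""
    now = time.time() if now is None else now
    if not signer.get("enabled"):
        return False, "signer disabled"
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header, payload, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return False, "unexpected alg"  # pin the algorithm before checking the MAC
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != signer["issuer"]:
        return False, f"issuer mismatch: {claims.get('iss')}"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if signer["audience"] not in aud:
        return False, f"audience mismatch: {aud}"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    ext_id = claims.get(signer["claimsProperty"])
    if not ext_id:
        return False, f"claim {signer['claimsProperty']!r} missing"
    return True, ext_id
```

The value returned on success is what must line up with the identity on the controller side; with `useExternalId` set, that is the identity's external id rather than its name.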