Windows Desktop Edge Client IdP crashing

Hello everyone, it has been a while. We are moving the POC to production :grin:
The windows client works flawlessly with individual jwt identities.

I have been working through implementing IdP. However, when I export the network JWT and add the network identity in the UI, it seems to register, as I get the golden padlock (authorized IdP); however, it is dull in color versus the standard identity JWT, which is bright in color and has the controller network detail displayed.

When I attempt to authenticate, the client crashes. After investigating, I noticed the network JWT doesn't have the network field populated with the controller DNS address; it is just blank.

ZD POC setup
Controller hosted on K3S using Kube-VIP for the LoadBalancer ip, deployed via helm
Standard JWTs have the network populated and work flawlessly

Is there a way to regenerate the network JWT with the network details? I am noticing the same issue with our production install as well. Production is also deployed via helm in K3S.

Decoding the network JWT, I noticed there are no entries in the "ctrls" section of the JWT.

Any help would be amazing.

Cheers

Hi @macbook_user,

That shouldn't be an issue. The important part is that the issuer is filled in and the jwt is signed by the certificate presented by the server at that address. My guess is that is where your problem is, but you haven't provided any logs so it's hard to know for sure. My network jwt also doesn't have ctrls - so it shouldn't be relevant.

If you wanted to provide me a "feedback.zip" (main menu -> feedback and DM me the zip here) or if you could tail the log and show the output that'd most likely help. Alternatively you could send me your server's JWT and I could try enrolling it on my end to see what happens.

It could be that you're hitting some bug we haven't tested fully yet. We are still trying to find all those corner cases that crop up whenever a new feature is released like OIDC-based auth.

Thank you,
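As an added example (not code from this thread or from the Ziti project), this script decodes an enrollment JWT locally and reports the claims the reply above calls out: the issuer must be populated, while an empty "ctrls" list is normal. It does not verify the signature against the controller's certificate, and the "em"/"ctrls" claim names and the sample token values are assumptions.

```python
import base64
import json
from urllib.parse import urlparse


def _b64url_encode(obj: dict) -> str:
    # JWT segments are base64url without trailing '=' padding
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # restore the padding that JWT encoding strips
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_enrollment_jwt(token: str) -> dict:
    """Decode (without verifying) a Ziti enrollment JWT and report the
    claims that matter for enrollment. 'em' and 'ctrls' are the claim
    names assumed here; adjust if your controller's token differs."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    issuer = claims.get("iss") or ""
    host = urlparse(issuer).hostname if issuer else None
    return {
        "alg": header.get("alg"),
        "issuer": issuer,
        "issuer_host": host,  # the address the client will enroll against
        "issuer_ok": host is not None,
        "enrollment_method": claims.get("em"),
        "ctrls_empty": not claims.get("ctrls"),  # empty is normal, not a fault
    }


def make_sample_token(issuer: str = "https://ctrl.ziti.lab:1280") -> str:
    """Constructed sample token; the signature segment is a placeholder,
    so this token would fail real signature verification by design."""
    header = {"alg": "ES256", "typ": "JWT"}
    claims = {"iss": issuer, "em": "network", "jti": "constructed-id", "ctrls": []}
    return ".".join([_b64url_encode(header), _b64url_encode(claims), "placeholder-sig"])


if __name__ == "__main__":
    print(json.dumps(inspect_enrollment_jwt(make_sample_token()), indent=2))
```

Run it against your real token on the client machine only; an enrollment JWT is a credential, so share it privately (as the reply suggests) rather than pasting it into the thread.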

I have tailed the log from the client. The Ziti Windows services were running.

[2025-07-03T19:28:03.729Z] DEBUG	ZitiDesktopEdge.MainWindow	==== IdentityEvent    : action:added identifer:c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\client.ziti.lab.json name:client.ziti.lab 	
[2025-07-03T19:28:03.729Z]  WARN	ZitiDesktopEdge.MainWindow	Identity: "c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\client.ziti.lab.json" AuthInProgress but still NeedsExtAuth? Check the tunneler logs	
[2025-07-03T19:28:03.747Z] DEBUG	ZitiDesktopEdge.MainWindow	IDENTITY EVENT. Action: added identifier: c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\client.ziti.lab.json	
[2025-07-03T19:28:03.747Z] DEBUG	ZitiDesktopEdge.ServiceClient.DataClient	Controller event received	
[2025-07-03T19:28:03.747Z] DEBUG	ZitiDesktopEdge.MainWindow	==== ControllerEvent    : action:disconnected identifier:c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\client.ziti.lab.json	
[2025-07-03T19:28:06.723Z] ERROR	ZitiDesktopEdge.ServiceClient.DataClient	Unexpected error	System.TimeoutException: Read operation timed out waiting for a response. If the UI-DataClient service is running, this is highly unepxected and should be reported.
   at ZitiDesktopEdge.ServiceClient.AbstractClient.<readAsync>d__54`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at ZitiDesktopEdge.ServiceClient.DataClient.<readDataClientAsync>d__52`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at ZitiDesktopEdge.ServiceClient.DataClient.<ExternalAuthLogin>d__64.MoveNext()
[2025-07-03T19:28:06.741Z] ERROR	ZitiDesktopEdge.IdentityItem	external auth failed: ["unexpected error during external authentication!"]	
[2025-07-03T19:28:06.741Z]  INFO	ZitiDesktopEdge.ServiceClient.DataClient	service is down. attempting to connect to service...	
Thank you again.

That log is from the UI and probably means some unexpected error happened in the data service (ziti/ziti-edge-tunnel, logs in C:\Program Files (x86)\NetFoundry Inc\Ziti Desktop Edge\logs\service). Then the service doesn't respond to the UI in time.

Can you tail that log when the error happens and the controller log at the same time and see if there's an error logged in those logs at this time?

Hello,
Thank you for your help. I think that I have tracked down the issue.
After looking through the logs to send you, I noticed an error and decided to go back to first principles, testing the external IdP with a known working provider, Auth0, as I was self-hosting my IdP.
I got past my initial fault. :grin: So there is an issue with my IdP.

Before I sign this off, one last question. Do I need to create an identity in Ziti that matches the username in the IdP? If I am using an email address, does the identity need to be an email address as well?

Thank you again


You are free to use any 'claim' contained within the JWT. OFTEN this is email address, but it might be the preferred_username (MS Entra has this field) or it might be sub, or it might be some custom claim you add to the IdP. You set the externalId and claim param accordingly on your identities.

You are not limited to email or name. I'm glad you found your issue :slight_smile: