ZAC OIDC Login Fails: "discovery_document_validation_error" with Entra ID

Hi Ziti Team,

I'm encountering an issue specifically with OIDC login for the Ziti Admin Console (ZAC) when using Azure Entra ID as the OIDC provider. ZAC is being served by my Ziti Controller.

Current Setup:

Problem Specific to ZAC OIDC Login:

When attempting to log into ZAC using OIDC (targeting Entra ID):

  1. The browser successfully fetches Entra ID's discovery document:
    GET "https://login.microsoftonline.com/{my-tenant-id}/v2.0/.well-known/openid-configuration" returns 200 OK.

  2. Immediately after, ZAC's JavaScript client logs the following errors in the browser console:

  • error validating authorization_endpoint in discovery document ['Every url in discovery document has to start with …o see property strictDiscoveryDocumentValidation.']

  • Growler Msg: error Error Login Error Unable to initialize OAuth login: discovery_document_validation_error

This indicates that ZAC's internal OIDC client library is failing to validate Entra ID's discovery document, even though the document is fetched successfully.

Question:

  1. How is ZAC's OIDC client (the JavaScript running in the browser) configured when ZAC is served by the Ziti controller? Specifically, where does it get its authority (Issuer URL for Entra ID) and client_id to use for its direct OIDC flow with Entra ID?

  2. Is there a known issue or specific configuration required for ZAC's OIDC client library regarding strictDiscoveryDocumentValidation when used with Entra ID's v2.0 endpoints?

  3. Given that ZDE OIDC enrollment (where the Ziti controller is the OIDC client to Entra ID) works, what could be different about ZAC's client-side OIDC initialization that leads to this validation error?

I'm trying to understand how to ensure ZAC's OIDC client is correctly initialized to work with Entra ID, especially concerning the discovery document validation.

Thanks for any guidance!

Hi @jamesfear,

In my experience, Entra can sometimes be a pain. I'll see if I can confirm (or deny) Entra working on my side and follow up in a bit...

Oh and as to why it would error, it's not clear. If you are able to auth using a tunneler (ZDEW) then I would expect adding the callback uri to entra would allow you to use Entra for ZAC auth.

I was able to validate that Entra will indeed work when properly configured. However, I ran into an issue possibly similar to yours where the ZDEW works fine, but logging into the ZAC failed because my identity wasn't an admin.

The identity you're authenticating as, is it perhaps not an admin? I had similar problems with my first attempt at logging into ZAC but it was due to my identity not having the admin permission.

Other than that, can you run ziti edge list ext-jwt-signers -j 'name = "entra"' | jq -r '.data[] | [.externalAuthUrl, .jwksEndpoint] | @csv' and make sure the externalAuthUrl looks right along with the jwks uri?

for example from my controller:

ziti edge list ext-jwt-signers -j 'name = "entra"' | jq -r '.data[] | [.externalAuthUrl, .jwksEndpoint] | @csv'
"https://login.microsoftonline.com/25445e86-2ae6-4434-b116-25c66c27168d/v2.0","https://login.microsoftonline.com/25445e86-2ae6-4434-b116-25c66c27168d/discovery/v2.0/keys"

Hey,

I'm facing the same issue with entra, did you find any solution? @jamesfear
Linux and Windows edge tunnelers are working fine.
After a little digging I found that it's the angular-oauth2-oidc lib that's being "too secure"; there is an option to turn this off called strictDiscoveryDocumentValidation, but if I understand correctly it has to be set at build time.
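The check the post above refers to, as an added example that is not code from ZAC or from angular-oauth2-oidc: it models the library's strict discovery-document validation (an approximation of its documented behaviour, not its source) against a constructed Entra ID v2.0-style document with a placeholder tenant id, and shows what a relaxed mode loses and how a host allowlist can keep a safety net.

```javascript
// Added example, not ZAC's or angular-oauth2-oidc's code. Models the check that
// strictDiscoveryDocumentValidation performs: every endpoint must be https and,
// in strict mode, must start with the issuer URL. Entra's v2.0 issuer ends in
// "/v2.0" while its endpoints live under "/oauth2/v2.0/..." and "/discovery/v2.0/...",
// so every endpoint fails the prefix test even though the document itself is fine.
const TENANT = '00000000-0000-0000-0000-000000000000'; // constructed placeholder tenant id
const ISSUER = `https://login.microsoftonline.com/${TENANT}/v2.0`;

// Constructed document shaped like Entra's v2.0 discovery response (only the URL fields).
const ENTRA_DISCOVERY = {
  issuer: ISSUER,
  authorization_endpoint: `https://login.microsoftonline.com/${TENANT}/oauth2/v2.0/authorize`,
  token_endpoint: `https://login.microsoftonline.com/${TENANT}/oauth2/v2.0/token`,
  jwks_uri: `https://login.microsoftonline.com/${TENANT}/discovery/v2.0/keys`,
  userinfo_endpoint: 'https://graph.microsoft.com/oidc/userinfo',
  end_session_endpoint: `https://login.microsoftonline.com/${TENANT}/oauth2/v2.0/logout`,
};

const URL_KEYS = ['authorization_endpoint', 'token_endpoint', 'jwks_uri',
  'userinfo_endpoint', 'end_session_endpoint'];

// Returns a list of validation errors; an empty list means the document is accepted.
// strict: require every endpoint to start with the issuer (the library's strict mode).
// allowedHosts: when strict is off, optionally restrict endpoint hosts to a trusted set.
function validateDiscoveryDocument(doc, { strict = true, allowedHosts = null } = {}) {
  if (typeof doc.issuer !== 'string' || !doc.issuer.startsWith('https://')) {
    return ['issuer: missing or not https'];
  }
  const errors = [];
  for (const key of URL_KEYS) {
    const url = doc[key];
    if (!url) continue; // optional endpoints may be absent
    if (!url.startsWith('https://')) { errors.push(`${key}: not https`); continue; }
    if (strict && !url.toLowerCase().startsWith(doc.issuer.toLowerCase())) {
      errors.push(`${key}: does not start with issuer ${doc.issuer}`);
    } else if (!strict && allowedHosts) {
      // Relaxed mode drops the issuer-prefix guarantee; an allowlist keeps a
      // tampered or mis-served document from steering the flow to another host.
      const host = new URL(url).host;
      if (!allowedHosts.includes(host)) errors.push(`${key}: host ${host} not in allowlist`);
    }
  }
  return errors;
}

// A constructed copy where one endpoint points at a different host, to show
// which modes still catch it.
function tamperedDocument() {
  return { ...ENTRA_DISCOVERY, token_endpoint: 'https://attacker.invalid/oauth2/v2.0/token' };
}
```

Strict mode rejects all five Entra endpoints; relaxed mode accepts them, and only the allowlist variant still rejects the tampered document.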

Did you mark your identity as an admin? That was the problem I had. Once I resolved that, logging in was fine.

Yes, it is admin, I'll give it a try with the newest docker image, my current zac is 3.10.0.
Update: No luck, 1.6.2 had the same zac version
Update 2: My browser cached the previous zac, after reloading it correctly now it's version 3.12.3, and oidc login is working fine :partying_face:

I am sorry to you both as I believed I had replied to you, but it seems I can not just reply to the emails that I receive from discourse when there is an update on the topic.

I have not had a lot of time to look at this issue yet.
I just updated to 1.6.0 as indicated by gmat98, which gets past the first error but now I just have a spinning zac logo.