Hi Ziti Team,
I'm encountering an issue specifically with OIDC login for the Ziti Admin Console (ZAC) when using Azure Entra ID as the OIDC provider. ZAC is being served by my Ziti Controller.
Current Setup:
- Controller Version: v1.5.4
- Controller Listener: Single listener on my-controller.example.com:1280 (actual FQDN masked) using alt_server_certs.
  - Primary identity (for my-controller.example.com:1280) uses internal Ziti PKI.
  - alt_server_certs entry uses a Let's Encrypt certificate for public-api.example.com:1280 (actual FQDN masked).
- ZAC Access: Accessed via browser at https://public-api.example.com:1280/ziti-console (served by the LE cert).
- Entra ID App Registration for ZAC:
  - Redirect URI configured in Entra ID: https://public-api.example.com:1280/zac/callback
- Ziti Desktop Edge (ZDE) OIDC Enrollment: Works correctly using Entra ID. This confirms the controller's core OIDC client configuration (AuthPolicy and ExtJwtSigner for Entra ID) for its own interaction with Entra ID is functional.
Problem Specific to ZAC OIDC Login:
When attempting to log into ZAC using OIDC (targeting Entra ID):
- The browser successfully fetches Entra ID's discovery document: GET "https://login.microsoftonline.com/{my-tenant-id}/v2.0/.well-known/openid-configuration" returns 200 OK.
- Immediately after, ZAC's JavaScript client logs the following errors in the browser console:
  - error validating authorization_endpoint in discovery document ['Every url in discovery document has to start with …o see property strictDiscoveryDocumentValidation.']
  - Growler Msg: error Error Login Error Unable to initialize OAuth login: discovery_document_validation_error
This indicates that ZAC's internal OIDC client library is failing to validate Entra ID's discovery document, even though the document is fetched successfully.
Question:
- How is ZAC's OIDC client (the JavaScript running in the browser) configured when ZAC is served by the Ziti controller? Specifically, where does it get its authority (Issuer URL for Entra ID) and client_id to use for its direct OIDC flow with Entra ID?
- Is there a known issue or specific configuration required for ZAC's OIDC client library regarding strictDiscoveryDocumentValidation when used with Entra ID's v2.0 endpoints?
- Given that ZDE OIDC enrollment (where the Ziti controller is the OIDC client to Entra ID) works, what could be different about ZAC's client-side OIDC initialization that leads to this validation error?
I'm trying to understand how to ensure ZAC's OIDC client is correctly initialized to work with Entra ID, especially concerning the discovery document validation.
Thanks for any guidance!
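Added illustration, not part of the post above and not ZAC's or OpenZiti's code: a stand-alone re-implementation of the "every URL must start with the issuer" rule that the quoted error text describes (the strict discovery-document check found in browser OIDC libraries such as angular-oauth2-oidc; that ZAC uses that library is an assumption drawn only from the error message). It runs the check against a constructed document shaped like an Entra ID v2.0 discovery response, where the endpoints live under `/oauth2/v2.0/` rather than under the `/v2.0` issuer path, and contrasts it with a host-based check that still rejects non-HTTPS or unexpected hosts. The tenant id is a placeholder.

```javascript
// Constructed sample, modelled on the shape of an Entra ID v2.0 discovery
// document. The tenant id is a placeholder, not a real tenant.
const TENANT = "00000000-0000-0000-0000-000000000000";
const ISSUER = `https://login.microsoftonline.com/${TENANT}/v2.0`;
const DISCOVERY_DOC = {
  issuer: ISSUER,
  authorization_endpoint: `https://login.microsoftonline.com/${TENANT}/oauth2/v2.0/authorize`,
  token_endpoint: `https://login.microsoftonline.com/${TENANT}/oauth2/v2.0/token`,
  jwks_uri: `https://login.microsoftonline.com/${TENANT}/discovery/v2.0/keys`,
  end_session_endpoint: `https://login.microsoftonline.com/${TENANT}/oauth2/v2.0/logout`,
  userinfo_endpoint: "https://graph.microsoft.com/oidc/userinfo",
};

// Endpoint fields a browser OIDC client validates before starting a login.
const URL_FIELDS = [
  "authorization_endpoint",
  "token_endpoint",
  "jwks_uri",
  "end_session_endpoint",
  "userinfo_endpoint",
];

// Strict rule (strictDiscoveryDocumentValidation = true): each endpoint URL
// must begin with the issuer URL. Returns the fields that violate it.
function strictViolations(doc, issuer) {
  const prefix = issuer.toLowerCase();
  return URL_FIELDS.filter(
    (f) => typeof doc[f] === "string" && !doc[f].toLowerCase().startsWith(prefix)
  );
}

// Relaxed rule: endpoints must be HTTPS and sit on the issuer's host or on an
// explicitly allow-listed host. This is what turning the strict flag off
// should be paired with, so the document is still sanity-checked.
function relaxedViolations(doc, issuer, allowedHosts = []) {
  const allowed = new Set([new URL(issuer).host, ...allowedHosts]);
  return URL_FIELDS.filter((f) => {
    if (typeof doc[f] !== "string") return false;
    let u;
    try { u = new URL(doc[f]); } catch { return true; } // unparsable URL fails
    return u.protocol !== "https:" || !allowed.has(u.host);
  });
}

console.log("strict:", strictViolations(DISCOVERY_DOC, ISSUER));
console.log("relaxed:", relaxedViolations(DISCOVERY_DOC, ISSUER, ["graph.microsoft.com"]));
```

With the strict rule every Entra endpoint is rejected, which matches the first console error in the post; the relaxed rule accepts the login.microsoftonline.com endpoints and flags only hosts you have not allow-listed.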