Firstly, apologies for the longer post and many questions. No pressure to answer this all. Just observations/thoughts and I am excited to be back hands-on tinkering after being unexpectedly sidelined for a little while.
I went through upgrades for the first time on my original quick start docker compose setup to the latest 1.4.3 and it was a breeze. Found my Ziti instance where I left it otherwise, authenticated via my IDP and for the first time I had to go through my full MFA process (expected).
Through this, I noticed that the localhost 'listener' had already stopped by the time I finished my MFA process. So the browser redirect timed out and my auth attempt was interrupted and failed. Is this auth timeout length customizable to prevent this browser timeout from occurring?
I don't know if it's my laptop or what but I've seen sometimes after a wakeup that my zdew client shows me connected without issue when in reality I am not, and I need to toggle on/off to get the IDP icon to show up.
Potentially to help the above issue/concern, does it make sense to use a posture check to check for ext JWT auth for either a primary or secondary auth config? I see this in the docs for the TOTP MFA but is it possible in a similar way for JWT auth? I feel like the unlock/wakeup options could be useful in such a case.
Is there a way to add a dns suffix/search domain to connecting edge tunnel clients (Windows) in the same way as the NRPT rules are automagically added?
How feasible would it be to have it so that the authorize-IDP process automatically occurs without having to click the IDP button? This might make sense in certain scenarios (after boot/wake/etc.) where one intends to always be connected, such that the browser automatically opens up when needed.
Potential ZAC 3.110 bug maybe already known. The selected Auth Policy name doesn't seem to show up on the add identity page in the dropdown. Changing it works, and this is reflected in the json preview too, but the dropdown remains as if nothing has been selected.
Edit: Perhaps I should have opened separate posts for each. Sorry if so and I can abandon this and do that if preferred.
Right now it's not configurable. It's set to 30 seconds. That felt like a reasonable amount of time as a default but you're the second person I've seen/heard say that it wasn't quite long enough so it seems like we'll have to change that. I'll file an issue to allow for it to be configurable. You can track that issue if you like.
Oh, really? Interesting. If you're willing to capture a Main Menu->Feedback zip file and email it to clint at openziti.org I'll have a look. I specifically need both the logs from the tunneler and the logs from the UI to get a full picture. It's possible you simply have to add the offline_access scope to your ext-jwt-signer. That scope, if your IdP supports it, will allow your client to get a refresh token, keeping your identity available. If you have set that and it's still not working, it sounds like there's possibly a bug we need to find / fix.
I personally haven't tested this yet. Support for OIDC is still relatively new for the tunnelers so it's highly likely there are going to be bugs that need to be found for situations like this. I also don't know how we support secondary jwt auth. I know that it's come up as something we want to support, I just don't know if we have yet is all. It's on my list, but that "list" is long so we get to those things as we can.
Are you possibly referring to "wildcard intercepts"? Such as: "*.my.cool.domain"? You can do that right now, sure. You can also then send that request to an appropriate identity with a couple of caveats, most notably is the identity will need to be named the same as the intercepted address. For example, if you have "httpserver.my.cool.domain" and a "*.my.cool.domain" intercept, you can make an identity named "httpserver.my.cool.domain" and then traffic will be intercepted and sent to that identity. This is accomplished using two tunneler techniques, on the hosting side you use listen options: "listenOptions": {"bindUsingEdgeIdentity":true} and on the dialing side you use dial options: "dialOptions": {"identity": "$dst_hostname"}. We can discuss that more if you like but it might be best as a new topic so that people might find it if anyone ever searches for 'wildcard domain intercept' type stuff. (assuming i understand what you're asking)
I don't understand this question. It might be related to the offline_access scope I mention above. It should "just work" tbh.
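An added worked example of the wildcard-intercept setup described in the reply above. This is editor-supplied code, not the poster's or the OpenZiti project's own; the `$dst_hostname` dial option and `bindUsingEdgeIdentity` listen option are the two techniques named in the reply, while the service, config and role-attribute names, the zone `my.cool.domain`, the full 1-65535 port range, and the exact `ziti edge create ...` flag shapes are assumptions to check against `ziti edge create --help` for your version.

```shell
#!/usr/bin/env sh
# Editor-added example (not from the thread or the OpenZiti project):
# one intercept.v1 + host.v1 pair that routes every *.my.cool.domain
# hostname to the identity bearing that exact name.
# Assumed names: service "wildcard-svc", configs "wildcard-intercept" /
# "wildcard-host", role attributes "clients" / "hosts", zone "my.cool.domain".

ZONE="my.cool.domain"

# intercept.v1: the dialing tunneler intercepts *.my.cool.domain and dials the
# identity whose name equals the hostname the client asked for. $dst_hostname
# is expanded by the tunneler, not by this shell, hence the backslash.
intercept_config() {
  cat <<EOF
{
  "protocols": ["tcp", "udp"],
  "addresses": ["*.${ZONE}"],
  "portRanges": [{"low": 1, "high": 65535}],
  "dialOptions": {"identity": "\$dst_hostname"}
}
EOF
}

# host.v1: the hosting tunneler binds under its own identity name
# (bindUsingEdgeIdentity) and forwards the original address/port, so a dial
# for "httpserver.my.cool.domain" only reaches the identity with that name.
host_config() {
  cat <<EOF
{
  "forwardProtocol": true,
  "allowedProtocols": ["tcp", "udp"],
  "forwardAddress": true,
  "allowedAddresses": ["*.${ZONE}"],
  "forwardPort": true,
  "allowedPortRanges": [{"low": 1, "high": 65535}],
  "listenOptions": {"bindUsingEdgeIdentity": true}
}
EOF
}

# The caveat from the reply: the hosting identity must be named exactly as the
# intercepted FQDN. Echoes the identity name to create, or fails if the name
# is outside the wildcard zone (no intercept would fire for it).
identity_for_host() {
  case "$1" in
    *."$ZONE") echo "$1" ;;
    *) echo "'$1' is not under $ZONE; no intercept will fire" >&2; return 1 ;;
  esac
}

# Controller-side provisioning; flag shapes are assumed, verify with --help.
provision() {
  ziti edge create config wildcard-intercept intercept.v1 "$(intercept_config)"
  ziti edge create config wildcard-host host.v1 "$(host_config)"
  ziti edge create service wildcard-svc --configs wildcard-intercept,wildcard-host
  ziti edge create service-policy wildcard-dial Dial \
    --service-roles '@wildcard-svc' --identity-roles '#clients'
  ziti edge create service-policy wildcard-bind Bind \
    --service-roles '@wildcard-svc' --identity-roles '#hosts'
  # one hosting identity per intercepted hostname, named exactly as that hostname
  for h in "$@"; do
    name="$(identity_for_host "$h")" || continue
    ziti edge create identity "$name" -a hosts -o "$name.jwt"
  done
}

# Only touch a controller when the CLI is present and hostnames were given,
# e.g.: ./wildcard.sh httpserver.my.cool.domain db.my.cool.domain
if command -v ziti >/dev/null 2>&1 && [ "$#" -gt 0 ]; then
  provision "$@"
fi
```

The wide-open port range and both protocols are there to keep the example short; in practice narrow `portRanges`/`allowedPortRanges` and `protocols` to what the hosted services actually need, since every hosting identity in the `#hosts` role can otherwise bind any port under the zone.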
I have this all the time too... and I've had it on my phone after network changes (Wi-Fi AP/Mobile). I noticed all my scopes were mushed together in the JWT signer details for my IDP in the ZAC so I've split them up to ensure offline_access is used. I do have offline_access enabled in authentik (my IDP) though. Will reply back to let you know if my fix in scopes worked.
I think this would make a HUGE user experience improvement as well... it's annoying to have to click the lock icon for the IDP under the identity every time you connect/disable and enable identity. Even better would be an integrated browser window that opens, authenticates, closes if no login is needed so it's seamless (the whole point of SSO/having an IDP is staying logged in if your session is valid). Some apps such as AudioBookShelf do this (or something like it - no external browser even opened) - very seamless integration on Android with their app.
Thanks for the reply and insights. Much appreciated.
Topic: OIDC timeout
That's great, thanks. Would be curious to know what best practice is. I actually first hit it while 165ms away from my server, so a corner case. I'd imagine it might be a bigger issue for those that have to go through MFA with their IDP though.
Topic: Missing offline_access leading to issues after sleep/hibernate/network changes.
Awesome, adding this has definitely helped.. I am following along with the other recent post on this topic too.
Maybe I am imagining things but I think I may have contributed to stability weirdness in these scenarios by keeping trace logging on accidentally. I guess this should be obvious to most but I only ever realized it after stumbling on the note in the docs about not keeping it on. Probably not necessary but perhaps a little tooltip in the log level choice GUI next to those bottom 2 options couldn't hurt.
Topic: Suffix list
The suffix/search domain topic I mentioned is referring to when using an unqualified name in windows and the system knowing to automatically query with a domain in your search list.
User inputs "fileshare" but system then queries "fileshare.company.local". Unfortunately this is a "requirement" in some Windows/SMB environments. Easily worked around by adding manually but would be nice if the client could automatically add this at the same time as the NRPT rule