Hi team,
Been trying to implement Ziti Controller Clusters, progressed to OIDC setup for the client but got an error that I am puzzled by and unable to identify if this is a bug or what.
- Got everything authenticated, obtained token / claims from Keycloak
- However, the Windows client got this error trying to reach . I confirmed the actual path does return well-known configurations from the controller. Any pointers here?
```
[2025-05-20T20:39:41.234Z] ERROR ziti-sdk:oidc.c:198 parse_cb() unexpected content-type[.well-known/openid-configuration]: text/plain; charset=utf-8
[2025-05-20T20:39:41.234Z] ERROR ziti-sdk:ha_auth.c:145 config_cb() failed to configure OIDC[https://ctrl1.myziti.com:8441/oidc] client: -4071/(null)
```
Hi @Crystech, what does your external auth URL look like? It needs to be the root URL to the openid discovery endpoint. Looking at your error, that's what I think might be incorrect?
1 Like
First of all, thanks for replying here.
Finally I got it sorted out. Here are my settings (masking actual domains since it is public facing).
My External Auth URL seems OK: pointing to https://sso.ssoserver.com/realms/myrealm.
My error was setting the wrong JWKS endpoint.
I keep thinking it should point to the well-known as shown, but it should be the "jwks_uri": "https://sso.ssoserver.com/realms/myrealm/protocol/openid-connect/certs" of the [.well-known/openid-configuration] - for Keycloak (https://keycloak.example.com/realms/zitirealm/.well-known/openid-configuration)
And then it was my problem as well. The guide did say "Found using .well-known/openid-configuration".
It would be better to put an example as jwks_uri:/xxxxxxxxxxxxxxxxxx/
Finally got it working! Thanks for this awesome solution. Continuing to further test the setup.
Oh no. I'll get that doc fixed! Thanks for letting us know. Glad to hear you're sorted! Fix is in the pipeline. Thanks again. (update jwks entries by dovholuknf · Pull Request #1139 · openziti/ziti-doc · GitHub)
Doc updated (Keycloak | OpenZiti). Thanks again for the report.
1 Like
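The mix-up resolved in this thread (a JWKS endpoint set to the discovery URL instead of the `jwks_uri` value inside that document) can be caught before the settings go into the controller. The check below is an added example, not code from the posters or from OpenZiti: `classify_body` and `check_signer_settings` and their parameter names are hypothetical, the two JSON bodies are constructed samples using the masked host from the thread, and it assumes the External Auth URL is the issuer root.

```python
import json

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
REALM = "https://sso.ssoserver.com/realms/myrealm"  # masked host from the thread

# Constructed sample: trimmed Keycloak-style discovery document for that realm.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": REALM,
    "token_endpoint": REALM + "/protocol/openid-connect/token",
    "jwks_uri": REALM + "/protocol/openid-connect/certs",
})
# Constructed sample: shape of a JWKS response (key material is a placeholder).
SAMPLE_JWKS = json.dumps({"keys": [{"kty": "RSA", "kid": "constructed", "use": "sig"}]})


def classify_body(body):
    """Tell a JWKS document from a discovery document by its top-level members."""
    try:
        doc = json.loads(body)
    except ValueError:
        return "unknown"
    if not isinstance(doc, dict):
        return "unknown"
    if isinstance(doc.get("keys"), list):
        return "jwks"
    if "issuer" in doc and "jwks_uri" in doc:
        return "discovery"
    return "unknown"


def check_signer_settings(external_auth_url, jwks_endpoint, discovery_body):
    """Return a list of problems; an empty list means the settings agree with discovery."""
    if classify_body(discovery_body) != "discovery":
        return ["body fetched from %s%s is not a discovery document"
                % (external_auth_url.rstrip("/"), DISCOVERY_SUFFIX)]
    doc = json.loads(discovery_body)
    problems = []
    if doc["issuer"] != external_auth_url:
        problems.append("External Auth URL differs from issuer %s" % doc["issuer"])
    if jwks_endpoint.rstrip("/").endswith(DISCOVERY_SUFFIX):
        problems.append("JWKS endpoint is the discovery URL; use its jwks_uri %s" % doc["jwks_uri"])
    elif jwks_endpoint != doc["jwks_uri"]:
        problems.append("JWKS endpoint differs from jwks_uri %s" % doc["jwks_uri"])
    return problems


if __name__ == "__main__":
    for endpoint in (REALM + DISCOVERY_SUFFIX, REALM + "/protocol/openid-connect/certs"):
        print(endpoint, "->", check_signer_settings(REALM, endpoint, SAMPLE_DISCOVERY) or "ok")
```

In real use, replace `SAMPLE_DISCOVERY` with the body fetched from the identity provider's discovery URL.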