On this Ziti TV, we'll look at the new OIDC support being added to Windows specifically. How to configure an IdP for OpenZiti and how to use it in the ZDEW.
Live on YouTube at 11 AM ET. Watch live, ask questions or check out the replay:
This was very helpful. Thanks! Getting much further in the process now vs the attempt I gave before the video. Currently getting caught up in many errors depending on the config combinations I try (finicky like you say) but currently w/ error=[jwt failed to parse: token signature is invalid: crypto/rsa: verification error]} per the controller. Trying with Entra as the IDP. Switching between v1 and v2 access tokens is also another interesting setting on the Entra side which the Browzer docs brought my attention to. Going to keep trying and will report back.
This makes me think the controller couldn't verify the JWT given the JWKS endpoint provided, or the audience is incorrect. If you can obtain the token that is being used, you can put it into something like jwt.io and inspect your JWT.
My guess is either:
Unfortunately, debugging this can be quite difficult, particularly if this isn't something you do "every day". Some IdPs like Keycloak will allow you to generate a JWT so you can inspect it and compare fields and such. If Entra allows you to do that, that is often a good first step to make sure the JWT seems ok. You can always post the JWT contents here as well but not the whole base64 jwt!!! Just the contents in json form if you want someone (me) to have a peek.
Also I should have clarified that all other indications are that I am successfully authenticating. The Ziti localhost success page loads up, and sign in logs at my IDP show a successful auth attempt.
Yeah good. That at least means you have the configuration correct in the controller for the ZDEW to begin/complete the PKCE flow. That also means a JWT is being sent through to the controller, the controller just isn't able to verify the JWT. In the past, I think the only time I've had this happen was when my JWKS uri was self-signed. If your jwks endpoint is not self-signed, is there possibly some sort of DPI going on with TLS? Is something trying to terminate the connection to the IdP and inspect the packets?
Can you share the controller logs (DM if you wish) when you try to auth?
Not sure if I need to bump up a logging level but this is all I'm seeing right now:
[330709.505] ERROR ziti/controller/model.(*AuthModuleExtJwt).process: {authMethod=[ext-jwt]} encountered 1 candidate JWTs and all failed to validate for primary authentication, see the following log messages
[330709.505] ERROR ziti/controller/model.(*candidateResult).LogResult: {authMethod=[ext-jwt] issuer= audience= error=[jwt failed to parse: token signature is invalid: crypto/rsa: verification error]} failed to validate candidate JWT at index 0