Skip to main content
Star us on GitHub Star

Generic IdP

Google logo

Required Fields

The following fields are necessary in order to configure an external JWT signer with OpenZiti. This configuration will enable authentication via JWTs obtained through an Authorization Code Flow with PKCE or PKCE flow. OpenID Connect providers will provide a discovery endpoint that is useful for discovering the Issuer and the JWKS Endpoint needed to complete the external jwt signer setup.


FieldDescriptionExample
IssuerThe issuer field is a unique HTTPS URL that identifies the OpenID Provider. It must match the iss claim provided in the JWThttps://my.identity.provider:2345
Client IDThe unique value provided by the OIDC provider used to identify the application within the provider to useopenziti_client_id
AudienceThe audience, specified as the aud field in the JWT, used to verify the JWT is intended for the OpenZiti Controlleropenziti_client_id
External Auth URLFor OIDC, this is the same value as the issuer and should be the base url of the OIDC discovery endpoint (.well-known/openid-configuration)https://my.identity.provider:2345
JWKS EndpointA url the OpenZiti Controller can use to retrieve a JSON Web Key Set, used to verify JWTshttps://my.identity.provider:2345/.well-known/openid-configuration
Claims PropertyThe property within the JWT returned from the OIDC provider that will map to the external ID field of an identityemail
ScopesThe set of scopes to request when generating the authentication request to the OIDC providerprofile offline_access

Callback URLs

The Authorization Code Flow with PKCE or PKCE flow requires configuring callback URLs the Identity Provider (IdP) will allow redirecting to. If the URL for a specific client is not specifically listed, the IdP will deny the authentication request. Depending on the technology used to authenticate to the OpenZiti Network, different URLs need to be specified. More than one URL is allowed to be configured. Decide if you are configuring the IdP for use with tunnelers, with BrowZer or with both and add the appropriate callback urls.

In the Auth0 dashboard, with the application selected, choose the "Settings" tab and scroll down to the "Application URIs" section and add the URLs.

For Tunnelers

Tunnelers require an allowed callback URL of: http://localhost:20314/auth/callback.

For BrowZer

The URL to configure for BrowZer will vary depending on the BrowZer configuration. BrowZer requires a wildcard certificate in order to be deployed and all services are delivered from this wildcard domain. You will need to add the configured wildcard domain as the callback url.

For Ziti Admin Console (ZAC)

The URL to configure an IdP for so that ZAC will be able to authenticate will depend on how you deploy your ZAC. The current method recommended to deploy ZAC will deploy it on the same URL as the controller. For example: https://controller.example.com/zac/callback