Skip to content

fixes openziti/ziti#2324 add token based enrollment #3342

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Nov 5, 2025
Merged

fixes openziti/ziti#2324 add token based enrollment #3342

merged 7 commits into from
Nov 5, 2025

Conversation

@andrewpmartinez
Copy link
Member

@andrewpmartinez andrewpmartinez commented Oct 27, 2025

  • allows enrollment to certificate auth
  • allows enrollment to ext jwt token auth
  • alters ext jwt claimsProperty (maps identity id) to support JSON pointers, defaults to /sub
  • adds ext jwt enrollToCert, enrollToToken to controller valid enrollment end-authenticator state
  • adds ext jwt enrollAuthPolicyId to map end identity auth policy to, defaults to default
  • adds ext jwt enrollAttributeSelector, supports single field name or JSON pointer to point to a single string or array of string attributes to give the identity, defaults to no selector
  • adds ext jwt enrollNameSelector, supports single field name or JSON pointer to a string field to use as the name, defaults to /sub
  • add enrollment errors to determine if enrollment has occurred
  • adds CLI support for ext jwt signer enroll flags

@andrewpmartinez
fixes #2324 add token based enrollment
928c5ec 
- allows enrollment to certificate auth
- allows enrollment to ext jwt token auth
- alters ext jwt claimsProperty (maps identity id) to support JSON
  pointers, defaults to `/sub`
- adds ext jwt enrollToCert, enrollToToken to controller  valid
  enrollment end-authenticator state
- adds ext jwt enrollAuthPolicyId to map end identity auth policy to,
  defaults to `default`
- adds ext jwt enrollAttributeSelector, supports single field name or
  JSON pointer to point to a single string or array of string attributes
  to give the identity, defaults to no selector
- adds ext jwt enrollNameSelector, supports single field name or JSON
  pointer to a string field to use as the name, defaults to `/sub`
- add enrollment errors to determine if enrollment has occurred
- adds CLI support for ext jwt signer enroll flags
@andrewpmartinez andrewpmartinez requested review from a team as code owners October 27, 2025 20:34
dovholuknf
dovholuknf reviewed Oct 27, 2025
View reviewed changes
dovholuknf
dovholuknf reviewed Oct 27, 2025
View reviewed changes
dovholuknf
dovholuknf reviewed Oct 27, 2025
View reviewed changes
dovholuknf
dovholuknf reviewed Oct 27, 2025
View reviewed changes
dovholuknf
dovholuknf reviewed Oct 27, 2025
View reviewed changes
dovholuknf
dovholuknf reviewed Oct 27, 2025
View reviewed changes
dovholuknf
dovholuknf approved these changes Oct 28, 2025
View reviewed changes
Copy link
Member

@dovholuknf dovholuknf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

negative tests would be swell but looks fine to me

@ekoby
Copy link
Member

ekoby commented Oct 28, 2025

any chance to add support in ziti edge enroll?

@andrewpmartinez andrewpmartinez merged commit ce83c0f into main Nov 5, 2025
36 checks passed
@andrewpmartinez andrewpmartinez deleted the fix.2324.add.extjwt.oidc.enrollment branch November 5, 2025 20:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dovholuknf dovholuknf dovholuknf approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@andrewpmartinez @ekoby @dovholuknf