ziti-tunnel-sdk-c

jwt is burned if context already loaded

Open qrkourier opened this issue 2 years ago • 4 comments

The app doesn't allow loading an identity with the same name, but it will start enrollment and consume the JWT before it errors. It would be better if it checked for the colliding name first or just allowed two identities with the same name.

qrkourier, Mar 20 '23 15:03

Please provide steps to reproduce

dovholuknf, Mar 20 '23 17:03

  1. In console, create identity "testid" and download "testid.jwt"
  2. In app, add identity "testid.jwt"
  3. In console, delete identity "testid"
  4. In console, create identity "testid" and download "testid.jwt"
  5. In app, add identity "testid.jwt"
  6. In app, observe error "context already loaded"
  7. In app, forget identity "testid"
  8. In app, add identity "testid.jwt"
  9. In app, observe error "enrollment failed" (because JWT was already burned)
  10. In console, re-create identity "testid" and download "testid.jwt"
  11. In app, add identity "testid" SUCCESS

qrkourier, Mar 20 '23 17:03

This is a service thing, should be in the tunnel repo.

JeremyTellier, Mar 21 '23 22:03

@scareything I reproduced this with 0.22.19. ZET enrolls the new identity successfully before refusing to load the identity with a colliding context name. I think it should check for a collision before enrolling to avoid burning the token.

```
❯ ziti-edge-tunnel add --jwt "$(< /tmp/jwt)" --identity miniziti-client
received response <{"Success":false,"Error":"context already loaded","Code":500}
>
```

zet.log

qrkourier, Dec 21 '23 16:12
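
The ordering problem discussed in this thread, as an added example that is not code from ziti-tunnel-sdk-c or from any commenter. It is a toy model in C: `enroll`, `load`, `forget`, `replay` and every other name are hypothetical stand-ins, and `replay` walks reproduction steps 5 to 8 with the same one-time token under both orderings.

```c
/* Toy model added for illustration; not ziti-tunnel-sdk-c code. All names are hypothetical. */
#include <stdbool.h>
#include <string.h>

#define MAX_CTX 8
enum add_result { ADD_OK, ADD_ALREADY_LOADED, ADD_ENROLL_FAILED, ADD_FULL };
struct tunnel { const char *loaded[MAX_CTX]; int n_loaded; }; /* loaded context names */
struct jwt { bool consumed; };                                /* one-time enrollment token */
typedef enum add_result (*add_fn)(struct tunnel *, const char *, struct jwt *);

static bool is_loaded(const struct tunnel *t, const char *name) {
    for (int i = 0; i < t->n_loaded; i++)
        if (strcmp(t->loaded[i], name) == 0) return true;
    return false;
}
/* Stand-in for the controller: a token can be redeemed exactly once. */
static bool enroll(struct jwt *tok) {
    if (tok->consumed) return false;
    tok->consumed = true;
    return true;
}
static enum add_result load(struct tunnel *t, const char *name) {
    if (is_loaded(t, name)) return ADD_ALREADY_LOADED;
    if (t->n_loaded == MAX_CTX) return ADD_FULL;
    t->loaded[t->n_loaded++] = name;
    return ADD_OK;
}
static void forget(struct tunnel *t, const char *name) {
    for (int i = 0; i < t->n_loaded; i++)
        if (strcmp(t->loaded[i], name) == 0) { t->loaded[i] = t->loaded[--t->n_loaded]; return; }
}
/* Order reported in the issue: the token is spent before the collision is seen. */
enum add_result add_enroll_first(struct tunnel *t, const char *name, struct jwt *tok) {
    if (!enroll(tok)) return ADD_ENROLL_FAILED;
    return load(t, name);
}
/* Order suggested in the issue: finish every local check before touching the token. */
enum add_result add_check_first(struct tunnel *t, const char *name, struct jwt *tok) {
    if (is_loaded(t, name)) return ADD_ALREADY_LOADED;
    if (t->n_loaded == MAX_CTX) return ADD_FULL;
    if (!enroll(tok)) return ADD_ENROLL_FAILED;
    return load(t, name);
}
/* Replays steps 5-8 of the reproduction: collide, forget, retry with the same token. */
enum add_result replay(add_fn add) {
    struct tunnel t = { { "testid" }, 1 };  /* constructed state: stale "testid" still loaded */
    struct jwt tok = { false };             /* fresh token for the re-created identity */
    add(&t, "testid", &tok);                /* steps 5-6: "context already loaded" */
    forget(&t, "testid");                   /* step 7 */
    return add(&t, "testid", &tok);         /* step 8 */
}
```

With the enroll-first ordering the retry in step 8 returns `ADD_ENROLL_FAILED`, matching step 9 of the reproduction; with the check-first ordering the same token is still unspent and the retry succeeds.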