-rw-r--r--controller/DB.hpp2
-rw-r--r--controller/EmbeddedNetworkController.cpp2
-rw-r--r--controller/PostgreSQL.cpp2
-rw-r--r--include/ZeroTierOne.h5
-rw-r--r--node/IncomingPacket.cpp14
-rw-r--r--node/Network.cpp4
-rw-r--r--node/Network.hpp2
-rw-r--r--node/NetworkConfig.cpp7
-rw-r--r--node/NetworkConfig.hpp11
9 files changed, 36 insertions, 13 deletions
diff --git a/controller/DB.hpp b/controller/DB.hpp
index 24f388b8..d0641d72 100644
--- a/controller/DB.hpp
+++ b/controller/DB.hpp
@@ -48,6 +48,7 @@ public:
, version(0)
, authenticationURL()
, authenticationExpiryTime(0)
+ , issuerURL()
, centralAuthURL()
, ssoNonce()
, ssoState()
@@ -58,6 +59,7 @@ public:
uint64_t version;
std::string authenticationURL;
uint64_t authenticationExpiryTime;
+ std::string issuerURL;
std::string centralAuthURL;
std::string ssoNonce;
std::string ssoState;
diff --git a/controller/EmbeddedNetworkController.cpp b/controller/EmbeddedNetworkController.cpp
index 6351fb4a..4ce48fa2 100644
--- a/controller/EmbeddedNetworkController.cpp
+++ b/controller/EmbeddedNetworkController.cpp
@@ -1393,7 +1393,7 @@ void EmbeddedNetworkController::_request(
Dictionary<8192> authInfo;
authInfo.add(ZT_AUTHINFO_DICT_KEY_VERSION, info.version);
- authInfo.add(ZT_AUTHINFO_DICT_KEY_AUTHENTICATION_URL, info.authenticationURL.c_str());
+ authInfo.add(ZT_AUTHINFO_DICT_KEY_ISSUER_URL, info.issuerURL.c_str());
authInfo.add(ZT_AUTHINFO_DICT_KEY_CENTRAL_ENDPOINT_URL, info.centralAuthURL.c_str());
authInfo.add(ZT_AUTHINFO_DICT_KEY_NONCE, info.ssoNonce.c_str());
authInfo.add(ZT_AUTHINFO_DICT_KEY_STATE, info.ssoState.c_str());
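Review bot: Dropping the `aU` (ZT_AUTHINFO_DICT_KEY_AUTHENTICATION_URL) entry from the v1 authInfo dictionary without changing the version number breaks clients built before this commit: their authVer==1 branch still requires `aU` to be present (that is the haveAuthURL check this commit replaces in IncomingPacket.cpp), so they will treat the reply as having no URL and never learn that SSO is required. Unless controller and clients are always upgraded in lock-step, emit both keys during the transition, `authInfo.add(ZT_AUTHINFO_DICT_KEY_AUTHENTICATION_URL, info.authenticationURL.c_str());` next to the new `iU` entry, and keep populating info.authenticationURL on the v1 path of getSSOAuthInfo, which this commit stops doing. The enclosing _request function begins and ends outside the hunk.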
diff --git a/controller/PostgreSQL.cpp b/controller/PostgreSQL.cpp
index d94602e5..f79c8725 100644
--- a/controller/PostgreSQL.cpp
+++ b/controller/PostgreSQL.cpp
@@ -432,7 +432,7 @@ AuthInfo PostgreSQL::getSSOAuthInfo(const nlohmann::json &member, const std::str
info.authenticationURL = std::string(url);
} else if (info.version == 1) {
info.ssoClientID = client_id;
- info.authenticationURL = authorization_endpoint;
+ info.issuerURL = authorization_endpoint;
info.ssoNonce = nonce;
info.ssoState = std::string(state_hex);
info.centralAuthURL = redirectURL;
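Review bot: The field renamed to issuerURL is still filled from `authorization_endpoint`, so the rename changes what the value is called but not what it holds. In OIDC the issuer identifier (the base the client appends `/.well-known/openid-configuration` to, and the value an ID token's `iss` claim must equal) and the authorization endpoint are different URLs; if the client now treats this value as the issuer, discovery would be attempted against the authorization endpoint and any `iss` comparison would fail, and if the value actually is the issuer then the local variable name is what misleads. Where `authorization_endpoint` is read is outside the hunk, so either assign from the issuer the query returns or rename the local and say so, e.g. `info.issuerURL = issuer; // OIDC issuer identifier, not the authorization endpoint`. getSSOAuthInfo continues outside the hunk.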
diff --git a/include/ZeroTierOne.h b/include/ZeroTierOne.h
index 0a8ec85f..6d61c6ea 100644
--- a/include/ZeroTierOne.h
+++ b/include/ZeroTierOne.h
@@ -1217,6 +1217,11 @@ typedef struct
uint64_t authenticationExpiryTime;
/**
+ * OIDC issuer URL.
+ */
+ char issuerURL[2048];
+
+ /**
* central base URL.
*/
char centralAuthURL[2048];
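Review bot: Inserting `char issuerURL[2048]` ahead of centralAuthURL moves the offset of centralAuthURL and every member after it, and include/ZeroTierOne.h looks like the public C API header, so any consumer compiled against the previous layout (language bindings, out-of-tree users of the struct) would read centralAuthURL, ssoNonce and the rest from the wrong offsets. If this struct is treated as a stable ABI, append the new member at the end instead (or bump whatever API version constant the header exposes); if it is not, a comment saying the layout is not stable would save the next reader the same question. The typedef'd struct starts and ends outside the hunk, so I cannot see whether a version field already guards it.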
diff --git a/node/IncomingPacket.cpp b/node/IncomingPacket.cpp
index df2626e8..15003b4e 100644
--- a/node/IncomingPacket.cpp
+++ b/node/IncomingPacket.cpp
@@ -212,8 +212,8 @@ bool IncomingPacket::_doERROR(const RuntimeEnvironment *RR,void *tPtr,const Shar
noUrl = false;
}
} else if (authVer == 1) {
- bool haveAuthURL = false;
- char authenticationURL[2048] = { 0 };
+ bool haveIssuerURL = false;
+ char issuerURL[2048] = { 0 };
bool haveCentralURL = false;
char centralAuthURL[2048] = { 0 };
bool haveNonce = false;
@@ -223,9 +223,9 @@ bool IncomingPacket::_doERROR(const RuntimeEnvironment *RR,void *tPtr,const Shar
bool haveClientID = false;
char ssoClientID[256] = { 0 };
- if (authInfo.get(ZT_AUTHINFO_DICT_KEY_AUTHENTICATION_URL, authenticationURL, sizeof(authenticationURL)) > 0) {
- authenticationURL[sizeof(authenticationURL) - 1] = 0;
- haveAuthURL = true;
+ if (authInfo.get(ZT_AUTHINFO_DICT_KEY_ISSUER_URL, issuerURL, sizeof(issuerURL)) > 0) {
+ issuerURL[sizeof(issuerURL) - 1] = 0;
+ haveIssuerURL = true;
}
if (authInfo.get(ZT_AUTHINFO_DICT_KEY_CENTRAL_ENDPOINT_URL, centralAuthURL, sizeof(centralAuthURL))>0) {
centralAuthURL[sizeof(centralAuthURL) - 1] = 0;
@@ -244,10 +244,10 @@ bool IncomingPacket::_doERROR(const RuntimeEnvironment *RR,void *tPtr,const Shar
haveClientID = true;
}
- noUrl = ! (haveAuthURL && haveCentralURL && haveNonce && haveState && haveClientID);
+ noUrl = ! (haveIssuerURL && haveCentralURL && haveNonce && haveState && haveClientID);
if (!noUrl) {
- network->setAuthenticationRequired(authenticationURL, centralAuthURL, ssoClientID, ssoNonce, ssoState);
+ network->setAuthenticationRequired(issuerURL, centralAuthURL, ssoClientID, ssoNonce, ssoState);
}
}
}
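Review bot: The issuer URL is accepted from the ERROR packet and handed to setAuthenticationRequired with only a presence check, yet, per the header comment on the new field, it is the OIDC issuer the client will later contact and the destination the user is sent to, so a plain-http or malformed value from a misconfigured or compromised controller passes through unchallenged. Unless the consumer validates it elsewhere, require an https scheme before accepting it, `if (haveIssuerURL && strncmp(issuerURL, "https://", 8) != 0) noUrl = true;`, or at least document where the scheme and host are checked. Whether the packet was verified to come from the network's controller is decided above this hunk in code not shown; _doERROR continues outside the hunk.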
diff --git a/node/Network.cpp b/node/Network.cpp
index 0d9261e3..b5033779 100644
--- a/node/Network.cpp
+++ b/node/Network.cpp
@@ -1561,14 +1561,14 @@ Membership &Network::_membership(const Address &a)
return _memberships[a];
}
-void Network::setAuthenticationRequired(const char* authEndpoint, const char* centralEndpoint, const char* clientID, const char* nonce, const char* state)
+void Network::setAuthenticationRequired(const char* issuerURL, const char* centralEndpoint, const char* clientID, const char* nonce, const char* state)
{
Mutex::Lock _l(_lock);
_netconfFailure = NETCONF_FAILURE_AUTHENTICATION_REQUIRED;
_config.ssoEnabled = true;
_config.ssoVersion = 1;
- Utils::scopy(_config.authenticationURL, sizeof(_config.authenticationURL), authEndpoint);
+ Utils::scopy(_config.issuerURL, sizeof(_config.issuerURL), issuerURL);
Utils::scopy(_config.centralAuthURL, sizeof(_config.centralAuthURL), centralEndpoint);
Utils::scopy(_config.ssoClientID, sizeof(_config.ssoClientID), clientID);
Utils::scopy(_config.ssoNonce, sizeof(_config.ssoNonce), nonce);
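Review bot: `_config.authenticationURL` is no longer written on this v1 path, so whatever value an earlier network config (or the v0 branch) left in it now survives next to the freshly set issuerURL; any reader that still consults authenticationURL when ssoVersion is 1, or that serializes the whole config (toDictionary emits both fields), will see stale data. Clearing it here, `_config.authenticationURL[0] = 0;`, keeps the two fields from disagreeing. setAuthenticationRequired continues past the end of the hunk.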
diff --git a/node/Network.hpp b/node/Network.hpp
index 1aa64cf4..680b5447 100644
--- a/node/Network.hpp
+++ b/node/Network.hpp
@@ -240,7 +240,7 @@ public:
* set netconf failure to 'authentication required' along with info needed
* for sso full flow authentication.
*/
- void setAuthenticationRequired(const char* authEndpoint, const char* centralEndpoint, const char* clientID, const char* nonce, const char* state);
+ void setAuthenticationRequired(const char* issuerURL, const char* centralEndpoint, const char* clientID, const char* nonce, const char* state);
/**
* Causes this network to request an updated configuration from its master node now
diff --git a/node/NetworkConfig.cpp b/node/NetworkConfig.cpp
index ca1cf5d1..2b76b673 100644
--- a/node/NetworkConfig.cpp
+++ b/node/NetworkConfig.cpp
@@ -196,7 +196,9 @@ bool NetworkConfig::toDictionary(Dictionary<ZT_NETWORKCONFIG_DICT_CAPACITY> &d,b
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_SSO_VERSION, this->ssoVersion)) return false;
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_SSO_ENABLED, this->ssoEnabled)) return false;
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_URL, this->authenticationURL)) return false;
- if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_CENTRAL_ENDPOINT_URL, this->centralAuthURL)) return false;
+ if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_ISSUER_URL, this->issuerURL)) return false;
+ if (! d.add(ZT_NETWORKCONFIG_DICT_KEY_CENTRAL_ENDPOINT_URL, this->centralAuthURL))
+ return false;
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_NONCE, this->ssoNonce)) return false;
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_STATE, this->ssoState)) return false;
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_CLIENT_ID, this->ssoClientID)) return false;
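Review bot: The rewritten centralAuthURL line breaks the one-line `if (!d.add(...)) return false;` form every neighbouring line in this block uses, putting the return on its own line and spacing the negation as `! d.add`. Since the logic is unchanged, keep the line as it was, `if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_CENTRAL_ENDPOINT_URL, this->centralAuthURL)) return false;`, so the ISSUER_URL addition is the only change the hunk makes. toDictionary begins and ends outside the hunk.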
@@ -408,6 +410,9 @@ bool NetworkConfig::fromDictionary(const Dictionary<ZT_NETWORKCONFIG_DICT_CAPACI
if (d.get(ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_URL, this->authenticationURL, (unsigned int)sizeof(this->authenticationURL)) > 0) {
this->authenticationURL[sizeof(this->authenticationURL) - 1] = 0;
}
+ if (d.get(ZT_NETWORKCONFIG_DICT_KEY_ISSUER_URL, this->issuerURL, (unsigned int)sizeof(this->issuerURL)) > 0) {
+ this->issuerURL[sizeof(this->issuerURL) - 1] = 0;
+ }
if (d.get(ZT_NETWORKCONFIG_DICT_KEY_CENTRAL_ENDPOINT_URL, this->centralAuthURL, (unsigned int)sizeof(this->centralAuthURL)) > 0) {
this->centralAuthURL[sizeof(this->centralAuthURL) - 1] = 0;
}
diff --git a/node/NetworkConfig.hpp b/node/NetworkConfig.hpp
index 8b18e150..8c08838c 100644
--- a/node/NetworkConfig.hpp
+++ b/node/NetworkConfig.hpp
@@ -186,6 +186,8 @@ namespace ZeroTier {
#define ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_URL "aurl"
// authentication expiry
#define ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_EXPIRY_TIME "aexpt"
+// oidc issuer URL
+#define ZT_NETWORKCONFIG_DICT_KEY_ISSUER_URL "iurl"
// central endpoint
#define ZT_NETWORKCONFIG_DICT_KEY_CENTRAL_ENDPOINT_URL "ssoce"
// nonce
@@ -201,6 +203,8 @@ namespace ZeroTier {
#define ZT_AUTHINFO_DICT_KEY_VERSION "aV"
// authenticaiton URL
#define ZT_AUTHINFO_DICT_KEY_AUTHENTICATION_URL "aU"
+// issuer URL
+#define ZT_AUTHINFO_DICT_KEY_ISSUER_URL "iU"
// Central endpoint URL
#define ZT_AUTHINFO_DICT_KEY_CENTRAL_ENDPOINT_URL "aCU"
// Nonce
@@ -268,6 +272,7 @@ public:
ssoEnabled(false),
authenticationURL(),
authenticationExpiryTime(0),
+ issuerURL(),
centralAuthURL(),
ssoNonce(),
ssoState(),
@@ -280,6 +285,7 @@ public:
memset(rules, 0, sizeof(ZT_VirtualNetworkRule)*ZT_MAX_NETWORK_RULES);
memset(&dns, 0, sizeof(ZT_VirtualNetworkDNS));
memset(authenticationURL, 0, sizeof(authenticationURL));
+ memset(issuerURL, 0, sizeof(issuerURL));
memset(centralAuthURL, 0, sizeof(centralAuthURL));
memset(ssoNonce, 0, sizeof(ssoNonce));
memset(ssoState, 0, sizeof(ssoState));
@@ -671,6 +677,11 @@ public:
uint64_t authenticationExpiryTime;
/**
+ * OIDC issuer URL
+ */
+ char issuerURL[2048];
+
+ /**
* central base URL.
*/
char centralAuthURL[2048];