Client & Central Controller updates to support additonal OIDC features (#1848)

Client side: * Fix compatibility with OneLogin * Requested scopes vary by OIDC provider. Different providers have different Controller side: *Update Postgres queries to latest Central schema * Added Central Controller support for the different providers * Base OIDC provider details are still attached to an org. Client ID & group/email lists are now associated with individual networks.
2023-01-19 15:39:15 -08:00 · 2023-01-19 15:39:15 -08:00 · 0ae09577f6
commit 0ae09577f6
parent a59f82093a
11 changed files with 175 additions and 68 deletions
--- a/node/IncomingPacket.cpp
+++ b/node/IncomingPacket.cpp
@ -217,6 +217,7 @@ bool IncomingPacket::_doERROR(const RuntimeEnvironment *RR,void *tPtr,const Shar
 							char ssoNonce[64] = { 0 };
 							char ssoState[128] = {0};
 							char ssoClientID[256] = { 0 };
+							char ssoProvider[64] = { 0 };

 							if (authInfo.get(ZT_AUTHINFO_DICT_KEY_ISSUER_URL, issuerURL, sizeof(issuerURL)) > 0) {
 								issuerURL[sizeof(issuerURL) - 1] = 0;
@ -233,8 +234,13 @@ bool IncomingPacket::_doERROR(const RuntimeEnvironment *RR,void *tPtr,const Shar
 							if (authInfo.get(ZT_AUTHINFO_DICT_KEY_CLIENT_ID, ssoClientID, sizeof(ssoClientID)) > 0) {
 								ssoClientID[sizeof(ssoClientID) - 1] = 0;
 							}
+							if (authInfo.get(ZT_AUTHINFO_DICT_KEY_SSO_PROVIDER, ssoProvider, sizeof(ssoProvider)) > 0 ) {
+								ssoProvider[sizeof(ssoProvider) - 1] = 0;
+							} else {
+								strncpy(ssoProvider, "default", sizeof(ssoProvider));
+							}

-							network->setAuthenticationRequired(tPtr, issuerURL, centralAuthURL, ssoClientID, ssoNonce, ssoState);
+							network->setAuthenticationRequired(tPtr, issuerURL, centralAuthURL, ssoClientID, ssoProvider, ssoNonce, ssoState);
 						}
 					}
 				} else {
--- a/node/Network.cpp
+++ b/node/Network.cpp
@ -1450,6 +1450,7 @@ void Network::_externalConfig(ZT_VirtualNetworkConfig *ec) const
 	Utils::scopy(ec->ssoNonce, sizeof(ec->ssoNonce), _config.ssoNonce);
 	Utils::scopy(ec->ssoState, sizeof(ec->ssoState), _config.ssoState);
 	Utils::scopy(ec->ssoClientID, sizeof(ec->ssoClientID), _config.ssoClientID);
+	Utils::scopy(ec->ssoProvider, sizeof(ec->ssoProvider), _config.ssoProvider);
 }

 void Network::_sendUpdatesToMembers(void *tPtr,const MulticastGroup *const newMulticastGroup)
@ -1556,7 +1557,7 @@ Membership &Network::_membership(const Address &a)
 	return _memberships[a];
 }

-void Network::setAuthenticationRequired(void *tPtr, const char* issuerURL, const char* centralEndpoint, const char* clientID, const char* nonce, const char* state)
+void Network::setAuthenticationRequired(void *tPtr, const char* issuerURL, const char* centralEndpoint, const char* clientID, const char *ssoProvider, const char* nonce, const char* state)
 {
 	Mutex::Lock _l(_lock);
 	_netconfFailure = NETCONF_FAILURE_AUTHENTICATION_REQUIRED;
@ -1568,6 +1569,7 @@ void Network::setAuthenticationRequired(void *tPtr, const char* issuerURL, const
 	Utils::scopy(_config.ssoClientID, sizeof(_config.ssoClientID), clientID);
 	Utils::scopy(_config.ssoNonce, sizeof(_config.ssoNonce), nonce);
 	Utils::scopy(_config.ssoState, sizeof(_config.ssoState), state);
+	Utils::scopy(_config.ssoProvider, sizeof(_config.ssoProvider), ssoProvider);
 	_sendUpdateEvent(tPtr);
 }

--- a/node/Network.hpp
+++ b/node/Network.hpp
@ -241,7 +241,7 @@ public:
 	 * set netconf failure to 'authentication required' along with info needed
 	 * for sso full flow authentication.
 	 */
-	void setAuthenticationRequired(void *tPtr, const char* issuerURL, const char* centralEndpoint, const char* clientID, const char* nonce, const char* state);
+	void setAuthenticationRequired(void *tPtr, const char* issuerURL, const char* centralEndpoint, const char* clientID, const char *ssoProvider, const char* nonce, const char* state);

 	/**
 	 * Causes this network to request an updated configuration from its master node now
--- a/node/NetworkConfig.cpp
+++ b/node/NetworkConfig.cpp
@ -201,6 +201,7 @@ bool NetworkConfig::toDictionary(Dictionary<ZT_NETWORKCONFIG_DICT_CAPACITY> &d,b
 			if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_NONCE, this->ssoNonce)) return false;
 			if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_STATE, this->ssoState)) return false;
 			if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_CLIENT_ID, this->ssoClientID)) return false;
+			if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_SSO_PROVIDER, this->ssoProvider)) return false;
 		}

 		delete tmp;
@ -424,6 +425,12 @@ bool NetworkConfig::fromDictionary(const Dictionary<ZT_NETWORKCONFIG_DICT_CAPACI
 					if (d.get(ZT_NETWORKCONFIG_DICT_KEY_CLIENT_ID, this->ssoClientID, (unsigned int)sizeof(this->ssoClientID)) > 0) {
 						this->ssoClientID[sizeof(this->ssoClientID) - 1] = 0;
 					}
+					if (d.get(ZT_NETWORKCONFIG_DICT_KEY_SSO_PROVIDER, this->ssoProvider, (unsigned int)(sizeof(this->ssoProvider))) > 0) {
+						this->ssoProvider[sizeof(this->ssoProvider) - 1] = 0;
+					} else {
+						strncpy(this->ssoProvider, "default", sizeof(this->ssoProvider));
+						this->ssoProvider[sizeof(this->ssoProvider) - 1] = 0;
+					}
 				} else {
 					this->authenticationURL[0] = 0;
 					this->authenticationExpiryTime = 0;
@ -432,6 +439,7 @@ bool NetworkConfig::fromDictionary(const Dictionary<ZT_NETWORKCONFIG_DICT_CAPACI
 					this->ssoState[0] = 0;
 					this->ssoClientID[0] = 0;
 					this->issuerURL[0] = 0;
+					this->ssoProvider[0] = 0;
 				}
 			}
 		}
--- a/node/NetworkConfig.hpp
+++ b/node/NetworkConfig.hpp
@ -195,6 +195,8 @@ namespace ZeroTier {
 #define ZT_NETWORKCONFIG_DICT_KEY_STATE "ssos"
 // client ID
 #define ZT_NETWORKCONFIG_DICT_KEY_CLIENT_ID "ssocid"
+// SSO Provider
+#define ZT_NETWORKCONFIG_DICT_KEY_SSO_PROVIDER "ssop"

 // AuthInfo fields -- used by ncSendError for sso

@ -212,6 +214,8 @@ namespace ZeroTier {
 #define ZT_AUTHINFO_DICT_KEY_STATE "aS"
 // Client ID
 #define ZT_AUTHINFO_DICT_KEY_CLIENT_ID "aCID"
+// SSO Provider
+#define ZT_AUTHINFO_DICT_KEY_SSO_PROVIDER "aSSOp"

 // Legacy fields -- these are obsoleted but are included when older clients query

@ -289,6 +293,7 @@ public:
 		memset(ssoNonce, 0, sizeof(ssoNonce));
 		memset(ssoState, 0, sizeof(ssoState));
 		memset(ssoClientID, 0, sizeof(ssoClientID));
+		strncpy(ssoProvider, "default", sizeof(ssoProvider));
 	}

 	/**
@ -699,6 +704,15 @@ public:
 	 * oidc client id
 	 */
 	char ssoClientID[256];
+
+	/**
+	 * oidc provider
+	 *
+	 * because certain providers require specific scopes to be requested
+	 * and others to be not requested in order to make everything work
+	 * correctly
+	 **/
+	char ssoProvider[64];
 };

 } // namespace ZeroTier