From fa21fdc1cc45623e7eaf1696e3eb0a268a2dea7e Mon Sep 17 00:00:00 2001
From: Grant Limberg
Date: Thu, 11 Nov 2021 16:19:26 -0800
Subject: [PATCH] rename stuff for clarity
authenticationURL will still be used by the client for v1 and v2 of sso
---
 controller/DB.hpp | 2 ++
 controller/EmbeddedNetworkController.cpp | 2 +-
 controller/PostgreSQL.cpp | 2 +-
 include/ZeroTierOne.h | 5 +++++
 node/IncomingPacket.cpp | 14 +++++++-------
 node/Network.cpp | 4 ++--
 node/Network.hpp | 2 +-
 node/NetworkConfig.cpp | 7 ++++++-
 node/NetworkConfig.hpp | 11 +++++++++++
 9 files changed, 36 insertions(+), 13 deletions(-)
diff --git a/controller/DB.hpp b/controller/DB.hpp
index 24f388b8f..d0641d72e 100644
--- a/controller/DB.hpp
+++ b/controller/DB.hpp
@@ -48,6 +48,7 @@ public:
 , version(0)
 , authenticationURL()
 , authenticationExpiryTime(0)
+ , issuerURL()
 , centralAuthURL()
 , ssoNonce()
 , ssoState()
@@ -58,6 +59,7 @@ public:
 uint64_t version;
 std::string authenticationURL;
 uint64_t authenticationExpiryTime;
+ std::string issuerURL;
 std::string centralAuthURL;
 std::string ssoNonce;
 std::string ssoState;
diff --git a/controller/EmbeddedNetworkController.cpp b/controller/EmbeddedNetworkController.cpp
index 6351fb4a8..4ce48fa26 100644
--- a/controller/EmbeddedNetworkController.cpp
+++ b/controller/EmbeddedNetworkController.cpp
@@ -1393,7 +1393,7 @@ void EmbeddedNetworkController::_request(
 Dictionary<8192> authInfo;
 authInfo.add(ZT_AUTHINFO_DICT_KEY_VERSION, info.version);
- authInfo.add(ZT_AUTHINFO_DICT_KEY_AUTHENTICATION_URL, info.authenticationURL.c_str());
+ authInfo.add(ZT_AUTHINFO_DICT_KEY_ISSUER_URL, info.issuerURL.c_str());
 authInfo.add(ZT_AUTHINFO_DICT_KEY_CENTRAL_ENDPOINT_URL, info.centralAuthURL.c_str());
 authInfo.add(ZT_AUTHINFO_DICT_KEY_NONCE, info.ssoNonce.c_str());
 authInfo.add(ZT_AUTHINFO_DICT_KEY_STATE, info.ssoState.c_str());
diff --git a/controller/PostgreSQL.cpp b/controller/PostgreSQL.cpp
index d94602e51..f79c8725d 100644
--- a/controller/PostgreSQL.cpp
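Review bot: The rebuilt authInfo dictionary no longer carries ZT_AUTHINFO_DICT_KEY_AUTHENTICATION_URL at all, yet the PostgreSQL.cpp hunk in this same commit only fills info.authenticationURL for version 0, and the receive side's authVer == 0 branch (left untouched in IncomingPacket.cpp) still appears to key on that entry. If this Dictionary is emitted for both versions — the preceding `authInfo.add(ZT_AUTHINFO_DICT_KEY_VERSION, info.version);` suggests it is — a v0 member would now receive an ERROR with no URL and presumably land in the noUrl path. Either keep both entries, adding `authInfo.add(ZT_AUTHINFO_DICT_KEY_AUTHENTICATION_URL, info.authenticationURL.c_str());` next to the new issuer line, or branch on info.version so each version gets the key its client reads. _request() begins and ends outside this hunk, so any version switch around this block is not visible here.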
+++ b/controller/PostgreSQL.cpp
@@ -432,7 +432,7 @@ AuthInfo PostgreSQL::getSSOAuthInfo(const nlohmann::json &member, const std::str
 info.authenticationURL = std::string(url);
 } else if (info.version == 1) {
 info.ssoClientID = client_id;
- info.authenticationURL = authorization_endpoint;
+ info.issuerURL = authorization_endpoint;
 info.ssoNonce = nonce;
 info.ssoState = std::string(state_hex);
 info.centralAuthURL = redirectURL;
diff --git a/include/ZeroTierOne.h b/include/ZeroTierOne.h
index 0a8ec85fd..6d61c6ea8 100644
--- a/include/ZeroTierOne.h
+++ b/include/ZeroTierOne.h
@@ -1216,6 +1216,11 @@ typedef struct
 */
 uint64_t authenticationExpiryTime;
+ /**
+ * OIDC issuer URL.
+ */
+ char issuerURL[2048];
+
 /**
 * central base URL.
 */
diff --git a/node/IncomingPacket.cpp b/node/IncomingPacket.cpp
index df2626e89..15003b4eb 100644
--- a/node/IncomingPacket.cpp
+++ b/node/IncomingPacket.cpp
@@ -212,8 +212,8 @@ bool IncomingPacket::_doERROR(const RuntimeEnvironment *RR,void *tPtr,const Shar
 noUrl = false;
 }
 } else if (authVer == 1) {
- bool haveAuthURL = false;
- char authenticationURL[2048] = { 0 };
+ bool haveIssuerURL = false;
+ char issuerURL[2048] = { 0 };
 bool haveCentralURL = false;
 char centralAuthURL[2048] = { 0 };
 bool haveNonce = false;
@@ -223,9 +223,9 @@ bool IncomingPacket::_doERROR(const RuntimeEnvironment *RR,void *tPtr,const Shar
 bool haveClientID = false;
 char ssoClientID[256] = { 0 };
- if (authInfo.get(ZT_AUTHINFO_DICT_KEY_AUTHENTICATION_URL, authenticationURL, sizeof(authenticationURL)) > 0) {
- authenticationURL[sizeof(authenticationURL) - 1] = 0;
- haveAuthURL = true;
+ if (authInfo.get(ZT_AUTHINFO_DICT_KEY_ISSUER_URL, issuerURL, sizeof(issuerURL)) > 0) {
+ issuerURL[sizeof(issuerURL) - 1] = 0;
+ haveIssuerURL = true;
 }
 if (authInfo.get(ZT_AUTHINFO_DICT_KEY_CENTRAL_ENDPOINT_URL, centralAuthURL, sizeof(centralAuthURL))>0) {
 centralAuthURL[sizeof(centralAuthURL) - 1] = 0;
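Review bot: `info.issuerURL = authorization_endpoint;` stores a value whose local name says it is the OIDC authorization endpoint into a field this same commit documents (in ZeroTierOne.h) as the OIDC issuer URL; in OIDC those are distinct — the issuer is the base against which `/.well-known/openid-configuration` is resolved, and the authorization endpoint is one of the URLs that discovery returns. If the client treats issuerURL as an issuer and runs discovery against it, this will either fail or resolve against whatever host the endpoint happens to point at; if the field is genuinely meant to carry the authorization endpoint, the rename makes the code less clear rather than more. Either assign the provider's actual issuer here, or keep the old assignment and add a comment stating which URL this field holds. getSSOAuthInfo begins and ends outside this hunk, so the origin of authorization_endpoint is not visible.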
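Review bot: Inserting `char issuerURL[2048];` ahead of centralAuthURL in this public typedef shifts every following member by 2 KiB, so this is an ABI break for any consumer built against the previous header layout and should travel with a version bump and a release note. Nothing in this commit copies NetworkConfig::issuerURL into this new member either — the Network.cpp hunk only touches setAuthenticationRequired — so unless the code that fills ZT_VirtualNetworkConfig is updated elsewhere, the field exposed through the API stays empty. The doc comment should also say when the field is populated, e.g. `OIDC issuer URL for the v1 SSO flow; empty string when not set.` The struct begins and ends outside this hunk.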
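Review bot: issuerURL is accepted from the ERROR packet whenever the dictionary entry is non-empty; nothing checks that it is an https URL before it reaches setAuthenticationRequired and, presumably, the user's browser for the SSO flow. The controller is already trusted for network configuration, but an OIDC issuer must be an https URL, and a plain-scheme or garbage value here surfaces as a confusing failure far from its source; replacing the unconditional `haveIssuerURL = true;` with a scheme check such as `haveIssuerURL = (strncmp(issuerURL, "https://", 8) == 0);` (or the project's own string helper) rejects it at the boundary and leaves noUrl to handle the rest. The explicit NUL termination after get() is correct and should stay. _doERROR begins and ends outside this hunk.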
@@ -244,10 +244,10 @@ bool IncomingPacket::_doERROR(const RuntimeEnvironment *RR,void *tPtr,const Shar
 haveClientID = true;
 }
- noUrl = ! (haveAuthURL && haveCentralURL && haveNonce && haveState && haveClientID);
+ noUrl = ! (haveIssuerURL && haveCentralURL && haveNonce && haveState && haveClientID);
 if (!noUrl) {
- network->setAuthenticationRequired(authenticationURL, centralAuthURL, ssoClientID, ssoNonce, ssoState);
+ network->setAuthenticationRequired(issuerURL, centralAuthURL, ssoClientID, ssoNonce, ssoState);
 }
 }
 }
diff --git a/node/Network.cpp b/node/Network.cpp
index 0d9261e3b..b50337794 100644
--- a/node/Network.cpp
+++ b/node/Network.cpp
@@ -1561,14 +1561,14 @@ Membership &Network::_membership(const Address &a)
 return _memberships[a];
 }
-void Network::setAuthenticationRequired(const char* authEndpoint, const char* centralEndpoint, const char* clientID, const char* nonce, const char* state)
+void Network::setAuthenticationRequired(const char* issuerURL, const char* centralEndpoint, const char* clientID, const char* nonce, const char* state)
 {
 Mutex::Lock _l(_lock);
 _netconfFailure = NETCONF_FAILURE_AUTHENTICATION_REQUIRED;
 _config.ssoEnabled = true;
 _config.ssoVersion = 1;
- Utils::scopy(_config.authenticationURL, sizeof(_config.authenticationURL), authEndpoint);
+ Utils::scopy(_config.issuerURL, sizeof(_config.issuerURL), issuerURL);
 Utils::scopy(_config.centralAuthURL, sizeof(_config.centralAuthURL), centralEndpoint);
 Utils::scopy(_config.ssoClientID, sizeof(_config.ssoClientID), clientID);
 Utils::scopy(_config.ssoNonce, sizeof(_config.ssoNonce), nonce);
diff --git a/node/Network.hpp b/node/Network.hpp
index 1aa64cf43..680b54473 100644
--- a/node/Network.hpp
+++ b/node/Network.hpp
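Review bot: With the scopy target switched to `_config.issuerURL`, setAuthenticationRequired no longer writes `_config.authenticationURL` at all, so whatever that buffer held from an earlier netconf (or a prior v0 failure) survives next to the freshly written v1 fields while ssoVersion is set to 1. Any consumer that still looks at authenticationURL first — the commit message says the client keeps using it — could act on a stale URL. If the v1 path really owns issuerURL only, clear the other buffer here with `_config.authenticationURL[0] = 0;` (or copy issuerURL into it if the client expects both), and document in the header which fields a v1 failure populates. The function's tail runs past the end of this hunk.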
@@ -240,7 +240,7 @@ public:
 * set netconf failure to 'authentication required' along with info needed
 * for sso full flow authentication.
 */
- void setAuthenticationRequired(const char* authEndpoint, const char* centralEndpoint, const char* clientID, const char* nonce, const char* state);
+ void setAuthenticationRequired(const char* issuerURL, const char* centralEndpoint, const char* clientID, const char* nonce, const char* state);
 /**
 * Causes this network to request an updated configuration from its master node now
diff --git a/node/NetworkConfig.cpp b/node/NetworkConfig.cpp
index ca1cf5d12..2b76b6730 100644
--- a/node/NetworkConfig.cpp
+++ b/node/NetworkConfig.cpp
@@ -196,7 +196,9 @@ bool NetworkConfig::toDictionary(Dictionary &d,b
 if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_SSO_VERSION, this->ssoVersion)) return false;
 if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_SSO_ENABLED, this->ssoEnabled)) return false;
 if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_URL, this->authenticationURL)) return false;
- if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_CENTRAL_ENDPOINT_URL, this->centralAuthURL)) return false;
+ if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_ISSUER_URL, this->issuerURL)) return false;
+ if (! d.add(ZT_NETWORKCONFIG_DICT_KEY_CENTRAL_ENDPOINT_URL, this->centralAuthURL))
+ return false;
 if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_NONCE, this->ssoNonce)) return false;
 if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_STATE, this->ssoState)) return false;
 if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_CLIENT_ID, this->ssoClientID)) return false;
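Review bot: The re-added central-endpoint line is formatted unlike every neighbour — `if (! d.add(...))` with a space after `!` and `return false;` wrapped onto its own line — which reads as a stray formatter pass rather than intent and is the kind of diff noise that hides the real change. Keep it on one line as `if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_CENTRAL_ENDPOINT_URL, this->centralAuthURL)) return false;` to match the block. Separately, the dictionary now serialises both authenticationURL and issuerURL, each up to 2047 bytes; it is worth confirming the netconf dictionary capacity still has headroom for a fully populated v1 config, since a failed add here aborts the whole toDictionary. toDictionary begins and ends outside this hunk.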
@@ -408,6 +410,9 @@ bool NetworkConfig::fromDictionary(const DictionaryauthenticationURL, (unsigned int)sizeof(this->authenticationURL)) > 0) {
 this->authenticationURL[sizeof(this->authenticationURL) - 1] = 0;
 }
+ if (d.get(ZT_NETWORKCONFIG_DICT_KEY_ISSUER_URL, this->issuerURL, (unsigned int)sizeof(this->issuerURL)) > 0) {
+ this->issuerURL[sizeof(this->issuerURL) - 1] = 0;
+ }
 if (d.get(ZT_NETWORKCONFIG_DICT_KEY_CENTRAL_ENDPOINT_URL, this->centralAuthURL, (unsigned int)sizeof(this->centralAuthURL)) > 0) {
 this->centralAuthURL[sizeof(this->centralAuthURL) - 1] = 0;
 }
diff --git a/node/NetworkConfig.hpp b/node/NetworkConfig.hpp
index 8b18e150d..8c08838c5 100644
--- a/node/NetworkConfig.hpp
+++ b/node/NetworkConfig.hpp
@@ -186,6 +186,8 @@ namespace ZeroTier {
 #define ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_URL "aurl"
 // authentication expiry
 #define ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_EXPIRY_TIME "aexpt"
+// oidc issuer URL
+#define ZT_NETWORKCONFIG_DICT_KEY_ISSUER_URL "iurl"
 // central endpoint
 #define ZT_NETWORKCONFIG_DICT_KEY_CENTRAL_ENDPOINT_URL "ssoce"
 // nonce
@@ -201,6 +203,8 @@ namespace ZeroTier {
 #define ZT_AUTHINFO_DICT_KEY_VERSION "aV"
 // authenticaiton URL
 #define ZT_AUTHINFO_DICT_KEY_AUTHENTICATION_URL "aU"
+// issuer URL
+#define ZT_AUTHINFO_DICT_KEY_ISSUER_URL "iU"
 // Central endpoint URL
 #define ZT_AUTHINFO_DICT_KEY_CENTRAL_ENDPOINT_URL "aCU"
 // Nonce
@@ -268,6 +272,7 @@ public:
 ssoEnabled(false),
 authenticationURL(),
 authenticationExpiryTime(0),
+ issuerURL(),
 centralAuthURL(),
 ssoNonce(),
 ssoState(),
@@ -280,6 +285,7 @@ public:
 memset(rules, 0, sizeof(ZT_VirtualNetworkRule)*ZT_MAX_NETWORK_RULES);
 memset(&dns, 0, sizeof(ZT_VirtualNetworkDNS));
 memset(authenticationURL, 0, sizeof(authenticationURL));
+ memset(issuerURL, 0, sizeof(issuerURL));
 memset(centralAuthURL, 0, sizeof(centralAuthURL));
 memset(ssoNonce, 0, sizeof(ssoNonce));
 memset(ssoState, 0, sizeof(ssoState));
@@ -670,6 +676,11 @@ public:
 */
 uint64_t authenticationExpiryTime;
+ /**
+ * OIDC issuer URL
+ */
+ char issuerURL[2048];
+
 /**
 * central base URL.
 */