OIDC working but no secondary auth support.

go.mod

@@ -7,15 +7,14 @@ require (
 	github.com/gorilla/securecookie v1.1.1
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d
 	github.com/natefinch/npipe v0.0.0-20160621034901-c1b8fa8bdcce
-	github.com/openziti/edge-api v0.25.15
-	github.com/openziti/sdk-golang v0.19.18
-	github.com/openziti/ziti v0.27.9
+	github.com/openziti/sdk-golang v0.0.0-fix.fetch.cert.nil.pointer
+	github.com/openziti/ziti v0.0.0-support-sdk-refactor
 	github.com/pkg/errors v0.9.1
 	github.com/pkg/sftp v1.13.5
 	github.com/sirupsen/logrus v1.9.0
 	github.com/spf13/cobra v1.7.0
 	github.com/stretchr/testify v1.8.2
-	github.com/zitadel/oidc/v3 v3.0.0-next.5
+	github.com/zitadel/oidc/v2 v2.5.0
 	golang.org/x/crypto v0.8.0
 	golang.org/x/oauth2 v0.7.0
 )
@@ -42,6 +41,7 @@ require (
 	github.com/go-openapi/validate v0.22.1 // indirect
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/gorilla/schema v1.2.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/kr/fs v0.1.0 // indirect
@@ -56,12 +56,13 @@ require (
 	github.com/muhlemmer/gu v0.3.1 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
-	github.com/openziti/channel/v2 v2.0.59 // indirect
+	github.com/openziti/channel/v2 v2.0.60 // indirect
+	github.com/openziti/edge-api v0.25.16 // indirect
 	github.com/openziti/foundation/v2 v2.0.21 // indirect
-	github.com/openziti/identity v1.0.46 // indirect
+	github.com/openziti/identity v1.0.47 // indirect
 	github.com/openziti/metrics v1.2.19 // indirect
 	github.com/openziti/secretstream v0.1.6 // indirect
-	github.com/openziti/transport/v2 v2.0.73 // indirect
+	github.com/openziti/transport/v2 v2.0.74 // indirect
 	github.com/orcaman/concurrent-map/v2 v2.0.1 // indirect
 	github.com/parallaxsecond/parsec-client-go v0.0.0-20221025095442-f0a77d263cf9 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
@@ -74,7 +75,6 @@ require (
 	github.com/tklauser/go-sysconf v0.3.11 // indirect
 	github.com/tklauser/numcpus v0.6.0 // indirect
 	github.com/yusufpapurcu/wmi v1.2.2 // indirect
-	github.com/zitadel/schema v1.3.0 // indirect
 	go.mongodb.org/mongo-driver v1.11.4 // indirect
 	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect
 	go.opentelemetry.io/otel v1.14.0 // indirect
@@ -91,3 +91,7 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
+
+replace github.com/openziti/sdk-golang => ../sdk-golang
+
+replace github.com/openziti/ziti => ../ziti

go.sum

@@ -86,7 +86,6 @@ github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbS
 github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa h1:RDBNVkRviHZtvDvId8XSGPu3rmpmSe+wKRcEWNgsfWU=
 github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-chi/chi v1.5.4 h1:QHdzF2szwjqVV4wmByUnTcsbIg7UGaQ0tPF2t5GcAIs=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
@@ -234,6 +233,9 @@ github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
+github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
+github.com/gorilla/schema v1.2.0 h1:YufUaxZYCKGFuAq3c96BOhjgd5nmXiOY9NGzF247Tsc=
+github.com/gorilla/schema v1.2.0/go.mod h1:kgLaKoK1FELgZqMAVxx/5cbj0kT+57qxUrAlIO2eleU=
 github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
@@ -352,24 +354,20 @@ github.com/onsi/gomega v1.10.5/go.mod h1:gza4q3jKQJijlu05nKWRCW/GavJumGt8aNRxWg7
 github.com/onsi/gomega v1.13.0 h1:7lLHu94wT9Ij0o6EWWclhu0aOh32VxhkwEJvzuWPeak=
 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
-github.com/openziti/channel/v2 v2.0.59 h1:hSe8/cEU9FVwI6ok5+7TFyCHMzA6DAi5LhDfxfIK82E=
-github.com/openziti/channel/v2 v2.0.59/go.mod h1:rxZ5YdcBMxfrE6crDjnY/4DlxCRRWcLwBMyPdOKZfpE=
-github.com/openziti/edge-api v0.25.15 h1:c0gS/LoiwVHtYvwQXUDAIhO8TVHAxz5iVX4/8ljpW8k=
-github.com/openziti/edge-api v0.25.15/go.mod h1:Eu82g+Gb/cfJXh8ZT8aYc4KaY/CrTV0FO2fUx2jPUPk=
+github.com/openziti/channel/v2 v2.0.60 h1:TytQ0fyBH2zHJUzYsAjHrbVCR/e9tOSAroEhZKOBusg=
+github.com/openziti/channel/v2 v2.0.60/go.mod h1:Iz/TYnJ3h1AWIpkYTD7vQBhfDJp+G7z7zmgWB7grEvc=
+github.com/openziti/edge-api v0.25.16 h1:ZMScfFFk/aeVOoN6uYh9F2R5s2GdCa0IkCDu9+HFxqk=
+github.com/openziti/edge-api v0.25.16/go.mod h1:Eu82g+Gb/cfJXh8ZT8aYc4KaY/CrTV0FO2fUx2jPUPk=
 github.com/openziti/foundation/v2 v2.0.21 h1:3EDDmSunsbd2DlULuY/vqj12LHRZOknH/m3lf6Ws5Nw=
 github.com/openziti/foundation/v2 v2.0.21/go.mod h1:02GW3jFSSlfLwYwuTIldP/S4w7eCKqlzL6ajFSGHNPA=
-github.com/openziti/identity v1.0.46 h1:IwW7I1l/V7szENfXMcC8noanEDIhjca+TSjXwxO8WrE=
-github.com/openziti/identity v1.0.46/go.mod h1:fQ5bjNu4L1Yqk011xNB1QXvsmBRHnm5d498fi1bhl24=
+github.com/openziti/identity v1.0.47 h1:Zc1wL4yMq6hcmbgNR6d3gSkGCiK3IJYd9i4obBNBMPw=
+github.com/openziti/identity v1.0.47/go.mod h1:fQ5bjNu4L1Yqk011xNB1QXvsmBRHnm5d498fi1bhl24=
 github.com/openziti/metrics v1.2.19 h1:gQO3e2lUotRHBdGUXYBPWMIErIyyF5hw0EakwQbJzuM=
 github.com/openziti/metrics v1.2.19/go.mod h1:ovvxTpDBxGLcVLHgPTFFvwT4ur8p4Z76BPUhIE5iwqc=
-github.com/openziti/sdk-golang v0.19.18 h1:hqVVIitybPQhnAOGHSq1Ssd7RNzrRt+5rkkmeYwJb4s=
-github.com/openziti/sdk-golang v0.19.18/go.mod h1:qmew8X88o9uFrY5Ru9PEGvEowppTZvyYpqYfBQkC3XA=
 github.com/openziti/secretstream v0.1.6 h1:TbpTwW/lc/0kuvaoRNjpiyebxh2Hyx8XSTB269QtHN4=
 github.com/openziti/secretstream v0.1.6/go.mod h1:Gc6fhaDC46UUvwJD4ogbYji22YSdz3fe8bno+BFIpcE=
-github.com/openziti/transport/v2 v2.0.73 h1:kJiI0Dv2p3826RzqC0su+KL+0m0O+vEZmsrriRqE4Ls=
-github.com/openziti/transport/v2 v2.0.73/go.mod h1:rD5o7hRQ94bU06NFXll9rTZWtu7NtL0EAUQA+6532eY=
-github.com/openziti/ziti v0.27.9 h1:GsPqGFpHLLrvx4G+nXs7gKDyeSwl46D4GOLNFBmNI9c=
-github.com/openziti/ziti v0.27.9/go.mod h1:tSF7cciowQXna3O++xyUSq2S7hPZwYnH+WUwSr2NNsA=
+github.com/openziti/transport/v2 v2.0.74 h1:sFy395WPYWedArh4mBXtNb+FGR3gymk8cR/b6rCUltQ=
+github.com/openziti/transport/v2 v2.0.74/go.mod h1:xMoDhxk9FFQoVyh4YL2h1hOshE5Aqlabd4mctmK1TWU=
 github.com/orcaman/concurrent-map/v2 v2.0.1 h1:jOJ5Pg2w1oeB6PeDurIYf6k9PQ+aTITr/6lP/L/zp6c=
 github.com/orcaman/concurrent-map/v2 v2.0.1/go.mod h1:9Eq3TG2oBe5FirmYWQfYO5iH1q0Jv47PLaNK++uCdOM=
 github.com/parallaxsecond/parsec-client-go v0.0.0-20221025095442-f0a77d263cf9 h1:mOvehYivJ4Aqu2CPe3D3lv8jhqOI9/1o0THxJHBE0qw=
@@ -467,10 +465,8 @@ github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yusufpapurcu/wmi v1.2.2 h1:KBNDSne4vP5mbSWnJbO+51IMOXJB67QiYCSBrubbPRg=
 github.com/yusufpapurcu/wmi v1.2.2/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
-github.com/zitadel/oidc/v3 v3.0.0-next.5 h1:l72V2xN9S5AK8/m/VGjL8ZvKVvZlyLnTmsAUn/2g6bU=
-github.com/zitadel/oidc/v3 v3.0.0-next.5/go.mod h1:G8WRpSx/VzmP+8iogknSIpqsleotQ6yICziKLNye80Y=
-github.com/zitadel/schema v1.3.0 h1:kQ9W9tvIwZICCKWcMvCEweXET1OcOyGEuFbHs4o5kg0=
-github.com/zitadel/schema v1.3.0/go.mod h1:NptN6mkBDFvERUCvZHlvWmmME+gmZ44xzwRXwhzsbtc=
+github.com/zitadel/oidc/v2 v2.5.0 h1:W6djnl8GY2MjPbItWOUnkB+vndmyF105DF0+oxBrqr0=
+github.com/zitadel/oidc/v2 v2.5.0/go.mod h1:wBOrfB0m/tGXo6isym1F5k3VeXSUinGsAt2H8V/+Uks=
 go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
 go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
 go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ=

zssh/zscp/main.go

@@ -45,6 +45,9 @@ var rootCmd = &cobra.Command{
 		var isCopyToRemote bool
 		var err error
 
+		// token is the ID token from the OIDC flow
+		token := "" // TODO: implement OIDC flow
+
 		if strings.ContainsAny(args[0], ":") {
 			remoteFilePath = args[0]
 			localFilePaths = args[1:]
@@ -75,7 +78,7 @@ var rootCmd = &cobra.Command{
 		username, targetIdentity := flags.GetUserAndIdentity(remoteFilePath)
 		remoteFilePath = zsshlib.ParseFilePath(remoteFilePath)
 
-		sshConn := zsshlib.EstablishClient(flags.SshFlags, username, targetIdentity)
+		sshConn := zsshlib.EstablishClient(flags.SshFlags, username, targetIdentity, token)
 		defer func() { _ = sshConn.Close() }()
 
 		client, err := sftp.NewClient(sshConn)

zssh/zssh/main.go

@@ -62,6 +62,7 @@ var rootCmd = &cobra.Command{
 
 func init() {
 	flags.InitFlags(rootCmd, ExpectedServiceAndExeName)
+	flags.OIDCFlags(rootCmd, ExpectedServiceAndExeName)
 }
 
 // AuthCmd holds the required data for the init cmd
@@ -79,7 +80,7 @@ func NewAuthCmd(p common.OptionsProvider) *cobra.Command {
 		Args:  cobra.NoArgs,
 		RunE:  cmd.Run,
 	}
-
+	flags.OIDCFlags(authCmd, ExpectedServiceAndExeName)
 	return authCmd
 }
 

zsshlib/flags.go

@@ -77,15 +77,18 @@ func ParseFilePath(input string) string {
 	return input
 }
 
-func (f *SshFlags) InitFlags(cmd *cobra.Command, exeName string) {
-	cmd.Flags().StringVarP(&f.ServiceName, "service", "s", exeName, fmt.Sprintf("service name. default: %s", exeName))
-	cmd.Flags().StringVarP(&f.ZConfig, "ZConfig", "c", "", fmt.Sprintf("Path to ziti config file. default: $HOME/.ziti/%s.json", f.ServiceName))
-	cmd.Flags().StringVarP(&f.SshKeyPath, "SshKeyPath", "i", "", "Path to ssh key. default: $HOME/.ssh/id_rsa")
+func (f *SshFlags) OIDCFlags(cmd *cobra.Command, exeName string) {
 	cmd.Flags().StringVarP(&f.CallbackPort, "CallbackPort", "p", "63275", "Port for Callback. default: 63275")
 	cmd.Flags().StringVarP(&f.ClientID, "ClientID", "n", "0oa8wkmtfcyySlZQa5d7", "IdP ClientID. default: 0oa8wkmtfcyySlZQa5d7")
 	cmd.Flags().StringVarP(&f.ClientSecret, "ClientSecret", "e", "", "IdP ClientSecret. default: (empty string - use PKCE)")
 	cmd.Flags().StringVarP(&f.OIDCIssuer, "OIDCIssuer", "a", "https://dev-82868739.okta.com", "URL of the OpenID Connect provider. default: https://dev-82868739.okta.com")
 	cmd.Flags().BoolVarP(&f.OIDCMode, "oidc", "o", false, "toggle OIDC mode. default: false")
+}
+
+func (f *SshFlags) InitFlags(cmd *cobra.Command, exeName string) {
+	cmd.Flags().StringVarP(&f.ServiceName, "service", "s", exeName, fmt.Sprintf("service name. default: %s", exeName))
+	cmd.Flags().StringVarP(&f.ZConfig, "ZConfig", "c", "", fmt.Sprintf("Path to ziti config file. default: $HOME/.ziti/%s.json", f.ServiceName))
+	cmd.Flags().StringVarP(&f.SshKeyPath, "SshKeyPath", "i", "", "Path to ssh key. default: $HOME/.ssh/id_rsa")
 	cmd.Flags().BoolVarP(&f.Debug, "debug", "d", false, "pass to enable additional debug information")
 
 	if f.SshKeyPath == "" {

zsshlib/ssh.go

@@ -21,9 +21,9 @@ import (
 	"fmt"
 	"github.com/google/uuid"
 	"github.com/gorilla/securecookie"
-	"github.com/openziti/edge-api/rest_util"
-	"github.com/zitadel/oidc/v3/pkg/client/rp/cli"
-	"github.com/zitadel/oidc/v3/pkg/oidc"
+	edge_apis "github.com/openziti/sdk-golang/edge-apis"
+	"github.com/zitadel/oidc/v2/pkg/client/rp/cli"
+	"github.com/zitadel/oidc/v2/pkg/oidc"
 	"io"
 	"io/ioutil"
 	"log"
@@ -36,11 +36,10 @@ import (
 	"time"
 
 	"github.com/openziti/sdk-golang/ziti"
-	"github.com/openziti/sdk-golang/ziti/config"
 	"github.com/pkg/errors"
 	"github.com/pkg/sftp"
-	"github.com/zitadel/oidc/v3/pkg/client/rp"
-	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v2/pkg/client/rp"
+	httphelper "github.com/zitadel/oidc/v2/pkg/http"
 	"golang.org/x/oauth2"
 
 	"github.com/sirupsen/logrus"
@@ -154,7 +153,7 @@ func GetToken(ctx context.Context, config *Config) (string, error) {
 		options = append(options, rp.WithPKCE(cookieHandler))
 	}
 
-	relyingParty, err := rp.NewRelyingPartyOIDC(ctx, config.Issuer, config.ClientID, config.ClientSecret, config.RedirectURL, config.Scopes, options...)
+	relyingParty, err := rp.NewRelyingPartyOIDC(config.Issuer, config.ClientID, config.ClientSecret, config.RedirectURL, config.Scopes, options...)
 	if err != nil {
 		logrus.Fatalf("error creating relyingParty %s", err.Error())
 	}
@@ -164,12 +163,10 @@ func GetToken(ctx context.Context, config *Config) (string, error) {
 		return uuid.New().String()
 	}
 
-	tokens := cli.CodeFlow[oidc.IDClaims](ctx, relyingParty, config.CallbackPath, config.CallbackPort, state)
+	tokens := cli.CodeFlow[*oidc.IDTokenClaims](ctx, relyingParty, config.CallbackPath, config.CallbackPort, state)
 
-	print("tokens: %v", tokens)
-
-	//return tokens.IDToken, nil
-	return "", nil
+	return tokens.IDToken, nil
+	//return "", nil
 }
 
 // validateAndSetDefaults validates the config and sets default values.
@@ -328,10 +325,14 @@ func RetrieveRemoteFiles(client *sftp.Client, localPath string, remotePath strin
 }
 
 func EstablishClient(f SshFlags, userName, targetIdentity, token string) *ssh.Client {
-	auth := rest_util.NewAuthenticatorAuthHeader("Bearer " + token)
+	caPool, err := ziti.GetControllerWellKnownCaPool("https://ec2-54-186-104-181.us-west-2.compute.amazonaws.com:8441")
+	if err != nil {
+		panic(err)
+	}
+	auth := edge_apis.NewJwtCredentials(token, caPool)
 	conf := getConfig(f.ZConfig)
-	conf.Authenticator = auth
-	ctx, err := ziti.NewContextWithConfig(conf)
+	conf.Credentials = auth
+	ctx, err := ziti.NewContext(conf)
 	if err != nil {
 		logrus.Fatalf("error creating ziti context: %v", err)
 	}
@@ -367,8 +368,8 @@ func (f *SshFlags) DebugLog(msg string, args ...interface{}) {
 	}
 }
 
-func getConfig(cfgFile string) (zitiCfg *config.Config) {
-	zitiCfg, err := config.NewFromFile(cfgFile)
+func getConfig(cfgFile string) (zitiCfg *ziti.Config) {
+	zitiCfg, err := ziti.NewConfigFromFile(cfgFile)
 	if err != nil {
 		log.Fatalf("failed to load ziti configuration file: %v", err)
 	}