openziti · rentallect · Nov 1, 2024 · Nov 1, 2024
diff --git a/src/constants.js b/src/constants.js
@@ -110,6 +110,7 @@ const ZITI_CONSTANTS =
     'ZITI_EVENT_NO_CONFIG_PROTOCOL_FOR_SERVICE':  'noConfigProtocolForServiceEvent',
     'ZITI_EVENT_WSS_ROUTER_CONNECTION_ERROR':  'WSSEnabledEdgeRouterConnectionErrorEvent',
     'ZITI_EVENT_CONTROLLER_CONNECTION_ERROR':  'ControllerConnectionErrorEvent',
+    'ZITI_EVENT_DEPRECATION_ID_TOKEN':       'isTokenDeprecationEvent',
 
     /**
      * Name of event indicating encrypted data for a nestedTLS connection has arrived and needs decryption

diff --git a/src/context/context.js b/src/context/context.js
@@ -85,6 +85,7 @@ class ZitiContext extends EventEmitter {
     this.updbUser = _options.updbUser;
     this.updbPswd = _options.updbPswd;
     this.token_type = _options.token_type;
+    this.id_token = _options.id_token;
     this.access_token = _options.access_token;
 
     this.sdkType = _options.sdkType;
@@ -286,6 +287,7 @@ class ZitiContext extends EventEmitter {
       controllerApi: this.controllerApi,
       domain: this.controllerApi,
       token_type: this.token_type,
+      id_token: this.id_token,
       access_token: this.access_token,
     });
 
@@ -798,10 +800,18 @@ class ZitiContext extends EventEmitter {
   /**
    * 
    */
-  async doAuthenticate() {
+  async doAuthenticate(token) {
 
     let self = this;
 
+    this._zitiBrowzerEdgeClient = this.createZitiBrowzerEdgeClient ({
+      logger: this.logger,
+      controllerApi: this.controllerApi,
+      domain: this.controllerApi,
+      token_type: this.token_type,
+      access_token: token,
+    });
+
     // the 'auth' body is common between the legacy and HA auth endpoints
     let auth = { 
 
@@ -838,8 +848,11 @@ class ZitiContext extends EventEmitter {
     } 
     // ...otherwise, utilize Controller's "legacy"" endpoint to authenticate
     else {
-      let method = (isNull(self.access_token)) ? 'password' : 'ext-jwt';
-      let res = await self._zitiBrowzerEdgeClient.authenticate({ method: method, auth: auth }).catch((error) => {
+      let res = await self._zitiBrowzerEdgeClient.authenticate({ 
+        method: 'ext-jwt', 
+        auth: auth,
+        token: token
+      }).catch((error) => {
         self.logger.error( error );
       });
       return res;
@@ -861,16 +874,14 @@ class ZitiContext extends EventEmitter {
   /**
    * 
    */
-  async getFreshAPISession() {
-
-    this.logger.trace('ZitiContext.getFreshAPISession() entered');
+  async getFreshAPISessionWithToken(token) {
 
     let authenticated = false;
-    let retry = 5;
+    let retry = 2;
 
     do {
 
-      let res = await this.doAuthenticate();
+      let res = await this.doAuthenticate(token);
 
       if (isUndefined(res)) {
 
@@ -883,16 +894,6 @@ class ZitiContext extends EventEmitter {
 
         retry = 0;
 
-        var decoded_access_token = jwt_decode(this.access_token);
-
-        this.logger.error(`ZitiContext.getFreshAPISession(): user [${decoded_access_token.email}] authentication request failed`);
-
-        // Let any listeners know the given JWT is not authorized to access the network,
-        // which is most likely a condition where the Identity was not provisioned
-        this.emit(ZITI_CONSTANTS.ZITI_EVENT_INVALID_AUTH, {
-          email: decoded_access_token.email
-        });
-
       } else {
 
         this._apiSession = res.data;
@@ -927,8 +928,56 @@ class ZitiContext extends EventEmitter {
 
     } while (!authenticated && retry > 0);
 
+    return authenticated;
+  }
+
+  /**
+   * 
+   */
+  async getFreshAPISession() {
+
+    this.logger.trace('ZitiContext.getFreshAPISession() entered');
+
+    /**
+     * Try to authenticate with the access_token first
+     */
+    let authenticated = await this.getFreshAPISessionWithToken(this.access_token);
+
+    if (!authenticated) {
+
+      /**
+       * If we failed to auth with the access_token, then try to auth with the id_token
+       */
+      authenticated = await this.getFreshAPISessionWithToken(this.id_token);
+
+      if (authenticated) {  
+
+        /**
+         * If we successfully authenticated with the id_token, emit an event to warn the
+         * user that id_token auth is deprecated.
+         */
+         var decoded_access_token = jwt_decode(this.id_token);
+         this.emit(ZITI_CONSTANTS.ZITI_EVENT_DEPRECATION_ID_TOKEN, {
+          email: decoded_access_token.email
+        });  
+      }
+    }
+
     if (!authenticated) {
       this.logger.error(`cannot authenticate`);
+
+        var decoded_access_token = jwt_decode(this.id_token);
+
+        this.logger.error(`ZitiContext.getFreshAPISession(): user [${decoded_access_token.email}] authentication request failed`);
+
+        // Let any listeners know the given JWT is not authorized to access the network,
+        // which is most likely a condition where the Identity was not provisioned
+        this.emit(ZITI_CONSTANTS.ZITI_EVENT_INVALID_AUTH, {
+          email: decoded_access_token.email
+        });
+
+        this.delay(1000);
+
     }
 
     this.logger.trace('ZitiContext.getFreshAPISession() exiting; zt-session token is: ', this._apiSession.token);

diff --git a/src/context/options.js b/src/context/options.js
@@ -60,13 +60,19 @@ const defaultOptions = {
      * See {@link Options.token_type}
      *
      */
-     token_type: null,
+    token_type: null,
+
+    /**
+     * See {@link Options.id_token}
+     *
+     */
+    id_token: null,
 
     /**
      * See {@link Options.access_token}
      *
      */
-     access_token: null,
+    access_token: null,
 
     /**
      * See {@link Options.sdkType}