legacy auth: decouple from ziti_ctrl

CMakeLists.txt

@@ -15,7 +15,7 @@ include(cmake/variables.cmake)
 set(tlsuv_DIR "" CACHE FILEPATH "developer option: use local tlsuv checkout")
 # developer setting: tlsuv branch or tag to use (if tlsuv_DIR is unset)
 if (NOT tlsuv_VERSION)
-    set(tlsuv_VERSION "v0.40.12")
+    set(tlsuv_VERSION "v0.40.13")
 endif (NOT tlsuv_VERSION)
 
 message("project version: ${PROJECT_VERSION}")

inc_internal/auth_method.h

@@ -1,16 +1,16 @@
-// Copyright (c) 2023-2024. NetFoundry Inc.
+// Copyright (c) 2023-2026.  NetFoundry Inc
 //
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
+// 	Licensed under the Apache License, Version 2.0 (the "License");
+// 	you may not use this file except in compliance with the License.
+// 	You may obtain a copy of the License at
 //
-// You may obtain a copy of the License at
-// https://www.apache.org/licenses/LICENSE-2.0
+// 	https://www.apache.org/licenses/LICENSE-2.0
 //
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// 	Unless required by applicable law or agreed to in writing, software
+// 	distributed under the License is distributed on an "AS IS" BASIS,
+// 	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// 	See the License for the specific language governing permissions and
+// 	limitations under the License.
 
 #ifndef ZITI_SDK_AUTH_METHOD_H
 #define ZITI_SDK_AUTH_METHOD_H
@@ -58,7 +58,7 @@ struct ziti_auth_method_s {
     void (*free)(ziti_auth_method_t *self);
 };
 
-ziti_auth_method_t *new_legacy_auth(ziti_controller *ctrl);
+ziti_auth_method_t *new_legacy_auth(uv_loop_t *l, const char *url, tls_context *tls, bool x509);
 ziti_auth_method_t *new_oidc_auth(uv_loop_t *l, const api_path *api, tls_context *tls);
 
 #ifdef __cplusplus

inc_internal/credentials.h

@@ -0,0 +1,69 @@
+// Copyright (c) 2026.  NetFoundry Inc
+//
+// 	Licensed under the Apache License, Version 2.0 (the "License");
+// 	you may not use this file except in compliance with the License.
+// 	You may obtain a copy of the License at
+//
+// 	https://www.apache.org/licenses/LICENSE-2.0
+//
+// 	Unless required by applicable law or agreed to in writing, software
+// 	distributed under the License is distributed on an "AS IS" BASIS,
+// 	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// 	See the License for the specific language governing permissions and
+// 	limitations under the License.
+
+//
+//
+
+#pragma once
+
+#ifndef ZITI_SDK_CREDENTIALS_H
+#define ZITI_SDK_CREDENTIALS_H
+
+#include <tlsuv/tls_engine.h>
+#include <stc/cstr.h>
+
+#include <ziti/errors.h>
+#include "internal_model.h"
+#include "utils.h"
+#include "jwt.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef enum {
+    ZITI_CRED_TYPE_INVALID = 0,
+    ZITI_CRED_TYPE_X509 = 1,
+    ZITI_CRED_TYPE_JWT = 2,
+    ZITI_CRED_LEGACY_SESSION = 3,
+} ziti_credential_type;
+
+struct tls_credentials {
+    tlsuv_private_key_t key;
+    tlsuv_certificate_t cert;
+};
+
+typedef struct ziti_credential_s {
+    ziti_credential_type type;
+    uint64_t expiration;
+    bool persistent;
+    union {
+        // identity key/cert
+        struct tls_credentials x509;
+        // external JWT
+        zt_jwt jwt;
+        // legacy session
+        ziti_session session;
+    };
+} ziti_credential_t;
+
+extern void ziti_credential_drop(ziti_credential_t *cred);
+
+extern int ziti_credential_from_jwt(const char *jwt, ziti_credential_t **cred);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif // ZITI_SDK_CREDENTIALS_H

inc_internal/jwt.h

@@ -0,0 +1,45 @@
+// Copyright (c) 2026.  NetFoundry Inc
+//
+// 	Licensed under the Apache License, Version 2.0 (the "License");
+// 	you may not use this file except in compliance with the License.
+// 	You may obtain a copy of the License at
+//
+// 	https://www.apache.org/licenses/LICENSE-2.0
+//
+// 	Unless required by applicable law or agreed to in writing, software
+// 	distributed under the License is distributed on an "AS IS" BASIS,
+// 	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// 	See the License for the specific language governing permissions and
+// 	limitations under the License.
+
+//
+//
+#pragma once
+#ifndef ZITI_SDK_JWT_H
+#define ZITI_SDK_JWT_H
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <stc/cstr.h>
+#include <json-c/json.h>
+#include <sodium/utils.h>
+
+typedef struct zt_jwt_s {
+    cstr issuer;
+    uint64_t expiration;
+    json_object *claims;
+    json_object *header;
+    cstr encoded;
+} zt_jwt;
+
+extern void zt_jwt_drop(zt_jwt *jwt);
+extern void zt_jwt_free(zt_jwt *jwt);
+extern int zt_jwt_parse(const char *jwt_str, zt_jwt *jwt);
+
+#ifdef __cplusplus
+}
+#endif
+#endif // ZITI_SDK_JWT_H

inc_internal/utils.h

@@ -21,6 +21,7 @@
 #include <stdlib.h>
 #include <tlsuv/http.h>
 #include <ziti/ziti_log.h>
+#include <stc/cstr.h>
 
 #include "ziti/model_collections.h"
 #include "ziti/model_support.h"
@@ -65,6 +66,7 @@ extern const char *ziti_git_commit();
 
 extern void hexDump(char *desc, void *addr, int len);
 
+extern cstr jwt_issuer(const char *jwt);
 extern const char *jwt_payload(const char *jwt);
 
 void ziti_fmt_time(char *time_str, size_t time_str_len, uv_timeval64_t *tv);

inc_internal/ziti_ctrl.h

@@ -1,16 +1,16 @@
-// Copyright (c) 2019-2024. NetFoundry Inc.
+// Copyright (c) 2019-2026.  NetFoundry Inc
 //
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
+// 	Licensed under the Apache License, Version 2.0 (the "License");
+// 	you may not use this file except in compliance with the License.
+// 	You may obtain a copy of the License at
 //
-// You may obtain a copy of the License at
-// https://www.apache.org/licenses/LICENSE-2.0
+// 	https://www.apache.org/licenses/LICENSE-2.0
 //
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// 	Unless required by applicable law or agreed to in writing, software
+// 	distributed under the License is distributed on an "AS IS" BASIS,
+// 	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// 	See the License for the specific language governing permissions and
+// 	limitations under the License.
 
 
 #ifndef ZITI_SDK_CONTROLLER_H
@@ -62,6 +62,7 @@ typedef struct ziti_controller_s {
 int ziti_ctrl_init(uv_loop_t *loop, ziti_controller *ctrl, model_list *urls, tls_context *tls);
 
 int ziti_ctrl_set_token(ziti_controller *ctrl, const char *access_token);
+int ziti_ctrl_set_ext_token(ziti_controller *ctrl, const char *jwt);
 
 void ziti_ctrl_set_legacy(ziti_controller *ctrl, bool legacy);
 
@@ -79,13 +80,6 @@ void ziti_ctrl_clear_auth(ziti_controller *ctrl);
 
 void ziti_ctrl_get_version(ziti_controller *ctrl, ctrl_version_cb cb, void *ctx);
 
-void ziti_ctrl_login(ziti_controller *ctrl, model_list *cfg_types,
-                     void (*cb)(ziti_api_session *, const ziti_error *, void *),
-                     void *ctx);
-
-void ziti_ctrl_login_ext_jwt(ziti_controller *ctrl, const char *jwt,
-                             void (*cb)(ziti_api_session *, const ziti_error *, void *), void *ctx);
-
 void ziti_ctrl_list_ext_jwt_signers(ziti_controller *ctrl,
                                     void (*cb)(ziti_jwt_signer_array, const ziti_error*, void*),
                                     void *ctx);
@@ -99,8 +93,6 @@ void ziti_ctrl_list_controllers(ziti_controller *ctrl,
 
 void ziti_ctrl_current_api_session(ziti_controller *ctrl, void(*cb)(ziti_api_session *, const ziti_error *, void *), void *ctx);
 
-void ziti_ctrl_mfa_jwt(ziti_controller *ctrl, const char *token, void(*cb)(ziti_api_session *, const ziti_error *, void *), void *ctx);
-
 void ziti_ctrl_create_api_certificate(ziti_controller *ctrl, const char *csr_pem, void(*cb)(ziti_create_api_cert_resp *, const ziti_error *, void *), void *ctx);
 
 void ziti_ctrl_current_identity(ziti_controller *ctrl, void(*cb)(ziti_identity_data *, const ziti_error *, void *), void *ctx);
@@ -132,9 +124,6 @@ void ziti_ctrl_get_session(
         ziti_controller *ctrl, const char *session_id,
         void (*cb)(ziti_session *, const ziti_error *, void *), void *ctx);
 
-void ziti_ctrl_get_sessions(
-        ziti_controller *ctrl, void (*cb)(ziti_session **, const ziti_error *, void *), void *ctx);
-
 void ziti_ctrl_get_well_known_certs(ziti_controller *ctrl, void (*cb)(char *, const ziti_error *, void *), void *ctx);
 
 void ziti_ctrl_enroll(ziti_controller *ctrl, ziti_enrollment_method method, const char *token, const char *csr,
@@ -149,10 +138,6 @@ void ziti_pr_post_bulk(ziti_controller *ctrl, char *body, size_t body_len, void(
 
 void ziti_pr_post(ziti_controller *ctrl, char *body, size_t body_len, void(*cb)(ziti_pr_response *, const ziti_error *, void *), void *ctx);
 
-
-//MFA
-void ziti_ctrl_login_mfa(ziti_controller *ctrl, char *body, size_t body_len, void(*cb)(void *, const ziti_error *, void *), void *ctx);
-
 void ziti_ctrl_post_mfa(ziti_controller *ctrl, void(*cb)(void *, const ziti_error *, void *), void *ctx);
 
 void ziti_ctrl_get_mfa(ziti_controller *ctrl, void(*cb)(ziti_mfa_enrollment *, const ziti_error *, void *), void *ctx);

inc_internal/zt_internal.h

@@ -24,6 +24,7 @@
 
 #include "auth_method.h"
 #include "buffer.h"
+#include "credentials.h"
 #include "deadline.h"
 #include "metrics.h"
 #include "pool.h"
@@ -151,10 +152,6 @@ struct ztx_work_s {
 
 typedef STAILQ_HEAD(work_q, ztx_work_s) ztx_work_q;
 
-struct tls_credentials {
-    tlsuv_private_key_t key;
-    tlsuv_certificate_t cert;
-};
 
 struct ziti_ctx {
     ziti_config config;
@@ -177,6 +174,7 @@ struct ziti_ctx {
     ziti_auth_state auth_state;
     ziti_mfa_cb mfa_cb;
     void *mfa_ctx;
+    model_map ext_jwt_tokens; // map<issuer, zt_jwt>
 
     model_map ext_signers;
     struct ext_oidc_client_s *ext_auth;
@@ -185,7 +183,6 @@ struct ziti_ctx {
 
     // HA access_token(JWT) or legacy ziti_api_session.token
     char *session_token;
-    timestamp session_expiration;
 
     ziti_identity_data *identity_data;
 

library/CMakeLists.txt

@@ -79,6 +79,7 @@ set(ZITI_HEADER_FILES
 SET(ZITI_SRC_FILES
         sdk_info.c
         utils.c
+        credentials.c
         ziti.c
         config.c
         errors.c