Fix LoginExternal passing hostname instead of full OIDC URL, surface auth error codes

Author: smilindave26

lib/Ziti.swift

@@ -656,10 +656,13 @@ import CZitiPrivate
 
                 case .CannotContinue:
                     completed = true
-                    let detail = authEvent.detail.isEmpty ? "authentication cannot continue" : authEvent.detail
-                    log.error("queryProviders: \(detail)", function:"runQueryProviders()")
+                    let msg = !authEvent.error.isEmpty ? authEvent.error
+                            : !authEvent.detail.isEmpty ? authEvent.detail
+                            : "authentication cannot continue"
+                    let code = !authEvent.errorCode.isEmpty ? authEvent.errorCode : nil
+                    log.error("queryProviders: \(msg) (errorCode=\(code ?? "nil"))", function:"runQueryProviders()")
                     ziti.shutdown()
-                    cb(nil, ZitiError(detail))
+                    cb(nil, ZitiError(msg, errorCodeString: code))
 
                 default:
                     break
@@ -786,13 +789,24 @@ import CZitiPrivate
                     }
 
                 case .LoginExternal:
-                    onAuth(authEvent.detail)
+                    // detail is just the hostname or signer name, not the full OIDC URL.
+                    // Kick off the OIDC flow to get the real auth URL via the launch callback.
+                    ziti.extAuthStatusCallback = { _, url, _ in
+                        log.info("\(modeLabel) extAuth URL: \(url)", function:"runEnrollTo()")
+                        onAuth(url)
+                    }
+                    ziti.perform {
+                        ziti_ext_auth(ziti.ztx, Ziti.onExtAuthStatus, ziti.toVoidPtr())
+                    }
 
                 case .CannotContinue:
-                    let detail = authEvent.detail.isEmpty ? "authentication cannot continue" : authEvent.detail
-                    log.error("\(modeLabel): \(detail)", function:"runEnrollTo()")
+                    let msg = !authEvent.error.isEmpty ? authEvent.error
+                            : !authEvent.detail.isEmpty ? authEvent.detail
+                            : "authentication cannot continue"
+                    let code = !authEvent.errorCode.isEmpty ? authEvent.errorCode : nil
+                    log.error("\(modeLabel): \(msg) (errorCode=\(code ?? "nil"))", function:"runEnrollTo()")
                     ziti.shutdown()
-                    enrollCallback(nil, ZitiError(detail))
+                    enrollCallback(nil, ZitiError(msg, errorCodeString: code))
 
                 default:
                     break

lib/ZitiError.swift

@@ -17,16 +17,22 @@ import Foundation
 
 /// Class used for passing information about error conditions encountered while using Ziti
 public class ZitiError : NSError, @unchecked Sendable {
+
+    /// Machine-parseable error code string from the controller (e.g. "ENROLLMENT_IDENTITY_ALREADY_ENROLLED")
+    @objc public let errorCodeString:String?
+
     /// Initialize a ZitiError instance
     /// - Parameters:
     ///     - desc: error description
-    ///     - errorCode: error code
-    ///     - userInfo: user info dictionary
-    init(_ desc:String, errorCode:Int=Int(-1)) {
+    ///     - errorCode: numeric error code
+    ///     - errorCodeString: machine-parseable error code string from the controller
+    init(_ desc:String, errorCode:Int=Int(-1), errorCodeString:String?=nil) {
+        self.errorCodeString = errorCodeString
         super.init(domain: "ZitiError", code: errorCode,
                    userInfo: [NSLocalizedDescriptionKey:NSLocalizedString(desc, comment: "")])
     }
     required init?(coder: NSCoder) {
+        self.errorCodeString = nil
         fatalError("init(coder:) has not been implemented")
     }
 }

lib/ZitiEvent.swift

@@ -271,6 +271,9 @@ import CZitiPrivate
         /// The authentication detail
         @objc public var detail:String
 
+        /// Error message (set when action is CannotContinue)
+        @objc public var error:String
+
         /// Machine-parseable error code from the controller (e.g. "ENROLLMENT_IDENTITY_ALREADY_ENROLLED")
         @objc public var errorCode:String
 
@@ -281,6 +284,7 @@ import CZitiPrivate
             action = AuthAction(cEvent.action)
             type = cEvent.type != nil ? String(cString: cEvent.type) : ""
             detail = cEvent.detail != nil ? String(cString: cEvent.detail) : ""
+            error = cEvent.error != nil ? String(cString: cEvent.error) : ""
             errorCode = cEvent.error_code != nil ? String(cString: cEvent.error_code) : ""
             providers = []
             if var ptr = cEvent.providers {