feat: add login through MS identity broker via sso-mib interface

This change enables an alternative way of acquiring the necessary
access tokens through a local identity broker. In the current
implementation, we need to visit URLs twice and paste back the
URLs we are redirected to in order to extract authorization codes
and ultimately fetch the correct access tokens for RDP (described
here: <0>).

As an alternative, MS also provides the Microsoft Authentication
Library (MSAL) through which authentication can be handled more
or less in the background when we're using a trusted device. In
particular, we can request access tokens with the same
parameters as we're currently doing through the URL-based scheme.

As the MSAL bindings are not available for C, we implemented a
small wrapper library called sso-mib which is available at
https://github.com/siemens/sso-mib. This library translates the
high-level requests (such as acquire_token_interactive) to
respective messages on the D-Bus messaging bus which is used to
communicate with the identity broker service on Linux. The
library can be built as a .deb package and subsequently be
found through PkgConfig mechanisms in CMake.

When sso-mib is not available through pkg-config, it can also
be placed in external/, with the directory structure looking
like the following. include/ is copied from the root of the
sso-mib directory and lib/ populated with the built shared
library files and symlinks.

    external/
    ├── README
    └── sso-mib
        ├── include
        │   └── sso-mib
        │       ├── mib-account.h
        │       ├── mib-client-app.h
        │       ├── mib-exports.h
        │       ├── mib-pop-params.h
        │       ├── mib-prt.h
        │       ├── mib-prt-sso-cookie.h
        │       └── sso-mib.h
        └── lib
            ├── libsso-mib.so -> libsso-mib.so.0
            ├── libsso-mib.so.0 -> libsso-mib.so.0.4.0
            └── libsso-mib.so.0.4.0

This feature is currently hidden behind a configuration switch
and must be enabled via `-DWITH_SSO_MIB=ON`. If the connection
to the broker fails (for example, if no identity broker is
installed or running on the system), we automatically fall back
to the current scheme of copy-pasting URLs.

<0>: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/e967ebeb-9e9f-443e-857a-5208802943c2

client/common/CMakeLists.txt

@@ -2,6 +2,7 @@
 # FreeRDP Client Common
 #
 # Copyright 2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
+# Copyright 2025 Siemens
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -54,6 +55,16 @@ endif()
 
 include_directories(SYSTEM ${OPENSSL_INCLUDE_DIR})
 
+option(WITH_SSO_MIB "Build with sso-mib support" OFF)
+if(UNIX AND WITH_SSO_MIB)
+  set(SSO_MIB_EXTERNAL_DIR "${CMAKE_CURRENT_SOURCE_DIR}/../../external/sso-mib")
+  find_package(SSO_MIB REQUIRED)
+
+  include_directories(${SSO_MIB_INCLUDE_DIRS})
+  add_compile_definitions(WITH_SSO_MIB)
+  list(APPEND LIBS ${SSO_MIB_LIBRARIES})
+endif()
+
 addtargetwithresourcefile(${MODULE_NAME} FALSE "${FREERDP_VERSION}" SRCS)
 
 list(APPEND LIBS freerdp winpr)

client/common/client.c

@@ -3,6 +3,7 @@
  * FreeRDP Client Common
  *
  * Copyright 2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
+ * Copyright 2025 Siemens
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -68,6 +69,23 @@
 #include <freerdp/utils/aad.h>
 #endif
 
+#ifdef WITH_SSO_MIB
+#include <sso-mib/sso-mib.h>
+#include <freerdp/crypto/crypto.h>
+#include <winpr/json.h>
+
+static MIBClientApp* sso_mib_client_app = NULL;
+
+enum sso_mib_state
+{
+	SSO_MIB_STATE_INIT = 0,
+	SSO_MIB_STATE_FAILED = 1,
+	SSO_MIB_STATE_SUCCESS = 2,
+};
+
+static enum sso_mib_state sso_mib_state = SSO_MIB_STATE_INIT;
+#endif
+
 #include <freerdp/log.h>
 #define TAG CLIENT_TAG("common")
 
@@ -164,6 +182,11 @@ void freerdp_client_context_free(rdpContext* context)
 	if (!context)
 		return;
 
+#ifdef WITH_SSO_MIB
+	if (sso_mib_client_app)
+		g_object_unref(sso_mib_client_app);
+#endif // WITH_SSO_MIB
+
 	instance = context->instance;
 
 	if (instance)
@@ -1078,6 +1101,135 @@ cleanup:
 	return rc && (*token != NULL);
 }
 
+#ifdef WITH_SSO_MIB
+static MIBClientApp* get_or_create_mib_client_app(freerdp* instance)
+{
+	if (!sso_mib_client_app)
+	{
+		const char* client_id =
+		    freerdp_settings_get_string(instance->context->settings, FreeRDP_GatewayAvdClientID);
+		sso_mib_client_app = mib_public_client_app_new(client_id, MIB_AUTHORITY_COMMON, NULL, NULL);
+	}
+	return sso_mib_client_app;
+}
+
+static BOOL client_cli_get_avd_access_token_from_sso_mib(freerdp* instance, char** token)
+{
+	WINPR_ASSERT(instance);
+	WINPR_ASSERT(instance->context);
+	WINPR_ASSERT(token);
+
+	MIBAccount* account = NULL;
+	GSList* scopes = NULL;
+
+	BOOL rc = FALSE;
+	*token = NULL;
+
+	MIBClientApp* app = get_or_create_mib_client_app(instance);
+	if (!app)
+	{
+		goto cleanup;
+	}
+
+	account = mib_client_app_get_account_by_upn(app, NULL);
+	if (!account)
+	{
+		goto cleanup;
+	}
+
+	scopes = g_slist_append(scopes, g_strdup("https://www.wvd.microsoft.com/.default"));
+
+	MIBPrt* prt = mib_client_app_acquire_token_silent(app, account, scopes, NULL, NULL, NULL);
+	if (prt)
+	{
+		const char* access_token = mib_prt_get_access_token(prt);
+		if (access_token)
+		{
+			*token = strdup(access_token);
+		}
+		g_object_unref(prt);
+	}
+
+	rc = TRUE && *token != NULL;
+cleanup:
+	if (account)
+		g_object_unref(account);
+	g_slist_free_full(scopes, g_free);
+	return rc;
+}
+
+static BOOL client_cli_get_rdsaad_access_token_from_sso_mib(freerdp* instance, const char* scope,
+                                                            const char* req_cnf, char** token)
+{
+	WINPR_ASSERT(instance);
+	WINPR_ASSERT(instance->context);
+	WINPR_ASSERT(scope);
+	WINPR_ASSERT(token);
+	WINPR_ASSERT(req_cnf);
+
+	GSList* scopes = NULL;
+	WINPR_JSON* json = NULL;
+	MIBPopParams* params = NULL;
+
+	BOOL rc = FALSE;
+	*token = NULL;
+	BYTE* req_cnf_dec = NULL;
+	size_t req_cnf_dec_len;
+
+	MIBClientApp* app = get_or_create_mib_client_app(instance);
+	if (!app)
+	{
+		goto cleanup;
+	}
+
+	scopes = g_slist_append(scopes, g_strdup(scope));
+
+	// Parse the "kid" element from req_cnf
+	crypto_base64_decode(req_cnf, strlen(req_cnf) + 1, &req_cnf_dec, &req_cnf_dec_len);
+	if (!req_cnf_dec)
+	{
+		goto cleanup;
+	}
+
+	json = WINPR_JSON_Parse((const char*)req_cnf_dec);
+	if (!json)
+	{
+		goto cleanup;
+	}
+	WINPR_JSON* prop = WINPR_JSON_GetObjectItem(json, "kid");
+	if (!prop)
+	{
+		goto cleanup;
+	}
+	const char* kid = WINPR_JSON_GetStringValue(prop);
+	if (!kid)
+	{
+		goto cleanup;
+	}
+
+	params = mib_pop_params_new(MIB_AUTH_SCHEME_POP, MIB_REQUEST_METHOD_GET, "");
+	mib_pop_params_set_kid(params, kid);
+	MIBPrt* prt = mib_client_app_acquire_token_interactive(app, scopes, MIB_PROMPT_NONE, NULL, NULL,
+	                                                       NULL, params);
+	if (prt)
+	{
+		*token = strdup(mib_prt_get_access_token(prt));
+		rc = TRUE;
+		g_object_unref(prt);
+	}
+
+cleanup:
+	if (params)
+		g_object_unref(params);
+	if (json)
+		WINPR_JSON_Delete(json);
+	if (req_cnf_dec)
+		free(req_cnf_dec);
+	g_slist_free_full(scopes, g_free);
+	return rc;
+}
+#endif //  WITH_SSO_MIB
+
 static BOOL client_cli_get_avd_access_token(freerdp* instance, char** token)
 {
 	WINPR_ASSERT(instance);
@@ -1096,6 +1248,25 @@ static BOOL client_cli_get_avd_access_token(freerdp* instance, char** token)
 
 	*token = NULL;
 
+#ifdef WITH_SSO_MIB
+	if (sso_mib_state == SSO_MIB_STATE_INIT || sso_mib_state == SSO_MIB_STATE_SUCCESS)
+	{
+		rc = client_cli_get_avd_access_token_from_sso_mib(instance, token);
+		if (rc)
+		{
+			sso_mib_state = SSO_MIB_STATE_SUCCESS;
+			return rc;
+		}
+		else
+		{
+			WLog_WARN(TAG, "Getting AVD token from identity broker failed, falling back to "
+			               "browser-based authentication.");
+			sso_mib_state = SSO_MIB_STATE_FAILED;
+			// Fall through to regular avd access token retrieval
+		}
+	}
+#endif
+
 	const char* client_id =
 	    freerdp_settings_get_string(instance->context->settings, FreeRDP_GatewayAvdClientID);
 	const char* base = freerdp_settings_get_string(instance->context->settings,
@@ -1176,7 +1347,41 @@ BOOL client_cli_get_access_token(freerdp* instance, AccessTokenType tokenType, c
 			va_start(ap, count);
 			const char* scope = va_arg(ap, const char*);
 			const char* req_cnf = va_arg(ap, const char*);
-			const BOOL rc = client_cli_get_rdsaad_access_token(instance, scope, req_cnf, token);
+			BOOL rc = FALSE;
+
+#ifdef WITH_SSO_MIB
+			if (sso_mib_state == SSO_MIB_STATE_INIT || sso_mib_state == SSO_MIB_STATE_SUCCESS)
+			{
+				// Setup scope without URL encoding for sso-mib
+				char* scope_copy = winpr_str_url_decode(scope, strlen(scope));
+				if (!scope_copy)
+				{
+					WLog_ERR(TAG, "Failed to decode scope");
+					va_end(ap);
+					return FALSE;
+				}
+
+				rc = client_cli_get_rdsaad_access_token_from_sso_mib(instance, scope_copy, req_cnf,
+				                                                     token);
+				free(scope_copy);
+				if (rc)
+				{
+					sso_mib_state = SSO_MIB_STATE_SUCCESS;
+					va_end(ap);
+					return rc;
+				}
+				else
+				{
+					WLog_WARN(TAG, "Getting RDS token from identity broker failed, falling back to "
+					               "browser-based authentication.");
+					sso_mib_state = SSO_MIB_STATE_FAILED;
+					// Fall through to regular rdsaad access token retrieval
+				}
+			}
+#endif // WITH_SSO_MIB
+
+			rc = client_cli_get_rdsaad_access_token(instance, scope, req_cnf, token);
+
 			va_end(ap);
 			return rc;
 		}

cmake/FindSSO_MIB.cmake

@@ -0,0 +1,37 @@
+# - Find sso-mib
+# Find the sso-mib library
+
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: Copyright 2025 Siemens
+
+find_package(PkgConfig REQUIRED)
+pkg_check_modules(PC_SSO_MIB sso-mib>=0.4.0)
+
+if(PC_SSO_MIB_FOUND)
+  find_path(SSO_MIB_INCLUDE_DIR NAMES sso-mib/sso-mib.h HINTS ${PC_SSO_MIB_INCLUDEDIR})
+  find_library(SSO_MIB_LIBRARY NAMES sso-mib HINTS ${PC_SSO_MIB_LIBRARYDIR})
+else()
+  set(SSO_MIB_ROOT_DIR ${SSO_MIB_EXTERNAL_DIR})
+  message(STATUS "SSO_MIB not found through PkgConfig, trying external ${SSO_MIB_ROOT_DIR}")
+  find_path(SSO_MIB_INCLUDE_DIR NAMES sso-mib/sso-mib.h HINTS ${SSO_MIB_ROOT_DIR}/include)
+  find_library(SSO_MIB_LIBRARY NAMES sso-mib HINTS ${SSO_MIB_ROOT_DIR}/lib)
+
+  # Dependencies
+  pkg_check_modules(GLIB REQUIRED glib-2.0)
+  pkg_check_modules(GIO REQUIRED gio-2.0)
+  pkg_check_modules(JSON_GLIB REQUIRED json-glib-1.0)
+  pkg_check_modules(UUID REQUIRED uuid)
+  if(GLIB_FOUND AND GIO_FOUND AND JSON_GLIB_FOUND AND UUID_FOUND)
+    set(PC_SSO_MIB_INCLUDE_DIRS ${GLIB_INCLUDE_DIRS} ${GIO_INCLUDE_DIRS} ${JSON_GLIB_INCLUDE_DIRS} ${UUID_INCLUDE_DIRS})
+    set(PC_SSO_MIB_LIBRARIES ${GLIB_LIBRARIES} ${GIO_LIBRARIES} ${JSON_GLIB_LIBRARIES} ${UUID_LIBRARIES})
+  endif()
+endif()
+
+find_package_handle_standard_args(SSO_MIB DEFAULT_MSG SSO_MIB_LIBRARY SSO_MIB_INCLUDE_DIR)
+
+if(SSO_MIB_FOUND)
+  set(SSO_MIB_LIBRARIES ${SSO_MIB_LIBRARY} ${PC_SSO_MIB_LIBRARIES})
+  set(SSO_MIB_INCLUDE_DIRS ${SSO_MIB_INCLUDE_DIR} ${PC_SSO_MIB_INCLUDE_DIRS})
+endif()
+
+mark_as_advanced(SSO_MIB_INCLUDE_DIR SSO_MIB_LIBRARY)