This change enables an alternative way of acquiring the necessary
access tokens through a local identity broker. In the current
implementation, we need to visit URLs twice and paste back the
URLs we are redirected to in order to extract authorization codes
and ultimately fetch the correct access tokens for RDP (described
here: <0>).
As an alternative, MS also provides the Microsoft Authentication
Library (MSAL) through which authentication can be handled more
or less in the background when we're using a trusted device. In
particular, we can request access tokens with the same
parameters as we're currently doing through the URL-based scheme.
As the MSAL bindings are not available for C, we implemented a
small wrapper library called sso-mib which is available at
https://github.com/siemens/sso-mib. This library translates the
high-level requests (such as acquire_token_interactive) to
respective messages on the D-Bus messaging bus which is used to
communicate with the identity broker service on Linux. The
library can be built as a .deb package and subsequently be
found through PkgConfig mechanisms in CMake.
When sso-mib is not available through pkg-config, it can also
be placed in external/, with the directory structure looking
like the following. include/ is copied from the root of the
sso-mib directory and lib/ populated with the built shared
library files and symlinks.
external/
├── README
└── sso-mib
    ├── include
    │   └── sso-mib
    │       ├── mib-account.h
    │       ├── mib-client-app.h
    │       ├── mib-exports.h
    │       ├── mib-pop-params.h
    │       ├── mib-prt.h
    │       ├── mib-prt-sso-cookie.h
    │       └── sso-mib.h
    └── lib
        ├── libsso-mib.so -> libsso-mib.so.0
        ├── libsso-mib.so.0 -> libsso-mib.so.0.4.0
        └── libsso-mib.so.0.4.0
This feature is currently hidden behind a configuration switch
and must be enabled via `-DWITH_SSO_MIB=ON`. If the connection
to the broker fails (for example, if no identity broker is
installed or running on the system), we automatically fall back
to the current scheme of copy-pasting URLs.
<0>: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/e967ebeb-9e9f-443e-857a-5208802943c2
The prefix given to pkg_check_modules is PC_${_component}, not
PC_LIB${_component}, so those variables were always read as empty, thus
no HINTS were passed to the find_* functions and ffmpeg could not be
found if it was not in a default path.
Some cmake_policy settings have long been active by default (3.13 is our
current baseline) or simply unused. Due to issues with CMake 4.0, let's
drop them.
__attribute__((unused)) does emit that warning if a variable is used.
The C23/C++17 version [[maybe_unused]] does not, so drop the warning to
have consistency.