If client-common is built with WITH_SSO_MIB, inject a callback that first
tries to retrieve a token from the sso-mib library and only if that fails
falls back to a client-provided callback.
This change enables an alternative way of acquiring the necessary
access tokens through a local identity broker. In the current
implementation, we need to visit URLs twice and paste back the
URLs we are redirected to in order to extract authorization codes
and ultimately fetch the correct access tokens for RDP (described
here: <0>).
As an alternative, MS also provides the Microsoft Authentication
Library (MSAL) through which authentication can be handled more
or less in the background when we're using a trusted device. In
particular, we can request access tokens with the same
parameters as we're currently doing through the URL-based scheme.
As the MSAL bindings are not available for C, we implemented a
small wrapper library called sso-mib which is available at
https://github.com/siemens/sso-mib. This library translates the
high-level requests (such as acquire_token_interactive) to
respective messages on the D-Bus messaging bus which is used to
communicate with the identity broker service on Linux. The
library can be built as a .deb package and subsequently be
found through PkgConfig mechanisms in CMake.
When sso-mib is not available through pkg-config, it can also
be placed in external/, with the directory structure looking
like the following. include/ is copied from the root of the
sso-mib directory and lib/ populated with the built shared
library files and symlinks.
external/
├── README
└── sso-mib
    ├── include
    │   └── sso-mib
    │       ├── mib-account.h
    │       ├── mib-client-app.h
    │       ├── mib-exports.h
    │       ├── mib-pop-params.h
    │       ├── mib-prt.h
    │       ├── mib-prt-sso-cookie.h
    │       └── sso-mib.h
    └── lib
        ├── libsso-mib.so -> libsso-mib.so.0
        ├── libsso-mib.so.0 -> libsso-mib.so.0.4.0
        └── libsso-mib.so.0.4.0
This feature is currently hidden behind a configuration switch
and must be enabled via `-DWITH_SSO_MIB=ON`. If the connection
to the broker fails (for example, if no identity broker is
installed or running on the system), we automatically fall back
to the current scheme of copy-pasting URLs.
<0>: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/e967ebeb-9e9f-443e-857a-5208802943c2
To allow the client-common library to override the GetAccessToken callback,
introduce a new GetCommonAccessToken callback.
This callback defaults to calling the existing GetAccessToken callback, but
the client-common library can override it if desired, so that a common token
retrieval method is executed before a client UI is invoked.