FreeRDP
All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Modules Pages
sso_mib_tokens.c
1/*
2 * SPDX-License-Identifier: Apache-2.0
3 * SPDX-FileCopyrightText: Copyright 2025 Siemens
4 */
5
6#include <sso-mib/sso-mib.h>
7#include <freerdp/crypto/crypto.h>
8#include <winpr/json.h>
9
10#include <sso-mib/sso-mib.h>
11#include "sso_mib_tokens.h"
12
13#include <freerdp/log.h>
14#define TAG CLIENT_TAG("common.sso")
15
16enum sso_mib_state
17{
18 SSO_MIB_STATE_INIT = 0,
19 SSO_MIB_STATE_FAILED = 1,
20 SSO_MIB_STATE_SUCCESS = 2,
21};
22
23struct MIBClientWrapper
24{
25 MIBClientApp* app;
26 enum sso_mib_state state;
27 pGetCommonAccessToken GetCommonAccessToken;
28};
29
30static BOOL sso_mib_get_avd_access_token(rdpClientContext* client_context, char** token)
31{
32 WINPR_ASSERT(client_context);
33 WINPR_ASSERT(client_context->mibClientWrapper);
34 WINPR_ASSERT(client_context->mibClientWrapper->app);
35 WINPR_ASSERT(token);
36
37 MIBAccount* account = NULL;
38 GSList* scopes = NULL;
39
40 BOOL rc = FALSE;
41 *token = NULL;
42
43 account = mib_client_app_get_account_by_upn(client_context->mibClientWrapper->app, NULL);
44 if (!account)
45 {
46 goto cleanup;
47 }
48
49 scopes = g_slist_append(scopes, g_strdup("https://www.wvd.microsoft.com/.default"));
50
51 MIBPrt* prt = mib_client_app_acquire_token_silent(client_context->mibClientWrapper->app,
52 account, scopes, NULL, NULL, NULL);
53 if (prt)
54 {
55 const char* access_token = mib_prt_get_access_token(prt);
56 if (access_token)
57 {
58 *token = strdup(access_token);
59 }
60 g_object_unref(prt);
61 }
62
63 rc = TRUE && *token != NULL;
64cleanup:
65 if (account)
66 g_object_unref(account);
67 g_slist_free_full(scopes, g_free);
68 return rc;
69}
70
71static BOOL sso_mib_get_rdsaad_access_token(rdpClientContext* client_context, const char* scope,
72 const char* req_cnf, char** token)
73{
74 WINPR_ASSERT(client_context);
75 WINPR_ASSERT(client_context->mibClientWrapper);
76 WINPR_ASSERT(client_context->mibClientWrapper->app);
77 WINPR_ASSERT(scope);
78 WINPR_ASSERT(token);
79 WINPR_ASSERT(req_cnf);
80
81 GSList* scopes = NULL;
82 WINPR_JSON* json = NULL;
83 MIBPopParams* params = NULL;
84
85 BOOL rc = FALSE;
86 *token = NULL;
87 BYTE* req_cnf_dec = NULL;
88 size_t req_cnf_dec_len = 0;
89
90 scopes = g_slist_append(scopes, g_strdup(scope));
91
92 // Parse the "kid" element from req_cnf
93 crypto_base64_decode(req_cnf, strlen(req_cnf) + 1, &req_cnf_dec, &req_cnf_dec_len);
94 if (!req_cnf_dec)
95 {
96 goto cleanup;
97 }
98
99 json = WINPR_JSON_Parse((const char*)req_cnf_dec);
100 if (!json)
101 {
102 goto cleanup;
103 }
104 WINPR_JSON* prop = WINPR_JSON_GetObjectItem(json, "kid");
105 if (!prop)
106 {
107 goto cleanup;
108 }
109 const char* kid = WINPR_JSON_GetStringValue(prop);
110 if (!kid)
111 {
112 goto cleanup;
113 }
114
115 params = mib_pop_params_new(MIB_AUTH_SCHEME_POP, MIB_REQUEST_METHOD_GET, "");
116 mib_pop_params_set_kid(params, kid);
117 MIBPrt* prt = mib_client_app_acquire_token_interactive(
118 client_context->mibClientWrapper->app, scopes, MIB_PROMPT_NONE, NULL, NULL, NULL, params);
119 if (prt)
120 {
121 *token = strdup(mib_prt_get_access_token(prt));
122 rc = TRUE;
123 g_object_unref(prt);
124 }
125
126cleanup:
127 if (params)
128 g_object_unref(params);
129 WINPR_JSON_Delete(json);
130 free(req_cnf_dec);
131 g_slist_free_full(scopes, g_free);
132 return rc;
133}
134
135static BOOL sso_mib_get_access_token(rdpContext* context, AccessTokenType tokenType, char** token,
136 size_t count, ...)
137{
138 BOOL rc = FALSE;
139 rdpClientContext* client_context = (rdpClientContext*)context;
140 WINPR_ASSERT(client_context);
141 WINPR_ASSERT(client_context->mibClientWrapper);
142
143 if (!client_context->mibClientWrapper->app)
144 {
145 const char* client_id =
146 freerdp_settings_get_string(context->settings, FreeRDP_GatewayAvdClientID);
147 client_context->mibClientWrapper->app =
148 mib_public_client_app_new(client_id, MIB_AUTHORITY_COMMON, NULL, NULL);
149 }
150
151 if (!client_context->mibClientWrapper->app)
152 return ERROR_INTERNAL_ERROR;
153
154 const char* scope = NULL;
155 const char* req_cnf = NULL;
156
157 va_list ap;
158 va_start(ap, count);
159
160 if (tokenType == ACCESS_TOKEN_TYPE_AAD)
161 {
162 scope = va_arg(ap, const char*);
163 req_cnf = va_arg(ap, const char*);
164 }
165
166 if ((client_context->mibClientWrapper->state == SSO_MIB_STATE_INIT) ||
167 (client_context->mibClientWrapper->state == SSO_MIB_STATE_SUCCESS))
168 {
169 switch (tokenType)
170 {
171 case ACCESS_TOKEN_TYPE_AVD:
172 {
173 rc = sso_mib_get_avd_access_token(client_context, token);
174 if (rc)
175 client_context->mibClientWrapper->state = SSO_MIB_STATE_SUCCESS;
176 else
177 {
178 WLog_WARN(TAG, "Getting AVD token from identity broker failed, falling back to "
179 "browser-based authentication.");
180 client_context->mibClientWrapper->state = SSO_MIB_STATE_FAILED;
181 }
182 }
183 break;
184 case ACCESS_TOKEN_TYPE_AAD:
185 {
186 // Setup scope without URL encoding for sso-mib
187 char* scope_copy = winpr_str_url_decode(scope, strlen(scope));
188 if (!scope_copy)
189 WLog_ERR(TAG, "Failed to decode scope");
190 else
191 {
192 rc =
193 sso_mib_get_rdsaad_access_token(client_context, scope_copy, req_cnf, token);
194 free(scope_copy);
195 if (rc)
196 client_context->mibClientWrapper->state = SSO_MIB_STATE_SUCCESS;
197 else
198 {
199 WLog_WARN(TAG,
200 "Getting RDS token from identity broker failed, falling back to "
201 "browser-based authentication.");
202 client_context->mibClientWrapper->state = SSO_MIB_STATE_FAILED;
203 }
204 }
205 }
206 break;
207 default:
208 break;
209 }
210 }
211 if (!rc && client_context->mibClientWrapper->GetCommonAccessToken)
212 rc = client_context->mibClientWrapper->GetCommonAccessToken(context, tokenType, token,
213 count, scope, req_cnf);
214 va_end(ap);
215
216 return rc;
217}
218
219MIBClientWrapper* sso_mib_new(rdpContext* context)
220{
221
222 MIBClientWrapper* mibClientWrapper = (MIBClientWrapper*)calloc(1, sizeof(MIBClientWrapper));
223 if (!mibClientWrapper)
224 return NULL;
225
226 mibClientWrapper->GetCommonAccessToken = freerdp_get_common_access_token(context);
227 if (!freerdp_set_common_access_token(context, sso_mib_get_access_token))
228 {
229 sso_mib_free(mibClientWrapper);
230 return NULL;
231 }
232 mibClientWrapper->state = SSO_MIB_STATE_INIT;
233 return mibClientWrapper;
234}
235
236void sso_mib_free(MIBClientWrapper* sso)
237{
238 if (!sso)
239 return;
240
241 if (sso->app)
242 g_object_unref(sso->app);
243
244 free(sso);
245}
WINPR_JSON_GetObjectItem
WINPR_API WINPR_JSON * WINPR_JSON_GetObjectItem(const WINPR_JSON *object, const char *string)
Return a pointer to an JSON object item.
Definition json.c:184
WINPR_JSON_GetStringValue
WINPR_API const char * WINPR_JSON_GetStringValue(WINPR_JSON *item)
Return the String value of a JSON item.
Definition json.c:234
WINPR_JSON_Delete
WINPR_API void WINPR_JSON_Delete(WINPR_JSON *item)
Delete a WinPR JSON wrapper object.
Definition json.c:144
WINPR_JSON_Parse
WINPR_API WINPR_JSON * WINPR_JSON_Parse(const char *value)
Parse a '\0' terminated JSON string.
Definition json.c:113
freerdp_settings_get_string
FREERDP_API const char * freerdp_settings_get_string(const rdpSettings *settings, FreeRDP_Settings_Keys_String id)
Returns a immutable string settings value.