
Logging into a desktop session with SAML or OIDC

This is just an idea, not a working implementation

I have this half thought out idea of being able to log into a Desktop session using your cloud credentials. Like how you can log into a Chromebook with your Google credentials.

There doesn't seem to be anything currently that allows this.

There is pam_oidc, which seems to let you log in with an OIDC token but doesn't provide a mechanism for getting the token.

Getting a browser on the login screen: SDDM

It's possible to get a browser window to show up on the SDDM (KDE) login screen as follows (manual process):

SHELL=bash sudo -u sddm -i
# AppArmor prevents firefox starting up in the sddm user's real home directory
export HOME=$(mktemp -d)
export DISPLAY=:0
export XAUTHORITY="${HOME}/.Xauthority"
cd ${HOME}
# The name of this file seems dynamic and we don't have permission to list that
# directory.
cat /run/sddm/xauth_YfCiLT >"${XAUTHORITY}"
# Too permissive...
xhost +
# Try instead
xhost si:localuser:sddm
firefox --no-remote
# then remove the permission again
xhost -si:localuser:sddm

Now what?

Can we send the browser off to the login page of an identity provider and, when it returns, read the token from the Firefox on-disk profile (e.g. cookies.sqlite)? Then close the browser, delete the temp directory and trigger a PAM login?
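As an added example (not code from the post), here is the "read it from cookies.sqlite" step in Python: it copies the Firefox profile's cookies database, which Firefox keeps locked while it runs, opens the copy read-only and returns the unexpired cookies the IdP host set; the profile, host names and cookie values are constructed for the example. Note that what comes back is whatever session cookie the IdP set, which is not by itself the OIDC token the post mentions pam_oidc consuming.

```python
import shutil
import sqlite3
import tempfile
import time
from pathlib import Path

# Subset of Firefox's moz_cookies columns, constructed for this example (the real
# table has more). `expiry` is seconds since the epoch, as Firefox stores it.
SCHEMA = """CREATE TABLE moz_cookies (
    id INTEGER PRIMARY KEY, name TEXT, value TEXT, host TEXT, path TEXT,
    expiry INTEGER, isSecure INTEGER, isHttpOnly INTEGER)"""
SAMPLE_NOW = 1_700_000_000  # fixed "now" so the sample data is reproducible


def read_idp_cookies(profile_dir, idp_host, now=None):
    """Return {name: value} for unexpired cookies that idp_host set in this profile."""
    now = int(time.time()) if now is None else now
    src = Path(profile_dir) / "cookies.sqlite"
    # Firefox locks cookies.sqlite while running, so work on a copy (including any
    # WAL side files) opened read-only; the live profile is never modified.
    with tempfile.TemporaryDirectory() as tmp:
        for suffix in ("", "-wal", "-shm"):
            side = src.with_name(src.name + suffix)
            if side.exists():
                shutil.copy2(side, Path(tmp) / side.name)
        conn = sqlite3.connect(f"file:{Path(tmp) / src.name}?mode=ro", uri=True)
        try:
            # Firefox stores domain-wide cookies with a leading dot on the host.
            rows = conn.execute(
                "SELECT name, value FROM moz_cookies WHERE host IN (?, ?) AND expiry > ?",
                (idp_host, "." + idp_host, now),
            ).fetchall()
        finally:
            conn.close()
    return dict(rows)


def make_sample_profile():
    """Create a throwaway profile directory holding a constructed cookies.sqlite."""
    profile = Path(tempfile.mkdtemp(prefix="sddm-sso-"))
    conn = sqlite3.connect(profile / "cookies.sqlite")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO moz_cookies (name, value, host, path, expiry, isSecure, isHttpOnly)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)",
        [("idp_session", "SAMPLE-SESSION-VALUE", "login.idp.example", "/", SAMPLE_NOW + 3600, 1, 1),
         ("sso_csrf", "STALE-VALUE", ".login.idp.example", "/", SAMPLE_NOW - 60, 1, 1),
         ("prefs", "dark", "news.example", "/", SAMPLE_NOW + 3600, 0, 0)])
    conn.commit()
    conn.close()
    return profile
```

Running `read_idp_cookies(make_sample_profile(), "login.idp.example", now=SAMPLE_NOW)` returns only the live IdP cookie; the expired one and the cookie from another host are filtered out.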