Logging into a desktop session with SAML or OIDC
This is just an idea, not a working implementation
I have this half-thought-out idea of being able to log into a desktop session using your cloud credentials, like how you can log into a Chromebook with your Google credentials.
There doesn't seem to be anything currently that allows this.
There is pam_oidc, which seems to let you log in with an OIDC token but doesn't provide a mechanism for getting the token.
Getting a browser on the login screen: SDDM
It's possible to get a browser window to show up on the SDDM (KDE) login screen as follows (manual process):
SHELL=bash sudo -u sddm -i
# AppArmor prevents firefox starting up in the sddm user's real home directory,
# so run it from a throwaway one.
export HOME=$(mktemp -d)
export DISPLAY=:0
export XAUTHORITY="${HOME}/.Xauthority"
cd "${HOME}"
# The name of this file seems dynamic and we don't have permission to list that
# directory.
cat /run/sddm/xauth_YfCiLT >"${XAUTHORITY}"
# Too permissive (grants every client access to the display):
# xhost +
# Try instead: allow only the local sddm user
xhost si:localuser:sddm
firefox --no-remote
# then remove the permission again
xhost -si:localuser:sddm
Now what?
Can we send the browser off to the login page of an identity provider and, when it returns, read the token from the Firefox on-disk profile (e.g. cookies.sqlite)? Then close the browser, delete the temp directory and trigger a PAM login?