aleitner opened a new pull request, #633:
URL: https://github.com/apache/guacamole-server/pull/633

- Adds Azure AD (Entra ID) authentication support for RDP connections using FreeRDP 3's `AadSecurity` mode
- Implements the OAuth2 authorization code flow server-side using libcurl to automate the Microsoft login sequence
- Adds `#include "config.h"` to source files that were missing it, fixing struct member offset mismatches.

## Authentication Flow

When `security=aad` is set on an RDP connection:

1. FreeRDP initiates the AAD handshake and invokes the `GetAccessToken` callback with the required scope and Proof-of-Possession key
2. The callback prompts for username/password via `guac_argv` if not already configured
3. An OAuth2 authorization URL is built using the client ID from FreeRDP's `GatewayAvdClientID` setting and the `common` tenant endpoint
4. The Microsoft login page is fetched via HTTP GET and the `$Config` JavaScript object is parsed for session tokens (`sFT`, `sCtx`, `urlPost`, `canary`, `apiCanary`)
5. The `GetCredentialType` API is called to update server-side session state and obtain a fresh flow token
6. Credentials are POSTed to the login endpoint with the required CSRF tokens. On success, Microsoft redirects to the native client URI with an authorization code
7. The authorization code is exchanged for an access token at the token endpoint, including the Proof-of-Possession binding
8. The access token is returned to FreeRDP, which completes the AAD-authenticated RDP session

Paired with https://github.com/apache/guacamole-client/pull/1168
