WebIDAMd – OpenID Connect and OAuth for Linux system clients
For many decades, LDAP- and Kerberos-based setups have been the default for providing enterprise-grade, network-wide authentication and authorisation in Linux environments, after they slowly replaced NIS / yellow pages from the dark Unix eras.
Today, the Web, however, has become the default platform for many applications, and it has well established identity and authorisation protocols – the most prominent being OpenID Connect, which is based on OAuth2.
In 2023 at MiniDebConf Hamburg, I talked about bringing Linux enterprise authentication to the cloud by leveraging OIDC authentication in NSS/PAM. Starting from there, WebIDAMd is now available as a prototype for logging in to Linux machines using OAuth and OIDC.
While there are other approaches (sssd, Himmelblau, and others), WebIDAMd is designed to be the most flexible: it is not limited to Keycloak or Microsoft Entra, but can use any OIDC provider and any JSON-based API. Plus, it wants to integrate other software with this login, so we get single sign-on for desktop applications running in the user session as well. This means that we can now use Salsa as an account provider for a Debian machine!
In this talk, I want to demonstrate what WebIDAMd can already do, and what is still on the roadmap (and maybe looking for contributors). While at it, we will cast a glance at the modern mechanisms systemd provides for managing and listing users, i.e. userdbd and homed.