OPNsense/Auth - add minimalistic interface for SSO support.

In order to support other authentication methods for the business edition in the future, we need some glue to offer room for a different authentication flow.
When using an SSO flow, the service binding is usually determined by the endpoint which acts as a trampoline.

This commits mildly refactors our AuthenticationFactory and adds some handles to be able to choose SSO providers when available (using our standard listServers() call)

ISSOContainer describes the minimal interface a container of providers should support, the Provider class is a "struct" type container offering relevant information for the provider in question.

Author: AdSchellevis

plist

@@ -503,6 +503,8 @@
 /usr/local/opnsense/mvc/app/library/OPNsense/Auth/Local.php
 /usr/local/opnsense/mvc/app/library/OPNsense/Auth/LocalTOTP.php
 /usr/local/opnsense/mvc/app/library/OPNsense/Auth/Radius.php
+/usr/local/opnsense/mvc/app/library/OPNsense/Auth/SSOProviders/ISSOContainer.php
+/usr/local/opnsense/mvc/app/library/OPNsense/Auth/SSOProviders/Provider.php
 /usr/local/opnsense/mvc/app/library/OPNsense/Auth/Services/IPsec.php
 /usr/local/opnsense/mvc/app/library/OPNsense/Auth/Services/System.php
 /usr/local/opnsense/mvc/app/library/OPNsense/Auth/Services/WebGui.php

src/etc/inc/auth.inc

@@ -538,8 +538,8 @@ function auth_get_authserver($name)
     return false;
 }
 
-function auth_get_authserver_list()
+function auth_get_authserver_list($service='')
 {
-    return (new \OPNsense\Auth\AuthenticationFactory())->listServers();
+    return (new \OPNsense\Auth\AuthenticationFactory())->listServers($service);
 }
 

src/opnsense/mvc/app/library/OPNsense/Auth/AuthenticationFactory.php

@@ -48,32 +48,51 @@ class AuthenticationFactory
     private function listConnectors()
     {
         $connectors = [];
+        $interface = 'OPNsense\\Auth\\IAuthConnector';
         foreach (glob(__DIR__ . "/*.php") as $filename) {
-            $pathParts = explode('/', $filename);
-            $vendor = $pathParts[count($pathParts) - 3];
-            $module = $pathParts[count($pathParts) - 2];
-            $classname = explode('.php', $pathParts[count($pathParts) - 1])[0];
-            $reflClass = new \ReflectionClass("{$vendor}\\{$module}\\{$classname}");
-            if ($reflClass->implementsInterface('OPNsense\\Auth\\IAuthConnector')) {
-                if ($reflClass->hasMethod('getType')) {
-                    $connectorType = $reflClass->getMethod('getType')->invoke(null);
-                    $connector = [];
-                    $connector['class'] = "{$vendor}\\{$module}\\{$classname}";
-                    $connector['classHandle'] = $reflClass;
-                    $connector['type'] = $connectorType;
-                    $connectors[$connectorType] = $connector;
-                }
+            $classname = 'OPNsense\\Auth\\' . explode('.php', basename($filename))[0];
+            $reflClass = new \ReflectionClass($classname);
+            if (!$reflClass->isInterface() && $reflClass->implementsInterface($interface)) {
+                $connectorType = $reflClass->getMethod('getType')->invoke(null);
+                $connectors[$connectorType] = [
+                    'class' => $classname,
+                    'classHandle' => $reflClass,
+                    'type' => $connectorType
+                ];
             }
         }
         return $connectors;
     }
 
+    /**
+     * @param string $service filter on service when offered
+     * @return array list of SSO providers
+     */
+    public function listSSOproviders(string $service=''): array
+    {
+        $result = [];
+        $interface = 'OPNsense\Auth\SSOProviders\\ISSOContainer';
+        foreach (glob(__DIR__ . "/SSOProviders/*.php") as $filename) {
+            $classname = 'OPNsense\\Auth\\SSOProviders\\' . explode('.php', basename($filename))[0];
+            $reflClass = new \ReflectionClass($classname);
+            if (!$reflClass->isInterface() && $reflClass->implementsInterface($interface)) {
+                foreach (($reflClass->newInstance())->listProviders() as $provider) {
+                    if (empty($service) || $provider->service == $service) {
+                        $result[] = $provider;
+                    }
+                }
+            }
+        }
+        return $result;
+    }
+
     /**
      * request list of configured servers, the factory needs to be aware of its options and settings to
      * be able to instantiate useful connectors.
+     * @param string $service name of the service we request our authenticators for
      * @return array list of configured servers
      */
-    public function listServers()
+    public function listServers(string $service='')
     {
         $servers = [];
         $servers['Local Database'] = array("name" => "Local Database", "type" => "local");
@@ -88,6 +107,16 @@ public function listServers()
             }
         }
 
+        if (!empty($service)) {
+            /**
+             * Single sign on providers are bound to their service, which is different than our usual
+             * user/pass authentication flow in which case the authenticate() method passes the requested service
+             */
+            foreach ($this->listSSOproviders($service) as $provider) {
+                $servers[$provider->id] = $provider->asArray();
+            }
+        }
+
         return $servers;
     }
 
@@ -98,8 +127,8 @@ public function listServers()
      */
     public function get($authserver)
     {
-        $servers = $this->listServers();
-        $servers['Local API'] = array("name" => "Local API Database", "type" => "api");
+        $servers = $this->listServers(); /* only servers, no SSO providers */
+        $servers['Local API'] = ["name" => "Local API Database", "type" => "api"];
         // create a new auth connector
         if (isset($servers[$authserver]['type'])) {
             $connectors = $this->listConnectors();

src/opnsense/mvc/app/library/OPNsense/Auth/IAuthConnector.php

@@ -36,6 +36,11 @@
  */
 interface IAuthConnector
 {
+    /**
+     * @return string type of this authenticator
+     */
+    public static function getType();
+
     /**
      * set connector properties
      * @param array $config set configuration for this connector to use

src/opnsense/mvc/app/library/OPNsense/Auth/SSOProviders/ISSOContainer.php

@@ -0,0 +1,45 @@
+<?php
+
+/**
+ *    Copyright (C) 2025 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Auth\SSOProviders;
+
+/**
+ * Interface ISSOContainer defines required methods to support SSO types, a container may yield multiple providers
+ * which are usually defined in models.
+ * @package OPNsense\Auth\SSOProviders
+ */
+interface ISSOContainer
+{
+
+    /**
+     * yield provider objects (servers) offered by this container
+     */
+    public function listProviders(): \Generator;
+}

src/opnsense/mvc/app/library/OPNsense/Auth/SSOProviders/Provider.php

@@ -0,0 +1,83 @@
+<?php
+
+/**
+ *    Copyright (C) 2025 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Auth\SSOProviders;
+
+class Provider
+{
+    public readonly string $id;             /* unique id for this provider */
+    public readonly string $appcode;        /* short app code */
+    public readonly string $name;           /* the name of this provider */
+    public readonly string $login_uri;      /* (default) link to start SSO procedure */
+    public readonly string $service;        /* service this provider belongs to */
+    public readonly string $html_content;   /* optional html content to render for "login using" phrase*/
+
+    /**
+     * load properties of this object on construct
+     */
+    public function __construct(array $props)
+    {
+        foreach (get_class_vars(get_class($this)) as $key => $value) {
+            if (isset($props[$key])) {
+                $this->$key = $props[$key];
+            } else {
+                $this->$key = '';
+            }
+        }
+    }
+
+    /**
+     *  @return array this providers settings as array
+     */
+    public function asArray(): array
+    {
+        $result = ['type' => 'sso'];
+        foreach (get_class_vars(get_class($this)) as $key => $value) {
+            $result[$key] = $this->$key;
+        }
+        return $result;
+    }
+
+    /**
+     * @return string html content to use to render login link
+     */
+    public function renderLink()
+    {
+        if (!empty($this->html_content)) {
+            return $this->html_content;
+        } else {
+            return sprintf(
+                gettext("Login using <a href='%s'>%s</a>"),
+                $this->login_uri,
+                $this->name
+            );
+        }
+    }
+}

src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/AuthenticationServerField.php

@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2015-2019 Deciso B.V.
+ * Copyright (C) 2015-2025 Deciso B.V.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -39,12 +39,17 @@ class AuthenticationServerField extends BaseListField
     /**
      * @var array collected options
      */
-    private static $internalStaticOptionList = array();
+    private static $internalStaticOptionList = [];
 
     /**
      * @var array filters to use on the authservers list
      */
-    private $internalFilters = array();
+    private array $internalFilters = [];
+
+    /**
+     * @var string optionally pass service we're requesting our servers for
+     */
+    private string $internalService = '';
 
     /**
      * @var string key to use for option selections, to prevent excessive reloading
@@ -57,10 +62,10 @@ class AuthenticationServerField extends BaseListField
     protected function actionPostLoadingEvent()
     {
         if (!isset(self::$internalStaticOptionList[$this->internalCacheKey])) {
-            self::$internalStaticOptionList[$this->internalCacheKey] = array();
+            self::$internalStaticOptionList[$this->internalCacheKey] = [];
 
             $authFactory = new \OPNsense\Auth\AuthenticationFactory();
-            $allAuthServers = $authFactory->listServers();
+            $allAuthServers = $authFactory->listServers($this->internalService);
 
             foreach ($allAuthServers as $key => $value) {
                 // use filters to determine relevance
@@ -78,7 +83,7 @@ protected function actionPostLoadingEvent()
                     }
                 }
                 if ($isMatched) {
-                    self::$internalStaticOptionList[$this->internalCacheKey][$key] = $key;
+                    self::$internalStaticOptionList[$this->internalCacheKey][$key] = $value['name'];
                 }
             }
             natcasesort(self::$internalStaticOptionList[$this->internalCacheKey]);
@@ -89,13 +94,25 @@ protected function actionPostLoadingEvent()
     /**
      * set filters to use (in regex) per field, all tags are combined
      * and cached for the next object using the same filters
-     * @param $filters filters to use
+     * @param array $filters filters to use
      */
     public function setFilters($filters)
     {
         if (is_array($filters)) {
             $this->internalFilters = $filters;
-            $this->internalCacheKey = md5(serialize($this->internalFilters));
+            $this->internalCacheKey = md5(serialize($this->internalFilters) . $this->internalService);
+        }
+    }
+
+    /**
+     * set service type to limit results too
+     * @param string $service service name
+     */
+    public function setService($service)
+    {
+        if (is_string($service)) {
+            $this->internalService = $service;
+            $this->internalCacheKey = md5(serialize($this->internalFilters) . $this->internalService);
         }
     }
 }

src/www/authgui.inc

@@ -414,6 +414,13 @@ function display_login_form($Login_Error)
 
       </form>
 
+
+<?php    foreach ((new \OPNsense\Auth\AuthenticationFactory())->listSSOproviders('WebGui') as $provider):?>
+<div class="login-sso-link-container">
+    <?=$provider->renderLink();?>
+</div>
+<?php    endforeach;?>
+
       <?php if (!$have_cookies && isset($_POST['login'])) : ?>
         <br /><br />
         <span class="text-danger">

src/www/system_advanced_admin.php

@@ -36,7 +36,8 @@
 require_once("system.inc");
 
 $a_group = &config_read_array('system', 'group');
-$a_authmode = auth_get_authserver_list();
+/* XXX: both webgui and console(ssh) use the same config reference, but may not support the same options */
+$a_authmode = auth_get_authserver_list('WebGui');
 $ssh_rekeylimit_choices = [
   '' => gettext('System defaults'),
   'default 60s' => gettext('60 seconds'),