Add signed JWT auto sign-in flow (LibreGraph.SignedLoginOK)

longsleep · longsleep · commit 27ba0ea61211 · 2026-03-27T16:33:55.000+01:00
When --allow-client-signed-logins is enabled, trusted apps can sign in
users without an interactive password challenge by sending an OIDC
authorization request that includes the LibreGraph.SignedLoginOK scope
together with a signed request object carrying a preferred_username claim.

The signed login path is built directly into IdentifierIdentityManager:

- checkAndRecordJTI: in-memory JTI replay prevention (10 min window)
- authenticateSignedLogin: validates the signed JWT, looks up the user
  by preferred_username, writes a logon cookie so subsequent silent-renew
  and re-auth requests succeed via the normal cookie path without needing
  a new signed JWT each time
- authorizeSignedLogin: verifies client identity against the signed
  request object and approves scopes via the client's trusted_scopes list

WriteLogonCookie is introduced on Identifier to write the cookie
mid-flow without firing onSetLogonCallbacks (which would produce a
spurious browser-state cookie header in the same response).
SetUserToLogonCookie is refactored to delegate to it.
diff --git a/bootstrap/backends/ldap/ldap.go b/bootstrap/backends/ldap/ldap.go
@@ -160,13 +160,18 @@ func NewIdentityManager(bs bootstrap.Bootstrap) (identity.Manager, error) {
 		return nil, fmt.Errorf("invalid --encryption-secret parameter value for identifier: %v", err)
 	}
 
+	// Expose the identifier in the managers registry so other managers (e.g.
+	// signedlogin) can access it without creating a second instance.
+	bs.Managers().Set("identifier", activeIdentifier)
+
 	identityManagerConfig := &identity.Config{
 		SignInFormURI: fullSignInFormURL,
 		SignedOutURI:  fullSignedOutEndpointURL,
 
 		Logger: logger,
 
-		ScopesSupported: config.Config.AllowedScopes,
+		ScopesSupported:  config.Config.AllowedScopes,
+		AllowSignedLogin: config.Config.AllowClientSignedLogins,
 	}
 
 	identifierIdentityManager := managers.NewIdentifierIdentityManager(identityManagerConfig, activeIdentifier)
diff --git a/bootstrap/backends/libregraph/libregraph.go b/bootstrap/backends/libregraph/libregraph.go
@@ -143,13 +143,18 @@ func NewIdentityManager(bs bootstrap.Bootstrap) (identity.Manager, error) {
 		return nil, fmt.Errorf("invalid --encryption-secret parameter value for identifier: %v", err)
 	}
 
+	// Expose the identifier in the managers registry so other managers (e.g.
+	// signedlogin) can access it without creating a second instance.
+	bs.Managers().Set("identifier", activeIdentifier)
+
 	identityManagerConfig := &identity.Config{
 		SignInFormURI: fullSignInFormURL,
 		SignedOutURI:  fullSignedOutEndpointURL,
 
 		Logger: logger,
 
-		ScopesSupported: config.Config.AllowedScopes,
+		ScopesSupported:  config.Config.AllowedScopes,
+		AllowSignedLogin: config.Config.AllowClientSignedLogins,
 	}
 
 	identifierIdentityManager := managers.NewIdentifierIdentityManager(identityManagerConfig, activeIdentifier)
diff --git a/bootstrap/bootstrap.go b/bootstrap/bootstrap.go
@@ -206,6 +206,11 @@ func (bs *bootstrap) initialize(settings *Settings) error {
 		logger.Infoln("client controlled guests are enabled")
 	}
 
+	bs.config.Config.AllowClientSignedLogins = settings.AllowClientSignedLogins
+	if bs.config.Config.AllowClientSignedLogins {
+		logger.Infoln("client controlled signed logins are enabled")
+	}
+
 	bs.config.Config.AllowDynamicClientRegistration = settings.AllowDynamicClientRegistration
 	if bs.config.Config.AllowDynamicClientRegistration {
 		logger.Infoln("dynamic client registration is enabled")
diff --git a/bootstrap/settings.go b/bootstrap/settings.go
@@ -35,6 +35,7 @@ type Settings struct {
 	TrustedProxy                      []string
 	AllowScope                        []string
 	AllowClientGuests                 bool
+	AllowClientSignedLogins           bool
 	AllowDynamicClientRegistration    bool
 	EncryptionSecretFile              string
 	Listen                            string
diff --git a/cmd/licod/serve.go b/cmd/licod/serve.go
@@ -98,6 +98,7 @@ func commandServe() *cobra.Command {
 	serveCmd.Flags().StringArrayVar(&cfg.TrustedProxy, "trusted-proxy", nil, "Trusted proxy IP or IP network (can be used multiple times)")
 	serveCmd.Flags().StringArrayVar(&cfg.AllowScope, "allow-scope", nil, "Allow OAuth 2 scope (can be used multiple times, if not set default scopes are allowed)")
 	serveCmd.Flags().BoolVar(&cfg.AllowClientGuests, "allow-client-guests", false, "Allow sign in of client controlled guest users")
+	serveCmd.Flags().BoolVar(&cfg.AllowClientSignedLogins, "allow-client-signed-logins", false, "Allow sign in of client controlled signed login users")
 	serveCmd.Flags().BoolVar(&cfg.AllowDynamicClientRegistration, "allow-dynamic-client-registration", false, "Allow dynamic OAuth2 client registration")
 	serveCmd.Flags().Uint64Var(&cfg.AccessTokenDurationSeconds, "access-token-expiration", 60*10, "Expiration time of access tokens in seconds since generated")                                             // 10 Minutes.
 	serveCmd.Flags().Uint64Var(&cfg.IDTokenDurationSeconds, "id-token-expiration", 60*60, "Expiration time of id tokens in seconds since generated")                                                         // 1 Hour.
diff --git a/config/config.go b/config/config.go
@@ -38,5 +38,6 @@ type Config struct {
 
 	AllowedScopes                  []string
 	AllowClientGuests              bool
+	AllowClientSignedLogins        bool
 	AllowDynamicClientRegistration bool
 }
diff --git a/identifier/identifier.go b/identifier/identifier.go
@@ -269,27 +269,26 @@ func (i *Identifier) ErrorPage(rw http.ResponseWriter, code int, title string, m
 	utils.WriteErrorPage(rw, code, title, message)
 }
 
-// SetUserToLogonCookie serializes the provided user into an encrypted string
-// and sets it as cookie on the provided http.ResponseWriter.
-func (i *Identifier) SetUserToLogonCookie(ctx context.Context, rw http.ResponseWriter, user *IdentifiedUser) error {
+// WriteLogonCookie serializes the provided user into an encrypted string and
+// sets it as a logon cookie without firing any callbacks. Use this when the
+// cookie must be written mid-flow (e.g. inside an authorize handler) where
+// the caller is responsible for updating browser state separately.
+func (i *Identifier) WriteLogonCookie(rw http.ResponseWriter, user *IdentifiedUser) error {
 	loggedOn, logonAt := user.LoggedOn()
 	if !loggedOn {
 		return fmt.Errorf("refused to set cookie for not logged on user")
 	}
 
-	// Add standard claims.
 	claims := jwt.Claims{
 		Issuer:   user.BackendName(),
 		Audience: audienceMarker,
 		Subject:  user.Subject(),
 		IssuedAt: jwt.NewNumericDate(logonAt),
 	}
-	// Add expiration, if set.
 	if user.expiresAfter != nil {
 		claims.Expiry = jwt.NewNumericDate(*user.expiresAfter)
 	}
 
-	// Additional claims.
 	userClaims := map[string]interface{}(user.Claims())
 	if sessionRef := user.SessionRef(); sessionRef != nil {
 		userClaims[SessionIDClaim] = *sessionRef
@@ -304,25 +303,27 @@ func (i *Identifier) SetUserToLogonCookie(ctx context.Context, rw http.ResponseW
 		userClaims[LockedScopesClaim] = strings.Join(lockedScopes, " ")
 	}
 
-	// Serialize and encrypt cookie value.
 	serialized, err := jwt.Encrypted(i.encrypter).Claims(claims).Claims(userClaims).CompactSerialize()
 	if err != nil {
 		return err
 	}
 
-	// Set cookie.
-	err = i.setLogonCookie(rw, serialized)
-	if err != nil {
+	return i.setLogonCookie(rw, serialized)
+}
+
+// SetUserToLogonCookie serializes the provided user into an encrypted string,
+// sets it as cookie on the provided http.ResponseWriter, and fires the
+// onSetLogon callbacks.
+func (i *Identifier) SetUserToLogonCookie(ctx context.Context, rw http.ResponseWriter, user *IdentifiedUser) error {
+	if err := i.WriteLogonCookie(rw, user); err != nil {
 		return err
 	}
 	// Trigger callbacks.
 	for _, f := range i.onSetLogonCallbacks {
-		err = f(ctx, rw, user)
-		if err != nil {
+		if err := f(ctx, rw, user); err != nil {
 			return err
 		}
 	}
-
 	return nil
 }
 
diff --git a/identifier/user.go b/identifier/user.go
@@ -146,6 +146,12 @@ func (u *IdentifiedUser) LoggedOn() (bool, time.Time) {
 	return !u.logonAt.IsZero(), u.logonAt
 }
 
+// SetLogonAt sets the logon timestamp, marking the user as logged on. Used by
+// flows that authenticate without a password challenge (e.g. signed login).
+func (u *IdentifiedUser) SetLogonAt(t time.Time) {
+	u.logonAt = t
+}
+
 // SessionRef returns the accociated users underlaying session reference.
 func (u *IdentifiedUser) SessionRef() *string {
 	return u.sessionRef
diff --git a/identity/config.go b/identity/config.go
@@ -30,5 +30,8 @@ type Config struct {
 
 	ScopesSupported []string
 
+	// AllowSignedLogin enables the signed JWT auto sign-in flow.
+	AllowSignedLogin bool
+
 	Logger logrus.FieldLogger
 }
diff --git a/identity/managers/identifier.go b/identity/managers/identifier.go
diff --git a/oidc/provider/handlers.go b/oidc/provider/handlers.go
diff --git a/oidc/provider/provider.go b/oidc/provider/provider.go
diff --git a/scopes.go b/scopes.go

Original file line number	Diff line number	Diff line change
`@@ -38,5 +38,6 @@ type Config struct {`
`38`	`38`
`39`	`39`	`AllowedScopes []string`
`40`	`40`	`AllowClientGuests bool`
	`41`	`+ AllowClientSignedLogins bool`
`41`	`42`	`AllowDynamicClientRegistration bool`
`42`	`43`	`}`
Original file line number	Diff line number	Diff line change
`@@ -30,5 +30,8 @@ type Config struct {`
`30`	`30`
`31`	`31`	`ScopesSupported []string`
`32`	`32`
	`33`	`+ // AllowSignedLogin enables the signed JWT auto sign-in flow.`
	`34`	`+ AllowSignedLogin bool`
	`35`	`+`
`33`	`36`	`Logger logrus.FieldLogger`
`34`	`37`	`}`