A while back, I was playing around with adding OpenID Connect authentication to Web Access and built a prototype implementation in the form of an additional web service that sits in front of Web Access, taking care of the OpenID Connect authentication flow, extracting the username from the token and using the token itself as the password sent to the ThinLinc server. On the server side, this “password”/token is verified by the PAM module pam_oidc developed by Salesforce.
The code, along with the documentation, is available on GitHub: GitHub - williamsjoblom/tl-oidc-gateway: OpenID Connect gateway for single sign-on in ThinLinc Web Access
As per the README, this currently requires you to bump the size of the buffer where the password ends up on the server side (as OIDC tokens are way longer than your typical password). As of now, this can be done by applying the supplied patch to the obfuscated ThinLinc code provided in the GitHub repository. Note that this patch will be part of an official ThinLinc release in the near-term future.
I’m curious what the community thinks of this little hack. What are your initial thoughts?
As always, contributions in the form of issues, pull requests and general feedback are always welcome!
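As an added illustration of the server-side half of this design (not code from the gateway or from pam_oidc), the block below builds a token the way the gateway would hand it on as a "password" and then shows the checks the verifying side has to pass before extracting a username from it. It assumes a symmetric HS256 key, a placeholder issuer and a placeholder audience so it runs offline; a real provider signs with RS256 and the PAM module would fetch the public key from the provider's JWKS endpoint instead.

```python
import base64, hashlib, hmac, json, time

# Constructed example values: a shared secret stands in for the provider's
# signing key, and issuer/audience are placeholders, not real endpoints.
SHARED_SECRET = b"constructed-example-key"
ISSUER = "https://idp.example.invalid"
AUDIENCE = "thinlinc-web-access"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict) -> str:
    """Build an HS256 JWT: this is the long string that ends up in the
    password field on its way to the ThinLinc server."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    mac = hmac.new(SHARED_SECRET, f"{header}.{body}".encode(), hashlib.sha256)
    return f"{header}.{body}.{_b64url(mac.digest())}"

def verify_token(token: str, now=None):
    """Server-side check: return the username claim if the token is valid,
    otherwise None. Signature, algorithm, issuer, audience and expiry all
    have to hold before the token is accepted as a 'password'."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: never let the token itself pick how it is verified.
    if header.get("alg") != "HS256":
        return None
    mac = hmac.new(SHARED_SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256)
    if not hmac.compare_digest(mac.digest(), sig):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    # The gateway derives the login name from this claim (assumed claim name).
    return claims.get("preferred_username")
```

Feeding the output of make_token through len() also makes the README's buffer point concrete: even this minimal token is several times longer than a typical password.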