broker: Use authd utilities to generate auth modes maps

internal/broker/broker.go

@@ -214,7 +214,7 @@ func (b *Broker) connectToOIDCServer(ctx context.Context) (*oidc.Provider, error
 }
 
 // GetAuthenticationModes returns the authentication modes available for the user.
-func (b *Broker) GetAuthenticationModes(sessionID string, supportedUILayouts []map[string]string) (authModes []map[string]string, err error) {
+func (b *Broker) GetAuthenticationModes(sessionID string, supportedUILayouts []map[string]string) ([]map[string]string, error) {
 	session, err := b.getSession(sessionID)
 	if err != nil {
 		return nil, err
@@ -265,11 +265,9 @@ func (b *Broker) GetAuthenticationModes(sessionID string, supportedUILayouts []m
 		return nil, err
 	}
 
+	var authModes []auth.Mode
 	for _, id := range availableModes {
-		authModes = append(authModes, map[string]string{
-			layouts.ID:    id,
-			layouts.Label: supportedAuthModes[id],
-		})
+		authModes = append(authModes, auth.NewMode(id, supportedAuthModes[id]))
 	}
 
 	if len(authModes) == 0 {
@@ -281,7 +279,7 @@ func (b *Broker) GetAuthenticationModes(sessionID string, supportedUILayouts []m
 		return nil, err
 	}
 
-	return authModes, nil
+	return auth.NewModeMaps(authModes)
 }
 
 func (b *Broker) supportedAuthModesFromLayout(supportedUILayouts []layouts.UILayout) (supportedModes map[string]string) {

internal/providers/msentraid/msentraid.go

@@ -16,12 +16,10 @@ import (
 	msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
 	msgraphauth "github.com/microsoftgraph/msgraph-sdk-go-core/authentication"
 	msgraphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
-	"github.com/ubuntu/authd-oidc-brokers/internal/broker/authmodes"
-	"github.com/ubuntu/authd-oidc-brokers/internal/broker/sessionmode"
 	"github.com/ubuntu/authd-oidc-brokers/internal/consts"
 	providerErrors "github.com/ubuntu/authd-oidc-brokers/internal/providers/errors"
 	"github.com/ubuntu/authd-oidc-brokers/internal/providers/info"
-	"github.com/ubuntu/authd/brokers/auth"
+	"github.com/ubuntu/authd-oidc-brokers/internal/providers/noprovider"
 	"github.com/ubuntu/authd/log"
 	"golang.org/x/oauth2"
 )
@@ -38,6 +36,7 @@ const (
 
 // Provider is the Microsoft Entra ID provider implementation.
 type Provider struct {
+	noprovider.NoProvider
 	expectedScopes []string
 }
 
@@ -53,11 +52,6 @@ func (p Provider) AdditionalScopes() []string {
 	return []string{oidc.ScopeOfflineAccess, "GroupMember.Read.All", "User.Read"}
 }
 
-// AuthOptions returns the generic auth options required by the EntraID provider.
-func (p Provider) AuthOptions() []oauth2.AuthCodeOption {
-	return []oauth2.AuthCodeOption{}
-}
-
 // CheckTokenScopes checks if the token has the required scopes.
 func (p Provider) CheckTokenScopes(token *oauth2.Token) error {
 	scopes, err := p.getTokenScopes(token)
@@ -283,54 +277,6 @@ func isSecurityGroup(group msgraphmodels.Groupable) bool {
 	return !slices.Contains(group.GetGroupTypes(), "Unified")
 }
 
-// CurrentAuthenticationModesOffered returns the generic authentication modes supported by the provider.
-//
-// Token validity is not considered, only the presence of a token.
-func (p Provider) CurrentAuthenticationModesOffered(
-	sessionMode string,
-	supportedAuthModes map[string]string,
-	tokenExists bool,
-	providerReachable bool,
-	endpoints map[string]struct{},
-	currentAuthStep int,
-) ([]string, error) {
-	log.Debugf(context.Background(), "In CurrentAuthenticationModesOffered: sessionMode=%q, supportedAuthModes=%q, tokenExists=%t, providerReachable=%t, endpoints=%q, currentAuthStep=%d\n",
-		sessionMode, supportedAuthModes, tokenExists, providerReachable, endpoints, currentAuthStep)
-	var offeredModes []string
-	switch sessionMode {
-	case auth.SessionModeChangePassword, sessionmode.ChangePasswordNew:
-		if !tokenExists {
-			return nil, errors.New("user has no cached token")
-		}
-		offeredModes = []string{authmodes.Password}
-		if currentAuthStep > 0 {
-			offeredModes = []string{authmodes.NewPassword}
-		}
-
-	default: // auth mode
-		if _, ok := endpoints[authmodes.DeviceQr]; ok && providerReachable {
-			offeredModes = []string{authmodes.DeviceQr}
-		} else if _, ok := endpoints[authmodes.Device]; ok && providerReachable {
-			offeredModes = []string{authmodes.Device}
-		}
-		if tokenExists {
-			offeredModes = append([]string{authmodes.Password}, offeredModes...)
-		}
-		if currentAuthStep > 0 {
-			offeredModes = []string{authmodes.NewPassword}
-		}
-	}
-	log.Debugf(context.Background(), "Offered modes: %q", offeredModes)
-
-	for _, mode := range offeredModes {
-		if _, ok := supportedAuthModes[mode]; !ok {
-			return nil, fmt.Errorf("auth mode %q required by the provider, but is not supported locally", mode)
-		}
-	}
-
-	return offeredModes, nil
-}
-
 // NormalizeUsername parses a username into a normalized version.
 func (p Provider) NormalizeUsername(username string) string {
 	// Microsoft Entra usernames are case-insensitive. We can safely use strings.ToLower here without worrying about

internal/providers/noprovider/noprovider.go

@@ -11,6 +11,7 @@ import (
 	"github.com/ubuntu/authd-oidc-brokers/internal/broker/sessionmode"
 	"github.com/ubuntu/authd-oidc-brokers/internal/providers/info"
 	"github.com/ubuntu/authd/brokers/auth"
+	"github.com/ubuntu/authd/log"
 	"golang.org/x/oauth2"
 )
 
@@ -47,6 +48,8 @@ func (p NoProvider) CurrentAuthenticationModesOffered(
 	endpoints map[string]struct{},
 	currentAuthStep int,
 ) ([]string, error) {
+	log.Debugf(context.Background(), "In CurrentAuthenticationModesOffered: sessionMode=%q, supportedAuthModes=%q, tokenExists=%t, providerReachable=%t, endpoints=%q, currentAuthStep=%d\n",
+		sessionMode, supportedAuthModes, tokenExists, providerReachable, endpoints, currentAuthStep)
 	var offeredModes []string
 	switch sessionMode {
 	case auth.SessionModeChangePassword, sessionmode.ChangePasswordNew:
@@ -71,6 +74,7 @@ func (p NoProvider) CurrentAuthenticationModesOffered(
 			offeredModes = []string{authmodes.NewPassword}
 		}
 	}
+	log.Debugf(context.Background(), "Offered modes: %q", offeredModes)
 
 	for _, mode := range offeredModes {
 		if _, ok := supportedAuthModes[mode]; !ok {