Minor broker refactoring and cleanup

[adombeck]

Remove an unused field and move a function that's not provider-specific from the provider interface to the broker. See commit messages for details.

[didrocks]

Makes sense on moving the provider specific to non provider for now.

One question about firstSelectedMode. The idea was IIRC:

• you have an authentication, you select one auth method
• then, broker decides it’s MFA (which is not the current QR code method), and either ask for another auth method or is password definition/change (which on the local password definition is supported)

-> The goal was that next time you select the same user, the first auth method (if available) is auto-selected. Does this still work or does it work because by chance, we don’t set in the last local password reset the second time you log in?

[adombeck]

The goal was that next time you select the same user, the first auth method (if available) is auto-selected. Does this still work or does it work because by chance, we don’t set in the last local password reset the second time you log in?

AFAICT there is no functionality implemented for that. The PAM module currently autoselects the first element in the list of authentication modes returned by the broker in the GetAuthenticationModes call. That list has password as the first element if a token exists on disk, else it starts with device_auth_qr.

[denisonbarbosa]

IIRC, the purpose of this being considered provider-specific was to allow them more control over what is or isn't supported (i.e. EntraID can have modes that Google doesn't and so on...). It also makes sense to have it work as:
"general broker API: ok, this is what I have and what I can do, how will we do this?
provider API: Ok, so let's go like this..."

I know this is not something we interact with currently (and it results in a horrific function signature), but is it worth refactoring this now to maybe have to redo this later? We know that authd can handle TOTPs, codes and so on, so it could be something that we allow in the future...

[adombeck]

IMO yes, it is worth simplifying the interface until we actually need it to be more complex. If I understand correcelty, Didier also agreed with that above.

[3v1n0]

I had handled this a bit differently some weeks ago in 789c0b0

We can consider still that so that we don't have code duplication but providers can easily re-implement it if required.

[adombeck]

I would still prefer the simpler interface, but using struct embedding to have implementations for the general case, which can be overridden by the provider implementations makes sense to me once we do have implementations which override those - and I could live with already using that now, even though it's unused. WDYT, @didrocks?

[adombeck]

using struct embedding to have implementations for the general case, which can be overridden by the provider implementations makes sense to me

I propose we rename NoProvider to GenericProvider or something similar if we do that.

[didrocks]

I propose we rename NoProvider to GenericProvider or something similar if we do that.

I’m more in favour of this yes, and that’s on my mind for quite a while!

[adombeck]

I’m more in favour of this yes

Does that refer only to renaming the NoProvider to GenericProvider or also to "use an embedded struct which implements the CurrentAuthenticationModesOffered now, instead of simplifying the interface"?

[didrocks]

Does that refer only to renaming the NoProvider to GenericProvider or also to "use an embedded struct which implements the CurrentAuthenticationModesOffered now, instead of simplifying the interface"?

To both IMHO, we rename + embed it. I’m not close enough to the code to know about the CurrentAuthenticationModesOffered, but I’m happy to jump on a call if you want to explain this to me.