Today we are announcing the general availability of Authd, a new authentication daemon for Ubuntu that allows direct integration with cloud-based identity providers for both Ubuntu Desktop and Server. Authd is available free of charge on Ubuntu 24.04 LTS.
At launch, Authd supports Microsoft Entra ID (formerly Azure Active Directory) identity provider, with additional providers, including a whiteOIDC provider, to be introduced in the future.
Identity management is one of the most important control areas for any organisation, and cloud-based identity providers have seen a meteoric rise in popularity because they improve the strength and confidence of authentication events while simultaneously decreasing operational complexity, especially in remote working and hybrid cloud scenarios.
Linux workstations and servers have notoriously been one of the primary reasons why organisations hold back from completing a full transition to cloud-based identity providers, and support for Entra ID, Okta and Google has constantly been one of the most requested enterprise features on both Ubuntu Desktop and Server.
Our first attempt at solving this issue was the AAD Auth package, which we released as part of Ubuntu Desktop 23.04. While the package allowed us to meet some of the intended use cases for Azure AD, we realised that its design was not compatible with Ubuntu Server, hampered the ability to use stronger authentication mechanisms and required significant effort to be extended to additional identity providers like Okta and Google.
When designing Authd, it was very important for us to address the aforementioned shortcomings while simultaneously providing a way for identity providers to extend our solution by supporting their platform-specific features. We achieved these goals by creating a modular solution, consisting of a daemon plus a series of brokers, which relies on the OAuth Device Authorization Grant to obtain access tokens from cloud identity providers.
The OAuth Device Authorization Grant (formerly known as the Device Flow) is an OAuth extension that was initially conceived to enable devices with no browser or limited input capability to obtain an access token. The Device Authorization Grant is commonly seen on TV streaming apps or smart appliances, where the device instructs the user to open a URL on a secondary device such as a smartphone or computer in order to complete the authorization.
We decided to base our solution on the OAuth Device Authorization Grant because:
You can read more about the OAuth Device Authorization Grant on the OAuth website.
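The device side of the grant described above, following RFC 8628, as an added example that is not Authd's own code. The in-process `StubAuthServer`, its method names, the client ID, URL, codes and tokens are all constructed so the polling logic runs offline.

```python
import time

GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628 section 3.4

class StubAuthServer:
    """Constructed in-process stand-in for an identity provider (not a real IdP API)."""
    def __init__(self, replies):
        self.replies = list(replies)  # scripted token-endpoint answers, in order

    def device_authorization(self, client_id):
        # Response fields from RFC 8628 section 3.2; every value is a constructed sample.
        return {"device_code": "dc-constructed", "user_code": "ABCD-EFGH",
                "verification_uri": "https://idp.example/device",
                "expires_in": 900, "interval": 5}

    def token(self, grant_type, device_code, client_id):
        assert grant_type == GRANT and device_code == "dc-constructed"
        return self.replies.pop(0)

def device_login(server, client_id, sleep=time.sleep, now=time.monotonic):
    """Run the device side of the grant; return (access_token, list of waits)."""
    grant = server.device_authorization(client_id)
    print(f"Open {grant['verification_uri']} and enter code {grant['user_code']}")
    interval = grant.get("interval", 5)       # RFC default is 5 s when omitted
    deadline = now() + grant["expires_in"]
    waits = []
    while now() < deadline:
        sleep(interval)
        waits.append(interval)
        reply = server.token(GRANT, grant["device_code"], client_id)
        if "access_token" in reply:
            return reply["access_token"], waits
        error = reply.get("error")
        if error == "authorization_pending":  # user has not finished on the other device
            continue
        if error == "slow_down":              # add 5 s to this and every later poll
            interval += 5
            continue
        # access_denied, expired_token or any other error ends the attempt
        raise PermissionError(f"device login failed: {error}")
    raise TimeoutError("device code expired before the user approved")

def demo():
    server = StubAuthServer([{"error": "authorization_pending"},
                             {"error": "slow_down"},
                             {"access_token": "at-constructed", "token_type": "Bearer"}])
    return device_login(server, "ubuntu-host", sleep=lambda s: None)
```

The `sleep` and `now` parameters exist so the back-off and expiry handling can be exercised without real waiting.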
The Authd architecture is described below and represented in the following diagram:
It is important to note that systems can be configured to have multiple identity brokers, enabling support for multiple identity providers.
The new feature is free and available today for all Ubuntu Desktop and Server 24.04 users. We encourage everyone to try out the new features and provide feedback or suggestions through GitHub.
You can find more information on how to install, configure and deploy Authd at scale in the Project Wiki.
If you are an organisation that is interested in creating a broker for your service / identity provider, please open an issue on the project and we will be in touch.
If you want to learn more about Ubuntu Desktop, Ubuntu Server, Ubuntu Pro or our other advanced Active Directory integration features, please do not hesitate to contact us to discuss your needs with one of our advisers.