AADLoginForLinux pam_aad.so enhancements
Currently the AAD PAM module works by sending a device code to the terminal output:
"To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code XXXXXX to authenticate. Press ENTER when ready."
The user goes to the web page, enters the device code, and voilà! It works.
This "workflow", however, does not work if the application using pam_aad.so (or, in this case, the /etc/pam.d/common-auth stack) has no valid output to send the code to (e.g. a web service that uses PAM for authentication). An alternative mechanism for this kind of case could be to send the code to the user's email address (as in https://github.com/CyberNinjas/pamaad, https://github.com/CyberNinjas/pam_aad/issues/24).
This behaviour should be configurable through the module's arguments in the PAM stack, e.g. in /etc/pam.d/common-auth (module options go after the module path, not inside the [...] control field):
sends code to output (original):
auth [success=2 user_unknown=ignore default=die] pam_aad.so
sends code to email (modified):
auth [success=2 user_unknown=ignore default=die] pam_aad.so email=true
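As an added illustration (not pam_aad project code), this is how a PAM module would read the proposed email=true argument from the argv that PAM passes it and pick a delivery channel for the device code; the option names, the struct and the has_conv/user_email parameters are assumptions, and it deliberately fails closed when neither a conversation function nor an email address is available, so the code is never written somewhere nobody will see it.

```c
/* Added example, not code from the pam_aad project. Stand-alone: no libpam
 * headers are needed; PAM would call parse_module_args() from
 * pam_sm_authenticate() with the tokens following the module path. */
#include <stdio.h>
#include <string.h>

enum delivery { DELIVER_TTY, DELIVER_EMAIL, DELIVER_NONE };

struct aad_opts {
    int email;   /* set by the assumed "email=true" module argument */
    int debug;   /* set by "debug" */
};

/* argv holds exactly the tokens after "pam_aad.so" on the /etc/pam.d line.
 * Unknown tokens are ignored, as most PAM modules do. */
void parse_module_args(int argc, const char **argv, struct aad_opts *o) {
    o->email = 0;
    o->debug = 0;
    for (int i = 0; i < argc; i++) {
        if (strcmp(argv[i], "email=true") == 0) o->email = 1;
        else if (strcmp(argv[i], "debug") == 0) o->debug = 1;
    }
}

/* has_conv: the calling application supplied a conversation function that can
 * show text to the user. user_email: address looked up for the user, or NULL.
 * DELIVER_NONE means the module should return PAM_AUTH_ERR instead of
 * printing the device code into a channel the user cannot see. */
enum delivery choose_delivery(const struct aad_opts *o, int has_conv,
                              const char *user_email) {
    if (o->email) return user_email ? DELIVER_EMAIL : DELIVER_NONE;
    return has_conv ? DELIVER_TTY : DELIVER_NONE;
}

int main(void) {
    /* Constructed sample: the modified common-auth line from the proposal. */
    const char *argv[] = { "email=true" };
    struct aad_opts o;
    parse_module_args(1, argv, &o);
    enum delivery d = choose_delivery(&o, 0, "user@example.com");
    printf("email option=%d delivery=%d (1 = email)\n", o.email, d);
    return 0;
}
```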