GUACAMOLE-2210: Add support for AAD authentication to RDP protocol.

[aleitner]

• Adds Azure AD (Entra ID) authentication support for RDP connections using FreeRDP 3's AadSecurity mode
• Implements the OAuth2 authorization code flow server-side using libcurl to automate the Microsoft login sequence
• Adds #include "config.h" to source files that were missing it, fixing struct member offset mismatches.

Authentication Flow

When security=aad is set on an RDP connection:

1. FreeRDP initiates the AAD handshake and invokes the GetAccessToken callback with the required scope and Proof-of-Possession key
2. The callback prompts for username/password via guac_argv if not already configured
3. An OAuth2 authorization URL is built using the client ID from FreeRDP's GatewayAvdClientID setting and the common tenant endpoint
4. The Microsoft login page is fetched via HTTP GET and the $Config JavaScript object is parsed for session tokens (sFT, sCtx, urlPost, canary, apiCanary)
5. The GetCredentialType API is called to update server-side session state and obtain a fresh flow token
6. Credentials are POSTed to the login endpoint with the required CSRF tokens. On success, Microsoft redirects to the native client URI with an authorization code
7. The authorization code is exchanged for an access token at the token endpoint, including the Proof-of-Possession binding
8. The access token is returned to FreeRDP, which completes the AAD-authenticated RDP session

Paired with apache/guacamole-client#1168

[aleitner]

Didn't realize we don't have curl. This would require adding curl as a dependency

[necouchman]

Looks like the build is failing with an error about the switch() statement and one of the enums.

[aleitner]

Looks like the build is failing with an error about the switch() statement and one of the enums.

Ahh whoops! I was testing with only freerdp3 as that's when AAD support was implemented. Just added a case to the switch for freerdp2 so that it errors if AAD is selected

[mike-jumper]

Are we going to need to continually update this value to avoid being re-flagged as unsupported due to the claimed version being old?

[mike-jumper]

Not sure if this is an insane idea ... but we could calculate the expected current Chrome release from the current date based on their published major release cadence ...

[aleitner]

Microsoft's endpoints don't appear to validate browser version freshness currently. On the other hand we could fetch the latest stable major version from Google's VersionHistory API:
https://versionhistory.googleapis.com/v1/chrome/platforms/linux/channels/stable/versions

[aleitner]

Made the changes to get the latest chrome version!

[mike-jumper]

Unfortunately, phoning Google from within guacd is going to be a privacy issue. I don't think we can go this route.