
Use device authorization login to get past SSO

Chris Burr requested to merge device_authorization_login into master

For some accounts (most notably, mine) using 2FA with the new single sign-on has become mandatory. This means that the previous way of getting past the single sign-on using Kerberos no longer works and it's not impossible to log in without any user interaction.

The proposed solution is to use the device authorization flow which results in a URL being printed to the terminal which the user must then use to authenticate the session:

$ lb-ap login
CERN SINGLE SIGN-ON

On your tablet, phone or computer, go to:
https://auth.cern.ch/auth/realms/cern/device
and enter the following code:
JBXX-SMEW

You may also open the following link directly and follow the instructions:
https://auth.cern.ch/auth/realms/cern/device?user_code=JBXX-SMEW

Waiting for login...
Logged in successfully as cburr

This MR implements this flow and removes the new_cern_sso module.

To avoid needing to log in too often I'm making use of the Linux kernel keyring. This allows the tokens to be reused for up to 12 hours. If it works okay a similar mechanism could be used on macOS (I'm not sure about Windows). It should also be duplicated into apd (though perhaps read-only, else we should look at personal access tokens like in LbAPI!16 (closed)).

I'll follow up with a merge request to LbAPLocal which adds a lb-ap login command.
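As an added illustration of the flow described in this MR (example code, not part of the MR or the project's own implementation), this is a client-side device authorization grant per RFC 8628, including the `authorization_pending`, `slow_down` and code-expiry cases a robust `lb-ap login` has to handle. The Keycloak endpoint paths under the realm URL and the `lbap` client id are assumptions; the HTTP transport is injected so the flow runs offline, and the keyring caching is not covered here.

```python
"""Device authorization grant (RFC 8628) client with an injectable transport."""
import time

REALM = "https://auth.cern.ch/auth/realms/cern"  # realm base taken from the MR output
DEVICE_ENDPOINT = REALM + "/protocol/openid-connect/auth/device"  # assumed Keycloak path
TOKEN_ENDPOINT = REALM + "/protocol/openid-connect/token"         # assumed Keycloak path
GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def device_login(client_id, post, sleep=time.sleep, now=time.monotonic, echo=print):
    """Run the device flow; `post(url, form) -> dict` is the HTTP transport.

    Returns the token response dict or raises RuntimeError on a terminal error.
    """
    dev = post(DEVICE_ENDPOINT, {"client_id": client_id, "scope": "openid"})
    # Show the user the verification URI and code, like the lb-ap login output.
    echo(f"Go to {dev['verification_uri']} and enter code {dev['user_code']}")
    if "verification_uri_complete" in dev:
        echo(f"Or open: {dev['verification_uri_complete']}")
    interval = dev.get("interval", 5)      # RFC 8628 default polling interval
    deadline = now() + dev["expires_in"]   # the user code is only valid this long
    while True:
        if now() >= deadline:
            raise RuntimeError("device code expired before the user authorized")
        sleep(interval)
        tok = post(TOKEN_ENDPOINT, {"client_id": client_id, "grant_type": GRANT,
                                    "device_code": dev["device_code"]})
        err = tok.get("error")
        if err is None:
            return tok                     # access_token, refresh_token, expires_in...
        if err == "authorization_pending":
            continue                       # user has not finished in the browser yet
        if err == "slow_down":
            interval += 5                  # RFC 8628 section 3.5: back off by 5 seconds
            continue
        # expired_token, access_denied or anything unexpected: stop polling
        raise RuntimeError(f"device authorization failed: {err}")


def fake_server(responses):
    """Constructed offline transport that replays a scripted list of server replies."""
    calls = []

    def post(url, form):
        calls.append((url, dict(form)))
        return responses.pop(0)

    post.calls = calls
    return post
```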
