From: Dietmar Maurer <dietmar@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH pve-access-control] openid: support scopes, prompt, ACRs and arbitrary username-claim values
Date: Fri,  6 Aug 2021 13:57:39 +0200	[thread overview]
Message-ID: <20210806115744.1959420-4-dietmar@proxmox.com> (raw)
In-Reply-To: <20210806115744.1959420-1-dietmar@proxmox.com>

Depend on libpve-rs-perl (>= 0.3.0)
---
 debian/control         |  4 ++--
 src/PVE/API2/OpenId.pm | 30 ++++++++++++++++++---------
 src/PVE/Auth/OpenId.pm | 47 +++++++++++++++++++++++++++++++++++++++---
 3 files changed, 66 insertions(+), 15 deletions(-)

diff --git a/debian/control b/debian/control
index 3ef748b..3323d9b 100644
--- a/debian/control
+++ b/debian/control
@@ -10,7 +10,7 @@ Build-Depends: debhelper (>= 12~),
                lintian,
                perl,
                libpve-cluster-perl,
-	       libpve-rs-perl,
+	       libpve-rs-perl (>= 0.3.0),
                pve-cluster (>= 6.1-4),
                pve-doc-generator (>= 5.3-3),
 Standards-Version: 4.5.1
@@ -28,7 +28,7 @@ Depends: libauthen-pam-perl,
          libnet-ssleay-perl,
          libpve-common-perl (>= 6.0-18),
          libpve-cluster-perl,
-	 libpve-rs-perl,
+	 libpve-rs-perl (>= 0.3.0),
          libpve-u2f-server-perl (>= 1.0-2),
          libuuid-perl,
          pve-cluster (>= 6.1-4),
diff --git a/src/PVE/API2/OpenId.pm b/src/PVE/API2/OpenId.pm
index 22423ba..0357b65 100644
--- a/src/PVE/API2/OpenId.pm
+++ b/src/PVE/API2/OpenId.pm
@@ -35,8 +35,21 @@ my $lookup_openid_auth = sub {
 	issuer_url => $config->{'issuer-url'},
 	client_id => $config->{'client-id'},
 	client_key => $config->{'client-key'},
+	prompt => $config->{'prompt'},
     };
 
+    if (defined(my $value = $config->{'scopes'})) {
+	my $scopes = [PVE::Tools::split_list($value)];
+	$openid_config->{'scopes'} = $scopes;
+    } else {
+	$openid_config->{'scopes'} = ['email', 'profile'];
+    }
+
+    if (defined(my $value = $config->{'acr-values'})) {
+	my $list = [PVE::Tools::split_list($value)];
+	$openid_config->{'acr_values'} = $list;
+    }
+
     my $openid = PVE::RS::OpenId->discover($openid_config, $redirect_url);
     return ($config, $openid);
 };
@@ -163,18 +176,15 @@ __PACKAGE__->register_method ({
 
 	    my $unique_name = $subject; # default
 	    if (defined(my $user_attr = $config->{'username-claim'})) {
-		if ($user_attr eq 'subject') {
+
+		if (defined(my $value = $info->{$user_attr})) {
+		    $unique_name = $value;
+		} elsif ($user_attr == 'subject') {
 		    $unique_name = $subject;
-		} elsif ($user_attr eq 'username') {
-		    my $username = $info->{'preferred_username'};
-		    die "missing claim 'preferred_username'\n" if !defined($username);
-		    $unique_name =  $username;
-		} elsif ($user_attr eq 'email') {
-		    my $email = $info->{'email'};
-		    die "missing claim 'email'\n" if !defined($email);
-		    $unique_name = $email;
+		} elsif ($user_attr == 'username' && defined(my $name = $info->{'preferred_username'})) {
+		    $unique_name = $name;
 		} else {
-		    die "got unexpected value for 'username-claim': '${user_attr}'\n";
+		    die "mising claim '${user_attr}'\n";
 		}
 	    }
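Review bot: Both new `elsif` tests compare strings with the numeric `==` operator (`$user_attr == 'subject'`, `$user_attr == 'username'`), so each side evaluates to 0 and the first test is true for any non-numeric claim name; a configured claim that is absent from `$info` is therefore silently mapped to the subject instead of reaching the `die`, and `use warnings` emits "isn't numeric" noise on every login. They should read `} elsif ($user_attr eq 'subject') {` and `} elsif ($user_attr eq 'username' && defined(my $name = $info->{'preferred_username'})) {`. The message on the last added line misspells "missing": `die "missing claim '${user_attr}'\n";`. The enclosing method body starts and ends outside the hunk.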
 
diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm
index 515d2f4..0c82aeb 100755
--- a/src/PVE/Auth/OpenId.pm
+++ b/src/PVE/Auth/OpenId.pm
@@ -6,9 +6,30 @@ use warnings;
 use PVE::Tools;
 use PVE::Auth::Plugin;
 use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file);
+use PVE::JSONSchema qw(get_standard_option register_standard_option);
 
 use base qw(PVE::Auth::Plugin);
 
+PVE::JSONSchema::register_format('openid-simple-name', \&verify_openid_simple_name);
+sub verify_openid_simple_name {
+    my ($name, $noerr) = @_;
+
+    if ($name !~ m/^[A-Za-z0-9\.\-_]+$/) {
+
+	die "OpenId name '$name' contains invalid characters\n" if !$noerr;
+
+	return undef;
+    }
+
+    return $name;
+}
+
+register_standard_option('openid-scope', {
+    description => 'OpenID scope',
+    type => 'string',
+    format => 'openid-simple-name',
+});
+
 sub type {
     return 'openid';
 }
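Review bot: `verify_openid_simple_name` anchors with `^`/`$`, and `$` also matches before a trailing newline, so a value such as "profile\n" passes the format check even though these values are forwarded to the provider as scopes/ACR values/prompt and used as claim names; anchor the string ends instead: `if ($name !~ m/\A[A-Za-z0-9.\-_]+\z/) {`. The failure path uses `return undef`, which yields a one-element list in list context; a bare `return;` is the conventional idiom, unless the other PVE format validators deliberately return `undef` and consistency is preferred. A one-line comment above the sub would document the contract, e.g. `# Format for strings forwarded to the OpenID provider (scopes, acr-values, prompt) and for claim names: ASCII letters, digits, '.', '-' and '_' only.`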
@@ -30,8 +51,25 @@ sub properties {
 	    type => 'string',
 	    optional => 1,
 	    maxLength => 256,
-       },
-       autocreate => {
+	},
+	scopes => {
+	    description => 'List of OpenID scopes',
+	    type => 'string', format => 'openid-simple-name-list',
+	    optional => 1,
+	    default => 'email, profile',
+	},
+        "acr-values" => {
+	    description => 'List of OpenID ACRs.',
+	    type => 'string', format => 'openid-simple-name-list',
+	    optional => 1,
+        },
+	prompt => {
+            description => "OpenID Prompt settings.",
+	    type => 'string',
+	    format => 'openid-simple-name',
+	    optional => 1,
+        },
+	autocreate => {
 	   description => "Automatically create users if they do not exist.",
 	   optional => 1,
 	   type => 'boolean',
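Review bot: The `"acr-values" => {` line, its closing `},`, the `description` line of `prompt` and its closing `},` are indented with runs of spaces while the neighbouring entries (and the re-indented `},` / `autocreate` lines in this same hunk) use tabs, so the hash no longer reads uniformly; indent these four lines with tabs like the rest. The `scopes` entry also puts `type => 'string', format => 'openid-simple-name-list',` on one line while every other entry lists one key per line, so `format` is easy to overlook when scanning. `sub properties` starts before the hunk and ends after it.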
@@ -40,7 +78,7 @@ sub properties {
        "username-claim" => {
 	   description => "OpenID claim used to generate the unique username.",
 	   type => 'string',
-	   enum => ['subject', 'username', 'email'],
+	   format => 'openid-simple-name',
 	   optional => 1,
        },
    };
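Review bot: With the `enum` replaced by a free-form format, the `username-claim` description no longer tells an administrator which values are accepted or that `subject` and `username` keep a special meaning, which the API2 hunk in this patch appears to preserve alongside the raw claim lookup. Suggested description: `"OpenID claim used to generate the unique username. The values 'subject' and 'username' keep their previous meaning; any other value is looked up as a claim of that name."` — please confirm the wording against the final lookup order in PVE::API2::OpenId. `sub properties` starts before the hunk.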
@@ -53,6 +91,9 @@ sub options {
 	 "client-key" => { optional => 1 },
 	 autocreate => { optional => 1 },
 	 "username-claim" => { optional => 1, fixed => 1 },
+	 scopes => { optional => 1 },
+	 prompt => { optional => 1 },
+	 "acr-values" => { optional => 1 },
 	 default => { optional => 1 },
 	 comment => { optional => 1 },
     };
-- 
2.30.2




