all lists on lists.proxmox.com
 help / color / mirror / Atom feed
From: Markus Frank <m.frank@proxmox.com>
To: pmg-devel@lists.proxmox.com
Subject: [pmg-devel] [PATCH pmg-api v4 5/10] config: add openid type realm
Date: Tue, 14 Jan 2025 10:30:05 +0100	[thread overview]
Message-ID: <20250114093010.4560-6-m.frank@proxmox.com> (raw)
In-Reply-To: <20250114093010.4560-1-m.frank@proxmox.com>

If the autocreate option is enabled, the user is automatically created
with the Audit role. To change the role for automatically created users,
set the autocreate-role option to the preferred role.

Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
 src/Makefile             |  1 +
 src/PMG/AccessControl.pm |  2 +
 src/PMG/Auth/OpenId.pm   | 95 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 98 insertions(+)
 create mode 100755 src/PMG/Auth/OpenId.pm

diff --git a/src/Makefile b/src/Makefile
index 659a666..3ed0ea1 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -169,6 +169,7 @@ LIBSOURCES =				\
 	PMG/Auth/Plugin.pm		\
 	PMG/Auth/PAM.pm			\
 	PMG/Auth/PMG.pm			\
+	PMG/Auth/OpenId.pm		\
 
 SOURCES = ${LIBSOURCES} ${CLI_BINARIES} ${TEMPLATES_FILES} ${CONF_MANS} ${CLI_MANS} ${SERVICE_MANS} ${SERVICE_UNITS} ${TIMER_UNITS} pmg-sources.list pmg-initramfs.conf
 
diff --git a/src/PMG/AccessControl.pm b/src/PMG/AccessControl.pm
index ced5f9a..534385e 100644
--- a/src/PMG/AccessControl.pm
+++ b/src/PMG/AccessControl.pm
@@ -14,9 +14,11 @@ use PMG::LDAPSet;
 use PMG::TFAConfig;
 
 use PMG::Auth::Plugin;
+use PMG::Auth::OpenId;
 use PMG::Auth::PAM;
 use PMG::Auth::PMG;
 
+PMG::Auth::OpenId->register();
 PMG::Auth::PAM->register();
 PMG::Auth::PMG->register();
 PMG::Auth::Plugin->init();
diff --git a/src/PMG/Auth/OpenId.pm b/src/PMG/Auth/OpenId.pm
new file mode 100755
index 0000000..bbc4e38
--- /dev/null
+++ b/src/PMG/Auth/OpenId.pm
@@ -0,0 +1,95 @@
+package PMG::Auth::OpenId;
+
+use strict;
+use warnings;
+
+use PVE::Tools;
+use PMG::Auth::Plugin;
+
+use base qw(PMG::Auth::Plugin);
+
+sub type {
+    return 'oidc';
+}
+
+sub properties {
+    return {
+	'issuer-url' => {
+	    description => "OpenID Connect Issuer Url",
+	    type => 'string',
+	    maxLength => 256,
+	},
+	'client-id' => {
+	    description => "OpenID Connect Client ID",
+	    type => 'string',
+	    maxLength => 256,
+	},
+	'client-key' => {
+	    description => "OpenID Connect Client Key",
+	    type => 'string',
+	    optional => 1,
+	    maxLength => 256,
+	},
+	autocreate => {
+	    description => "Automatically create users if they do not exist.",
+	    optional => 1,
+	    type => 'boolean',
+	    default => 0,
+	},
+	'autocreate-role' => {
+	    description => "Automatically create users with a specific role.",
+	    type => 'string',
+	    enum => ['admin', 'qmanager', 'audit', 'helpdesk'],
+	    optional => 1,
+	},
+	'username-claim' => {
+	    description => "OpenID Connect claim used to generate the unique username.",
+	    type => 'string',
+	    optional => 1,
+	},
+	prompt => {
+	    description => "Specifies whether the Authorization Server prompts the End-User for"
+	        ." reauthentication and consent.",
+	    type => 'string',
+	    pattern => '(?:none|login|consent|select_account|\S+)', # \S+ is the extension variant
+	    optional => 1,
+	},
+	scopes => {
+	    description => "Specifies the scopes (user details) that should be authorized and"
+	        ." returned, for example 'email' or 'profile'.",
+	    type => 'string', # format => 'some-safe-id-list', # FIXME: TODO
+	    default => "email profile",
+	    optional => 1,
+	},
+	'acr-values' => {
+	    description => "Specifies the Authentication Context Class Reference values that the"
+		."Authorization Server is being requested to use for the Auth Request.",
+	    type => 'string', # format => 'some-safe-id-list', # FIXME: TODO
+	    optional => 1,
+	},
+   };
+}
+
+sub options {
+    return {
+	'issuer-url' => {},
+	'client-id' => {},
+	'client-key' => { optional => 1 },
+	autocreate => { optional => 1 },
+	'autocreate-role' => { optional => 1 },
+	'username-claim' => { optional => 1, fixed => 1 },
+	prompt => { optional => 1 },
+	scopes => { optional => 1 },
+	'acr-values' => { optional => 1 },
+	default => { optional => 1 },
+	comment => { optional => 1 },
+    };
+}
+
+sub authenticate_user {
+    my ($class, $config, $realm, $username, $password) = @_;
+
+    die "OpenID Connect realm does not allow password verification.\n";
+}
+
+1;
-- 
2.39.5



_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel


  parent reply	other threads:[~2025-01-14  9:31 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-01-14  9:30 [pmg-devel] [PATCH pve-common/perl-rs/pmg-api/widget-toolkit/pmg-gui v4 0/10] fix #3892: OpenID Connect Markus Frank
2025-01-14  9:30 ` [pmg-devel] [PATCH pve-common v4 1/10] add Schema package with auth module that contains realm sync options Markus Frank
2025-01-14  9:30 ` [pmg-devel] [PATCH proxmox-perl-rs v4 2/10] move openid code from pve-rs to common Markus Frank
2025-02-17 11:50   ` Stoiko Ivanov
2025-01-14  9:30 ` [pmg-devel] [PATCH proxmox-perl-rs v4 3/10] remove empty PMG::RS::OpenId package to avoid confusion Markus Frank
2025-01-14  9:30 ` [pmg-devel] [PATCH pmg-api v4 4/10] config: add plugin system for realms Markus Frank
2025-01-14  9:30 ` Markus Frank [this message]
2025-01-14  9:30 ` [pmg-devel] [PATCH pmg-api v4 6/10] api: add/update/remove realms like in PVE Markus Frank
2025-02-17 11:56   ` Stoiko Ivanov
2025-01-14  9:30 ` [pmg-devel] [PATCH pmg-api v4 7/10] api: openid login similar to PVE Markus Frank
2025-02-17 12:02   ` Stoiko Ivanov
2025-01-14  9:30 ` [pmg-devel] [PATCH widget-toolkit v4 8/10] fix: window: AuthEditBase: rename variable 'realm' to 'type' Markus Frank
2025-01-14  9:30 ` [pmg-devel] [PATCH pmg-gui v4 09/10] login: add OpenID realms Markus Frank
2025-01-14  9:30 ` [pmg-devel] [PATCH pmg-gui v4 10/10] add panel for realms to User Management Markus Frank
2025-02-14 17:49 ` [pmg-devel] [PATCH pve-common/perl-rs/pmg-api/widget-toolkit/pmg-gui v4 0/10] fix #3892: OpenID Connect Stoiko Ivanov
2025-02-17 11:47 ` Stoiko Ivanov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250114093010.4560-6-m.frank@proxmox.com \
    --to=m.frank@proxmox.com \
    --cc=pmg-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal