From: Shannon Sterz <s.sterz@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [pdm-devel] [PATCH datacenter-manager/yew-comp 0/8] openid support for PDM
Date: Tue, 14 Oct 2025 15:30:36 +0200 [thread overview]
Message-ID: <20251014133044.337162-1-s.sterz@proxmox.com> (raw)
this series adds openid support to PDM. the implementation is based on
PBS' implementation with some adaptations:

- smaller refactorings to use more data types instead of simply putting
  them together with serde_json::json!
- move variables into format strings where possible
- only support the HttpOnly variant of the authentication flow

when going through this i at first wanted to put most of the api
endpoints' logic into a proxmox-rs crate. however, i decided against
that as that would have created a couple of other problems. i'll outline
the different options below and why i decided against them:

- access-control: the login endpoint needs to be able to sign a ticket.
  currently access-control does not have access to the keyring that
  would be necessary for that. the keyring is available in auth-api, but
  making it public there has other possible downsides, such as suddenly
  making it very hard to audit which parts of our code have access to
  the keyring through auth-api.

- auth-api: the login endpoint would need access to the domains and user
  configs. the first to set up the openid login against the correct host,
  the latter for the auto-create feature when logging in users that have
  no user information in the config yet.

  the user config could be obtained by depending on access-control,
  although that would have required untangling some circular dependencies
  between auth-api and access-control. the domain config, however, is
  currently not in a proxmox-rs crate. so we would have needed to factor
  that out first, which would create quite a bit of churn.

- a new crate/openid crate: this mostly combines the drawbacks of the
  previous two options. so i discarded that as an option too.

if we still want to move the code to a shared proxmox-rs crate, i can
revise this series. however, i think this is a sensible approach for
now.

the series also includes adaptations for proxmox-yew-comp to adapt to the
openid login flow and add some missing ui around default realms.
Changelog
---------
the first two patches were taken from a different series [1] and slightly
adapted:

- remove a useless log statement
- instead of referring to "openid authentication" correctly call it
  "openid authorization"
- remove a useless sort() call

[1]: https://lore.proxmox.com/all/20251008151936.386950-1-s.sterz@proxmox.com/
proxmox-yew-comp:

Shannon Sterz (5):
  login_panel/realm_selector: use default realm provided by api
  login_panel/realm_selector: add support for openid realm logins
  auth view: add openid icon to openid menu option
  auth edit openid: add a default realm checkbox
  utils/login panel: move openid redirection authorization helper to
    utils

 src/auth_edit_openid.rs |  11 +-
 src/auth_view.rs        |   2 +-
 src/login_panel.rs      | 312 +++++++++++++++++++++++++++++++---------
 src/realm_selector.rs   |  83 ++++++++++-
 src/utils.rs            |  32 +++++
 5 files changed, 357 insertions(+), 83 deletions(-)
proxmox-datacenter-manager:

Shannon Sterz (3):
  api-types: add default field to openid realm config
  server: api: add support for adding openid realms and openid logins
  ui: enable openid realms in realm panel

 Cargo.toml                             |   2 +-
 lib/pdm-api-types/src/openid.rs        |   3 +
 server/Cargo.toml                      |   1 +
 server/src/api/access/mod.rs           |   2 +
 server/src/api/access/openid.rs        | 311 +++++++++++++++++++++++++
 server/src/api/config/access/mod.rs    |   2 +
 server/src/api/config/access/openid.rs | 290 +++++++++++++++++++++++
 server/src/auth/mod.rs                 |   6 +-
 ui/src/configuration/mod.rs            |   1 +
 9 files changed, 616 insertions(+), 2 deletions(-)
 create mode 100644 server/src/api/access/openid.rs
 create mode 100644 server/src/api/config/access/openid.rs

Summary over all repositories:
  14 files changed, 973 insertions(+), 85 deletions(-)
--
Generated by git-murpp 0.8.1