From: Arthur Bied-Charreton
To: pve-devel@lists.proxmox.com
Subject: [RFC cluster/docs/manager/proxmox{,-perl-rs,-widget-toolkit} 00/15] fix #7238: Add XOAUTH2 authentication support for SMTP notification targets
Date: Wed, 4 Feb 2026 17:13:39 +0100
Message-ID: <20260204161354.458814-1-a.bied-charreton@proxmox.com>
List-Id: Proxmox VE development discussion

Sending this as an RFC to get early feedback on the overall direction.

This series adds OAuth2 support for SMTP notification targets, motivated by
Microsoft's upcoming deprecation of basic authentication for SMTP [1].
Google and Microsoft are supported as OAuth2 providers.

The main architectural decisions are:

- OAuth2 refresh tokens are treated as state, not config. They are persisted
  in a separate JSON file and managed entirely from the Rust side via
  standard I/O.

- The oauth2 crate is used with a local ureq backend (newtype over
  ureq::Agent), since the upstream ureq feature is currently patched out in
  Debian due to a ureq 2/3 version mismatch [2].

- Token refresh is triggered both proactively via pveupdate and when sending
  a notification to handle idle periods and providers like Microsoft that
  rotate refresh tokens on every use.

Known issues:

- Microsoft is untested (no test tenant, somehow impossible to create a free
  test account)

[1] https://techcommunity.microsoft.com/blog/exchange/updated-exchange-online-smtp-auth-basic-authentication-deprecation-timeline/4489835
[2] https://git.proxmox.com/?p=debcargo-conf.git;a=blob;f=src/oauth2/debian/patches/disable-ureq.patch;h=828b883a83a86927c5cd32df055226a5e78e8bea;hb=refs/heads/proxmox/trixie


proxmox:

Arthur Bied-Charreton (5):
  notify: Introduce xoauth2 module
  notify: Add state file handling
  notify: Update Endpoint trait and Bus to use State
  notify: smtp: add OAuth2/XOAUTH2 authentication support
  notify: Add test for State

 proxmox-notify/Cargo.toml                |   5 +
 proxmox-notify/debian/control            |  12 +-
 proxmox-notify/src/api/common.rs         |  70 ++++++-
 proxmox-notify/src/api/smtp.rs           | 144 +++++++++++---
 proxmox-notify/src/context/mod.rs        |   2 +
 proxmox-notify/src/context/pbs.rs        |   4 +
 proxmox-notify/src/context/pve.rs        |   4 +
 proxmox-notify/src/context/test.rs       |   4 +
 proxmox-notify/src/endpoints/gotify.rs   |   4 +-
 proxmox-notify/src/endpoints/sendmail.rs |   4 +-
 proxmox-notify/src/endpoints/smtp.rs     | 227 +++++++++++++++++++++--
 proxmox-notify/src/endpoints/webhook.rs  |   4 +-
 proxmox-notify/src/lib.rs                | 157 ++++++++++++++--
 proxmox-notify/src/xoauth2.rs            | 146 +++++++++++++++
 14 files changed, 718 insertions(+), 69 deletions(-)
 create mode 100644 proxmox-notify/src/xoauth2.rs


proxmox-perl-rs:

Arthur Bied-Charreton (1):
  notify: update bindings with new OAuth2 parameters

 common/src/bindings/notify.rs | 44 +++++++++++++++++++++++++++++++----
 1 file changed, 40 insertions(+), 4 deletions(-)


proxmox-widget-toolkit:

Arthur Bied-Charreton (2):
  utils: Add OAuth2 flow handlers
  notifications: Add opt-in OAuth2 support for SMTP targets

 src/Utils.js                   |  84 +++++++++++++++
 src/panel/SmtpEditPanel.js     | 191 +++++++++++++++++++++++++++++++--
 src/window/EndpointEditBase.js |   1 +
 3 files changed, 265 insertions(+), 11 deletions(-)


pve-manager:

Arthur Bied-Charreton (5):
  notifications: Add OAuth2 parameters to schema and add/update endpoints
  notifications: Add refresh-targets endpoint
  notifications: Trigger notification target refresh in pveupdate
  notifications: Handle OAuth2 callback in login handler
  notifications: Opt into OAuth2 authentication

 PVE/API2/Cluster/Notifications.pm | 89 +++++++++++++++++++++++++++++++
 bin/pveupdate                     |  9 ++++
 www/manager6/Utils.js             | 10 ++++
 www/manager6/Workspace.js         | 20 +++++++
 4 files changed, 128 insertions(+)


pve-cluster:

Arthur Bied-Charreton (1):
  notifications: Add refresh_targets subroutine to PVE::Notify

 src/PVE/Notify.pm | 6 ++++++
 1 file changed, 6 insertions(+)


pve-docs:

Arthur Bied-Charreton (1):
  notifications: Add section about OAuth2 to SMTP targets docs

 notifications.adoc | 44 ++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 40 insertions(+), 4 deletions(-)


Summary over all repositories:
  24 files changed, 1197 insertions(+), 88 deletions(-)

-- 
Generated by murpp 0.9.0
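
Added example, not code from this patch series: an illustration of the refresh-token-as-state handling the cover letter describes (proactive refresh, rotation on every use, a state file kept apart from config). All type, field and function names, the expiry skew parameter and the 0600 temp-file-plus-rename write are assumptions made for illustration; JSON serialization is left to the caller.

```rust
use std::fs::{self, OpenOptions};
use std::io::Write;
use std::os::unix::fs::OpenOptionsExt;
use std::path::Path;

/// Hypothetical per-target state (field names are assumptions).
#[derive(Debug, Clone, PartialEq)]
pub struct TokenState {
    pub refresh_token: String,
    pub access_token: String,
    pub expires_at: u64, // Unix seconds
}

/// Hypothetical token-endpoint response.
pub struct RefreshResponse {
    pub access_token: String,
    pub expires_in: u64,
    pub refresh_token: Option<String>, // present when the provider rotates it
}

/// Proactive check: refresh once within `skew` seconds of expiry.
pub fn needs_refresh(state: &TokenState, now: u64, skew: u64) -> bool {
    now.saturating_add(skew) >= state.expires_at
}

/// Fold a response into the state; true means the refresh token rotated
/// and the old one must be treated as dead, so persist immediately.
pub fn apply_refresh(state: &mut TokenState, resp: RefreshResponse, now: u64) -> bool {
    state.access_token = resp.access_token;
    state.expires_at = now.saturating_add(resp.expires_in);
    match resp.refresh_token {
        Some(new) if new != state.refresh_token => {
            state.refresh_token = new;
            true
        }
        _ => false,
    }
}

/// Write to a 0600 temp file, fsync, then rename over the target, so a
/// crash leaves either the old or the new state, never a partial file.
pub fn persist_atomic(path: &Path, bytes: &[u8]) -> std::io::Result<()> {
    let tmp = path.with_extension("tmp");
    let _ = fs::remove_file(&tmp); // stale temp file from an earlier crash
    let mut f = OpenOptions::new().write(true).create_new(true).mode(0o600).open(&tmp)?;
    f.write_all(bytes)?;
    f.sync_all()?;
    fs::rename(&tmp, path)
}
```

When a rotated refresh token is lost between the provider's response and the write to disk, the target cannot refresh again without a new interactive authorization, which is why the rotation case returns a flag the caller can act on.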