* [PATCH access-control/manager/proxmox v4 0/3] fix #5076: add support for open id audiences
@ 2026-04-20 15:33 Shannon Sterz
From: Shannon Sterz @ 2026-04-20 15:33 UTC (permalink / raw)
To: pve-devel
this series adapts the original patch series by Alexander Abraham [1]. below is
the text of the original cover letter:
> fix #5076: Added Open ID audiences
>
> This series adds support for handling Open ID audiences as described in bug
> #5076. PVE's API schema was updated to accept an optional field, an array of
> strings and the Rust code was also updated to accordingly handle any incoming
> audiences and compare them to the realm config's audiences. In the realm
> dialogue for adding an Open ID realm, a new field titled "Audiences" was added
> so that users can save any audiences in their realm domains config file.
essentially, some open id providers such as zitadel [1] may provide additional
audiences that their id tokens are valid for instead of just the client id.
these patches allow setting such additional audiences. if an audience that is
not explicitly allowed is encountered, the id token is rejected as before.
[1]: https://zitadel.com/
Changelog
---------
changes since the last public version of these patches
* rebased on current master
* see the list of changes made by Shannon Sterz specified in each commit message
[1]: https://lore.proxmox.com/pve-devel/20250603091256.40923-1-a.abraham@proxmox.com/
proxmox:
Shannon Sterz (1):
fix #5076: openid: add logic to handle OIDC audiences
proxmox-openid/src/lib.rs | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
proxmox:
Shannon Sterz (1):
fix #5076: auth: open id: add an optional "audiences" field
src/PVE/API2/OpenId.pm | 4 ++++
src/PVE/Auth/OpenId.pm | 12 ++++++++++++
2 files changed, 16 insertions(+)
proxmox:
Shannon Sterz (1):
fix #5076: ui: dc: add an optional "audiences" field for open id
realms
www/manager6/dc/AuthEditOpenId.js | 13 +++++++++++++
1 file changed, 13 insertions(+)
Summary over all repositories:
4 files changed, 48 insertions(+), 2 deletions(-)
--
Generated by murpp 0.10.0
* [PATCH proxmox v4 1/3] fix #5076: openid: add logic to handle OIDC audiences
From: Shannon Sterz @ 2026-04-20 15:33 UTC (permalink / raw)
To: pve-devel
allows specifying multiple additionally allowed audiences. an open id
provider may include multiple audiences in its ID token. this allows
specifying all valid audiences, rejecting the token only if an invalid
audience is also included.
Originally-by: Alexander Abraham <a.abraham@proxmox.com>
[SS:
* reformatted the code for clarity and to avoid unnecessary variables
and parentheses
* rephrased the commit message for style and clarity
]
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
proxmox-openid/src/lib.rs | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/proxmox-openid/src/lib.rs b/proxmox-openid/src/lib.rs
index 0388a8fa..a8cfd66f 100644
--- a/proxmox-openid/src/lib.rs
+++ b/proxmox-openid/src/lib.rs
@@ -95,6 +95,8 @@ pub struct OpenIdConfig {
pub prompt: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub acr_values: Option<Vec<String>>,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub audiences: Option<Vec<String>>,
}
pub struct OpenIdAuthenticator {
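Review bot: the new `audiences` field carries no doc comment explaining how it relates to `client_id` (the client ID is always accepted; this list is only the additional audiences, as the second hunk shows). Since `OpenIdConfig` is deserialized from the realm configuration, a one-line `///` comment such as `/// Additional audiences accepted in ID tokens besides the client ID.` saves the reader a trip to the Perl schema in patch 2/3.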
@@ -258,12 +260,27 @@ impl OpenIdAuthenticator {
.request(&http_client)
.map_err(|err| format_err!("Failed to contact token endpoint: {}", err))?;
- let id_token_verifier: CoreIdTokenVerifier = self.client.id_token_verifier();
+ let verifier = &self
+ .client
+ .id_token_verifier()
+ .require_audience_match(true)
+ .set_other_audience_verifier_fn(|aud| {
+ if self.config.client_id == **aud {
+ return true;
+ }
+
+ if let Some(allowed_audiences) = self.config.audiences.as_ref() {
+ return allowed_audiences.contains(aud);
+ }
+
+ false
+ });
+
let id_token_claims: &GenericIdTokenClaims = token_response
.extra_fields()
.id_token()
.expect("Server did not return an ID token")
- .claims(&id_token_verifier, &private_auth_state.nonce)
+ .claims(verifier, &private_auth_state.nonce)
.map_err(|err| format_err!("Failed to verify ID token: {}", err))?;
if !query_userinfo {
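Review bot: the first branch of the closure passed to `set_other_audience_verifier_fn` re-checks `self.config.client_id == **aud`, yet `require_audience_match(true)` already makes the verifier insist on the client ID being present. If the crate only hands audiences other than the client ID to this function the branch is dead; if it does not, the branch is what keeps the client ID accepted. Either way a short comment stating which case applies would help the next reader. Second, on rejection the only message an operator sees is "Failed to verify ID token", which does not say which audience was not on the allow list; a debug-level log of the rejected `aud` inside the closure, before `false` is returned, would make a misconfigured realm much easier to diagnose. The exact string comparison against `allowed_audiences` is the right default, since audience values are opaque identifiers.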
--
2.47.3
* [PATCH access-control v4 2/3] fix #5076: auth: open id: add an optional "audiences" field
From: Shannon Sterz @ 2026-04-20 15:33 UTC (permalink / raw)
To: pve-devel
adds an optional "audiences" field to the open id configuration
schema. "audiences" is a list of additionally accepted audiences that
an open id provider may include.
Originally-by: Alexander Abraham <a.abraham@proxmox.com>
[SS:
* rephrased the commit message for style and clarity
* adjusted the parameter description to be clearer
* removed a validation pattern that was incorrect and set a
maxLength for members of the "audiences" array
* removed changes that only reformatted unrelated code
]
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
src/PVE/API2/OpenId.pm | 4 ++++
src/PVE/Auth/OpenId.pm | 12 ++++++++++++
2 files changed, 16 insertions(+)
diff --git a/src/PVE/API2/OpenId.pm b/src/PVE/API2/OpenId.pm
index cccd615..58ffd81 100644
--- a/src/PVE/API2/OpenId.pm
+++ b/src/PVE/API2/OpenId.pm
@@ -46,6 +46,10 @@ my $lookup_openid_auth = sub {
$openid_config->{acr_values} = [PVE::Tools::split_list($acr)];
}
+ if (defined(my $audiences = $config->{'audiences'})) {
+ $openid_config->{audiences} = $config->{'audiences'};
+ }
+
my $openid = PVE::RS::OpenId->discover($openid_config, $redirect_url);
return ($config, $openid);
};
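Review bot: the lexical `$audiences` bound in the `if (defined(my $audiences = $config->{'audiences'}))` condition is never used; the body reads `$config->{'audiences'}` a second time. Either write `$openid_config->{audiences} = $audiences;` or drop the `my`. Also, unlike the `acr_values` branch just above, which turns the stored string into a list with `PVE::Tools::split_list`, this passes the value through unchanged; worth confirming that `$config->{'audiences'}` is already an array reference once read back from the realm config, since the Rust side (patch 1/3) expects `Option<Vec<String>>`.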
diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm
index 2209040..2467263 100755
--- a/src/PVE/Auth/OpenId.pm
+++ b/src/PVE/Auth/OpenId.pm
@@ -92,6 +92,17 @@ sub properties {
default => 1,
optional => 1,
},
+ 'audiences' => {
+ description =>
+ "A list of audiences that the OpenID Issuer may include that are accepted in "
+ . "addition to 'client-id'.",
+ type => 'array',
+ 'items' => {
+ type => 'string',
+ optional => 1,
+ maxLength => 256,
+ },
+ },
};
}
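Review bot: `optional => 1` inside `items` has no meaning for array elements (optionality belongs to the property, which `options()` already marks optional in the next hunk), so it should go. Consider adding `minLength => 1` on the items instead, so that an empty audience string, which the UI in patch 3/3 can produce from a stray space when splitting the text field, is rejected by the schema rather than stored and never matched. The key is quoted here (`'audiences'`) but bare in `options()`; one style for both would be tidier.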
@@ -108,6 +119,7 @@ sub options {
prompt => { optional => 1 },
scopes => { optional => 1 },
"acr-values" => { optional => 1 },
+ audiences => { optional => 1 },
default => { optional => 1 },
comment => { optional => 1 },
"query-userinfo" => { optional => 1 },
--
2.47.3
* [PATCH manager v4 3/3] fix #5076: ui: dc: add an optional "audiences" field for open id realms
From: Shannon Sterz @ 2026-04-20 15:33 UTC (permalink / raw)
To: pve-devel
allows users to configure additional open id audiences that may be
provided by the open id realm.
Originally-by: Alexander Abraham <a.abraham@proxmox.com>
[SS:
* removed unnecessary helper functions
* moved code for formatting audiences to AuthEditOpenId from
AuthEditBase, as only open id realms set this property
* rephrased commit message for clarity
]
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
www/manager6/dc/AuthEditOpenId.js | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/www/manager6/dc/AuthEditOpenId.js b/www/manager6/dc/AuthEditOpenId.js
index dc6c22e61..878fb267d 100644
--- a/www/manager6/dc/AuthEditOpenId.js
+++ b/www/manager6/dc/AuthEditOpenId.js
@@ -13,6 +13,10 @@ Ext.define('PVE.panel.OpenIDInputPanel', {
delete values.verify;
}
+ if (values.audiences) {
+ values.audiences = values.audiences.split(" ");
+ }
+
return me.callParent([values]);
},
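Review bot: `values.audiences.split(" ")` splits on a single space, so doubled, leading or trailing spaces yield empty-string elements that are then submitted as audiences. Splitting on whitespace and dropping empties is more robust, e.g. `values.audiences = values.audiences.split(/\s+/).filter(Boolean);`, and if the result is an empty array the key should be deleted rather than sent. Does the panel also join the array back into a space-separated string when an existing realm is loaded for editing? The reverse conversion is not part of this hunk, and the commit message only mentions moving formatting code between panels.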
@@ -149,6 +153,15 @@ Ext.define('PVE.panel.OpenIDInputPanel', {
deleteEmpty: '{!isCreate}',
},
},
+ {
+ xtype: 'proxmoxtextfield',
+ name: 'audiences',
+ fieldLabel: gettext('Audiences'),
+ submitEmpty: false,
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ },
],
initComponent: function () {
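Review bot: the new text field gives the user no hint that multiple audiences are separated by spaces, which is the only format the split in the first hunk accepts. An `emptyText` (a standard ExtJS text field property) such as a "Space-separated list" hint, or a short tooltip, would avoid misconfigured realms. Otherwise the field mirrors the entry above it (`submitEmpty`, `deleteEmpty` bound to `!isCreate`), which is consistent.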
--
2.47.3
* Re: [PATCH access-control/manager/proxmox v4 0/3] fix #5076: add support for open id audiences
From: Shannon Sterz @ 2026-04-21 10:25 UTC (permalink / raw)
To: Shannon Sterz, pve-devel
just noticed that pbs/pdm will need adaption too to properly support
this. sorry for missing that, will send an updated version.
On Mon Apr 20, 2026 at 5:33 PM CEST, Shannon Sterz wrote:
> this series adapts the original patch series by Alexander Abraham [1]. below is
> the text of the original cover letter:
>
>> fix #5076: Added Open ID audiences
>>
>> This series adds support for handling Open ID audiences as described in bug
>> #5076. PVE's API schema was updated to accept an optional field, an array of
>> strings and the Rust code was also updated to accordingly handle any incoming
>> audiences and compare them to the realm config's audiences. In the realm
>> dialogue for adding an Open ID realm, a new field titled "Audiences" was added
>> so that users can save any audiences in their realm domains config file.
>
> essentially, some open id providers such as zitadel [1] may provide additional
> audiences that their id tokens are valid for instead of just the client id.
> these patches allow setting such additional audiences. if an audience that is
> not explicitly allowed is encountered, the id token is rejected as before.
>
> [1]: https://zitadel.com/
>
> Changelog
> ---------
>
> changes since the last public version of these patches
>
> * rebased on current master
> * see the list of changes made by Shannon Sterz specified in each commit message
>
> [1]: https://lore.proxmox.com/pve-devel/20250603091256.40923-1-a.abraham@proxmox.com/
>
>
> proxmox:
>
> Shannon Sterz (1):
> fix #5076: openid: add logic to handle OIDC audiences
>
> proxmox-openid/src/lib.rs | 21 +++++++++++++++++++--
> 1 file changed, 19 insertions(+), 2 deletions(-)
>
>
> proxmox:
>
> Shannon Sterz (1):
> fix #5076: auth: open id: add an optional "audiences" field
>
> src/PVE/API2/OpenId.pm | 4 ++++
> src/PVE/Auth/OpenId.pm | 12 ++++++++++++
> 2 files changed, 16 insertions(+)
>
>
> proxmox:
>
> Shannon Sterz (1):
> fix #5076: ui: dc: add an optional "audiences" field for open id
> realms
>
> www/manager6/dc/AuthEditOpenId.js | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
>
> Summary over all repositories:
> 4 files changed, 48 insertions(+), 2 deletions(-)