From: Markus Frank <m.frank@proxmox.com>
To: pmg-devel@lists.proxmox.com
Subject: Re: [pmg-devel] [PATCH pmg-gui v2] add OIDC configuration panel for PMG
Date: Mon, 3 Mar 2025 09:58:33 +0100 [thread overview]
Message-ID: <8b6b3881-f148-4ace-bc62-c772c92f29aa@proxmox.com> (raw)
In-Reply-To: <20250303084958.2742-1-m.frank@proxmox.com>
On 2025-03-03 09:49, Markus Frank wrote:
> AuthEditOIDC.js is based on AuthEditOpenId from widget-toolkit and
> adds additional configuration options for autocreate-role-assignment.
>
> It uses sub/preferred_username for username-claim instead of the old
> names (subject/username/email). Removed email option entirely as it is
> incompatible with the username scheme.
I am sorry.
This part should be:
Use sub/preferred_username for username-claim instead of the old names
(subject/username/email). Remove the email option entirely as it is
incompatible with the username scheme.
>
> Signed-off-by: Markus Frank <m.frank@proxmox.com>
> ---
> v2:
> * renamed subject to sub
> * renamed username to preferred_username
> * removed email entirely
>
> js/AuthEditOIDC.js | 270 +++++++++++++++++++++++++++++++++++++++++++++
> js/Makefile | 1 +
> js/Utils.js | 1 +
> 3 files changed, 272 insertions(+)
> create mode 100644 js/AuthEditOIDC.js
>
> diff --git a/js/AuthEditOIDC.js b/js/AuthEditOIDC.js
> new file mode 100644
> index 0000000..cda9d68
> --- /dev/null
> +++ b/js/AuthEditOIDC.js
> @@ -0,0 +1,270 @@
> +Ext.define('PMG.OIDCInputPanel', {
> + extend: 'Proxmox.panel.InputPanel',
> + xtype: 'pmgAuthOIDCPanel',
> + mixins: ['Proxmox.Mixin.CBind'],
> +
> + showDefaultRealm: false,
> +
> + type: 'oidc',
> +
> + viewModel: {
> + data: {
> + roleSource: '__default__',
> + autocreate: 0,
> + },
> + formulas: {
> + hideRoleAssignment: function(get) {
> + let autocreate = get('autocreate');
> + if (!autocreate) {
> + return 1;
> + }
> + return autocreate === 0;
> + },
> + hideFixedRoleAssignment: function(get) {
> + return get('roleSource') !== 'fixed' || get('hideRoleAssignment');
> + },
> + hideClaimRoleAssignment: function(get) {
> + return get('roleSource') !== 'from-claim' || get('hideRoleAssignment');
> + },
> + },
> + },
> +
> + onGetValues: function(values) {
> + let me = this;
> +
> + if (me.isCreate && !me.useTypeInUrl) {
> + values.type = me.type;
> + }
> +
> + if (values.source) {
> + let autocreateRoleAssignment = {};
> + autocreateRoleAssignment.source = values.source;
> + if (values.source === 'fixed') {
> + autocreateRoleAssignment['fixed-role'] = values['fixed-role'];
> + } else if (values.source === 'from-claim') {
> + autocreateRoleAssignment['role-claim'] = values['role-claim'];
> + }
> + values['autocreate-role-assignment'] =
> + Proxmox.Utils.printPropertyString(autocreateRoleAssignment);
> + }
> +
> + if ((!values.autocreate || !values.source) && !me.isCreate) {
> + if (values.delete) {
> + if (Ext.isArray(values.delete)) {
> + values.delete.push('autocreate-role-assignment');
> + } else {
> + values.delete += ',autocreate-role-assignment';
> + }
> + } else {
> + values.delete = 'autocreate-role-assignment';
> + }
> + }
> + delete values.source;
> + delete values['fixed-role'];
> + delete values['role-claim'];
> +
> + return values;
> + },
> +
> + setValues: function(values) {
> + let autocreateRoleAssignment =
> + Proxmox.Utils.parsePropertyString(values['autocreate-role-assignment']);
> +
> + if (autocreateRoleAssignment.source) {
> + values.source = autocreateRoleAssignment.source;
> + } else {
> + values.source = '__default__';
> + }
> +
> + if (autocreateRoleAssignment.source === 'fixed') {
> + values['fixed-role'] = autocreateRoleAssignment['fixed-role'];
> + }
> + if (autocreateRoleAssignment.source === 'from-claim') {
> + values['role-claim'] = autocreateRoleAssignment['role-claim'];
> + }
> +
> + this.callParent(arguments);
> + },
> +
> +
> + columnT: [
> + {
> + xtype: 'textfield',
> + name: 'issuer-url',
> + fieldLabel: gettext('Issuer URL'),
> + allowBlank: false,
> + },
> + ],
> +
> + column1: [
> + {
> + xtype: 'pmxDisplayEditField',
> + name: 'realm',
> + cbind: {
> + value: '{realm}',
> + editable: '{isCreate}',
> + },
> + fieldLabel: gettext('Realm'),
> + allowBlank: false,
> + },
> + {
> + xtype: 'proxmoxcheckbox',
> + fieldLabel: gettext('Default realm'),
> + name: 'default',
> + value: 0,
> + cbind: {
> + deleteEmpty: '{!isCreate}',
> + hidden: '{!showDefaultRealm}',
> + disabled: '{!showDefaultRealm}',
> + },
> + autoEl: {
> + tag: 'div',
> + 'data-qtip': gettext('Set realm as default for login'),
> + },
> + },
> + {
> + xtype: 'proxmoxtextfield',
> + fieldLabel: gettext('Client ID'),
> + name: 'client-id',
> + allowBlank: false,
> + },
> + {
> + xtype: 'proxmoxtextfield',
> + fieldLabel: gettext('Client Key'),
> + cbind: {
> + deleteEmpty: '{!isCreate}',
> + },
> + name: 'client-key',
> + },
> + ],
> +
> + column2: [
> + {
> + xtype: 'pmxDisplayEditField',
> + name: 'username-claim',
> + fieldLabel: gettext('Username Claim'),
> + editConfig: {
> + xtype: 'proxmoxKVComboBox',
> + editable: true,
> + comboItems: [
> + ['__default__', Proxmox.Utils.defaultText],
> + ['sub', 'sub (subject)'],
> + ['preferred_username', 'preferred_username'],
> + ],
> + },
> + cbind: {
> + value: get => get('isCreate') ? '__default__' : Proxmox.Utils.defaultText,
> + deleteEmpty: '{!isCreate}',
> + editable: '{isCreate}',
> + },
> + },
> + {
> + xtype: 'proxmoxtextfield',
> + name: 'scopes',
> + fieldLabel: gettext('Scopes'),
> + emptyText: `${Proxmox.Utils.defaultText} (email profile)`,
> + submitEmpty: false,
> + cbind: {
> + deleteEmpty: '{!isCreate}',
> + },
> + },
> + {
> + xtype: 'proxmoxKVComboBox',
> + name: 'prompt',
> + fieldLabel: gettext('Prompt'),
> + editable: true,
> + emptyText: gettext('Auth-Provider Default'),
> + comboItems: [
> + ['__default__', gettext('Auth-Provider Default')],
> + ['none', 'none'],
> + ['login', 'login'],
> + ['consent', 'consent'],
> + ['select_account', 'select_account'],
> + ],
> + cbind: {
> + deleteEmpty: '{!isCreate}',
> + },
> + },
> + ],
> +
> + columnB: [
> + {
> + xtype: 'proxmoxtextfield',
> + name: 'comment',
> + fieldLabel: gettext('Comment'),
> + cbind: {
> + deleteEmpty: '{!isCreate}',
> + },
> + },
> + {
> + xtype: 'displayfield',
> + value: gettext('Autocreate Options'),
> + },
> + {
> + xtype: 'proxmoxcheckbox',
> + fieldLabel: gettext('Autocreate Users'),
> + name: 'autocreate',
> + bind: {
> + value: '{autocreate}',
> + },
> + cbind: {
> + deleteEmpty: '{!isCreate}',
> + },
> + },
> + {
> + xtype: 'proxmoxKVComboBox',
> + name: 'source',
> + fieldLabel: gettext('Source for Role Assignment'),
> + allowBlank: false,
> + deleteEmpty: false,
> + comboItems: [
> + [
> + '__default__',
> + Proxmox.Utils.defaultText
> + + ' (' + gettext('All auto-created users get audit role') + ')',
> + ],
> + ['fixed', 'Fixed role for all auto-created users'],
> + ['from-claim', 'Get role from OIDC claim'],
> + ],
> + bind: {
> + value: '{roleSource}',
> + disabled: '{hideRoleAssignment}',
> + hidden: '{hideRoleAssignment}',
> + },
> + },
> + {
> + xtype: 'pmgRoleSelector',
> + name: 'fixed-role',
> + allowBlank: false,
> + deleteEmpty: false,
> + fieldLabel: gettext('Fixed Role'),
> + bind: {
> + disabled: '{hideFixedRoleAssignment}',
> + hidden: '{hideFixedRoleAssignment}',
> + },
> + },
> + {
> + xtype: 'proxmoxtextfield',
> + name: 'role-claim',
> + allowBlank: false,
> + deleteEmpty: false,
> + fieldLabel: gettext('Role Claim'),
> + bind: {
> + disabled: '{hideClaimRoleAssignment}',
> + hidden: '{hideClaimRoleAssignment}',
> + },
> + },
> + ],
> +
> + advancedColumnB: [
> + {
> + xtype: 'proxmoxtextfield',
> + name: 'acr-values',
> + fieldLabel: gettext('ACR Values'),
> + submitEmpty: false,
> + cbind: {
> + deleteEmpty: '{!isCreate}',
> + },
> + },
> + ],
> +});
> diff --git a/js/Makefile b/js/Makefile
> index d1fab9b..c984bf3 100644
> --- a/js/Makefile
> +++ b/js/Makefile
> @@ -78,6 +78,7 @@ JSSRC= \
> LDAPConfig.js \
> UserEdit.js \
> UserView.js \
> + AuthEditOIDC.js \
> TFAView.js \
> FetchmailEdit.js \
> FetchmailView.js \
> diff --git a/js/Utils.js b/js/Utils.js
> index d4a55a8..9dbc76f 100644
> --- a/js/Utils.js
> +++ b/js/Utils.js
> @@ -871,6 +871,7 @@ Ext.define('PMG.Utils', {
> // use oidc instead of openid
> Proxmox.Schema.authDomains.oidc = Proxmox.Schema.authDomains.openid;
> Proxmox.Schema.authDomains.oidc.useTypeInUrl = false;
> + Proxmox.Schema.authDomains.oidc.ipanel = 'pmgAuthOIDCPanel';
> delete Proxmox.Schema.authDomains.openid;
>
> // Disable LDAP/AD as a realm until LDAP/AD login is implemented
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
next prev parent reply other threads:[~2025-03-03 8:59 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-03 8:49 Markus Frank
2025-03-03 8:58 ` Markus Frank [this message]
2025-03-10 14:37 ` Dominik Csapak
2025-03-11 10:22 ` Markus Frank
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8b6b3881-f148-4ace-bc62-c772c92f29aa@proxmox.com \
--to=m.frank@proxmox.com \
--cc=pmg-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal