From: "Shannon Sterz" <s.sterz@proxmox.com>
To: "Proxmox VE development discussion" <pve-devel@lists.proxmox.com>,
"Alexander Abraham" <a.abraham@proxmox.com>
Subject: Re: [pve-devel] [PATCH proxmox v2 1/1] fix #5076: Added logic to handle OIDC audiences
Date: Tue, 03 Jun 2025 10:39:17 +0200
Message-ID: <DACRH0RSNID4.RN7TP27MTUAC@proxmox.com>
In-Reply-To: <20250602141458.142000-2-a.abraham@proxmox.com>
On Mon Jun 2, 2025 at 4:14 PM CEST, Alexander Abraham wrote:
> A field for OIDC audiences was added, logic to handle these audiences,
> and the audiences supplied by an OIDC IDP are validated against
> the audiences a user saves in their realm domains
> configuration.
>
> Signed-off-by: Alexander Abraham <a.abraham@proxmox.com>
> ---
> proxmox-openid/src/lib.rs | 20 ++++++++++++++++++--
> 1 file changed, 18 insertions(+), 2 deletions(-)
>
> diff --git a/proxmox-openid/src/lib.rs b/proxmox-openid/src/lib.rs
> index fe65fded..fa22638a 100644
> --- a/proxmox-openid/src/lib.rs
> +++ b/proxmox-openid/src/lib.rs
> @@ -53,6 +53,8 @@ pub struct OpenIdConfig {
> pub prompt: Option<String>,
> #[serde(skip_serializing_if = "Option::is_none")]
> pub acr_values: Option<Vec<String>>,
> + #[serde(skip_serializing_if = "Option::is_none")]
> + pub audiences: Option<Vec<String>>,
This patch doesn't seem to apply anymore. Also, is there a reason this
couldn't be:
#[serde(skip_serializing_if = "Vec::is_empty")]
pub audiences: Vec<String>,
> }
>
> pub struct OpenIdAuthenticator {
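Review bot: the new `audiences` field has no doc comment; add one stating that these are the additional `aud` values accepted besides the configured client id (the verifier closure in the second hunk accepts the client id unconditionally, so it need not be listed here). If the field is changed to a plain `Vec<String>` as suggested above, it also needs `#[serde(default)]` so that existing realm configurations without an `audiences` key still deserialize.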
> @@ -205,12 +207,26 @@ impl OpenIdAuthenticator {
> .request(http_client)
> .map_err(|err| format_err!("Failed to contact token endpoint: {}", err))?;
>
> - let id_token_verifier: CoreIdTokenVerifier = self.client.id_token_verifier();
> let id_token_claims: &CoreIdTokenClaims = token_response
> .extra_fields()
> .id_token()
> .expect("Server did not return an ID token")
> - .claims(&id_token_verifier, &private_auth_state.nonce)
> + .claims(
> + &((self.client.id_token_verifier())
> + .require_audience_match(true)
> + .set_other_audience_verifier_fn(|aud| {
> + let curr_aud: &String = aud;
> + if &self.config.client_id == curr_aud {
> + true
> + } else {
> + match self.config.audiences.as_ref() {
> + Some(confd_auds) => confd_auds.contains(curr_aud),
> + None => false,
> + }
Then this could simply be:
self.config.audiences.contains(curr_aud)
> + }
> + })),
> + &private_auth_state.nonce,
> + )
> .map_err(|err| format_err!("Failed to verify ID token: {}", err))?;
>
> let userinfo_claims: GenericUserInfoClaims = self
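Review bot: the inline construction `&((self.client.id_token_verifier()).require_audience_match(true).set_other_audience_verifier_fn(...))` passed straight into `.claims(...)` is hard to read; keep the `let id_token_verifier` binding that the hunk removes, chain `.require_audience_match(true)` and `.set_other_audience_verifier_fn(...)` onto it, and pass `&id_token_verifier` as before, which also keeps the diff minimal. Inside the closure, `let curr_aud: &String = aud;` exists only to coerce the argument type; comparing against `aud` directly (or `aud.as_str()`) drops that line. Finally, the diffstat shows only `proxmox-openid/src/lib.rs` changing, so nothing exercises the new rule; a test with three ID tokens (aud = client id only, aud containing a configured extra audience, aud containing an unknown audience) would pin down that the last one is rejected.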
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Thread overview: 5+ messages
2025-06-02 14:14 [pve-devel] [PATCH access-control-5076/manager/proxmox-5076 v2 0/3] fix #5076: Added Open ID audiences Alexander Abraham
2025-06-02 14:14 ` [pve-devel] [PATCH proxmox v2 1/1] fix #5076: Added logic to handle OIDC audiences Alexander Abraham
2025-06-03 8:39 ` Shannon Sterz [this message]
2025-06-02 14:14 ` [pve-devel] [PATCH pve-access-control v2 1/1] fix #5076: Changed audiences to an array Alexander Abraham
2025-06-02 14:14 ` [pve-devel] [PATCH pve-manager v2 1/1] fix #5076: Added an "audiences" field for Open ID Alexander Abraham