From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id B79EE1FF136 for ; Mon, 23 Mar 2026 13:27:19 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 97355164D0; Mon, 23 Mar 2026 13:26:58 +0100 (CET) Content-Type: text/plain; charset=UTF-8 Date: Mon, 23 Mar 2026 13:26:23 +0100 Message-Id: To: "Arthur Bied-Charreton" , Subject: Re: [PATCH proxmox-widget-toolkit 1/2] utils: Add OAuth2 flow handlers From: "Lukas Wagner" Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 X-Mailer: aerc 0.21.0-0-g5549850facc2-dirty References: <20260213160415.609868-1-a.bied-charreton@proxmox.com> <20260213160415.609868-10-a.bied-charreton@proxmox.com> In-Reply-To: <20260213160415.609868-10-a.bied-charreton@proxmox.com> X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1774268737277 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.049 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: 6VMMIZGQI5UMBE4KFRHWGEFKJQYKTV2Y X-Message-ID-Hash: 6VMMIZGQI5UMBE4KFRHWGEFKJQYKTV2Y X-MailFrom: l.wagner@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Seems like formatting is off in this and the next patch - make sure to run `make tidy` for your JS changes. :) On Fri Feb 13, 2026 at 5:04 PM CET, Arthur Bied-Charreton wrote: > Introduce the Proxmox.OAuth2 singleton supporting Google and Microsoft > OAuth2. The flow is handled by opening a new window with the > authorization URL, and expects to receive the resulting authorization > code from the redirect handler via a [BroadcastChannel]. > > [BroadcastChannel] > https://developer.mozilla.org/en-US/docs/Web/API/BroadcastChannel > > Signed-off-by: Arthur Bied-Charreton > --- > src/Utils.js | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 88 insertions(+) > > diff --git a/src/Utils.js b/src/Utils.js > index 5457ffa..5cbe9b6 100644 > --- a/src/Utils.js > +++ b/src/Utils.js > @@ -1723,6 +1723,94 @@ Ext.define('Proxmox.Utils', { > }, > }); > =20 > +Ext.define('Proxmox.OAuth2', { > + singleton: true, > + > + handleGoogleFlow: function (clientId, clientSecret) { > + return this._handleFlow({ > + clientId, > + clientSecret, > + authUrl: 'https://accounts.google.com/o/oauth2/v2/auth', > + tokenUrl: 'https://oauth2.googleapis.com/token', > + scope: 'https://mail.google.com', > + extraAuthParams: { > + access_type: 'offline', > + prompt: 'consent', > + }, > + }); > + }, > + > + handleMicrosoftFlow: function(clientId, clientSecret, tenantId) { > + return this._handleFlow({ > + clientId, > + clientSecret, > + authUrl: `https://login.microsoftonline.com/${tenantId}/oaut= h2/v2.0/authorize`, > + tokenUrl: `https://login.microsoftonline.com/${tenantId}/oau= th2/v2.0/token`, > + scope: 'https://outlook.office.com/SMTP.Send offline_access'= , > + extraAuthParams: { > + prompt: 'consent', > + }, > + }); > + }, > + > + _handleFlow: function (config) { > + return new Promise((resolve, reject) =3D> { > + let redirectUri =3D window.location.origin; > + let channelName =3D `oauth2_${crypto.randomUUID()}`; > + let state =3D encodeURIComponent(JSON.stringify({ channelNam= e })); > + > + let authParams =3D new URLSearchParams({ > + client_id: config.clientId, > + response_type: 'code', > + redirect_uri: redirectUri, > + scope: config.scope, > + state, > + ...config.extraAuthParams, > + }); > + > + let authUrl =3D `${config.authUrl}?${authParams}`; > + > + // Opens OAuth2 authentication window. The app's redirect ha= ndler must > + // extract the authorization code from the callback URL and = send it via: > + // new BroadcastChannel(state.channelName).postMessage({ cod= e }) > + let channel =3D new BroadcastChannel(channelName); > + let popup =3D window.open(authUrl); > + if (!popup) { > + reject(new Error('Could not open authentication window')= ); > + return; > + } > + > + channel.addEventListener('message', async (event) =3D> { > + if (popup && !popup.closed) { > + popup.close(); > + } > + channel.close(); > + > + try { > + let response =3D await fetch(config.tokenUrl, { > + method: 'POST', > + headers: { > + 'Content-Type': 'application/x-www-form-urle= ncoded', > + }, > + body: new URLSearchParams({ > + grant_type: 'authorization_code', > + code: event.data.code, > + client_id: config.clientId, > + client_secret: config.clientSecret, > + redirect_uri: redirectUri, > + }), > + }); > + > + let tokens =3D await response.json(); > + resolve(tokens.refresh_token); > + } catch (error) { > + reject(error); > + } > + }); > + }) > + } > +}) > + > Ext.define('Proxmox.Async', { > singleton: true, > =20