* [pbs-devel] [PATCH proxmox-openid-rs 1/5] allow to configure used scopes @ 2021-08-06 7:17 Dietmar Maurer 2021-08-06 7:17 ` [pbs-devel] [PATCH pve-rs] depend on proxmox-openid 0.7.0, bump version to 0.3.0 Dietmar Maurer ` (5 more replies) 0 siblings, 6 replies; 8+ messages in thread From: Dietmar Maurer @ 2021-08-06 7:17 UTC (permalink / raw) To: pbs-devel --- src/lib.rs | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/src/lib.rs b/src/lib.rs index 72bcd31..dcd08dd 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -34,16 +34,19 @@ use openidconnect::{ Scope, }; -#[derive(Debug, Deserialize, Serialize)] +#[derive(Debug, Deserialize, Serialize, Clone)] pub struct OpenIdConfig { pub issuer_url: String, pub client_id: String, #[serde(skip_serializing_if="Option::is_none")] pub client_key: Option<String>, + #[serde(skip_serializing_if="Option::is_none")] + pub scopes: Option<Vec<String>>, } pub struct OpenIdAuthenticator { client: CoreClient, + config: OpenIdConfig, } #[derive(Debug, Deserialize, Serialize)] @@ -111,6 +114,7 @@ impl OpenIdAuthenticator { Ok(Self { client, + config: config.clone(), }) } 
@@ -123,18 +127,25 @@ impl OpenIdAuthenticator { store_auth_state(Path::new(state_dir), realm, &private_auth_state)?; // Generate the authorization URL to which we'll redirect the user. - let (authorize_url, _csrf_state, _nonce) = self.client + let mut request = self.client .authorize_url( CoreAuthenticationFlow::AuthorizationCode, || CsrfToken::new(public_auth_state), || nonce, ) - .set_display(CoreAuthDisplay::Page) - .add_prompt(CoreAuthPrompt::Login) - .add_scope(Scope::new("email".to_string())) - .add_scope(Scope::new("profile".to_string())) - .set_pkce_challenge(private_auth_state.pkce_challenge()) - .url(); + .set_pkce_challenge(private_auth_state.pkce_challenge()); + + request = request.set_display(CoreAuthDisplay::Page); + + request = request.add_prompt(CoreAuthPrompt::Login); + + if let Some(ref scopes) = self.config.scopes { + for scope in scopes.clone() { + request = request.add_scope(Scope::new(scope)); + } + } + + let (authorize_url, _csrf_state, _nonce) = request.url(); Ok(authorize_url.to_string()) } -- 2.30.2 ^ permalink raw reply [flat|nested] 8+ messages in thread
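Review bot: the `authorize_url` hunk in src/lib.rs drops the unconditional `email` and `profile` scopes, so a caller that leaves the new `scopes` field at `None` now gets no scope added by this code at all, whereas 0.6.1 always requested both. The pve-rs patch in this series does not populate `scopes`, so it would silently lose the `email`/`profile` claims that feed user auto-creation. Either fall back to `["email", "profile"]` when `self.config.scopes` is `None`, or make the field mandatory and document that callers must now list the scopes themselves. Style point in the same loop: `for scope in scopes.clone()` copies the whole vector just to move each `String` into `Scope::new`; iterating `scopes.iter()` and cloning per element reads clearer.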
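Review bot: the first hunk adds `scopes: Option<Vec<String>>` to the public `OpenIdConfig` without a doc comment, and since the struct now derives `Clone` and is stored whole in `OpenIdAuthenticator` (including `client_key`), a `///` line saying what `None` means (no scopes added, see the `authorize_url` hunk) and whether `openid` has to be listed explicitly would save every caller a trip into the source.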
* [pbs-devel] [PATCH pve-rs] depend on proxmox-openid 0.7.0, bump version to 0.3.0 2021-08-06 7:17 [pbs-devel] [PATCH proxmox-openid-rs 1/5] allow to configure used scopes Dietmar Maurer @ 2021-08-06 7:17 ` Dietmar Maurer 2021-08-06 7:17 ` [pbs-devel] [PATCH proxmox-backup] openid: allow to configure scopes, prompt and arbitrary username-claim values Dietmar Maurer ` (4 subsequent siblings) 5 siblings, 0 replies; 8+ messages in thread From: Dietmar Maurer @ 2021-08-06 7:17 UTC (permalink / raw) To: pbs-devel --- Cargo.toml | 2 +- debian/changelog | 8 ++++++++ src/openid/mod.rs | 2 +- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 736bc49..ef8c27c 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -20,5 +20,5 @@ anyhow = "1.0" proxmox = { version = "0.12.1", default-features = false } perlmod = { version = "0.5.2", features = [ "exporter" ] } proxmox-apt = "0.6.0" -proxmox-openid = "0.6.1" +proxmox-openid = "0.7.0" serde = "1.0" diff --git a/debian/changelog b/debian/changelog index b247a35..33ab4a6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +libpve-rs-perl (0.3.0) bullseye; urgency=medium + + * depend on proxmox-openid 0.7.0 (support prompt an d scopes) + + * openid: use new verify_authorization_code_simple() to return all claims + + -- Proxmox Support Team <support@proxmox.com> Fri, 06 Aug 2021 08:48:59 +0200 + libpve-rs-perl (0.2.3) bullseye; urgency=medium * use newer dependencies for apt to improve repo+suite handling diff --git a/src/openid/mod.rs b/src/openid/mod.rs index febe927..aa31f9c 100644 --- a/src/openid/mod.rs +++ b/src/openid/mod.rs @@ -81,7 +81,7 @@ mod export { ) -> Result<Value, Error> { let open_id = this.inner.lock().unwrap(); - let claims = open_id.verify_authorization_code(code, &private_auth_state)?; + let claims = open_id.verify_authorization_code_simple(code, &private_auth_state)?; Ok(to_value(&claims)?) } -- 2.30.2 ^ permalink raw reply [flat|nested] 8+ messages in thread
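Review bot: the debian/changelog hunk claims "support prompt an d scopes" (stray space in "and"), but the only code change is the switch to `verify_authorization_code_simple()` in src/openid/mod.rs; nothing here sets the new `prompt` or `scopes` fields of `OpenIdConfig`, so either the Perl caller already passes them through or both stay unset, and with `scopes` unset proxmox-openid 0.7.0 no longer requests `email`/`profile` (see the 1/5 patch). The changelog should say which it is. Also worth a sentence that the Perl side now receives a flat JSON object in which ID-token claims win and UserInfo values only fill missing keys, since consumers may start keying on claims that are only present from UserInfo.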
* [pbs-devel] [PATCH proxmox-backup] openid: allow to configure scopes, prompt and arbitrary username-claim values 2021-08-06 7:17 [pbs-devel] [PATCH proxmox-openid-rs 1/5] allow to configure used scopes Dietmar Maurer 2021-08-06 7:17 ` [pbs-devel] [PATCH pve-rs] depend on proxmox-openid 0.7.0, bump version to 0.3.0 Dietmar Maurer @ 2021-08-06 7:17 ` Dietmar Maurer 2021-08-06 7:17 ` [pbs-devel] [PATCH proxmox-openid-rs 2/5] also return data from UserInfo endpoint Dietmar Maurer ` (3 subsequent siblings) 5 siblings, 0 replies; 8+ messages in thread From: Dietmar Maurer @ 2021-08-06 7:17 UTC (permalink / raw) To: pbs-devel - no longer set prompt to 'login' (makes auto-login possible) - new prompt configuration - allow arbitrary username-claim values We now allow to change the username-claim in the update API. Depend on proxmox-openid 0.7.0. --- Cargo.toml | 2 +- pbs-api-types/src/lib.rs | 31 +++++++++++++++++- src/api2/access/openid.rs | 54 +++++++++++++++++++++----------- src/api2/config/access/openid.rs | 29 +++++++++++++++++ src/config/domains.rs | 35 ++++++++++----------- 5 files changed, 111 insertions(+), 40 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index c6141842..e71b87ba 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -92,7 +92,7 @@ proxmox = { version = "0.12.1", features = [ "sortable-macro", "api-macro", "cli proxmox-acme-rs = "0.2.1" proxmox-apt = "0.6.0" proxmox-http = { version = "0.3.0", features = [ "client", "http-helpers", "websocket" ] } -proxmox-openid = "0.6.1" +proxmox-openid = "0.7.0" pbs-api-types = { path = "pbs-api-types" } pbs-buildcfg = { path = "pbs-buildcfg" } diff --git a/pbs-api-types/src/lib.rs b/pbs-api-types/src/lib.rs index 576099eb..1cba21f4 100644 --- a/pbs-api-types/src/lib.rs +++ b/pbs-api-types/src/lib.rs 
@@ -3,7 +3,7 @@ use serde::{Deserialize, Serialize}; use proxmox::api::api; -use proxmox::api::schema::{ApiStringFormat, EnumEntry, IntegerSchema, Schema, StringSchema}; +use proxmox::api::schema::{ApiStringFormat, EnumEntry, IntegerSchema, Schema, StringSchema, ArraySchema}; use proxmox::const_regex; use proxmox::{IPRE, IPRE_BRACKET, IPV4OCTET, IPV4RE, IPV6H16, IPV6LS32, IPV6RE}; @@ -184,6 +184,35 @@ pub const PRUNE_SCHEMA_KEEP_YEARLY: Schema = pub const PROXMOX_SAFE_ID_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&PROXMOX_SAFE_ID_REGEX); +pub const OPENID_SCOPE_FORMAT: ApiStringFormat = + ApiStringFormat::Pattern(&PROXMOX_SAFE_ID_REGEX); + +pub const OPENID_SCOPE_SCHEMA: Schema = StringSchema::new("OpenID Scope Name.") + .format(&OPENID_SCOPE_FORMAT) + .schema(); + +pub const OPENID_SCOPE_ARRAY_SCHEMA: Schema = ArraySchema::new( + "Array of OpenId Scopes.", &OPENID_SCOPE_SCHEMA).schema(); + +pub const OPENID_SCOPE_LIST_FORMAT: ApiStringFormat = + ApiStringFormat::PropertyString(&OPENID_SCOPE_ARRAY_SCHEMA); + +pub const OPENID_DEFAILT_SCOPE_LIST: &'static str = "email profile"; +pub const OPENID_SCOPE_LIST_SCHEMA: Schema = StringSchema::new("OpenID Scope List") + .format(&OPENID_SCOPE_LIST_FORMAT) + .default(OPENID_DEFAILT_SCOPE_LIST) + .schema(); + +pub const OPENID_USERNAME_CLAIM_SCHEMA: Schema = StringSchema::new( + "Use the value of this attribute/claim as unique user name. It \ + is up to the identity provider to guarantee the uniqueness. The \ + OpenID specification only guarantees that Subject ('sub') is \ + unique. Also make sure that the user is not allowed to change that \ + attribute by himself!") + .max_length(64) + .min_length(1) + .format(&PROXMOX_SAFE_ID_FORMAT) .schema(); + pub const SINGLE_LINE_COMMENT_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&SINGLE_LINE_COMMENT_REGEX); diff --git a/src/api2/access/openid.rs b/src/api2/access/openid.rs index f78e4674..43dc77e4 100644 --- a/src/api2/access/openid.rs +++ b/src/api2/access/openid.rs 
@@ -18,7 +18,7 @@ use pbs_tools::ticket::Ticket; use crate::server::ticket::ApiTicket; -use crate::config::domains::{OpenIdUserAttribute, OpenIdRealmConfig}; +use crate::config::domains::OpenIdRealmConfig; use crate::config::cached_user_info::CachedUserInfo; use crate::backup::open_backup_lockfile; @@ -27,15 +27,24 @@ use crate::api2::types::*; use crate::auth_helpers::*; fn openid_authenticator(realm_config: &OpenIdRealmConfig, redirect_url: &str) -> Result<OpenIdAuthenticator, Error> { + + let ref list = realm_config.scopes.as_deref().unwrap_or(OPENID_DEFAILT_SCOPE_LIST); + let scopes: Vec<String> = list + .split(|c: char| c == ',' || c == ';' || char::is_ascii_whitespace(&c)) + .filter(|s| !s.is_empty()) + .map(String::from) + .collect(); + let config = OpenIdConfig { issuer_url: realm_config.issuer_url.clone(), client_id: realm_config.client_id.clone(), client_key: realm_config.client_key.clone(), + prompt: realm_config.prompt.clone(), + scopes: Some(scopes), }; OpenIdAuthenticator::discover(&config, redirect_url) } - #[api( input: { properties: { 
@@ -93,22 +102,29 @@ pub fn openid_login( let open_id = openid_authenticator(&config, &redirect_url)?; - let info = open_id.verify_authorization_code(&code, &private_auth_state)?; + let info = open_id.verify_authorization_code_simple(&code, &private_auth_state)?; - // eprintln!("VERIFIED {} {:?} {:?}", info.subject().as_str(), info.name(), info.email()); + // eprintln!("VERIFIED {:?}", info); - let unique_name = match config.username_claim { - None | Some(OpenIdUserAttribute::Subject) => info.subject().as_str(), - Some(OpenIdUserAttribute::Username) => { - match info.preferred_username() { - Some(name) => name.as_str(), - None => bail!("missing claim 'preferred_name'"), - } - } - Some(OpenIdUserAttribute::Email) => { - match info.email() { - Some(name) => name.as_str(), - None => bail!("missing claim 'email'"), + let name_attr = config.username_claim.as_deref().unwrap_or("sub"); + + // Try to be compatible with previous versions + let try_attr = match name_attr { + "subject" => Some("sub"), + "username" => Some("preferred_username"), + _ => None, + }; + + let unique_name = match info[name_attr].as_str() { + Some(name) => name.to_owned(), + None => { + if let Some(try_attr) = try_attr { + match info[try_attr].as_str() { + Some(name) => name.to_owned(), + None => bail!("missing claim '{}'", name_attr), + } + } else { + bail!("missing claim '{}'", name_attr); } } }; @@ -124,9 +140,9 @@ pub fn openid_login( comment: None, enable: None, expire: None, - firstname: info.given_name().and_then(|n| n.get(None)).map(|n| n.to_string()), - lastname: info.family_name().and_then(|n| n.get(None)).map(|n| n.to_string()), - email: info.email().map(|e| e.to_string()), + firstname: info["given_name"].as_str().map(|n| n.to_string()), + lastname: info["family_name"].as_str().map(|n| n.to_string()), + email: info["email"].as_str().map(|e| e.to_string()), }; let (mut config, _digest) = user::config()?; if config.sections.get(user.userid.as_str()).is_some() { 
diff --git a/src/api2/config/access/openid.rs b/src/api2/config/access/openid.rs index b8b07306..9c7ff101 100644 --- a/src/api2/config/access/openid.rs +++ b/src/api2/config/access/openid.rs @@ -155,6 +155,12 @@ pub enum DeletableProperty { comment, /// Delete the autocreate property autocreate, + /// Delete the scopes property + scopes, + /// Delete the prompt property + prompt, + /// Delete the username-claim property + username_claim, } #[api( @@ -179,6 +185,20 @@ pub enum DeletableProperty { type: String, optional: true, }, + "username-claim": { + schema: OPENID_USERNAME_CLAIM_SCHEMA, + optional: true, + }, + "scopes": { + schema: OPENID_SCOPE_LIST_SCHEMA, + optional: true, + }, + prompt: { + description: "OpenID Prompt", + type: String, + format: &PROXMOX_SAFE_ID_FORMAT, + optional: true, + }, autocreate: { description: "Automatically create users if they do not exist.", optional: true, @@ -213,6 +233,9 @@ pub fn update_openid_realm( issuer_url: Option<String>, client_id: Option<String>, client_key: Option<String>, + scopes: Option<String>, + prompt: Option<String>, + username_claim: Option<String>, autocreate: Option<bool>, comment: Option<String>, delete: Option<Vec<DeletableProperty>>, @@ -237,6 +260,9 @@ pub fn update_openid_realm( DeletableProperty::client_key => { config.client_key = None; }, DeletableProperty::comment => { config.comment = None; }, DeletableProperty::autocreate => { config.autocreate = None; }, + DeletableProperty::scopes => { config.scopes = None; }, + DeletableProperty::prompt => { config.prompt = None; }, + DeletableProperty::username_claim => { config.username_claim = None; }, } } } 
@@ -255,6 +281,9 @@ pub fn update_openid_realm( if client_key.is_some() { config.client_key = client_key; } if autocreate.is_some() { config.autocreate = autocreate; } + if scopes.is_some() { config.scopes = scopes; } + if prompt.is_some() { config.prompt = prompt; } + if username_claim.is_some() { config.username_claim = username_claim; } domains.set_data(&realm, "openid", &config)?; diff --git a/src/config/domains.rs b/src/config/domains.rs index 0d695777..5752e8ad 100644 --- a/src/config/domains.rs +++ b/src/config/domains.rs @@ -20,23 +20,6 @@ lazy_static! { pub static ref CONFIG: SectionConfig = init(); } -#[api()] -#[derive(Eq, PartialEq, Debug, Serialize, Deserialize)] -#[serde(rename_all = "lowercase")] -/// Use the value of this attribute/claim as unique user name. It is -/// up to the identity provider to guarantee the uniqueness. The -/// OpenID specification only guarantees that Subject ('sub') is unique. Also -/// make sure that the user is not allowed to change that attribute by -/// himself! -pub enum OpenIdUserAttribute { - /// Subject (OpenId 'sub' claim) - Subject, - /// Username (OpenId 'preferred_username' claim) - Username, - /// Email (OpenId 'email' claim) - Email, -} - #[api( properties: { realm: { @@ -55,6 +38,16 @@ pub enum OpenIdUserAttribute { type: String, optional: true, }, + "scopes": { + schema: OPENID_SCOPE_LIST_SCHEMA, + optional: true, + }, + prompt: { + description: "OpenID Prompt", + type: String, + format: &PROXMOX_SAFE_ID_FORMAT, + optional: true, + }, comment: { optional: true, schema: SINGLE_LINE_COMMENT_SCHEMA, @@ -66,7 +59,7 @@ pub enum OpenIdUserAttribute { default: false, }, "username-claim": { - type: OpenIdUserAttribute, + schema: OPENID_USERNAME_CLAIM_SCHEMA, optional: true, }, }, 
@@ -79,13 +72,17 @@ pub struct OpenIdRealmConfig { pub issuer_url: String, pub client_id: String, #[serde(skip_serializing_if="Option::is_none")] + pub scopes: Option<String>, + #[serde(skip_serializing_if="Option::is_none")] + pub prompt: Option<String>, + #[serde(skip_serializing_if="Option::is_none")] pub client_key: Option<String>, #[serde(skip_serializing_if="Option::is_none")] pub comment: Option<String>, #[serde(skip_serializing_if="Option::is_none")] pub autocreate: Option<bool>, #[serde(skip_serializing_if="Option::is_none")] - pub username_claim: Option<OpenIdUserAttribute>, + pub username_claim: Option<String>, } fn init() -> SectionConfig { -- 2.30.2 ^ permalink raw reply [flat|nested] 8+ messages in thread
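Review bot: in the pbs-api-types hunk `OPENID_DEFAILT_SCOPE_LIST` is misspelled (DEFAULT) and is a `pub const`, so the typo becomes part of the crate API the moment another crate imports it; rename before it spreads. Minor formatting in the same hunk: `.format(&PROXMOX_SAFE_ID_FORMAT) .schema();` should be split onto two lines like the other schema builders above it.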
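Review bot: in the `openid_authenticator` hunk `let ref list = ...` is an unusual binding form; `let list = realm_config.scopes.as_deref().unwrap_or(OPENID_DEFAILT_SCOPE_LIST);` does the same. More importantly, the hand-rolled split on `,`, `;` and whitespace has to stay in sync with what `OPENID_SCOPE_LIST_FORMAT` (a property string over `OPENID_SCOPE_ARRAY_SCHEMA`) accepts at config time; parsing the stored string through that schema instead of `split()` would guarantee the two agree and would reject a scope that fails `PROXMOX_SAFE_ID_FORMAT` before it is put into the authorization URL.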
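Review bot: in the `openid_login` hunk the login name is now read from the merged ID-token plus UserInfo object for any configured claim name, so a claim the provider returns only from the UserInfo endpoint (not inside the signed ID token) can become the unique user name; the schema text already warns that the attribute must not be user-editable, but the lookup should also reject an empty string, since `info[name_attr].as_str()` returns `Some("")` for `""` and the code accepts it unless the `Userid` constructor further down refuses it. Two smaller points in the compatibility mapping: for a legacy `subject` value the code first consults `info["subject"]`, so a provider that happens to emit a claim literally named `subject` shadows `sub`; checking the mapped claim first (or only) avoids that. And when both lookups fail the error reports `name_attr` rather than the claim actually consulted, which makes debugging a misconfigured realm harder.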
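Review bot: in the src/api2/config/access/openid.rs hunk `prompt` is declared as a free-form `String` with `PROXMOX_SAFE_ID_FORMAT`, and the identical property block is repeated in src/config/domains.rs; proxmox-openid only knows `none`, `login`, `consent` and `select_account` and forwards anything else to the provider as an extension value, so a typo such as `logon` is accepted by the update API and only fails at the identity provider. A shared `OPENID_PROMPT_SCHEMA` next to the scope schemas, ideally an enum or at least a description listing the known values, would catch that at config time and stop the two copies from drifting.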
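Review bot: the src/config/domains.rs hunk turns `username-claim` from the `OpenIdUserAttribute` enum into a free string, which changes the meaning of values already stored in domains.cfg (`subject`, `username`, `email`): they keep working only through the `try_attr` fallback in `openid_login` (and, for `email`, because the old value coincides with the claim name). That compatibility rule should be stated in the `OPENID_USERNAME_CLAIM_SCHEMA` description or the commit message. Separately, because this patch stops sending `prompt=login` by default, existing realms change behaviour on upgrade: a browser with a live session at the identity provider is signed into PBS without a fresh credential prompt. Admins who rely on re-authentication must now set `prompt=login` explicitly, and that deserves a changelog line.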
* [pbs-devel] [PATCH proxmox-openid-rs 2/5] also return data from UserInfo endpoint 2021-08-06 7:17 [pbs-devel] [PATCH proxmox-openid-rs 1/5] allow to configure used scopes Dietmar Maurer 2021-08-06 7:17 ` [pbs-devel] [PATCH pve-rs] depend on proxmox-openid 0.7.0, bump version to 0.3.0 Dietmar Maurer 2021-08-06 7:17 ` [pbs-devel] [PATCH proxmox-backup] openid: allow to configure scopes, prompt and arbitrary username-claim values Dietmar Maurer @ 2021-08-06 7:17 ` Dietmar Maurer 2021-08-06 7:17 ` [pbs-devel] [PATCH proxmox-openid-rs 3/5] new helper verify_authorization_code_simple() Dietmar Maurer ` (2 subsequent siblings) 5 siblings, 0 replies; 8+ messages in thread From: Dietmar Maurer @ 2021-08-06 7:17 UTC (permalink / raw) To: pbs-devel --- src/lib.rs | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/src/lib.rs b/src/lib.rs index dcd08dd..abcd06e 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -20,6 +20,7 @@ use openidconnect::{ CoreAuthenticationFlow, CoreAuthDisplay, CoreAuthPrompt, + CoreGenderClaim, }, PkceCodeChallenge, PkceCodeVerifier, @@ -32,9 +33,18 @@ use openidconnect::{ OAuth2TokenResponse, RedirectUrl, Scope, + UserInfoClaims, + AdditionalClaims, }; -#[derive(Debug, Deserialize, Serialize, Clone)] +/// Stores Additional Claims into a serde_json::Value; +#[derive(Debug, Deserialize, Serialize)] +pub struct GenericClaims(serde_json::Value); +impl AdditionalClaims for GenericClaims {} + +pub type GenericUserInfoClaims = UserInfoClaims<GenericClaims, CoreGenderClaim>; + + #[derive(Debug, Deserialize, Serialize, Clone)] pub struct OpenIdConfig { pub issuer_url: String, pub client_id: String, @@ -161,7 +171,7 @@ impl OpenIdAuthenticator { &self, code: &str, private_auth_state: &PrivateAuthState, - ) -> Result<CoreIdTokenClaims, Error> { + ) -> Result<(CoreIdTokenClaims, GenericUserInfoClaims), Error> { let code = AuthorizationCode::new(code.to_string()); // Exchange the code with a token. 
@@ -179,6 +189,11 @@ impl OpenIdAuthenticator { .claims(&id_token_verifier, &private_auth_state.nonce) .map_err(|err| format_err!("Failed to verify ID token: {}", err))?; - Ok(id_token_claims.clone()) + let userinfo_claims: GenericUserInfoClaims = self.client + .user_info(token_response.access_token().to_owned(), None)? + .request(http_client) + .map_err(|err| format_err!("Failed to contact userinfo endpoint: {}", err))?; + + Ok((id_token_claims.clone(), userinfo_claims)) } } -- 2.30.2 ^ permalink raw reply [flat|nested] 8+ messages in thread
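Review bot: in the `verify_authorization_code` body hunk, `self.client.user_info(token_response.access_token().to_owned(), None)` passes `None` as the expected subject, so the UserInfo response's `sub` is never compared with the `sub` of the ID token that was just verified against the nonce; pass `Some(id_token_claims.subject().clone())` so the library enforces that both responses describe the same user before 3/5 merges them into the object the login name is taken from. Second point in the same hunk: the `?` on `user_info(...)` fails when discovery advertised no `userinfo_endpoint`, and a failed `request(http_client)` aborts the login as well, so providers that issue only an ID token, or whose UserInfo endpoint is temporarily unreachable, now fail where 0.6.1 worked; treating a missing endpoint as "no extra claims" and failing hard only on a real request error would avoid the regression.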
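Review bot: the `GenericClaims(serde_json::Value)` hunk makes the newtype `pub` but leaves its field private and adds no accessor, so a caller that receives `GenericUserInfoClaims` can only get at the extra claims by serializing the whole struct again; either `pub struct GenericClaims(pub Value)` or an `as_value()` method would make the new return type usable directly. The doc comment also ends in a stray semicolon.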
* [pbs-devel] [PATCH proxmox-openid-rs 3/5] new helper verify_authorization_code_simple() 2021-08-06 7:17 [pbs-devel] [PATCH proxmox-openid-rs 1/5] allow to configure used scopes Dietmar Maurer ` (2 preceding siblings ...) 2021-08-06 7:17 ` [pbs-devel] [PATCH proxmox-openid-rs 2/5] also return data from UserInfo endpoint Dietmar Maurer @ 2021-08-06 7:17 ` Dietmar Maurer 2021-08-06 7:17 ` [pbs-devel] [PATCH proxmox-openid-rs 4/5] allow to configure prompt behaviour Dietmar Maurer 2021-08-06 7:17 ` [pbs-devel] [PATCH proxmox-openid-rs 5/5] bump version to 0.7.0-1 Dietmar Maurer 5 siblings, 0 replies; 8+ messages in thread From: Dietmar Maurer @ 2021-08-06 7:17 UTC (permalink / raw) To: pbs-devel Simply return data as serde_json::Value. --- src/lib.rs | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/src/lib.rs b/src/lib.rs index abcd06e..5d8b758 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -2,6 +2,7 @@ use std::path::Path; use anyhow::{format_err, Error}; use serde::{Deserialize, Serialize}; +use serde_json::Value; mod http_client; pub use http_client::http_client; @@ -39,7 +40,7 @@ use openidconnect::{ /// Stores Additional Claims into a serde_json::Value; #[derive(Debug, Deserialize, Serialize)] -pub struct GenericClaims(serde_json::Value); +pub struct GenericClaims(Value); impl AdditionalClaims for GenericClaims {} pub type GenericUserInfoClaims = UserInfoClaims<GenericClaims, CoreGenderClaim>; 
@@ -196,4 +197,29 @@ impl OpenIdAuthenticator { Ok((id_token_claims.clone(), userinfo_claims)) } + + /// Like verify_authorization_code(), but returns claims as serde_json::Value + pub fn verify_authorization_code_simple( + &self, + code: &str, + private_auth_state: &PrivateAuthState, + ) -> Result<Value, Error> { + + let (id_token_claims, userinfo_claims) = self.verify_authorization_code(&code, &private_auth_state)?; + + let mut data = serde_json::to_value(id_token_claims)?; + + let data2 = serde_json::to_value(userinfo_claims)?; + + if let Some(map) = data2.as_object() { + for (key, value) in map { + if data[key] != Value::Null { + continue; // already set + } + data[key] = value.clone(); + } + } + + Ok(data) + } } -- 2.30.2 ^ permalink raw reply [flat|nested] 8+ messages in thread
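Review bot: the merge loop in `verify_authorization_code_simple` gives ID-token claims precedence and lets UserInfo fill only keys that are `Null`, which is the right direction (the ID token is signature- and nonce-verified, UserInfo is only bound to the access token), but that precedence rule is what makes the configurable `username-claim` in proxmox-backup safe to use and deserves a doc comment on the function instead of the bare "Like verify_authorization_code()". Two smaller points: `CoreIdTokenClaims` carries no additional claims, so a non-standard claim that the provider puts only in the ID token never reaches the result, while the same claim from UserInfo does via `GenericClaims`, which is an asymmetry callers should know about; and `self.verify_authorization_code(&code, &private_auth_state)` re-borrows arguments that are already references (clippy `needless_borrow`).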
* [pbs-devel] [PATCH proxmox-openid-rs 4/5] allow to configure prompt behaviour 2021-08-06 7:17 [pbs-devel] [PATCH proxmox-openid-rs 1/5] allow to configure used scopes Dietmar Maurer ` (3 preceding siblings ...) 2021-08-06 7:17 ` [pbs-devel] [PATCH proxmox-openid-rs 3/5] new helper verify_authorization_code_simple() Dietmar Maurer @ 2021-08-06 7:17 ` Dietmar Maurer 2021-08-06 7:17 ` [pbs-devel] [PATCH proxmox-openid-rs 5/5] bump version to 0.7.0-1 Dietmar Maurer 5 siblings, 0 replies; 8+ messages in thread From: Dietmar Maurer @ 2021-08-06 7:17 UTC (permalink / raw) To: pbs-devel And do not set it by default. --- src/lib.rs | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/src/lib.rs b/src/lib.rs index 5d8b758..555e5ad 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -45,7 +45,7 @@ impl AdditionalClaims for GenericClaims {} pub type GenericUserInfoClaims = UserInfoClaims<GenericClaims, CoreGenderClaim>; - #[derive(Debug, Deserialize, Serialize, Clone)] +#[derive(Debug, Deserialize, Serialize, Clone)] pub struct OpenIdConfig { pub issuer_url: String, pub client_id: String, @@ -53,6 +53,8 @@ pub struct OpenIdConfig { pub client_key: Option<String>, #[serde(skip_serializing_if="Option::is_none")] pub scopes: Option<Vec<String>>, + #[serde(skip_serializing_if="Option::is_none")] + pub prompt: Option<String>, } pub struct OpenIdAuthenticator { 
@@ -148,7 +150,24 @@ impl OpenIdAuthenticator { request = request.set_display(CoreAuthDisplay::Page); - request = request.add_prompt(CoreAuthPrompt::Login); + match self.config.prompt.as_deref() { + None => { /* nothing */ }, + Some("none") => { + request = request.add_prompt(CoreAuthPrompt::None); + } + Some("login") => { + request = request.add_prompt(CoreAuthPrompt::Login); + } + Some("consent") => { + request = request.add_prompt(CoreAuthPrompt::Consent); + } + Some("select_account") => { + request = request.add_prompt(CoreAuthPrompt::SelectAccount); + } + Some(extension) => { + request = request.add_prompt(CoreAuthPrompt::Extension(extension.into())); + } + } if let Some(ref scopes) = self.config.scopes { for scope in scopes.clone() { -- 2.30.2 ^ permalink raw reply [flat|nested] 8+ messages in thread
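Review bot: in the `match self.config.prompt.as_deref()` hunk the `Some(extension)` arm forwards any string, including an empty one, to the provider as an extension prompt, so a misspelled value is only diagnosed by the identity provider; since the `prompt` parameter is also what proxmox-backup stores unvalidated, rejecting unknown values here (or exposing an enum instead of `String`) would give one place that fails early. Sending a single value keeps the code clear of the rule that `none` must not be combined with other prompt values, which is worth a comment so a future "support multiple prompts" change does not break it.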
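Review bot: the struct hunk adds `prompt: Option<String>` to `OpenIdConfig` without a doc comment, and the commit message's "do not set it by default" is a behaviour change for every existing caller: 0.6.1 always sent `prompt=login`, so a browser with a live session at the identity provider now logs in without being asked for credentials again. A `///` line on the field listing the accepted values and stating that `None` sends no `prompt` parameter would document both.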
* [pbs-devel] [PATCH proxmox-openid-rs 5/5] bump version to 0.7.0-1 2021-08-06 7:17 [pbs-devel] [PATCH proxmox-openid-rs 1/5] allow to configure used scopes Dietmar Maurer ` (4 preceding siblings ...) 2021-08-06 7:17 ` [pbs-devel] [PATCH proxmox-openid-rs 4/5] allow to configure prompt behaviour Dietmar Maurer @ 2021-08-06 7:17 ` Dietmar Maurer 5 siblings, 0 replies; 8+ messages in thread From: Dietmar Maurer @ 2021-08-06 7:17 UTC (permalink / raw) To: pbs-devel --- Cargo.toml | 2 +- debian/changelog | 12 ++++++++++++ debian/control | 8 ++++---- 3 files changed, 17 insertions(+), 5 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index fc839c2..ed41091 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "proxmox-openid" -version = "0.6.1" +version = "0.7.0" authors = ["Dietmar Maurer <dietmar@proxmox.com>"] edition = "2018" license = "AGPL-3" diff --git a/debian/changelog b/debian/changelog index 2e0baf4..0b400a5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +rust-proxmox-openid (0.7.0-1) unstable; urgency=medium + + * allow to configure prompt behaviour + + * new helper verify_authorization_code_simple() + + * also return data from UserInfo endpoint + + * allow to configure used scopes + + -- Proxmox Support Team <support@proxmox.com> Fri, 06 Aug 2021 08:07:12 +0200 + rust-proxmox-openid (0.6.1-1) unstable; urgency=medium * depend on proxmox 0.12.0 diff --git a/debian/control b/debian/control index 297a1bb..44c5a18 100644 --- a/debian/control +++ b/debian/control 
@@ -41,10 +41,10 @@ Provides: librust-proxmox-openid+default-dev (= ${binary:Version}), librust-proxmox-openid-0-dev (= ${binary:Version}), librust-proxmox-openid-0+default-dev (= ${binary:Version}), - librust-proxmox-openid-0.6-dev (= ${binary:Version}), - librust-proxmox-openid-0.6+default-dev (= ${binary:Version}), - librust-proxmox-openid-0.6.1-dev (= ${binary:Version}), - librust-proxmox-openid-0.6.1+default-dev (= ${binary:Version}) + librust-proxmox-openid-0.7-dev (= ${binary:Version}), + librust-proxmox-openid-0.7+default-dev (= ${binary:Version}), + librust-proxmox-openid-0.7.0-dev (= ${binary:Version}), + librust-proxmox-openid-0.7.0+default-dev (= ${binary:Version}) Description: Rust crate "proxmox-openid" - Rust source code This package contains the source for the Rust proxmox-openid crate, packaged by debcargo for use with cargo and dh-cargo. -- 2.30.2 ^ permalink raw reply [flat|nested] 8+ messages in thread
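Review bot: the debian/changelog hunk lists the four features but not the two changes that break callers moving up from 0.6.1: `verify_authorization_code()` now returns `(CoreIdTokenClaims, GenericUserInfoClaims)` instead of `CoreIdTokenClaims` (2/5), and `prompt=login` is no longer sent unless configured (4/5). A line for each would spare downstream packagers a surprise when rebuilding against 0.7.0.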
* [pbs-devel] [PATCH proxmox-openid-rs v2 1/6] allow to configure used scopes @ 2021-08-06 11:57 Dietmar Maurer 2021-08-06 11:57 ` [pbs-devel] [PATCH pve-rs] depend on proxmox-openid 0.7.0, bump version to 0.3.0 Dietmar Maurer 0 siblings, 1 reply; 8+ messages in thread From: Dietmar Maurer @ 2021-08-06 11:57 UTC (permalink / raw) To: pbs-devel --- src/lib.rs | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/src/lib.rs b/src/lib.rs index 72bcd31..dcd08dd 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -34,16 +34,19 @@ use openidconnect::{ Scope, }; -#[derive(Debug, Deserialize, Serialize)] +#[derive(Debug, Deserialize, Serialize, Clone)] pub struct OpenIdConfig { pub issuer_url: String, pub client_id: String, #[serde(skip_serializing_if="Option::is_none")] pub client_key: Option<String>, + #[serde(skip_serializing_if="Option::is_none")] + pub scopes: Option<Vec<String>>, } pub struct OpenIdAuthenticator { client: CoreClient, + config: OpenIdConfig, } #[derive(Debug, Deserialize, Serialize)] @@ -111,6 +114,7 @@ impl OpenIdAuthenticator { Ok(Self { client, + config: config.clone(), }) } 
@@ -123,18 +127,25 @@ impl OpenIdAuthenticator { store_auth_state(Path::new(state_dir), realm, &private_auth_state)?; // Generate the authorization URL to which we'll redirect the user. - let (authorize_url, _csrf_state, _nonce) = self.client + let mut request = self.client .authorize_url( CoreAuthenticationFlow::AuthorizationCode, || CsrfToken::new(public_auth_state), || nonce, ) - .set_display(CoreAuthDisplay::Page) - .add_prompt(CoreAuthPrompt::Login) - .add_scope(Scope::new("email".to_string())) - .add_scope(Scope::new("profile".to_string())) - .set_pkce_challenge(private_auth_state.pkce_challenge()) - .url(); + .set_pkce_challenge(private_auth_state.pkce_challenge()); + + request = request.set_display(CoreAuthDisplay::Page); + + request = request.add_prompt(CoreAuthPrompt::Login); + + if let Some(ref scopes) = self.config.scopes { + for scope in scopes.clone() { + request = request.add_scope(Scope::new(scope)); + } + } + + let (authorize_url, _csrf_state, _nonce) = request.url(); Ok(authorize_url.to_string()) } -- 2.30.2 ^ permalink raw reply [flat|nested] 8+ messages in thread
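Review bot: this v2 posting of 1/6 is byte-identical to the earlier 1/5 (same `index 72bcd31..dcd08dd` and same hunks), so the earlier remark still applies: with `scopes` left at `None` the `authorize_url` hunk no longer requests `email`/`profile`, and the v2 series should carry a short note on what changed versus v1 so reviewers know which of the six patches to re-read.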
* [pbs-devel] [PATCH pve-rs] depend on proxmox-openid 0.7.0, bump version to 0.3.0 2021-08-06 11:57 [pbs-devel] [PATCH proxmox-openid-rs v2 1/6] allow to configure used scopes Dietmar Maurer @ 2021-08-06 11:57 ` Dietmar Maurer 0 siblings, 0 replies; 8+ messages in thread From: Dietmar Maurer @ 2021-08-06 11:57 UTC (permalink / raw) To: pbs-devel --- Cargo.toml | 2 +- debian/changelog | 8 ++++++++ src/openid/mod.rs | 2 +- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 736bc49..ef8c27c 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -20,5 +20,5 @@ anyhow = "1.0" proxmox = { version = "0.12.1", default-features = false } perlmod = { version = "0.5.2", features = [ "exporter" ] } proxmox-apt = "0.6.0" -proxmox-openid = "0.6.1" +proxmox-openid = "0.7.0" serde = "1.0" diff --git a/debian/changelog b/debian/changelog index b247a35..33ab4a6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +libpve-rs-perl (0.3.0) bullseye; urgency=medium + + * depend on proxmox-openid 0.7.0 (support prompt an d scopes) + + * openid: use new verify_authorization_code_simple() to return all claims + + -- Proxmox Support Team <support@proxmox.com> Fri, 06 Aug 2021 08:48:59 +0200 + libpve-rs-perl (0.2.3) bullseye; urgency=medium * use newer dependencies for apt to improve repo+suite handling diff --git a/src/openid/mod.rs b/src/openid/mod.rs index febe927..aa31f9c 100644 --- a/src/openid/mod.rs +++ b/src/openid/mod.rs @@ -81,7 +81,7 @@ mod export { ) -> Result<Value, Error> { let open_id = this.inner.lock().unwrap(); - let claims = open_id.verify_authorization_code(code, &private_auth_state)?; + let claims = open_id.verify_authorization_code_simple(code, &private_auth_state)?; Ok(to_value(&claims)?) } -- 2.30.2 ^ permalink raw reply [flat|nested] 8+ messages in thread
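Review bot: this repost is identical to the earlier pve-rs patch (same `index` lines for all three files), so the debian/changelog typo "an d" and the open question of where `prompt` and `scopes` are populated for `OpenIdConfig` still stand.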