[PATCH proxmox-backup v5 26/27] notifications: add OAuth2 section to SMTP targets docs

[Arthur Bied-Charreton <a.bied-charreton@proxmox.com>]

Document the new SMTP notification target options, especially that:

1. User intervention is required for initial setup, and

2. Microsoft OAuth2 apps *must not* be configured as SPAs by the user,
   since it would prevent PBS from automatically extending the refresh
   token's lifetime.

Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
---
 docs/notifications.rst | 89 +++++++++++++++++++++++++++++++++++++++++-
 www/OnlineHelpInfo.js  |  8 ++++
 2 files changed, 96 insertions(+), 1 deletion(-)

diff --git a/docs/notifications.rst b/docs/notifications.rst
index 440c700a..60b23b5b 100644
--- a/docs/notifications.rst
+++ b/docs/notifications.rst
@@ -69,6 +69,94 @@ address will be used.
 
 See :ref:`notifications.cfg` for all configuration options.
 
+.. _notification_targets_smtp_oauth2:
+
+OAuth2 Authentication
+"""""""""""""""""""""
+
+Proxmox Backup Server supports OAuth2 authentication for SMTP targets via the
+XOAUTH2 mechanism. This is currently available for Google and Microsoft mail
+providers.
+
+Creating an OAuth2 Application
+''''''''''''''''''''''''''''''
+
+Before configuring OAuth2 in Proxmox Backup Server, you must register an OAuth2
+application with your mail provider:
+
+* `Google <https://developers.google.com/identity/protocols/oauth2/web-server>`_
+* `Microsoft Entra ID <https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app>`_
+
+Choose **Web application** as application type.
+
+During registration, add a redirect URI pointing to the Proxmox Backup Server
+web interface URL from which you will perform the authorization flow, for
+example:
+
+* ``https://pbs1.example.com:8007``
+* ``https://localhost:8007``
+
+You can add multiple redirect URIs to allow the authorization flow to work from
+any node.
+
+.. NOTE:: Google does not allow bare IP addresses as redirect URIs. If you need
+   to work around this, specify a dummy domain as the redirect URI and make sure
+   your local machine resolves it to the proper IP address (by, for example,
+   adding a line to ``/etc/hosts``).
+
+Configuring OAuth2 in Proxmox Backup Server
+'''''''''''''''''''''''''''''''''''''''''''
+
+In the web UI, open the notification target's edit panel and select
+``OAuth2 (Google)`` or ``OAuth2 (Microsoft)`` as the authentication method.
+Fill in the client ID and secret. For Microsoft, also fill in the tenant ID.
+
+Click **Authorize**. This opens a new window where you can sign in with your
+mail provider and grant the requested permissions. On success, a refresh token
+is obtained and stored.
+
+.. NOTE:: For OAuth2 targets, the configured ``from-address`` is also used as
+   the SMTP authentication identity, so it must match the mailbox authorized
+   with the provider.
+
+Token refresh happens automatically, at least once every 24 hours. If the token
+expires due to extended downtime or is revoked, you will need to re-authorize
+the endpoint: Open the notification target's edit panel, fill in your client
+secret, and click **Authorize** again.
+
+.. NOTE:: OAuth2 cannot be configured through direct configuration file
+   editing. Use the web interface, or alternatively ``proxmox-backup-manager``,
+   to configure OAuth2 targets. Note that when using ``proxmox-backup-manager``,
+   you are responsible for providing the initial refresh token.
+
+::
+
+    proxmox-backup-manager notification endpoint smtp create oauth2-smtp    \
+        --server smtp.example.com                                           \
+        --from-address from@example.com                                       \
+        --mailto-user root@pam                                              \
+        --auth-method google-oauth2                                         \
+        --oauth2-client-id <client ID>                                      \
+        --oauth2-client-secret <client secret>                              \
+        --oauth2-refresh-token <refresh token>
+
+For Microsoft, use ``--auth-method microsoft-oauth2`` and add
+``--oauth2-tenant-id <tenant ID>``.
+
+.. _notification_targets_smtp_oauth2_microsoft:
+
+Microsoft
+'''''''''
+
+.. WARNING:: For Microsoft, the application must **not** be registered as a
+   Single-Page Application (SPA). Proxmox Backup Server requires long-lived
+   refresh tokens, and Microsoft does not allow extending the lifetime of
+   refresh tokens granted for SPAs.
+
+Register your OAuth2 application as a standard **Web** application in the
+Entra admin center. In addition to the client ID and secret, you will also
+need the **tenant ID** from your application registration.
+
 .. _notification_targets_gotify:
 
 Gotify
@@ -417,4 +505,3 @@ Counter Threshold    Description and Usage
 ``s3-download``      Amount of bytes downloaded from the S3 endpoint,
                      independent of request method.
 ==================== ==========================================================
-
diff --git a/www/OnlineHelpInfo.js b/www/OnlineHelpInfo.js
index e118b0ad..f10d5924 100644
--- a/www/OnlineHelpInfo.js
+++ b/www/OnlineHelpInfo.js
@@ -251,6 +251,14 @@ const proxmoxOnlineHelpInfo = {
     "link": "/docs/notifications.html#notification-targets-smtp",
     "title": "SMTP"
   },
+  "notification-targets-smtp-oauth2": {
+    "link": "/docs/notifications.html#notification-targets-smtp-oauth2",
+    "title": "OAuth2 Authentication"
+  },
+  "notification-targets-smtp-oauth2-microsoft": {
+    "link": "/docs/notifications.html#notification-targets-smtp-oauth2-microsoft",
+    "title": "Microsoft"
+  },
   "notification-targets-gotify": {
     "link": "/docs/notifications.html#notification-targets-gotify",
     "title": "Gotify"
-- 
2.47.3