From: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
To: pve-devel@lists.proxmox.com, pbs-devel@lists.proxmox.com
Subject: [PATCH proxmox v5 06/27] notify: smtp: add API to exchange authorization code for refresh token
Date: Tue, 5 May 2026 10:32:27 +0200 [thread overview]
Message-ID: <20260505083248.36450-7-a.bied-charreton@proxmox.com> (raw)
In-Reply-To: <20260505083248.36450-1-a.bied-charreton@proxmox.com>
Expose a function in SMTP API to exchange the initial authorization
code for a refresh token, which can then be used by proxmox-notify to
keep requesting access tokens without requiring the user to
re-authorize.
Azure AD's "Web" client type rejects browser-originated token requests,
so this must run on the backend.
Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
---
proxmox-notify/src/api/smtp.rs | 48 +++++++++++++
proxmox-notify/src/endpoints/smtp.rs | 2 +-
proxmox-notify/src/endpoints/smtp/xoauth2.rs | 73 +++++++++++++++++++-
3 files changed, 120 insertions(+), 3 deletions(-)
diff --git a/proxmox-notify/src/api/smtp.rs b/proxmox-notify/src/api/smtp.rs
index d1482047..1797b8f8 100644
--- a/proxmox-notify/src/api/smtp.rs
+++ b/proxmox-notify/src/api/smtp.rs
@@ -1,8 +1,10 @@
+use oauth2::{AuthorizationCode, ClientId, ClientSecret, RedirectUrl};
use proxmox_http_error::HttpError;
use crate::api::{http_bail, http_err};
use crate::context::context;
use crate::endpoints::smtp::{
+ xoauth2::{exchange_google_code, exchange_microsoft_code},
DeleteableSmtpProperty, SmtpAuthMethod, SmtpConfig, SmtpConfigUpdater, SmtpPrivateConfig,
SmtpPrivateConfigUpdater, State, SMTP_TYPENAME,
};
@@ -223,6 +225,52 @@ pub fn update_endpoint(
})
}
+/// Exchange an OAuth2 authorization code for a refresh token.
+///
+/// `auth_method` selects the provider; `tenant_id` is required iff
+/// `auth_method == MicrosoftOAuth2`.
+///
+/// The exchange runs server-side because Azure AD's "Web" client type rejects
+/// browser-originated token requests.
+pub fn exchange_oauth2_code(
+ auth_method: SmtpAuthMethod,
+ client_id: String,
+ client_secret: String,
+ tenant_id: Option<String>,
+ authorization_code: String,
+ redirect_uri: String,
+) -> Result<String, HttpError> {
+ let client_id = ClientId::new(client_id);
+ let client_secret = ClientSecret::new(client_secret);
+ let code = AuthorizationCode::new(authorization_code);
+ let redirect_uri = RedirectUrl::new(redirect_uri)
+ .map_err(|e| http_err!(BAD_REQUEST, "invalid redirect-uri: {e}"))?;
+
+ match auth_method {
+ SmtpAuthMethod::GoogleOAuth2 => {
+ exchange_google_code(client_id, client_secret, code, redirect_uri)
+ .map_err(|e| http_err!(BAD_REQUEST, "{e}"))
+ }
+ SmtpAuthMethod::MicrosoftOAuth2 => {
+ let tenant = tenant_id.as_deref().ok_or_else(|| {
+ http_err!(BAD_REQUEST, "tenant-id is required for Microsoft OAuth2")
+ })?;
+ if tenant.is_empty()
+ || !tenant
+ .chars()
+ .all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '.')
+ {
+ http_bail!(BAD_REQUEST, "invalid tenant-id");
+ }
+ exchange_microsoft_code(client_id, client_secret, tenant, code, redirect_uri)
+ .map_err(|e| http_err!(BAD_REQUEST, "{e}"))
+ }
+ SmtpAuthMethod::Plain => {
+ http_bail!(BAD_REQUEST, "auth-method must be an OAuth2 method");
+ }
+ }
+}
+
/// Delete existing smtp endpoint
///
/// The caller is responsible for any needed permission checks.
diff --git a/proxmox-notify/src/endpoints/smtp.rs b/proxmox-notify/src/endpoints/smtp.rs
index 19b97113..74297969 100644
--- a/proxmox-notify/src/endpoints/smtp.rs
+++ b/proxmox-notify/src/endpoints/smtp.rs
@@ -23,7 +23,7 @@ const SMTP_SUBMISSION_STARTTLS_PORT: u16 = 587;
const SMTP_SUBMISSION_TLS_PORT: u16 = 465;
const SMTP_TIMEOUT: u16 = 5;
-mod xoauth2;
+pub(crate) mod xoauth2;
pub use xoauth2::State;
diff --git a/proxmox-notify/src/endpoints/smtp/xoauth2.rs b/proxmox-notify/src/endpoints/smtp/xoauth2.rs
index 78d90d24..095f7aae 100644
--- a/proxmox-notify/src/endpoints/smtp/xoauth2.rs
+++ b/proxmox-notify/src/endpoints/smtp/xoauth2.rs
@@ -1,8 +1,8 @@
use std::path::Path;
use oauth2::{
- basic::BasicClient, AccessToken, AuthUrl, ClientId, ClientSecret, RefreshToken, TokenResponse,
- TokenUrl,
+ basic::BasicClient, AccessToken, AuthUrl, AuthorizationCode, ClientId, ClientSecret,
+ RedirectUrl, RefreshToken, TokenResponse, TokenUrl,
};
use proxmox_http::{HttpOptions, ProxyConfig};
use serde::{Deserialize, Serialize};
@@ -206,6 +206,45 @@ pub(crate) fn get_microsoft_token(
})
}
+/// Exchange a Microsoft OAuth2 authorization code for a refresh token.
+///
+/// Azure AD's "Web" client-type rejects browser-originated token requests
+/// so this MUST run server-side regardless of where the auth popup was
+/// opened from.
+pub(crate) fn exchange_microsoft_code(
+ client_id: ClientId,
+ client_secret: ClientSecret,
+ tenant_id: &str,
+ code: AuthorizationCode,
+ redirect_uri: RedirectUrl,
+) -> Result<String, Error> {
+ let client = BasicClient::new(client_id)
+ .set_client_secret(client_secret)
+ .set_auth_uri(
+ AuthUrl::new(format!(
+ "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize"
+ ))
+ .map_err(|e| Error::Generic(format!("invalid auth URL: {e}")))?,
+ )
+ .set_token_uri(
+ TokenUrl::new(format!(
+ "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
+ ))
+ .map_err(|e| Error::Generic(format!("invalid token URL: {e}")))?,
+ )
+ .set_redirect_uri(redirect_uri);
+
+ let token_result = client
+ .exchange_code(code)
+ .request(&SyncHttpClient::new()?)
+ .map_err(|e| Error::Generic(format!("OAuth2 token exchange failed: {e}")))?;
+
+ token_result
+ .refresh_token()
+ .map(|t| t.secret().to_owned())
+ .ok_or_else(|| Error::Generic("token endpoint did not return a refresh token".into()))
+}
+
/// Perform a Google OAuth2 token exchange.
///
/// Google refresh tokens' TTL is extended at every use. As long as
@@ -239,3 +278,33 @@ pub(crate) fn get_google_token(
refresh_token: token_result.refresh_token().cloned(),
})
}
+
+/// Exchange a Google OAuth2 authorization code for a refresh token.
+pub(crate) fn exchange_google_code(
+ client_id: ClientId,
+ client_secret: ClientSecret,
+ code: AuthorizationCode,
+ redirect_uri: RedirectUrl,
+) -> Result<String, Error> {
+ let client = BasicClient::new(client_id)
+ .set_client_secret(client_secret)
+ .set_auth_uri(
+ AuthUrl::new("https://accounts.google.com/o/oauth2/v2/auth".into())
+ .map_err(|e| Error::Generic(format!("invalid auth URL: {e}")))?,
+ )
+ .set_token_uri(
+ TokenUrl::new("https://oauth2.googleapis.com/token".into())
+ .map_err(|e| Error::Generic(format!("invalid token URL: {e}")))?,
+ )
+ .set_redirect_uri(redirect_uri);
+
+ let token_result = client
+ .exchange_code(code)
+ .request(&SyncHttpClient::new()?)
+ .map_err(|e| Error::Generic(format!("OAuth2 token exchange failed: {e}")))?;
+
+ token_result
+ .refresh_token()
+ .map(|t| t.secret().to_owned())
+ .ok_or_else(|| Error::Generic("token endpoint did not return a refresh token".into()))
+}
--
2.47.3
next prev parent reply other threads:[~2026-05-05 8:32 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-05 8:32 [PATCH docs/manager/proxmox{,-perl-rs,-widget-toolkit,-backup} v5 00/27] fix #7238: Add XOAUTH2 authentication support for SMTP notification targets Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox v5 01/27] add oauth2 and ureq to workspace dependencies Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox v5 02/27] notify: smtp: introduce xoauth2 module Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox v5 03/27] notify: smtp: introduce state management Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox v5 04/27] notify: smtp: factor out transport building logic Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox v5 05/27] notify: smtp: update API with OAuth2 parameters Arthur Bied-Charreton
2026-05-05 8:32 ` Arthur Bied-Charreton [this message]
2026-05-05 8:32 ` [PATCH proxmox v5 07/27] notify: smtp: infer auth method for backwards compatibility Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox v5 08/27] notify: smtp: add state handling logic Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox v5 09/27] notify: smtp: add XOAUTH2 authentication support Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox-perl-rs v5 10/27] pve-rs: notify: smtp: add OAuth2 parameters to bindings Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox-perl-rs v5 11/27] pve-rs: notify: add binding for triggering state refresh Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox-perl-rs v5 12/27] pve-rs: notify: add binding for initial OAuth2 refresh token exchange Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox-widget-toolkit v5 13/27] utils: add OAuth2 flow handlers Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox-widget-toolkit v5 14/27] utils: oauth2: add callback handler Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox-widget-toolkit v5 15/27] notifications: add opt-in OAuth2 support for SMTP targets Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH pve-manager v5 16/27] notifications: smtp: api: add XOAUTH2 parameters Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH pve-manager v5 17/27] notifications: add endpoint for initial OAuth2 refresh token exchange Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH pve-manager v5 18/27] pveupdate: refresh notification targets' OAuth2 state Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH pve-manager v5 19/27] login: handle OAuth2 callback Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH pve-manager v5 20/27] fix #7238: notifications: smtp: add XOAUTH2 support Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox-backup v5 21/27] notifications: add XOAUTH2 parameters to endpoints Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox-backup v5 22/27] notifications: add endpoint for initial OAuth2 refresh token exchange Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox-backup v5 23/27] login: handle OAuth2 callback Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox-backup v5 24/27] fix #7238: notifications: smtp: add XOAUTH2 support Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox-backup v5 25/27] daily-update: refresh OAuth2 state for SMTP notification endpoints Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox-backup v5 26/27] notifications: add OAuth2 section to SMTP targets docs Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH pve-docs v5 27/27] " Arthur Bied-Charreton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260505083248.36450-7-a.bied-charreton@proxmox.com \
--to=a.bied-charreton@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox