* [PATCH widget-toolkit v6 1/3] fix #5076: ui: dc: add an optional "audiences" field for open id realms
2026-06-09 12:22 [PATCH many v6 0/3] fix #5076: add support for open id audiences Shannon Sterz
@ 2026-06-09 12:22 ` Shannon Sterz
2026-06-09 12:22 ` [PATCH pmg-api v6 2/3] fix #5076: auth: openid: add support for an optional "audiences" field Shannon Sterz
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Shannon Sterz @ 2026-06-09 12:22 UTC
To: pmg-devel
allows users to configure additional open id audiences that may be
provided by the open id realm.
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
Notes:
applying this should be fine now, pbs is the only real user here and
the backend already supports this feature as of eadde76c7c (fix #5076:
api: support audiences property for open id realms)
https://git.proxmox.com/?p=proxmox-backup.git;a=commitdiff;h=eadde76c7cc4b58722306224a80ad309e0f892ee
src/window/AuthEditOpenId.js | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/window/AuthEditOpenId.js b/src/window/AuthEditOpenId.js
index c850019..d70b77b 100644
--- a/src/window/AuthEditOpenId.js
+++ b/src/window/AuthEditOpenId.js
@@ -148,5 +148,14 @@ Ext.define('Proxmox.panel.OpenIDInputPanel', {
deleteEmpty: '{!isCreate}',
},
},
+ {
+ xtype: 'proxmoxtextfield',
+ name: 'audiences',
+ fieldLabel: gettext('Audiences'),
+ submitEmpty: false,
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ },
],
});
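Review bot: the new `audiences` text field gives no indication of what a valid value looks like or how several audiences are separated, although the label is plural and the value is submitted as a single string. An `emptyText` hint or a short tooltip naming the separator would spare users a round trip to the API error. Since the commit note says pbs is the only real user of this panel, the hint should match what that backend accepts.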
--
2.47.3
* [PATCH pmg-api v6 2/3] fix #5076: auth: openid: add support for an optional "audiences" field
From: Shannon Sterz @ 2026-06-09 12:22 UTC
To: pmg-devel
adds an optional "audiences" field to the open id configuration
schema. "audiences" is a list of additionally accepted audiences that
an open id provider may include.
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
src/PMG/API2/OIDC.pm | 4 ++++
src/PMG/Auth/OIDC.pm | 9 +++++++++
2 files changed, 13 insertions(+)
diff --git a/src/PMG/API2/OIDC.pm b/src/PMG/API2/OIDC.pm
index 7ea8f8c..f6fbe63 100644
--- a/src/PMG/API2/OIDC.pm
+++ b/src/PMG/API2/OIDC.pm
@@ -46,6 +46,10 @@ my $lookup_oidc_auth = sub {
$oidc_config->{acr_values} = [PVE::Tools::split_list($acr)];
}
+ if (defined(my $audiences = $config->{'audiences'})) {
+ $oidc_config->{audiences} = [PVE::Tools::split_list($audiences)];
+ }
+
my $oidc = Proxmox::RS::OIDC->discover($oidc_config, $redirect_url);
return ($config, $oidc);
};
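Review bot: the `split_list($audiences)` call in the new `if` block can only ever receive a single audience as the series stands, because the `audiences` property added to src/PMG/Auth/OIDC.pm in this same patch validates against `qr/^[a-zA-Z0-9._:-]+$/`, which contains no comma, semicolon or whitespace. Either the schema pattern should admit a separator or the split here is redundant; a realm configured with two audiences would be worth testing before this is applied. Minor style point: `$config->{'audiences'}` quotes the hash key while `$oidc_config->{audiences}` on the next line does not.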
diff --git a/src/PMG/Auth/OIDC.pm b/src/PMG/Auth/OIDC.pm
index be57afb..993466e 100755
--- a/src/PMG/Auth/OIDC.pm
+++ b/src/PMG/Auth/OIDC.pm
@@ -129,6 +129,14 @@ sub properties {
pattern => qr/^[a-zA-Z0-9._:-]+$/,
optional => 1,
},
+ 'audiences' => {
+ description =>
+ "A list of audiences that the OpenID Issuer may include that are accepted in "
+ . "addition to 'client-id'.",
+ type => 'string', # format => 'some-safe-id-list', # FIXME: TODO
+ pattern => qr/^[a-zA-Z0-9._:-]+$/,
+ optional => 1,
+ },
};
}
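Review bot: the description of the new `audiences` property promises "A list of audiences", but the property is added with `# FIXME: TODO` in place of a list `format` and a `pattern` that matches one token only. Defining the list format here (or a pattern that allows the separator) would resolve both. The character class also has no `/`, so an audience written as a URL is rejected by the schema; if that restriction is intended, the description should say so.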
@@ -144,6 +152,7 @@ sub options {
prompt => { optional => 1 },
scopes => { optional => 1 },
'acr-values' => { optional => 1 },
+ audiences => { optional => 1 },
default => { optional => 1 },
comment => { optional => 1 },
};
--
2.47.3
* [PATCH pmg-gui v6 3/3] fix #5076: auth edit open id: add an optional audiences field
From: Shannon Sterz @ 2026-06-09 12:22 UTC
To: pmg-devel
allows users to configure additional open id audiences that may be
provided by the open id realm.
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
js/AuthEditOIDC.js | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/js/AuthEditOIDC.js b/js/AuthEditOIDC.js
index d5daec5..2692ae0 100644
--- a/js/AuthEditOIDC.js
+++ b/js/AuthEditOIDC.js
@@ -244,5 +244,14 @@ Ext.define('PMG.OIDCInputPanel', {
deleteEmpty: '{!isCreate}',
},
},
+ {
+ xtype: 'proxmoxtextfield',
+ name: 'audiences',
+ fieldLabel: gettext('Audiences'),
+ submitEmpty: false,
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ },
],
});
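Review bot: the `audiences` field added here has no client-side validation, while the pmg-api schema in 2/3 only accepts values matching `^[a-zA-Z0-9._:-]+$`, so an entry containing a space, a comma or `/` fails only on submit. Consider giving the field the same pattern, or at least an `emptyText` example of a valid value. The nine lines are also identical to the field added to `Proxmox.panel.OpenIDInputPanel` in 1/3; if the two panels are meant to stay in step, a note in the commit message would help future edits.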
--
2.47.3
* partially-applied: [PATCH many v6 0/3] fix #5076: add support for open id audiences
From: Stoiko Ivanov @ 2026-06-09 13:17 UTC
To: Shannon Sterz; +Cc: pmg-devel
Thanks for tackling this and the quick iteration!
I applied the patch for pmg-api (2/3) and for pmg-gui (3/3):
[2/3] fix #5076: auth: openid: add support for an optional "audiences" field
commit: 7b72b62dfbb68e36133b1eac50d37579fe011e67
[3/3] fix #5076: auth edit open id: add an optional audiences field
commit: c13eadb0814dc95894ce79ada90961d7f1cbbe2b
On Tue, 9 Jun 2026 14:22:11 +0200
Shannon Sterz <s.sterz@proxmox.com> wrote:
> this series adapts the original patch series by Alexander Abraham [1]. below is
> the text of the original cover letter:
>
> > fix #5076: Added Open ID audiences
> >
> > This series adds support for handling Open ID audiences as described in bug
> > #5076. PVE's API schema was updated to accept an optional field, an array of
> > strings and the Rust code was also updated to accordingly handle any incoming
> > audiences and compare them to the realm config's audiences. In the realm
> > dialogue for adding an Open ID realm, a new field titled "Audiences" was added
> > so that users can save any audiences in their realm domains config file.
>
> essentially, some open id providers such as zitadel [2] may provide additional
> audiences that their id tokens are valid for instead of just the client id.
> these patches allow setting such additional audiences. if an audience that is
> not explicitly allowed is encountered, the id token is rejected as before.
>
> Changelog
> ---------
>
> changes since v5:
>
> * fix up an issue affecting the pmg patches regarding a false variable name
> (thanks @ Stoiko Ivanov)
> * drop patches that have already been applied
>
> changes since v4:
>
> * add patches to support audiences in proxmox-backup and
> proxmox-datacenter-manager as well
> * instead of the api type and configs taking an array, it will now take a string
> that is a list of audiences. this is more consistent with other parameters
> here.
> * rebased on current master.
>
> changes since v3:
>
> * rebased on current master
> * see the list of changes made by Shannon Sterz specified in each commit message
>
> [1]: https://lore.proxmox.com/pve-devel/20250603091256.40923-1-a.abraham@proxmox.com/
> [2]: https://zitadel.com/
>
>
> widget-toolkit:
>
> Shannon Sterz (1):
> fix #5076: ui: dc: add an optional "audiences" field for open id
> realms
>
> src/window/AuthEditOpenId.js | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
>
> pmg-api:
>
> Shannon Sterz (1):
> fix #5076: auth: openid: add support for an optional "audiences" field
>
> src/PMG/API2/OIDC.pm | 4 ++++
> src/PMG/Auth/OIDC.pm | 9 +++++++++
> 2 files changed, 13 insertions(+)
>
>
> pmg-api:
>
> Shannon Sterz (1):
> fix #5076: auth edit open id: add an optional audiences field
>
> js/AuthEditOIDC.js | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
>
> Summary over all repositories:
> 4 files changed, 31 insertions(+), 0 deletions(-)
>
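The audience rule described in the quoted cover letter, as an added example that is not part of this thread or of the Proxmox code base: the ID token's `aud` claim must contain the client id, and every other entry must be explicitly configured, otherwise the token is rejected. The function names, the separator set and the sample values (`pmg-client`, `project-1234`, `api.example`) are assumptions made for illustration.

```rust
use std::collections::HashSet;
use std::iter::once;

/// Split a configured "audiences" string into entries.
/// Assumption: entries are separated by commas, semicolons or whitespace.
fn parse_audiences(raw: &str) -> Vec<String> {
    raw.split(|c: char| c == ',' || c == ';' || c.is_whitespace())
        .filter(|s| !s.is_empty())
        .map(str::to_owned)
        .collect()
}

#[derive(Debug, PartialEq)]
enum AudError {
    Empty,
    ClientIdMissing,
    NotAllowed(String),
}

/// Check the `aud` claim of an ID token whose signature was already verified.
fn check_audiences(token_aud: &[&str], client_id: &str, extra: &[String]) -> Result<(), AudError> {
    if token_aud.is_empty() {
        return Err(AudError::Empty);
    }
    // OpenID Connect Core: the client must find its own client id in `aud`.
    if !token_aud.contains(&client_id) {
        return Err(AudError::ClientIdMissing);
    }
    // Allowed set = client id plus the realm's configured extra audiences.
    let allowed: HashSet<&str> = extra.iter().map(String::as_str).chain(once(client_id)).collect();
    // A single audience outside the allowed set rejects the whole token.
    for aud in token_aud {
        if !allowed.contains(aud) {
            return Err(AudError::NotAllowed(aud.to_string()));
        }
    }
    Ok(())
}

fn main() {
    // Constructed sample realm setting and token audiences.
    let extra = parse_audiences("project-1234, api.example");
    println!("{:?}", check_audiences(&["pmg-client", "project-1234"], "pmg-client", &extra));
    println!("{:?}", check_audiences(&["pmg-client", "other-app"], "pmg-client", &extra));
}
```

Leaving the extra list empty gives the stricter behaviour in which only the client id is accepted.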