public inbox for pmg-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: Christoph Heiss <c.heiss@proxmox.com>
To: Markus Frank <m.frank@proxmox.com>
Cc: pmg-devel@lists.proxmox.com
Subject: Re: [pmg-devel] [PATCH pmg-api v3 4/8] config: add plugin system for realms & add openid type realms
Date: Thu, 10 Oct 2024 10:46:24 +0200	[thread overview]
Message-ID: <5xxbewb4dkunzplue4zak5je66xx6ijxln73be2klwoohqtbdy@ce54bee3l6fi> (raw)
In-Reply-To: <20240624090850.4683-5-m.frank@proxmox.com>

On Mon, Jun 24, 2024 at 11:08:46AM GMT, Markus Frank wrote:
[..]
> diff --git a/src/PMG/Auth/OIDC.pm b/src/PMG/Auth/OIDC.pm
> new file mode 100755
> index 0000000..3bb758b
> --- /dev/null
> +++ b/src/PMG/Auth/OIDC.pm
> @@ -0,0 +1,99 @@
> +package PMG::Auth::OIDC;

From the looks of it, this module is basically just a 1:1 copy of
pve-access-control/src/PVE/Auth/OpenId.pm, right?

Would it make sense to re-use that instead of duplicating it? Or are
there any differences that would make it rather cumbersome?

Also FWIW w.r.t the naming, you seem to switch between "OIDC" and
"OpenId" completely random. Everywhere else (i.e. PVE, PBS) we just call
it "OpenID" (or "OpenId" for modules/structs). Sticking to one naming
scheme for consistency sake might be good.

> +
> +use strict;
> +use warnings;
> +
> +use PVE::Tools;
> +use PMG::Auth::Plugin;
> +
> +use base qw(PMG::Auth::Plugin);
> +
> +sub type {
> +    return 'oidc';
> +}
> +
> +sub properties {
> +    return {
> +	'issuer-url' => {
> +	    description => "OpenID Connect Issuer Url",
> +	    type => 'string',
> +	    maxLength => 256,
> +	},
> +	'client-id' => {
> +	    description => "OpenID Connect Client ID",
> +	    type => 'string',
> +	    maxLength => 256,
> +	},
> +	'client-key' => {
> +	    description => "OpenID Connect Client Key",
> +	    type => 'string',
> +	    optional => 1,
> +	    maxLength => 256,
> +	},
> +	autocreate => {
> +	    description => "Automatically create users if they do not exist.",
> +	    optional => 1,
> +	    type => 'boolean',
> +	    default => 0,
> +	},
> +	'username-claim' => {
> +	    description => "OpenID Connect claim used to generate the unique username.",
> +	    type => 'string',
> +	    optional => 1,
> +	},
> +	prompt => {
> +	    description => "Specifies whether the Authorization Server prompts the End-User for"
> +	        ." reauthentication and consent.",
> +	    type => 'string',
> +	    pattern => '(?:none|login|consent|select_account|\S+)', # \S+ is the extension variant
> +	    optional => 1,
> +	},
> +	scopes => {
> +	    description => "Specifies the scopes (user details) that should be authorized and"
> +	        ." returned, for example 'email' or 'profile'.",
> +	    type => 'string', # format => 'some-safe-id-list', # FIXME: TODO
> +	    default => "email profile",
> +	    optional => 1,
> +	},
> +	'acr-values' => {
> +	    description => "Specifies the Authentication Context Class Reference values that the"
> +		."Authorization Server is being requested to use for the Auth Request.",
> +	    type => 'string', # format => 'some-safe-id-list', # FIXME: TODO
> +	    optional => 1,
> +	},
> +	default => {
> +	    description => "Use this as default realm",
> +	    type => 'boolean',
> +	    optional => 1,
> +	},
> +	comment => {
> +	    description => "Description.",
> +	    type => 'string',
> +	    optional => 1,
> +	    maxLength => 4096,
> +	},
> +   };
> +}
> +
> +sub options {
> +    return {
> +	'issuer-url' => {},
> +	'client-id' => {},
> +	'client-key' => { optional => 1 },
> +	autocreate => { optional => 1 },
> +	'username-claim' => { optional => 1, fixed => 1 },
> +	prompt => { optional => 1 },
> +	scopes => { optional => 1 },
> +	'acr-values' => { optional => 1 },
> +	default => { optional => 1 },
> +	comment => { optional => 1 },
> +    };
> +}
> +
> +sub authenticate_user {
> +    my ($class, $config, $realm, $username, $password) = @_;
> +
> +    die "OpenID realm does not allow password verification.\n";
> +}
> +
> +1;


_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel


  reply	other threads:[~2024-10-10  8:45 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-06-24  9:08 [pmg-devel] [PATCH pve-common/proxmox-perl-rs/pmg-api/pmg-gui v3 0/8] fix #3892: OpenID Markus Frank
2024-06-24  9:08 ` [pmg-devel] [PATCH pve-common v3 1/8] add Schema package with auth module that contains realm sync options Markus Frank
2024-06-24  9:08 ` [pmg-devel] [PATCH proxmox-perl-rs v3 2/8] move openid code from pve-rs to common Markus Frank
2024-10-09 11:30   ` Christoph Heiss
2024-06-24  9:08 ` [pmg-devel] [PATCH proxmox-perl-rs v3 3/8] remove empty PMG::RS::OpenId package to avoid confusion Markus Frank
2024-06-24  9:08 ` [pmg-devel] [PATCH pmg-api v3 4/8] config: add plugin system for realms & add openid type realms Markus Frank
2024-10-10  8:46   ` Christoph Heiss [this message]
2024-10-18 12:07   ` Christoph Heiss
2024-06-24  9:08 ` [pmg-devel] [PATCH pmg-api v3 5/8] api: add/update/remove realms like in PVE Markus Frank
2024-06-24  9:08 ` [pmg-devel] [PATCH pmg-api v3 6/8] api: openid login similar to PVE Markus Frank
2024-06-24  9:08 ` [pmg-devel] [PATCH pmg-gui v3 7/8] login: add OpenID realms Markus Frank
2024-06-24  9:08 ` [pmg-devel] [PATCH pmg-gui v3 8/8] add panel for realms to User Management Markus Frank
2024-10-09 11:30 ` [pmg-devel] [PATCH pve-common/proxmox-perl-rs/pmg-api/pmg-gui v3 0/8] fix #3892: OpenID Christoph Heiss

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5xxbewb4dkunzplue4zak5je66xx6ijxln73be2klwoohqtbdy@ce54bee3l6fi \
    --to=c.heiss@proxmox.com \
    --cc=m.frank@proxmox.com \
    --cc=pmg-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal