Date: Thu, 10 Oct 2024 10:46:24 +0200
From: Christoph Heiss <c.heiss@proxmox.com>
To: Markus Frank <m.frank@proxmox.com>
Message-ID: <5xxbewb4dkunzplue4zak5je66xx6ijxln73be2klwoohqtbdy@ce54bee3l6fi>
References: <20240624090850.4683-1-m.frank@proxmox.com>
 <20240624090850.4683-5-m.frank@proxmox.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <20240624090850.4683-5-m.frank@proxmox.com>
Subject: Re: [pmg-devel] [PATCH pmg-api v3 4/8] config: add plugin system
 for realms & add openid type realms

On Mon, Jun 24, 2024 at 11:08:46AM GMT, Markus Frank wrote:
[..]
> diff --git a/src/PMG/Auth/OIDC.pm b/src/PMG/Auth/OIDC.pm
> new file mode 100755
> index 0000000..3bb758b
> --- /dev/null
> +++ b/src/PMG/Auth/OIDC.pm
> @@ -0,0 +1,99 @@
> +package PMG::Auth::OIDC;

From the looks of it, this module is basically just a 1:1 copy of
pve-access-control/src/PVE/Auth/OpenId.pm, right?

Would it make sense to re-use that instead of duplicating it? Or are
there any differences that would make it rather cumbersome?

Also FWIW w.r.t. the naming, you seem to switch between "OIDC" and
"OpenId" completely at random. Everywhere else (i.e. PVE, PBS) we just call
it "OpenID" (or "OpenId" for modules/structs). Sticking to one naming
scheme for consistency's sake might be good.

> +
> +use strict;
> +use warnings;
> +
> +use PVE::Tools;
> +use PMG::Auth::Plugin;
> +
> +use base qw(PMG::Auth::Plugin);
> +
> +sub type {
> +    return 'oidc';
> +}
> +
> +sub properties {
> +    return {
> +	'issuer-url' => {
> +	    description => "OpenID Connect Issuer Url",
> +	    type => 'string',
> +	    maxLength => 256,
> +	},
> +	'client-id' => {
> +	    description => "OpenID Connect Client ID",
> +	    type => 'string',
> +	    maxLength => 256,
> +	},
> +	'client-key' => {
> +	    description => "OpenID Connect Client Key",
> +	    type => 'string',
> +	    optional => 1,
> +	    maxLength => 256,
> +	},
> +	autocreate => {
> +	    description => "Automatically create users if they do not exist.",
> +	    optional => 1,
> +	    type => 'boolean',
> +	    default => 0,
> +	},
> +	'username-claim' => {
> +	    description => "OpenID Connect claim used to generate the unique username.",
> +	    type => 'string',
> +	    optional => 1,
> +	},
> +	prompt => {
> +	    description => "Specifies whether the Authorization Server prompts the End-User for"
> +	        ." reauthentication and consent.",
> +	    type => 'string',
> +	    pattern => '(?:none|login|consent|select_account|\S+)', # \S+ is the extension variant
> +	    optional => 1,
> +	},
> +	scopes => {
> +	    description => "Specifies the scopes (user details) that should be authorized and"
> +	        ." returned, for example 'email' or 'profile'.",
> +	    type => 'string', # format => 'some-safe-id-list', # FIXME: TODO
> +	    default => "email profile",
> +	    optional => 1,
> +	},
> +	'acr-values' => {
> +	    description => "Specifies the Authentication Context Class Reference values that the"
> +		."Authorization Server is being requested to use for the Auth Request.",
> +	    type => 'string', # format => 'some-safe-id-list', # FIXME: TODO
> +	    optional => 1,
> +	},
> +	default => {
> +	    description => "Use this as default realm",
> +	    type => 'boolean',
> +	    optional => 1,
> +	},
> +	comment => {
> +	    description => "Description.",
> +	    type => 'string',
> +	    optional => 1,
> +	    maxLength => 4096,
> +	},
> +   };
> +}
> +
> +sub options {
> +    return {
> +	'issuer-url' => {},
> +	'client-id' => {},
> +	'client-key' => { optional => 1 },
> +	autocreate => { optional => 1 },
> +	'username-claim' => { optional => 1, fixed => 1 },
> +	prompt => { optional => 1 },
> +	scopes => { optional => 1 },
> +	'acr-values' => { optional => 1 },
> +	default => { optional => 1 },
> +	comment => { optional => 1 },
> +    };
> +}
> +
> +sub authenticate_user {
> +    my ($class, $config, $realm, $username, $password) = @_;
> +
> +    die "OpenID realm does not allow password verification.\n";
> +}
> +
> +1;
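Review bot: `scopes` and `acr-values` are left as unconstrained `type => 'string'` with the format check deferred (`# format => 'some-safe-id-list', # FIXME: TODO`) and, unlike the other string properties in this file, without a `maxLength`; since their descriptions say these values are handed to the Authorization Server, the FIXME should be resolved, or at least a `maxLength` and a pattern limiting them to space-separated tokens added, before this goes in. Related, the `prompt` pattern `'(?:none|login|consent|select_account|\S+)'` makes its named alternatives redundant because the trailing `\S+` admits any single token, and since the schema anchors the pattern it still rejects a space-delimited list such as `login consent`, which OpenID Connect Core allows for `prompt`.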
