From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 7E4861FF163 for ; Thu, 10 Oct 2024 10:45:58 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 9875114EB5; Thu, 10 Oct 2024 10:46:26 +0200 (CEST) Date: Thu, 10 Oct 2024 10:46:24 +0200 From: Christoph Heiss To: Markus Frank Message-ID: <5xxbewb4dkunzplue4zak5je66xx6ijxln73be2klwoohqtbdy@ce54bee3l6fi> References: <20240624090850.4683-1-m.frank@proxmox.com> <20240624090850.4683-5-m.frank@proxmox.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20240624090850.4683-5-m.frank@proxmox.com> X-SPAM-LEVEL: Spam detection results: 0 AWL 0.030 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pmg-devel] [PATCH pmg-api v3 4/8] config: add plugin system for realms & add openid type realms X-BeenThere: pmg-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Mail Gateway development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: pmg-devel@lists.proxmox.com Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pmg-devel-bounces@lists.proxmox.com Sender: "pmg-devel" On Mon, Jun 24, 2024 at 11:08:46AM GMT, Markus Frank wrote: [..] > diff --git a/src/PMG/Auth/OIDC.pm b/src/PMG/Auth/OIDC.pm > new file mode 100755 > index 0000000..3bb758b > --- /dev/null > +++ b/src/PMG/Auth/OIDC.pm > @@ -0,0 +1,99 @@ > +package PMG::Auth::OIDC; >From the looks of it, this module is basically just a 1:1 copy of pve-access-control/src/PVE/Auth/OpenId.pm, right? Would it make sense to re-use that instead of duplicating it? Or are there any differences that would make it rather cumbersome? Also FWIW w.r.t the naming, you seem to switch between "OIDC" and "OpenId" completely random. Everywhere else (i.e. PVE, PBS) we just call it "OpenID" (or "OpenId" for modules/structs). Sticking to one naming scheme for consistency sake might be good. > + > +use strict; > +use warnings; > + > +use PVE::Tools; > +use PMG::Auth::Plugin; > + > +use base qw(PMG::Auth::Plugin); > + > +sub type { > + return 'oidc'; > +} > + > +sub properties { > + return { > + 'issuer-url' => { > + description => "OpenID Connect Issuer Url", > + type => 'string', > + maxLength => 256, > + }, > + 'client-id' => { > + description => "OpenID Connect Client ID", > + type => 'string', > + maxLength => 256, > + }, > + 'client-key' => { > + description => "OpenID Connect Client Key", > + type => 'string', > + optional => 1, > + maxLength => 256, > + }, > + autocreate => { > + description => "Automatically create users if they do not exist.", > + optional => 1, > + type => 'boolean', > + default => 0, > + }, > + 'username-claim' => { > + description => "OpenID Connect claim used to generate the unique username.", > + type => 'string', > + optional => 1, > + }, > + prompt => { > + description => "Specifies whether the Authorization Server prompts the End-User for" > + ." reauthentication and consent.", > + type => 'string', > + pattern => '(?:none|login|consent|select_account|\S+)', # \S+ is the extension variant > + optional => 1, > + }, > + scopes => { > + description => "Specifies the scopes (user details) that should be authorized and" > + ." returned, for example 'email' or 'profile'.", > + type => 'string', # format => 'some-safe-id-list', # FIXME: TODO > + default => "email profile", > + optional => 1, > + }, > + 'acr-values' => { > + description => "Specifies the Authentication Context Class Reference values that the" > + ."Authorization Server is being requested to use for the Auth Request.", > + type => 'string', # format => 'some-safe-id-list', # FIXME: TODO > + optional => 1, > + }, > + default => { > + description => "Use this as default realm", > + type => 'boolean', > + optional => 1, > + }, > + comment => { > + description => "Description.", > + type => 'string', > + optional => 1, > + maxLength => 4096, > + }, > + }; > +} > + > +sub options { > + return { > + 'issuer-url' => {}, > + 'client-id' => {}, > + 'client-key' => { optional => 1 }, > + autocreate => { optional => 1 }, > + 'username-claim' => { optional => 1, fixed => 1 }, > + prompt => { optional => 1 }, > + scopes => { optional => 1 }, > + 'acr-values' => { optional => 1 }, > + default => { optional => 1 }, > + comment => { optional => 1 }, > + }; > +} > + > +sub authenticate_user { > + my ($class, $config, $realm, $username, $password) = @_; > + > + die "OpenID realm does not allow password verification.\n"; > +} > + > +1; _______________________________________________ pmg-devel mailing list pmg-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel