* [pmg-devel] [PATCH pmg-api/pmg-gui v4 0/3] add default realm option and OIDC configuration panel
From: Markus Frank @ 2025-03-19 13:29 UTC (permalink / raw)
To: pmg-devel
v4:
* removed the default value of the realm field in the LoginView so that
the default realm is automatically selected.
v3:
* Patch 1/3 and 2/3 are new and allow the user to set the default realm.
* see more v3 changes in Patch 3/3
pmg-api:
Markus Frank (1):
Auth Plugin: stop forcing the default realm to be the pmg realm
src/PMG/Auth/Plugin.pm | 2 --
1 file changed, 2 deletions(-)
pmg-gui:
Markus Frank (2):
realms: enable default realm support
add OIDC configuration panel for PMG
js/AuthEditOIDC.js | 244 +++++++++++++++++++++++++++++++++++++++++++
js/LoginView.js | 1 -
js/Makefile | 1 +
js/UserManagement.js | 1 +
js/Utils.js | 17 +--
5 files changed, 257 insertions(+), 7 deletions(-)
create mode 100644 js/AuthEditOIDC.js
--
2.39.5
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
* [pmg-devel] [PATCH pmg-api v4 1/3] Auth Plugin: stop forcing the default realm to be the pmg realm
From: Markus Frank @ 2025-03-19 13:29 UTC (permalink / raw)
To: pmg-devel
This allows a different realm to be set as the default.
Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
no changes in v4
src/PMG/Auth/Plugin.pm | 2 --
1 file changed, 2 deletions(-)
diff --git a/src/PMG/Auth/Plugin.pm b/src/PMG/Auth/Plugin.pm
index 9268a49..5969911 100755
--- a/src/PMG/Auth/Plugin.pm
+++ b/src/PMG/Auth/Plugin.pm
@@ -144,8 +144,6 @@ sub parse_config {
$cfg->{ids}->{pmg}->{type} = 'pmg'; # force type
$cfg->{ids}->{pmg}->{comment} = "Proxmox Mail Gateway authentication server"
if !$cfg->{ids}->{pmg}->{comment};
- $cfg->{ids}->{pmg}->{default} = 1
- if !$cfg->{ids}->{pmg}->{default};
$cfg->{ids}->{pam}->{type} = 'pam'; # force type
$cfg->{ids}->{pam}->{comment} = "Linux PAM standard authentication"
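Review bot: with the forced `default = 1` on the pmg realm gone, nothing left in this hunk guarantees that any realm carries the `default` flag in a config where an admin never set one; the surrounding code still forces only `type` and `comment`. Either state in the commit message that a config without a default realm is valid and the login view handles that case, or keep a last-resort fallback here (pmg gets `default = 1` only when no other realm has it). The hunk also does not show whether `parse_config` rejects two realms both marked `default`, which becomes more likely now that the GUI can flag pam and pmg as well.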
--
2.39.5
* [pmg-devel] [PATCH pmg-gui v4 2/3] realms: enable default realm support
From: Markus Frank @ 2025-03-19 13:29 UTC (permalink / raw)
To: pmg-devel
Allow PAM and PMG realms to be edited and set as default. To make the
login view reflect the default realm setting, the value of the realm
field is removed.
Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
v4:
* removed the default value of the realm field in the LoginView so that
the default realm is automatically selected.
* changed commit message
js/LoginView.js | 1 -
js/UserManagement.js | 1 +
js/Utils.js | 16 ++++++++++------
3 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/js/LoginView.js b/js/LoginView.js
index 67940ed..cb7e43f 100644
--- a/js/LoginView.js
+++ b/js/LoginView.js
@@ -374,7 +374,6 @@ Ext.define('PMG.LoginView', {
reference: 'realmfield',
name: 'realm',
baseUrl: '/access/auth-realm',
- value: 'pam',
},
{
xtype: 'proxmoxLanguageSelector',
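Review bot: removing `value: 'pam'` leaves the realm field with no initial value whenever no realm is flagged `default` and nothing is cached in the browser; the hunk does not show what the realm combobox does in that case. Please confirm that it falls back to a sane entry (for example the first realm returned by `/access/auth-realm`) rather than letting the login form submit an empty `realm`, and mention that behaviour in the commit message, since the pmg-api patch in this series removes the server-side guarantee that some realm is default.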
diff --git a/js/UserManagement.js b/js/UserManagement.js
index f6ada1b..79d1e3f 100644
--- a/js/UserManagement.js
+++ b/js/UserManagement.js
@@ -40,6 +40,7 @@ Ext.define('PMG.UserManagement', {
itemId: 'realms',
baseUrl: '/access/auth-realm',
storeBaseUrl: '/access/auth-realm',
+ showDefaultRealm: true,
iconCls: 'fa fa-address-book-o',
},
],
diff --git a/js/Utils.js b/js/Utils.js
index d4a55a8..aa17d83 100644
--- a/js/Utils.js
+++ b/js/Utils.js
@@ -877,12 +877,16 @@ Ext.define('PMG.Utils', {
Proxmox.Schema.authDomains.ldap.add = false;
Proxmox.Schema.authDomains.ad.add = false;
- Proxmox.Schema.authDomains.pam.edit = false;
- Proxmox.Schema.authDomains.pmg = {
- add: false,
- edit: false,
- sync: false,
- };
+ Proxmox.Schema.overrideAuthDomains({
+ pmg: {
+ name: 'Proxmox Mail Gateway authentication server',
+ ipanel: 'pmxAuthSimplePanel',
+ add: false,
+ edit: true,
+ pwchange: true,
+ sync: false,
+ },
+ });
// do whatever you want here
Proxmox.Utils.override_task_descriptions({
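Review bot: the removed `Proxmox.Schema.authDomains.pam.edit = false` has no explicit replacement: the `overrideAuthDomains` call touches only `pmg`, so PAM becomes editable purely through widget-toolkit's defaults. That matches the commit message, but a one-line comment above the call saying that `pam` intentionally keeps the toolkit defaults would save the next reader a lookup. Also, `pwchange: true` on the pmg realm is a behaviour change (password changes for pmg realm users) that the commit message does not mention; it should be listed there.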
--
2.39.5
* [pmg-devel] [PATCH pmg-gui v4 3/3] add OIDC configuration panel for PMG
From: Markus Frank @ 2025-03-19 13:29 UTC (permalink / raw)
To: pmg-devel
AuthEditOIDC.js is based on AuthEditOpenId from widget-toolkit and
adds additional configuration options for autocreate-role-assignment.
Use sub/preferred_username for username-claim instead of the old names
(subject/username/email) because subject and username do not exist in
the current OpenID Connect specifications and the email option is
incompatible with the username scheme.
Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
no changes in v4
js/AuthEditOIDC.js | 244 +++++++++++++++++++++++++++++++++++++++++++++
js/Makefile | 1 +
js/Utils.js | 1 +
3 files changed, 246 insertions(+)
create mode 100644 js/AuthEditOIDC.js
diff --git a/js/AuthEditOIDC.js b/js/AuthEditOIDC.js
new file mode 100644
index 0000000..ad6683f
--- /dev/null
+++ b/js/AuthEditOIDC.js
@@ -0,0 +1,244 @@
+Ext.define('PMG.OIDCInputPanel', {
+ extend: 'Proxmox.panel.InputPanel',
+ xtype: 'pmgAuthOIDCPanel',
+ mixins: ['Proxmox.Mixin.CBind'],
+
+ type: 'oidc',
+
+ viewModel: {
+ data: {
+ roleSource: '__default__',
+ autocreate: 0,
+ },
+ formulas: {
+ hideFixedRoleAssignment: function(get) {
+ return get('roleSource') !== 'fixed' || !get('autocreate');
+ },
+ hideClaimRoleAssignment: function(get) {
+ return get('roleSource') !== 'from-claim' || !get('autocreate');
+ },
+ },
+ },
+
+ onGetValues: function(values) {
+ let me = this;
+
+ if (me.isCreate && !me.useTypeInUrl) {
+ values.type = me.type;
+ }
+
+ let autocreateRoleAssignment = {};
+ if (values.source) {
+ autocreateRoleAssignment.source = values.source;
+ }
+ if (values.source === 'fixed') {
+ autocreateRoleAssignment['fixed-role'] = values['fixed-role'];
+ } else if (values.source === 'from-claim') {
+ autocreateRoleAssignment['role-claim'] = values['role-claim'];
+ }
+ values['autocreate-role-assignment'] = Proxmox.Utils.printPropertyString(autocreateRoleAssignment);
+ Proxmox.Utils.delete_if_default(values, 'autocreate-role-assignment', '', me.isCreate);
+
+ delete values.source;
+ delete values['fixed-role'];
+ delete values['role-claim'];
+
+ return values;
+ },
+
+ setValues: function(values) {
+ let autocreateRoleAssignment =
+ Proxmox.Utils.parsePropertyString(values['autocreate-role-assignment']);
+
+ values.source = autocreateRoleAssignment.source ?? '__default__';
+
+ if (autocreateRoleAssignment.source === 'fixed') {
+ values['fixed-role'] = autocreateRoleAssignment['fixed-role'];
+ }
+ if (autocreateRoleAssignment.source === 'from-claim') {
+ values['role-claim'] = autocreateRoleAssignment['role-claim'];
+ }
+
+ this.callParent(arguments);
+ },
+
+
+ columnT: [
+ {
+ xtype: 'textfield',
+ name: 'issuer-url',
+ fieldLabel: gettext('Issuer URL'),
+ allowBlank: false,
+ },
+ ],
+
+ column1: [
+ {
+ xtype: 'pmxDisplayEditField',
+ name: 'realm',
+ cbind: {
+ value: '{realm}',
+ editable: '{isCreate}',
+ },
+ fieldLabel: gettext('Realm'),
+ allowBlank: false,
+ },
+ {
+ xtype: 'proxmoxcheckbox',
+ fieldLabel: gettext('Default realm'),
+ name: 'default',
+ value: 0,
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ autoEl: {
+ tag: 'div',
+ 'data-qtip': gettext('Set realm as default for login'),
+ },
+ },
+ {
+ xtype: 'proxmoxtextfield',
+ fieldLabel: gettext('Client ID'),
+ name: 'client-id',
+ allowBlank: false,
+ },
+ {
+ xtype: 'proxmoxtextfield',
+ fieldLabel: gettext('Client Key'),
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ name: 'client-key',
+ },
+ ],
+
+ column2: [
+ {
+ xtype: 'pmxDisplayEditField',
+ name: 'username-claim',
+ fieldLabel: gettext('Username Claim'),
+ editConfig: {
+ xtype: 'proxmoxKVComboBox',
+ editable: true,
+ comboItems: [
+ ['__default__', Proxmox.Utils.defaultText],
+ ['sub', gettext('sub (subject)')],
+ ['preferred_username', gettext('preferred_username')],
+ ],
+ },
+ cbind: {
+ value: get => get('isCreate') ? '__default__' : Proxmox.Utils.defaultText,
+ deleteEmpty: '{!isCreate}',
+ editable: '{isCreate}',
+ },
+ },
+ {
+ xtype: 'proxmoxtextfield',
+ name: 'scopes',
+ fieldLabel: gettext('Scopes'),
+ emptyText: `${Proxmox.Utils.defaultText} (email profile)`,
+ submitEmpty: false,
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ },
+ {
+ xtype: 'proxmoxKVComboBox',
+ name: 'prompt',
+ fieldLabel: gettext('Prompt'),
+ editable: true,
+ emptyText: gettext('Auth-Provider Default'),
+ comboItems: [
+ ['__default__', gettext('Auth-Provider Default')],
+ ['none', 'none'],
+ ['login', 'login'],
+ ['consent', 'consent'],
+ ['select_account', 'select_account'],
+ ],
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ },
+ ],
+
+ columnB: [
+ {
+ xtype: 'proxmoxtextfield',
+ name: 'comment',
+ fieldLabel: gettext('Comment'),
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ },
+ {
+ xtype: 'displayfield',
+ value: gettext('Autocreate Options'),
+ },
+ {
+ xtype: 'proxmoxcheckbox',
+ fieldLabel: gettext('Autocreate Users'),
+ name: 'autocreate',
+ bind: {
+ value: '{autocreate}',
+ },
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ },
+ {
+ xtype: 'proxmoxKVComboBox',
+ name: 'source',
+ fieldLabel: gettext('Source for Role Assignment'),
+ allowBlank: false,
+ deleteEmpty: false,
+ comboItems: [
+ [
+ '__default__',
+ Proxmox.Utils.defaultText
+ + ' (' + gettext('All auto-created users get audit role') + ')',
+ ],
+ ['fixed', gettext('Fixed role for all auto-created users')],
+ ['from-claim', gettext('Get role from OIDC claim')],
+ ],
+ bind: {
+ value: '{roleSource}',
+ disabled: '{!autocreate}',
+ hidden: '{!autocreate}',
+ },
+ },
+ {
+ xtype: 'pmgRoleSelector',
+ name: 'fixed-role',
+ allowBlank: false,
+ deleteEmpty: false,
+ fieldLabel: gettext('Fixed Role'),
+ bind: {
+ disabled: '{hideFixedRoleAssignment}',
+ hidden: '{hideFixedRoleAssignment}',
+ },
+ },
+ {
+ xtype: 'proxmoxtextfield',
+ name: 'role-claim',
+ allowBlank: false,
+ deleteEmpty: false,
+ fieldLabel: gettext('Role Claim'),
+ bind: {
+ disabled: '{hideClaimRoleAssignment}',
+ hidden: '{hideClaimRoleAssignment}',
+ },
+ },
+ ],
+
+ advancedColumnB: [
+ {
+ xtype: 'proxmoxtextfield',
+ name: 'acr-values',
+ fieldLabel: gettext('ACR Values'),
+ submitEmpty: false,
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ },
+ ],
+});
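Review bot: the `client-key` field is a plain `proxmoxtextfield`, so the OIDC client secret is rendered in clear text in the edit dialog for as long as it is open; consider adding `inputType: 'password'` to that field so the secret is masked like other credentials, without changing the `deleteEmpty` cbind. Two smaller points in the same file: `onGetValues` only works because `proxmoxKVComboBox` omits `__default__` from its submit data, otherwise `if (values.source)` would serialize `source=__default__` into `autocreate-role-assignment`, so a short comment next to that check would document the assumption; and there is a stray double blank line between `setValues` and `columnT`.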
diff --git a/js/Makefile b/js/Makefile
index d1fab9b..c984bf3 100644
--- a/js/Makefile
+++ b/js/Makefile
@@ -78,6 +78,7 @@ JSSRC= \
LDAPConfig.js \
UserEdit.js \
UserView.js \
+ AuthEditOIDC.js \
TFAView.js \
FetchmailEdit.js \
FetchmailView.js \
diff --git a/js/Utils.js b/js/Utils.js
index aa17d83..d563483 100644
--- a/js/Utils.js
+++ b/js/Utils.js
@@ -871,6 +871,7 @@ Ext.define('PMG.Utils', {
// use oidc instead of openid
Proxmox.Schema.authDomains.oidc = Proxmox.Schema.authDomains.openid;
Proxmox.Schema.authDomains.oidc.useTypeInUrl = false;
+ Proxmox.Schema.authDomains.oidc.ipanel = 'pmgAuthOIDCPanel';
delete Proxmox.Schema.authDomains.openid;
// Disable LDAP/AD as a realm until LDAP/AD login is implemented
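Review bot: `Proxmox.Schema.authDomains.oidc` is the same object as `authDomains.openid` (assigned by reference two lines above), so setting `ipanel` here also rewrites `openid` until it is deleted on the following line. Harmless, but a shallow copy such as `Proxmox.Schema.authDomains.oidc = { ...Proxmox.Schema.authDomains.openid, useTypeInUrl: false, ipanel: 'pmgAuthOIDCPanel' };` would make the intent explicit and collapse the three in-place mutations into one statement.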
--
2.39.5
* Re: [pmg-devel] [PATCH pmg-api/pmg-gui v4 0/3] add default realm option and OIDC configuration panel
From: Christoph Heiss @ 2025-03-20 9:36 UTC (permalink / raw)
To: Markus Frank; +Cc: pmg-devel
Tested this with an up-to-date Keycloak.
Checked that upon first login of users, they get assigned the correct
role - for both fixed role assignments and from an OIDC claim.
Also made sure that the default realm selector works as intended - after
clearing `localStorage`, the correct default realm is shown.
W.r.t. patch #3: Extending the `AuthEditOpenId` panel from
proxmox-widget-toolkit would probably be more work than it's worth,
FWICS? No hard feelings from my side, looking at the required changes,
just that duplicating mostly-similar code is always a bit of a PITA, if it
can be avoided.
And there isn't any documentation about the role assignment feature yet,
right? That should be done too, although a separate patch would be
enough too IMO, in case you don't respin this series.
Just a short explanation and mentioning the available values for the
role assignment from an OIDC claim.
In any case, please consider this series:
Tested-by: Christoph Heiss <c.heiss@proxmox.com>
Reviewed-by: Christoph Heiss <c.heiss@proxmox.com>
On Wed Mar 19, 2025 at 2:29 PM CET, Markus Frank wrote:
> v4:
> * removed the default value of the realm field in the LoginView so that
> the default realm is automatically selected.
>
> v3:
> * Patch 1/3 and 2/3 are new and allow the user to set the default realm.
> * see more v3 changes in Patch 3/3
>
>
> pmg-api:
>
> Markus Frank (1):
> Auth Plugin: stop forcing the default realm to be the pmg realm
>
> src/PMG/Auth/Plugin.pm | 2 --
> 1 file changed, 2 deletions(-)
>
>
>
> pmg-gui:
>
> Markus Frank (2):
> realms: enable default realm support
> add OIDC configuration panel for PMG
>
> js/AuthEditOIDC.js | 244 +++++++++++++++++++++++++++++++++++++++++++
> js/LoginView.js | 1 -
> js/Makefile | 1 +
> js/UserManagement.js | 1 +
> js/Utils.js | 17 +--
> 5 files changed, 257 insertions(+), 7 deletions(-)
> create mode 100644 js/AuthEditOIDC.js
* Re: [pmg-devel] [PATCH pmg-api/pmg-gui v4 0/3] add default realm option and OIDC configuration panel
From: Thomas Lamprecht @ 2025-03-26 7:41 UTC (permalink / raw)
To: Christoph Heiss, Markus Frank; +Cc: pmg-devel
On 20.03.25 at 10:36, Christoph Heiss wrote:
> W.r.t. patch #3: Extending the `AuthEditOpenId` panel from
> proxmox-widget-toolkit would probably be more work than it's worth,
> FWICS? No hard feelings from my side, looking at the required changes,
> just that duplicating mostly-similar code is always a bit of a PITA, if it
> can be avoided.
It's a trade-off and IME coupling is a much bigger and active PITA than
having some code duplicated.
I think we should consider moving bigger widgets to common libraries
like widget-toolkit on a case-by-case basis to ensure it actually brings
a net benefit and not lots of edge cases that are all relevant only for
a specific implementation in a product and need to be chained through
multiple components.
Note that I do not propose that we should not share anything, but rather
prioritize sharing the smaller building blocks like fields and keep the
bigger ones that are only used once or twice in a product and just use
these smaller building blocks to create a local copy that targets the
specific capabilities of the product. Or, if two products not only use
basically the same backend but also share feature/implementation goals
then share between them but keep a dedicated local implementation for
another UI for a different product instead of adding chained-through
edge cases to the common implementation.
Anyway, this is definitely something that needs a rather nuanced view
and where there often is no very clear answer, but when integrating
Markus' OIDC implementation in PMG I noticed quite some friction
stemming from using the common bigger components.
> And there isn't any documentation about the role assignment feature yet,
> right? That should be done too, although a separate patch would be
> enough too IMO, in case you don't respin this series.
Yeah, that would be nice to have.
> Just a short explanation and mentioning the available values for the
> role assignment from an OIDC claim.
>
> In any case, please consider this series:
>
> Tested-by: Christoph Heiss <c.heiss@proxmox.com>
> Reviewed-by: Christoph Heiss <c.heiss@proxmox.com>