Re: [pve-devel] Groups for OpenID Connect?

Re: [pve-devel] Groups for OpenID Connect?

[Dietmar Maurer]

> However, is there any support for groups in OpenID Connect, or a similar concept?

In OpenID, it is possible to request "scopes" from the server, which can then send additional data (claims). 

But I am unsure if and how people use those system to manage groups. So what kind of OpenID server do you use, and how does it store the group information?

Re: [pve-devel] Groups for OpenID Connect?

[Victor Hooi]

Hi,

This endpoint here would be Google Workspace (i.e. Google's OIDC provider).

Currently, in the Proxmox LDAP sync - it translates Google Groups (in the
Google Workspace domain) into LDAP groups, which is what we want.

I'm not too familiar with the OIDC - I do know that Google Workspace has
it's own APIs to lookup group membership:

https://stackoverflow.com/questions/16601699/determine-whether-user-is-group-member

https://developers.google.com/admin-sdk/directory/v1/guides/manage-groups#get_all_member_groups

It sounds like that might have to be added into Proxmox, though?

Thanks,
Victor

On Fri, 24 Dec 2021 at 17:22, Dietmar Maurer <dietmar@proxmox.com> wrote:

> > However, is there any support for groups in OpenID Connect, or a similar
> concept?
>
> In OpenID, it is possible to request "scopes" from the server, which can
> then send additional data (claims).
>
> But I am unsure if and how people use those system to manage groups. So
> what kind of OpenID server do you use, and how does it store the group
> information?
>
>

Re: [pve-devel] Groups for OpenID Connect?

[Josef Per Johansson]

Hi,

I have started to look at authentik.io, seems quite nice.

Sent from Nine
________________________________
From: Dietmar Maurer <dietmar@proxmox.com>
Sent: Friday, 24 December 2021 07:28
To: Proxmox VE development discussion; Victor Hooi
Subject: Re: [pve-devel] Groups for OpenID Connect?


> However, is there any support for groups in OpenID Connect, or a similar concept?

In OpenID, it is possible to request "scopes" from the server, which can then send additional data (claims). 

But I am unsure if and how people use those system to manage groups. So what kind of OpenID server do you use, and how does it store the group information?


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] Groups for OpenID Connect?

[Dietmar Maurer]

> This endpoint here would be Google Workspace (i.e. Google's OIDC provider).
> 
> Currently, in the Proxmox LDAP sync - it translates Google Groups (in the Google Workspace domain) into LDAP groups, which is what we want.
> 
> I'm not too familiar with the OIDC - I do know that Google Workspace has it's own APIs to lookup group membership:

OIDC does not provide any snyc protocol, so this kind of thing is impossible.

[pve-devel] Groups for OpenID Connect?

[Victor Hooi]

Hi,

We were previously using LDAP sync to synchronise our Proxmox user/group
database against a Google Workspace test domain.

I noticed there's new OpenID Connect support now in Proxmox, which is super
exciting =).

However, is there any support for groups in OpenID Connect, or a similar
concept?

Thanks,
Victor