From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
by lore.proxmox.com (Postfix) with ESMTPS id 4C5341FF174
for <inbox@lore.proxmox.com>; Mon, 2 Sep 2024 10:05:36 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
by firstgate.proxmox.com (Proxmox) with ESMTP id 945D3368DF;
Mon, 2 Sep 2024 10:05:49 +0200 (CEST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1725209720; x=1725814520;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=9Zjlj9uhFXUFHBzuAt4XGSTJZNzdCunb9snrDF4Qd0Q=;
b=IGMx7Rld90UsnDoASr+gYGAF5/9LWfDRs6XzYasusRPDkNb9T1Yzn1T6gAr7I52gDN
wRSTC0zvYUk1Za75a555Qr6fTd0cRNyKElhxgXS+4j5gGQsQq5wpmtX6N93vmivWY+5j
KVhuZLwqq7BCQWhM/uQcfcRQB7bvUDmxNY9y3NYBKzJBZWiZOeanZYDB3u/D3RoYPyQl
BxmaheJZTvF1hWrPo3CytysGeCQLDXh9CJzoSS0CvMEO2XLwW85gWLI6O2OqzuuKli87
GULJXUwfuUHdzUvNrl1dSHuJE44mlwmq5pgagojnp3ofADRYfLot8EqNvg2GFCZ6DeOo
7Czw==
X-Gm-Message-State: AOJu0YylcWq1YhqRwJZkMF14QN0JgFRqunietyTzdCsQRIezlkJdKQkj
Pn6QWKIoa2eY9vfSmnjuy1Gsd8DvaaEGP9GJzbyfQngiCjncgrc/UFyE9A==
X-Google-Smtp-Source: AGHT+IGyjPK0v0QQUm/+VJUm0n9K1S9/vXl5nz4s+09EHBNS+JvUtET8EaYshOFdwbX+orYBoL7O6A==
X-Received: by 2002:a05:690c:6208:b0:6d6:7c9a:bf58 with SMTP id
00721157ae682-6d67c9ad60bmr24177397b3.28.1725209720058;
Sun, 01 Sep 2024 09:55:20 -0700 (PDT)
From: Thomas Skinner <thomas@atskinner.net>
To: pve-devel@lists.proxmox.com
Date: Sun, 1 Sep 2024 11:55:08 -0500
Message-Id: <20240901165512.687801-1-thomas@atskinner.net>
X-Mailer: git-send-email 2.39.2
MIME-Version: 1.0
X-SPAM-LEVEL: Spam detection results: 0
AWL 0.001 Adjusted score from AWL reputation of From: address
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
DMARC_MISSING 0.1 Missing DMARC policy
FREEMAIL_FORGED_FROMDOMAIN 0.001 2nd level domains in From and EnvelopeFrom
freemail headers are different
FREEMAIL_FROM 0.001 Sender email is commonly abused enduser mail provider
HEADER_FROM_DIFFERENT_DOMAINS 0.25 From and EnvelopeFrom 2nd level mail
domains are different
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
RCVD_IN_MSPIKE_H2 -0.001 Average reputation (+2)
RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
Validity was blocked. See
https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
information.
RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
Validity was blocked. See
https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
information.
RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
Validity was blocked. See
https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
information.
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_PASS -0.001 SPF: sender matches SPF record
T_SCC_BODY_TEXT_LINE -0.01 -
X-Mailman-Approved-At: Mon, 02 Sep 2024 10:05:47 +0200
Subject: [pve-devel] [PATCH SERIES openid/access-control/docs/manager] fix
#4411: add support for openid groups
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>,
<mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>,
<mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Cc: Thomas Skinner <thomas@atskinner.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pve-devel-bounces@lists.proxmox.com
Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com>
This patch series adds support for groups for OpenID logins.
The following options are implemented:
- Configurable claim for retrieving a list of groups and adding them to the
user in PVE
- Allowing "synchronization" of groups on login by overriding groups assigned
to the user in PVE (this option is off by default)
- Replacing invalid characters in group names with a configurable valid characters
(by default, this is an underscore '_')
The logic implemented by this patch expects the groups claim in the ID token/userinfo
endpoint to send a list of groups.
This patch also adds support for using additional claims from the OpenID provider
by exposing all additional claims and their values from the ID token (previously
only available for the userinfo endpoint). This is necessary for OpenID providers
that do not support additional information in the userinfo endpoint.
proxmox/proxmox-openid:
Thomas Skinner (1):
fix #4411: openid: add library code for openid groups support
proxmox-openid/src/lib.rs | 55 +++++++++++++++++++++++++++++++++------
1 file changed, 47 insertions(+), 8 deletions(-)
pve-access-control:
Thomas Skinner (1):
fix #4411: openid: add logic for openid groups support
src/PVE/API2/OpenId.pm | 32 ++++++++++++++++++++++++++++++++
src/PVE/Auth/OpenId.pm | 21 +++++++++++++++++++++
2 files changed, 53 insertions(+)
pve-docs:
Thomas Skinner (1):
fix #4411: openid: add docs for openid groups support
api-viewer/apidata.js | 40 ++++++++++++++++++++++++++++++++++++++++
pveum.adoc | 32 ++++++++++++++++++++++++++++++++
2 files changed, 72 insertions(+)
pve-manager:
Thomas Skinner (1):
fix #4411: openid: add ui config for openid groups support
www/manager6/dc/AuthEditOpenId.js | 35 ++++++++++++++++++++++++++++---
1 file changed, 32 insertions(+), 3 deletions(-)
--
2.39.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel