From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 4C5341FF174 for ; Mon, 2 Sep 2024 10:05:36 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 945D3368DF; Mon, 2 Sep 2024 10:05:49 +0200 (CEST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725209720; x=1725814520; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=9Zjlj9uhFXUFHBzuAt4XGSTJZNzdCunb9snrDF4Qd0Q=; b=IGMx7Rld90UsnDoASr+gYGAF5/9LWfDRs6XzYasusRPDkNb9T1Yzn1T6gAr7I52gDN wRSTC0zvYUk1Za75a555Qr6fTd0cRNyKElhxgXS+4j5gGQsQq5wpmtX6N93vmivWY+5j KVhuZLwqq7BCQWhM/uQcfcRQB7bvUDmxNY9y3NYBKzJBZWiZOeanZYDB3u/D3RoYPyQl BxmaheJZTvF1hWrPo3CytysGeCQLDXh9CJzoSS0CvMEO2XLwW85gWLI6O2OqzuuKli87 GULJXUwfuUHdzUvNrl1dSHuJE44mlwmq5pgagojnp3ofADRYfLot8EqNvg2GFCZ6DeOo 7Czw== X-Gm-Message-State: AOJu0YylcWq1YhqRwJZkMF14QN0JgFRqunietyTzdCsQRIezlkJdKQkj Pn6QWKIoa2eY9vfSmnjuy1Gsd8DvaaEGP9GJzbyfQngiCjncgrc/UFyE9A== X-Google-Smtp-Source: AGHT+IGyjPK0v0QQUm/+VJUm0n9K1S9/vXl5nz4s+09EHBNS+JvUtET8EaYshOFdwbX+orYBoL7O6A== X-Received: by 2002:a05:690c:6208:b0:6d6:7c9a:bf58 with SMTP id 00721157ae682-6d67c9ad60bmr24177397b3.28.1725209720058; Sun, 01 Sep 2024 09:55:20 -0700 (PDT) From: Thomas Skinner To: pve-devel@lists.proxmox.com Date: Sun, 1 Sep 2024 11:55:08 -0500 Message-Id: <20240901165512.687801-1-thomas@atskinner.net> X-Mailer: git-send-email 2.39.2 MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.001 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy FREEMAIL_FORGED_FROMDOMAIN 0.001 2nd level domains in From and EnvelopeFrom freemail headers are different FREEMAIL_FROM 0.001 Sender email is commonly abused enduser mail provider HEADER_FROM_DIFFERENT_DOMAINS 0.25 From and EnvelopeFrom 2nd level mail domains are different KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_MSPIKE_H2 -0.001 Average reputation (+2) RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - X-Mailman-Approved-At: Mon, 02 Sep 2024 10:05:47 +0200 Subject: [pve-devel] [PATCH SERIES openid/access-control/docs/manager] fix #4411: add support for openid groups X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Cc: Thomas Skinner Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" This patch series adds support for groups for OpenID logins. The following options are implemented: - Configurable claim for retrieving a list of groups and adding them to the user in PVE - Allowing "synchronization" of groups on login by overriding groups assigned to the user in PVE (this option is off by default) - Replacing invalid characters in group names with a configurable valid characters (by default, this is an underscore '_') The logic implemented by this patch expects the groups claim in the ID token/userinfo endpoint to send a list of groups. This patch also adds support for using additional claims from the OpenID provider by exposing all additional claims and their values from the ID token (previously only available for the userinfo endpoint). This is necessary for OpenID providers that do not support additional information in the userinfo endpoint. proxmox/proxmox-openid: Thomas Skinner (1): fix #4411: openid: add library code for openid groups support proxmox-openid/src/lib.rs | 55 +++++++++++++++++++++++++++++++++------ 1 file changed, 47 insertions(+), 8 deletions(-) pve-access-control: Thomas Skinner (1): fix #4411: openid: add logic for openid groups support src/PVE/API2/OpenId.pm | 32 ++++++++++++++++++++++++++++++++ src/PVE/Auth/OpenId.pm | 21 +++++++++++++++++++++ 2 files changed, 53 insertions(+) pve-docs: Thomas Skinner (1): fix #4411: openid: add docs for openid groups support api-viewer/apidata.js | 40 ++++++++++++++++++++++++++++++++++++++++ pveum.adoc | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 72 insertions(+) pve-manager: Thomas Skinner (1): fix #4411: openid: add ui config for openid groups support www/manager6/dc/AuthEditOpenId.js | 35 ++++++++++++++++++++++++++++--- 1 file changed, 32 insertions(+), 3 deletions(-) -- 2.39.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel