From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 985631FF170 for ; Mon, 2 Sep 2024 10:05:57 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 37D1536970; Mon, 2 Sep 2024 10:05:51 +0200 (CEST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725209725; x=1725814525; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=M71gH7FDiYCKImjiZzeUUTG5BR5Sb9SW0ofzMReDVeg=; b=OhSQQeSNde6lvahhTgsPPAYo7t10vxUYrOuBleJVkM1xoyTOdtg+bV8Qu4kNS6ytDn DFl+OnxJD7WoHEL0ftK3NvimgnZpneJyuYeLaXDUB/nBIN+AOx26tL/Zy/uKRzUBswVo hRxWSHXLYehSSsyUH3SjVlCFWXsoukiKyW5lw4sj3CzoVx50101Ym1bV7C6yGxHwNTdW 3bDaOrnNvJWic9hJT4hsXN/459Gci3+YUnCGQ9gCRyOduvKEjaUH4m3T12F0narMeEoM MdI500W58pNWFvXcCtL9AXfVpNOQJEkWbyZLjNFOWQgdh8Rfxpq8jMs73RCyvoHps0lL n46A== X-Gm-Message-State: AOJu0Yzw/sRkWxQxpSMxWVZLrOZ8Y74UsF+QtdvQqCGTJ+nUQKmWidqW zjQVln2So6XP0EgRECIKNSF1Mgd/gLLh1Uj6c5ztPsuTqxq6//cBXRa6wQ== X-Google-Smtp-Source: AGHT+IGw5jrntsLL8wHq3X0jGf9tP5GprHyR6UdK2ftPA5glmNHjIdI49JCj8gHbFGxrChcDiEjT8Q== X-Received: by 2002:a05:690c:108:b0:62c:e9f8:8228 with SMTP id 00721157ae682-6d40e57e299mr61561297b3.25.1725209725051; Sun, 01 Sep 2024 09:55:25 -0700 (PDT) From: Thomas Skinner To: pve-devel@lists.proxmox.com Date: Sun, 1 Sep 2024 11:55:10 -0500 Message-Id: <20240901165512.687801-3-thomas@atskinner.net> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240901165512.687801-1-thomas@atskinner.net> References: <20240901165512.687801-1-thomas@atskinner.net> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.001 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy FREEMAIL_FORGED_FROMDOMAIN 0.001 2nd level domains in From and EnvelopeFrom freemail headers are different FREEMAIL_FROM 0.001 Sender email is commonly abused enduser mail provider HEADER_FROM_DIFFERENT_DOMAINS 0.25 From and EnvelopeFrom 2nd level mail domains are different KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_DNSWL_NONE -0.0001 Sender listed at https://www.dnswl.org/, no trust RCVD_IN_MSPIKE_H2 -0.001 Average reputation (+2) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - X-Mailman-Approved-At: Mon, 02 Sep 2024 10:05:47 +0200 Subject: [pve-devel] [PATCH openid 1/1] fix #4411: openid: add library code for openid groups support X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Cc: Thomas Skinner Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" Signed-off-by: Thomas Skinner --- proxmox-openid/src/lib.rs | 55 +++++++++++++++++++++++++++++++++------ 1 file changed, 47 insertions(+), 8 deletions(-) diff --git a/proxmox-openid/src/lib.rs b/proxmox-openid/src/lib.rs index fe65fded..bf8c650b 100644 --- a/proxmox-openid/src/lib.rs +++ b/proxmox-openid/src/lib.rs @@ -15,8 +15,11 @@ pub use auth_state::*; use openidconnect::{ //curl::http_client, core::{ - CoreAuthDisplay, CoreAuthPrompt, CoreAuthenticationFlow, CoreClient, CoreGenderClaim, - CoreIdTokenClaims, CoreIdTokenVerifier, CoreProviderMetadata, + CoreAuthDisplay, CoreAuthPrompt, CoreAuthenticationFlow, CoreErrorResponseType, + CoreGenderClaim, CoreIdTokenVerifier, CoreJsonWebKey, CoreJsonWebKeyType, + CoreJsonWebKeyUse, CoreJweContentEncryptionAlgorithm, CoreJwsSigningAlgorithm, + CoreProviderMetadata, CoreRevocableToken, CoreRevocationErrorResponse, + CoreTokenIntrospectionResponse, CoreTokenType, }, AdditionalClaims, AuthenticationContextClass, @@ -24,6 +27,9 @@ use openidconnect::{ ClientId, ClientSecret, CsrfToken, + EmptyExtraTokenFields, + IdTokenClaims, + IdTokenFields, IssuerUrl, Nonce, OAuth2TokenResponse, @@ -31,15 +37,47 @@ use openidconnect::{ PkceCodeVerifier, RedirectUrl, Scope, + StandardErrorResponse, + StandardTokenResponse, UserInfoClaims, }; /// Stores Additional Claims into a serde_json::Value; -#[derive(Debug, Deserialize, Serialize)] +#[derive(Clone, Debug, Default, Deserialize, PartialEq, Serialize)] pub struct GenericClaims(Value); impl AdditionalClaims for GenericClaims {} pub type GenericUserInfoClaims = UserInfoClaims; +pub type GenericIdTokenClaims = IdTokenClaims; + +pub type GenericIdTokenFields = IdTokenFields< + GenericClaims, + EmptyExtraTokenFields, + CoreGenderClaim, + CoreJweContentEncryptionAlgorithm, + CoreJwsSigningAlgorithm, + CoreJsonWebKeyType, +>; + +pub type GenericTokenResponse = StandardTokenResponse; + +pub type GenericClient = openidconnect::Client< + GenericClaims, + CoreAuthDisplay, + CoreGenderClaim, + CoreJweContentEncryptionAlgorithm, + CoreJwsSigningAlgorithm, + CoreJsonWebKeyType, + CoreJsonWebKeyUse, + CoreJsonWebKey, + CoreAuthPrompt, + StandardErrorResponse, + GenericTokenResponse, + CoreTokenType, + CoreTokenIntrospectionResponse, + CoreRevocableToken, + CoreRevocationErrorResponse, +>; #[derive(Debug, Deserialize, Serialize, Clone)] pub struct OpenIdConfig { @@ -56,7 +94,7 @@ pub struct OpenIdConfig { } pub struct OpenIdAuthenticator { - client: CoreClient, + client: GenericClient, config: OpenIdConfig, } @@ -120,8 +158,9 @@ impl OpenIdAuthenticator { let provider_metadata = CoreProviderMetadata::discover(&issuer_url, http_client)?; - let client = CoreClient::from_provider_metadata(provider_metadata, client_id, client_key) - .set_redirect_uri(RedirectUrl::new(String::from(redirect_url))?); + let client = + GenericClient::from_provider_metadata(provider_metadata, client_id, client_key) + .set_redirect_uri(RedirectUrl::new(String::from(redirect_url))?); Ok(Self { client, @@ -195,7 +234,7 @@ impl OpenIdAuthenticator { &self, code: &str, private_auth_state: &PrivateAuthState, - ) -> Result<(CoreIdTokenClaims, GenericUserInfoClaims), Error> { + ) -> Result<(GenericIdTokenClaims, GenericUserInfoClaims), Error> { let code = AuthorizationCode::new(code.to_string()); // Exchange the code with a token. let token_response = self @@ -206,7 +245,7 @@ impl OpenIdAuthenticator { .map_err(|err| format_err!("Failed to contact token endpoint: {}", err))?; let id_token_verifier: CoreIdTokenVerifier = self.client.id_token_verifier(); - let id_token_claims: &CoreIdTokenClaims = token_response + let id_token_claims: &GenericIdTokenClaims = token_response .extra_fields() .id_token() .expect("Server did not return an ID token") -- 2.39.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel