From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id 957441FF173
	for <inbox@lore.proxmox.com>; Mon, 24 Mar 2025 04:01:12 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id D790F9812;
	Mon, 24 Mar 2025 04:01:09 +0100 (CET)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1742785259; x=1743390059;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=eO2br3NAwwPV1MDKEIlBZeqsztm+kr7mOMpfTjsIB/s=;
 b=jxwdIhgH8a8K0pVFGCWknQA22x6d1MIg3el7ae4f5nsinD/hNKB3BEe4Mw7xcgUVbi
 llCOPmMxCBsBZfiaL4m7FeOWegrna99C633NSby7uXVbtxlz1bCXOgJmrb65saCKFtOy
 m/Y+gxWQaqB13hWVgbtGwthVD2GcZ2EVtwCPV3ta3CeLFe0l55fUri44SYlvtnhiW5G/
 1uU7sHg6xrpQKonZcJVBBPHGE3TAGz0JrrDVPLfEveX35zDG1lVtDEVOWrMbKeWLpvxD
 +UC+FSF8QmhqZfXR6ZhWxgsJ1+kSmWC5BeGaopjHWiaw39RwFFcFg73G+RDmmW4XTJrp
 l/gg==
X-Gm-Message-State: AOJu0YzycV84RRJ6DEkxMvePOiSS4WORumDzHCt6lXjc8yWEA+ajtLp6
 d1tJ5RyAhqAXDoxevrKRluI3fMXS0hnd5CLLowAoZdx/q1g8iA7Q2ooViA==
X-Gm-Gg: ASbGncu1l0y7awcvMONNqxZxC5ir0B9GKgRDRI1RzgdpD/BOCLc75OhFRQg5bdKJlr2
 WJoGUgtkCty3ZbTVtDVUzGW43m22rltAaFqUIz/9I2kkR5I27gbkAAv6K4l25nogo+Uw6nFA34p
 XwPqR+/ftrL2Y61zE2Lj5Unhm5R9kYunRxTzfPUi+Y7mfNCoSIV3P777Vng+L3CGY0z8ciJ+q/u
 LlnNjxhya/kXQ6JkT1pkrsA/4Z1YWR/9ol/6zzraXXtzXVa0sIPpjjXP6YTAM3NtnTcsf/I62qv
 OGKh8qCkuizaWZBkuR57grCbe4njSKKWzXzQT3UxvCINIq33ccIIgzQYaskowc9jOLru3jIrkjL
 tuyKJv5Wyey5iTbeoNRdeHsfEj5+Fuej2JVRbHkK/FiZaj6AeDGhiOcuaSg==
X-Google-Smtp-Source: AGHT+IHozNXoGR/ondzpUBeGs5k9bRjGKOTUq/PwuBgDKy1+gKOoQVWJjXmgHH6MgKpnKrMBXE9KJA==
X-Received: by 2002:a05:690c:6501:b0:6f9:acb3:4439 with SMTP id
 00721157ae682-700bac7c4d4mr142560017b3.22.1742783872102; 
 Sun, 23 Mar 2025 19:37:52 -0700 (PDT)
From: Thomas Skinner <thomas@atskinner.net>
To: pve-devel@lists.proxmox.com
Date: Sun, 23 Mar 2025 21:37:26 -0500
Message-Id: <20250324023728.1294436-3-thomas@atskinner.net>
X-Mailer: git-send-email 2.39.5
In-Reply-To: <20250324023728.1294436-1-thomas@atskinner.net>
References: <20250324023728.1294436-1-thomas@atskinner.net>
MIME-Version: 1.0
X-SPAM-LEVEL: Spam detection results:  0
 AWL -0.016 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 FREEMAIL_FORGED_FROMDOMAIN 0.001 2nd level domains in From and EnvelopeFrom
 freemail headers are different
 FREEMAIL_FROM 0.001 Sender email is commonly abused enduser mail provider
 HEADER_FROM_DIFFERENT_DOMAINS 0.062 From and EnvelopeFrom 2nd level mail
 domains are different
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 RCVD_IN_DNSWL_NONE     -0.0001 Sender listed at https://www.dnswl.org/,
 no trust RCVD_IN_MSPIKE_H2       -0.01 Average reputation (+2)
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [lib.rs]
Subject: [pve-devel] [PATCH proxmox-openid v4 1/1] fix #4411: openid: add
 library code for generic id token claim support
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Cc: Thomas Skinner <thomas@atskinner.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pve-devel-bounces@lists.proxmox.com
Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com>

Signed-off-by: Thomas Skinner <thomas@atskinner.net>
---
 proxmox-openid/src/lib.rs | 55 +++++++++++++++++++++++++++++++++------
 1 file changed, 47 insertions(+), 8 deletions(-)

diff --git a/proxmox-openid/src/lib.rs b/proxmox-openid/src/lib.rs
index fe65fded..bf8c650b 100644
--- a/proxmox-openid/src/lib.rs
+++ b/proxmox-openid/src/lib.rs
@@ -15,8 +15,11 @@ pub use auth_state::*;
 use openidconnect::{
     //curl::http_client,
     core::{
-        CoreAuthDisplay, CoreAuthPrompt, CoreAuthenticationFlow, CoreClient, CoreGenderClaim,
-        CoreIdTokenClaims, CoreIdTokenVerifier, CoreProviderMetadata,
+        CoreAuthDisplay, CoreAuthPrompt, CoreAuthenticationFlow, CoreErrorResponseType,
+        CoreGenderClaim, CoreIdTokenVerifier, CoreJsonWebKey, CoreJsonWebKeyType,
+        CoreJsonWebKeyUse, CoreJweContentEncryptionAlgorithm, CoreJwsSigningAlgorithm,
+        CoreProviderMetadata, CoreRevocableToken, CoreRevocationErrorResponse,
+        CoreTokenIntrospectionResponse, CoreTokenType,
     },
     AdditionalClaims,
     AuthenticationContextClass,
@@ -24,6 +27,9 @@ use openidconnect::{
     ClientId,
     ClientSecret,
     CsrfToken,
+    EmptyExtraTokenFields,
+    IdTokenClaims,
+    IdTokenFields,
     IssuerUrl,
     Nonce,
     OAuth2TokenResponse,
@@ -31,15 +37,47 @@ use openidconnect::{
     PkceCodeVerifier,
     RedirectUrl,
     Scope,
+    StandardErrorResponse,
+    StandardTokenResponse,
     UserInfoClaims,
 };
 
 /// Stores Additional Claims into a serde_json::Value;
-#[derive(Debug, Deserialize, Serialize)]
+#[derive(Clone, Debug, Default, Deserialize, PartialEq, Serialize)]
 pub struct GenericClaims(Value);
 impl AdditionalClaims for GenericClaims {}
 
 pub type GenericUserInfoClaims = UserInfoClaims<GenericClaims, CoreGenderClaim>;
+pub type GenericIdTokenClaims = IdTokenClaims<GenericClaims, CoreGenderClaim>;
+
+pub type GenericIdTokenFields = IdTokenFields<
+    GenericClaims,
+    EmptyExtraTokenFields,
+    CoreGenderClaim,
+    CoreJweContentEncryptionAlgorithm,
+    CoreJwsSigningAlgorithm,
+    CoreJsonWebKeyType,
+>;
+
+pub type GenericTokenResponse = StandardTokenResponse<GenericIdTokenFields, CoreTokenType>;
+
+pub type GenericClient = openidconnect::Client<
+    GenericClaims,
+    CoreAuthDisplay,
+    CoreGenderClaim,
+    CoreJweContentEncryptionAlgorithm,
+    CoreJwsSigningAlgorithm,
+    CoreJsonWebKeyType,
+    CoreJsonWebKeyUse,
+    CoreJsonWebKey,
+    CoreAuthPrompt,
+    StandardErrorResponse<CoreErrorResponseType>,
+    GenericTokenResponse,
+    CoreTokenType,
+    CoreTokenIntrospectionResponse,
+    CoreRevocableToken,
+    CoreRevocationErrorResponse,
+>;
 
 #[derive(Debug, Deserialize, Serialize, Clone)]
 pub struct OpenIdConfig {
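Review bot: The four new public aliases `GenericIdTokenClaims`, `GenericIdTokenFields`, `GenericTokenResponse` and `GenericClient` are exported with no doc comment, and since `GenericClaims` wraps a raw `serde_json::Value`, every non-standard claim the provider puts in the ID token now reaches callers as untyped JSON. A short doc should make the trust boundary explicit, e.g. on `GenericIdTokenClaims`: `/// ID token claims whose non-standard members are kept as raw JSON; only meaningful after the token has passed the verifier (signature, issuer, audience, nonce), and callers must still check the type/shape of any claim they read.` and on `GenericClient`: `/// OIDC client wired to deserialize additional ID token claims into [`GenericClaims`] instead of discarding them.`. The added `Default` derive yields `GenericClaims(Value::Null)`, i.e. not an object, so a default instance will make any `.get("claim")` lookup return `None`; worth stating in the comment so callers do not mistake it for "no claims" vs "claims not yet loaded". The existing `/// Stores Additional Claims into a serde_json::Value;` line also still reads as if it covered only userinfo, which is no longer the case.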
@@ -56,7 +94,7 @@ pub struct OpenIdConfig {
 }
 
 pub struct OpenIdAuthenticator {
-    client: CoreClient,
+    client: GenericClient,
     config: OpenIdConfig,
 }
 
@@ -120,8 +158,9 @@ impl OpenIdAuthenticator {
 
         let provider_metadata = CoreProviderMetadata::discover(&issuer_url, http_client)?;
 
-        let client = CoreClient::from_provider_metadata(provider_metadata, client_id, client_key)
-            .set_redirect_uri(RedirectUrl::new(String::from(redirect_url))?);
+        let client =
+            GenericClient::from_provider_metadata(provider_metadata, client_id, client_key)
+                .set_redirect_uri(RedirectUrl::new(String::from(redirect_url))?);
 
         Ok(Self {
             client,
@@ -195,7 +234,7 @@ impl OpenIdAuthenticator {
         &self,
         code: &str,
         private_auth_state: &PrivateAuthState,
-    ) -> Result<(CoreIdTokenClaims, GenericUserInfoClaims), Error> {
+    ) -> Result<(GenericIdTokenClaims, GenericUserInfoClaims), Error> {
         let code = AuthorizationCode::new(code.to_string());
         // Exchange the code with a token.
         let token_response = self
@@ -206,7 +245,7 @@ impl OpenIdAuthenticator {
             .map_err(|err| format_err!("Failed to contact token endpoint: {}", err))?;
 
         let id_token_verifier: CoreIdTokenVerifier = self.client.id_token_verifier();
-        let id_token_claims: &CoreIdTokenClaims = token_response
+        let id_token_claims: &GenericIdTokenClaims = token_response
             .extra_fields()
             .id_token()
             .expect("Server did not return an ID token")
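Review bot: The ID token is now read into `GenericIdTokenClaims`, but the call that actually applies `id_token_verifier` and the nonce check to the token lies past the end of this hunk, so please confirm that the claims are still only returned after that verification succeeds with the new type; `CoreIdTokenVerifier` uses the same signing-algorithm, key-type and key-use parameters as `GenericIdTokenFields`/`GenericClient`, so this should type-check without further changes. Adjacent to the changed line, the pre-existing `.expect("Server did not return an ID token")` panics on a token response without an `id_token`; in a library a misconfigured or malicious provider should produce an error rather than abort the process, e.g. `.ok_or_else(|| format_err!("Server did not return an ID token"))?`, and the return-type change here is a natural moment to fix that. The enclosing method starts and ends outside the hunk.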
-- 
2.39.5

