From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id E2DEB1FF136 for ; Mon, 20 Apr 2026 17:34:11 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 0AB7B72EA; Mon, 20 Apr 2026 17:34:09 +0200 (CEST) From: Shannon Sterz To: pve-devel@lists.proxmox.com Subject: [PATCH access-control/manager/proxmox v4 0/3] fix #5076: add support for open id audiences Date: Mon, 20 Apr 2026 17:33:29 +0200 Message-ID: <20260420153332.414620-1-s.sterz@proxmox.com> X-Mailer: git-send-email 2.47.3 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1776699129192 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.123 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: DBRPNBVBLVTLG3DYLW7S6DTJWRJTJYKC X-Message-ID-Hash: DBRPNBVBLVTLG3DYLW7S6DTJWRJTJYKC X-MailFrom: s.sterz@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: this series adapts the original patch series by Alexander Abraham [1]. below is the text of the original cover letter: > fix #5076: Added Open ID audiences > > This series adds support for handling Open ID audiences as described in bug > #5076. PVE's API schema was updated to accept an optional field, an array of > strings and the Rust code was also updated to accordingly handle any incoming > audiences and compare them to the realm config's audiences. In the realm > dialogue for adding an Open ID realm, a new field titled "Audiences" was added > so that users can save any audiences in their realm domains config file. essentially, some open id providers such as zitadel [1] may provide additional audiences that their id tokens are valid for instead of just the client id. these patches allow setting such additional audiences. if an audience that is not explicitly allowed is encountered, the id token is rejected as before. [1]: https://zitadel.com/ Changelog --------- changes since the last public version of these patches * rebased on current master * see the list of changes made by Shannon Sterz specified in each commit message [1]: https://lore.proxmox.com/pve-devel/20250603091256.40923-1-a.abraham@proxmox.com/ proxmox: Shannon Sterz (1): fix #5076: openid: add logic to handle OIDC audiences proxmox-openid/src/lib.rs | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) proxmox: Shannon Sterz (1): fix #5076: auth: open id: add an optional "audiences" field src/PVE/API2/OpenId.pm | 4 ++++ src/PVE/Auth/OpenId.pm | 12 ++++++++++++ 2 files changed, 16 insertions(+) proxmox: Shannon Sterz (1): fix #5076: ui: dc: add an optional "audiences" field for open id realms www/manager6/dc/AuthEditOpenId.js | 13 +++++++++++++ 1 file changed, 13 insertions(+) Summary over all repositories: 4 files changed, 48 insertions(+), 2 deletions(-) -- Generated by murpp 0.10.0