From: Shannon Sterz <s.sterz@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH proxmox v4 1/3] fix #5076: openid: add logic to handle OIDC audiences
Date: Mon, 20 Apr 2026 17:33:30 +0200 [thread overview]
Message-ID: <20260420153332.414620-2-s.sterz@proxmox.com> (raw)
In-Reply-To: <20260420153332.414620-1-s.sterz@proxmox.com>
allows specifying multiple additionally allowed audiences. an open id
provider may include multiple audiences in its ID token. this allows
specifying all valid audiences, rejecting the token only if an invalid
audience is also included.
Originally-by: Alexander Abraham <a.abraham@proxmox.com>
[SS:
* reformatted the code for clarity and to avoid unnecessary variables
and parentheses
* rephrased the commit message for style and clarity
]
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
proxmox-openid/src/lib.rs | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/proxmox-openid/src/lib.rs b/proxmox-openid/src/lib.rs
index 0388a8fa..a8cfd66f 100644
--- a/proxmox-openid/src/lib.rs
+++ b/proxmox-openid/src/lib.rs
@@ -95,6 +95,8 @@ pub struct OpenIdConfig {
pub prompt: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub acr_values: Option<Vec<String>>,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub audiences: Option<Vec<String>>,
}
pub struct OpenIdAuthenticator {
@@ -258,12 +260,27 @@ impl OpenIdAuthenticator {
.request(&http_client)
.map_err(|err| format_err!("Failed to contact token endpoint: {}", err))?;
- let id_token_verifier: CoreIdTokenVerifier = self.client.id_token_verifier();
+ let verifier = &self
+ .client
+ .id_token_verifier()
+ .require_audience_match(true)
+ .set_other_audience_verifier_fn(|aud| {
+ if self.config.client_id == **aud {
+ return true;
+ }
+
+ if let Some(allowed_audiences) = self.config.audiences.as_ref() {
+ return allowed_audiences.contains(aud);
+ }
+
+ false
+ });
+
let id_token_claims: &GenericIdTokenClaims = token_response
.extra_fields()
.id_token()
.expect("Server did not return an ID token")
- .claims(&id_token_verifier, &private_auth_state.nonce)
+ .claims(verifier, &private_auth_state.nonce)
.map_err(|err| format_err!("Failed to verify ID token: {}", err))?;
if !query_userinfo {
--
2.47.3
next prev parent reply other threads:[~2026-04-20 15:34 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-20 15:33 [PATCH access-control/manager/proxmox v4 0/3] fix #5076: add support for open id audiences Shannon Sterz
2026-04-20 15:33 ` Shannon Sterz [this message]
2026-04-20 15:33 ` [PATCH access-control v4 2/3] fix #5076: auth: open id: add an optional "audiences" field Shannon Sterz
2026-04-20 15:33 ` [PATCH manager v4 3/3] fix #5076: ui: dc: add an optional "audiences" field for open id realms Shannon Sterz
2026-04-21 10:25 ` [PATCH access-control/manager/proxmox v4 0/3] fix #5076: add support for open id audiences Shannon Sterz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260420153332.414620-2-s.sterz@proxmox.com \
--to=s.sterz@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox