From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id AC3261FF136 for ; Mon, 20 Apr 2026 17:34:17 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id F250873DC; Mon, 20 Apr 2026 17:34:09 +0200 (CEST) From: Shannon Sterz To: pve-devel@lists.proxmox.com Subject: [PATCH proxmox v4 1/3] fix #5076: openid: add logic to handle OIDC audiences Date: Mon, 20 Apr 2026 17:33:30 +0200 Message-ID: <20260420153332.414620-2-s.sterz@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260420153332.414620-1-s.sterz@proxmox.com> References: <20260420153332.414620-1-s.sterz@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1776699129250 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.123 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: AP5SZ3V4WZVW4Q6CVPCGAPYW7RHPPBBY X-Message-ID-Hash: AP5SZ3V4WZVW4Q6CVPCGAPYW7RHPPBBY X-MailFrom: s.sterz@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: allows specifying multiple additionally allowed audiences. an open id provider may include multiple audiences in its ID token. this allows specifying all valid audiences, rejecting the token only if an invalid audience is also included. Originally-by: Alexander Abraham [SS: * reformatted the code for clarity and to avoid unnecessary variables and parentheses * rephrased the commit message for style and clarity ] Signed-off-by: Shannon Sterz --- proxmox-openid/src/lib.rs | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/proxmox-openid/src/lib.rs b/proxmox-openid/src/lib.rs index 0388a8fa..a8cfd66f 100644 --- a/proxmox-openid/src/lib.rs +++ b/proxmox-openid/src/lib.rs @@ -95,6 +95,8 @@ pub struct OpenIdConfig { pub prompt: Option, #[serde(skip_serializing_if = "Option::is_none")] pub acr_values: Option>, + #[serde(skip_serializing_if = "Option::is_none")] + pub audiences: Option>, } pub struct OpenIdAuthenticator { @@ -258,12 +260,27 @@ impl OpenIdAuthenticator { .request(&http_client) .map_err(|err| format_err!("Failed to contact token endpoint: {}", err))?; - let id_token_verifier: CoreIdTokenVerifier = self.client.id_token_verifier(); + let verifier = &self + .client + .id_token_verifier() + .require_audience_match(true) + .set_other_audience_verifier_fn(|aud| { + if self.config.client_id == **aud { + return true; + } + + if let Some(allowed_audiences) = self.config.audiences.as_ref() { + return allowed_audiences.contains(aud); + } + + false + }); + let id_token_claims: &GenericIdTokenClaims = token_response .extra_fields() .id_token() .expect("Server did not return an ID token") - .claims(&id_token_verifier, &private_auth_state.nonce) + .claims(verifier, &private_auth_state.nonce) .map_err(|err| format_err!("Failed to verify ID token: {}", err))?; if !query_userinfo { -- 2.47.3