From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 459721FF13F for ; Thu, 23 Apr 2026 15:35:57 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 2B0231884D; Thu, 23 Apr 2026 15:35:57 +0200 (CEST) From: Shannon Sterz To: pve-devel@lists.proxmox.com Subject: [PATCH proxmox v5 1/8] fix #5076: openid: add logic to handle OIDC audiences Date: Thu, 23 Apr 2026 15:35:41 +0200 Message-ID: <20260423133548.349086-2-s.sterz@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260423133548.349086-1-s.sterz@proxmox.com> References: <20260423133548.349086-1-s.sterz@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1776951264009 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.120 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: QT2DO7S52G4UR36CGQXTFHZ6F3GLVMWG X-Message-ID-Hash: QT2DO7S52G4UR36CGQXTFHZ6F3GLVMWG X-MailFrom: s.sterz@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: allows specifying multiple additionally allowed audiences. an open id provider may include multiple audiences in its ID token. this allows specifying all valid audiences, rejecting the token only if an invalid audience is also included. Originally-by: Alexander Abraham [SS: * reformatted the code for clarity and to avoid unnecessary variables and parentheses * rephrased the commit message for style and clarity ] Signed-off-by: Shannon Sterz --- proxmox-openid/src/lib.rs | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/proxmox-openid/src/lib.rs b/proxmox-openid/src/lib.rs index 0388a8fa..a8cfd66f 100644 --- a/proxmox-openid/src/lib.rs +++ b/proxmox-openid/src/lib.rs @@ -95,6 +95,8 @@ pub struct OpenIdConfig { pub prompt: Option, #[serde(skip_serializing_if = "Option::is_none")] pub acr_values: Option>, + #[serde(skip_serializing_if = "Option::is_none")] + pub audiences: Option>, } pub struct OpenIdAuthenticator { @@ -258,12 +260,27 @@ impl OpenIdAuthenticator { .request(&http_client) .map_err(|err| format_err!("Failed to contact token endpoint: {}", err))?; - let id_token_verifier: CoreIdTokenVerifier = self.client.id_token_verifier(); + let verifier = &self + .client + .id_token_verifier() + .require_audience_match(true) + .set_other_audience_verifier_fn(|aud| { + if self.config.client_id == **aud { + return true; + } + + if let Some(allowed_audiences) = self.config.audiences.as_ref() { + return allowed_audiences.contains(aud); + } + + false + }); + let id_token_claims: &GenericIdTokenClaims = token_response .extra_fields() .id_token() .expect("Server did not return an ID token") - .claims(&id_token_verifier, &private_auth_state.nonce) + .claims(verifier, &private_auth_state.nonce) .map_err(|err| format_err!("Failed to verify ID token: {}", err))?; if !query_userinfo { -- 2.47.3