From: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
To: pve-devel@lists.proxmox.com, pbs-devel@lists.proxmox.com
Subject: [PATCH proxmox-widget-toolkit v5 15/27] notifications: add opt-in OAuth2 support for SMTP targets
Date: Tue, 5 May 2026 10:32:36 +0200 [thread overview]
Message-ID: <20260505083248.36450-16-a.bied-charreton@proxmox.com> (raw)
In-Reply-To: <20260505083248.36450-1-a.bied-charreton@proxmox.com>
Add Google & Microsoft OAuth2 authorization support to SMTP endpoint
config.
The enableOAuth2 config flag in pmxSmtpEditPanel allows consumers to opt
into this new feature, so it can be gradually introduced into products.
When disabled, no changes are visible from the UI.
The exchange trading the initial authorization code for a refresh token
needs to happen in the backend, Azure AD does not allow
browser-originated token requests for "Web" client types, which we
require in order to be able to keep tokens valid without requiring
re-authorization by users.
Since the exposed endpoints for performing this exchange live at
different paths in PBS and PVE, expect the URL as a config argument
passed by the products and throw if it is not set.
Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
---
src/panel/SmtpEditPanel.js | 266 ++++++++++++++++++++++++++++++---
src/window/EndpointEditBase.js | 2 +
2 files changed, 244 insertions(+), 24 deletions(-)
diff --git a/src/panel/SmtpEditPanel.js b/src/panel/SmtpEditPanel.js
index 37e4d51..3c32029 100644
--- a/src/panel/SmtpEditPanel.js
+++ b/src/panel/SmtpEditPanel.js
@@ -6,12 +6,31 @@ Ext.define('Proxmox.panel.SmtpEditPanel', {
type: 'smtp',
+ enableOAuth2: false,
+ // Backend URL for endpoint exchanging the initial OAuth2 authorization code
+ // for a refresh token.
+ refreshTokenUrl: undefined,
+
+ initConfig: function (config) {
+ this.callParent(arguments);
+
+ if (config.enableOAuth2 && !config.refreshTokenUrl) {
+ throw new Error('refreshTokenUrl must be set if XOAUTH2 is enabled');
+ }
+
+ return config;
+ },
+
viewModel: {
xtype: 'viewmodel',
data: {
mode: 'tls',
- authentication: true,
- originalAuthentication: true,
+ authMethod: 'plain',
+ oAuth2ClientId: '',
+ oAuth2ClientSecret: '',
+ oAuth2TenantId: '',
+ oAuth2RefreshToken: '',
+ originalAuthMethod: undefined,
},
formulas: {
portEmptyText: function (get) {
@@ -30,14 +49,47 @@ Ext.define('Proxmox.panel.SmtpEditPanel', {
}
return `${Proxmox.Utils.defaultText} (${port})`;
},
+ authKind: function (get) {
+ let method = get('authMethod');
+ let isOAuth2 = method === 'google-oauth2' || method === 'microsoft-oauth2';
+ return isOAuth2 && !this.getView().enableOAuth2 ? 'none' : method;
+ },
+ isOAuth2Authentication: function (get) {
+ let kind = get('authKind');
+ return kind === 'google-oauth2' || kind === 'microsoft-oauth2';
+ },
+ enableAuthorize: function (get) {
+ if (!get('isOAuth2Authentication')) {
+ return false;
+ }
+ let clientId = get('oAuth2ClientId')?.trim();
+ let clientSecret = get('oAuth2ClientSecret')?.trim();
+ if (!clientId || !clientSecret) {
+ return false;
+ }
+ if (get('authKind') === 'microsoft-oauth2') {
+ return !!get('oAuth2TenantId')?.trim();
+ }
+ return true;
+ },
passwordEmptyText: function (get) {
let isCreate = this.getView().isCreate;
-
- let auth = get('authentication');
- let origAuth = get('originalAuthentication');
- let shouldShowUnchanged = !isCreate && auth && origAuth;
-
- return shouldShowUnchanged ? gettext('Unchanged') : '';
+ let isPlain = get('authKind') === 'plain';
+ let wasPlain = get('originalAuthMethod') === 'plain';
+ return !isCreate && isPlain && wasPlain ? gettext('Unchanged') : '';
+ },
+ oAuth2ClientSecretEmptyText: function (get) {
+ let isCreate = this.getView().isCreate;
+ let isOAuth2 = get('isOAuth2Authentication');
+ let origMethod = get('originalAuthMethod');
+ let wasOAuth2 = origMethod === 'google-oauth2' || origMethod === 'microsoft-oauth2';
+ return !isCreate && isOAuth2 && wasOAuth2 ? gettext('Unchanged') : '';
+ },
+ isAuthorized: function (get) {
+ return get('isOAuth2Authentication') && !!get('oAuth2RefreshToken');
+ },
+ authorizeButtonDisabled: function (get) {
+ return !get('enableAuthorize') || get('isAuthorized');
},
},
},
@@ -102,11 +154,25 @@ Ext.define('Proxmox.panel.SmtpEditPanel', {
],
column2: [
{
- xtype: 'proxmoxcheckbox',
- fieldLabel: gettext('Authenticate'),
- name: 'authentication',
- bind: {
- value: '{authentication}',
+ xtype: 'proxmoxKVComboBox',
+ fieldLabel: gettext('Authentication'),
+ name: 'auth-method',
+ comboItems: [
+ ['none', gettext('None')],
+ ['plain', gettext('Username/Password')],
+ ['google-oauth2', gettext('OAuth2 (Google)')],
+ ['microsoft-oauth2', gettext('OAuth2 (Microsoft)')],
+ ],
+ bind: '{authMethod}',
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ listeners: {
+ render: function () {
+ if (!this.up('pmxSmtpEditPanel').enableOAuth2) {
+ this.getStore().filter('key', /^(none|plain)$/);
+ }
+ },
},
},
{
@@ -118,7 +184,8 @@ Ext.define('Proxmox.panel.SmtpEditPanel', {
deleteEmpty: '{!isCreate}',
},
bind: {
- disabled: '{!authentication}',
+ hidden: '{authKind !== "plain"}',
+ disabled: '{authKind !== "plain"}',
},
},
{
@@ -130,10 +197,109 @@ Ext.define('Proxmox.panel.SmtpEditPanel', {
allowBlank: '{!isCreate}',
},
bind: {
- disabled: '{!authentication}',
+ hidden: '{authKind !== "plain"}',
+ disabled: '{authKind !== "plain"}',
emptyText: '{passwordEmptyText}',
},
},
+ {
+ xtype: 'proxmoxtextfield',
+ fieldLabel: gettext('Client ID'),
+ name: 'oauth2-client-id',
+ allowBlank: false,
+ bind: {
+ hidden: '{!isOAuth2Authentication}',
+ disabled: '{!isOAuth2Authentication}',
+ value: '{oAuth2ClientId}',
+ },
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ },
+ {
+ xtype: 'proxmoxtextfield',
+ inputType: 'password',
+ fieldLabel: gettext('Client Secret'),
+ name: 'oauth2-client-secret',
+ bind: {
+ hidden: '{!isOAuth2Authentication}',
+ disabled: '{!isOAuth2Authentication}',
+ value: '{oAuth2ClientSecret}',
+ emptyText: '{oAuth2ClientSecretEmptyText}',
+ },
+ cbind: {
+ allowBlank: '{!isCreate}',
+ },
+ },
+ {
+ xtype: 'proxmoxtextfield',
+ fieldLabel: gettext('Tenant ID'),
+ name: 'oauth2-tenant-id',
+ allowBlank: false,
+ bind: {
+ hidden: '{authKind !== "microsoft-oauth2"}',
+ disabled: '{authKind !== "microsoft-oauth2"}',
+ value: '{oAuth2TenantId}',
+ },
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ },
+ {
+ xtype: 'fieldcontainer',
+ fieldLabel: gettext('Authorize'),
+ layout: 'hbox',
+ bind: {
+ hidden: '{!isOAuth2Authentication}',
+ },
+ items: [
+ {
+ xtype: 'button',
+ text: gettext('Authorize'),
+ handler: async function () {
+ let panel = this.up('pmxSmtpEditPanel');
+ let form = panel.up('form');
+ let values = form.getValues();
+
+ try {
+ let refreshToken = await panel.handleOAuth2Flow(values);
+ panel.getViewModel().set('oAuth2RefreshToken', refreshToken);
+ } catch (e) {
+ Ext.Msg.alert('Error', e);
+ }
+ },
+ bind: {
+ disabled: '{authorizeButtonDisabled}',
+ },
+ },
+ {
+ xtype: 'displayfield',
+ renderer: Ext.identityFn,
+ value: `<i class="fa fa-check-circle good"></i> <span class="good">${gettext('Authorized')}</span>`,
+ margin: '0 0 0 8',
+ bind: {
+ hidden: '{!isAuthorized}',
+ },
+ },
+ ],
+ },
+ {
+ xtype: 'hiddenfield',
+ name: 'oauth2-refresh-token',
+ allowBlank: false,
+ bind: {
+ value: '{oAuth2RefreshToken}',
+ disabled: '{!isOAuth2Authentication}',
+ },
+ // Silently block form submissions on create until the user has clicked Authorize
+ // and obtained a refresh token.
+ getErrors: function () {
+ if (this.disabled || !this.up('pmxSmtpEditPanel').isCreate) {
+ return [];
+ }
+ return this.getValue() ? [] : [''];
+ },
+ },
],
columnB: [
{
@@ -172,7 +338,25 @@ Ext.define('Proxmox.panel.SmtpEditPanel', {
},
},
],
+ handleOAuth2Flow: function (values) {
+ let authMethod = values['auth-method'];
+ let refreshTokenUrl = this.refreshTokenUrl;
+ if (authMethod === 'microsoft-oauth2') {
+ return Proxmox.OAuth2.handleMicrosoftFlow(
+ values['oauth2-client-id'],
+ values['oauth2-client-secret'],
+ values['oauth2-tenant-id'],
+ refreshTokenUrl,
+ );
+ } else if (authMethod === 'google-oauth2') {
+ return Proxmox.OAuth2.handleGoogleFlow(
+ values['oauth2-client-id'],
+ values['oauth2-client-secret'],
+ refreshTokenUrl,
+ );
+ }
+ },
onGetValues: function (values) {
let me = this;
@@ -180,9 +364,31 @@ Ext.define('Proxmox.panel.SmtpEditPanel', {
values.mailto = values.mailto.split(/[\s,;]+/);
}
- if (!values.authentication && !me.isCreate) {
- Proxmox.Utils.assemble_field_data(values, { delete: 'username' });
- Proxmox.Utils.assemble_field_data(values, { delete: 'password' });
+ let authMethod = values['auth-method'];
+ if (!this.enableOAuth2 || authMethod === 'none') {
+ delete values['auth-method'];
+ }
+
+ if (!values['oauth2-refresh-token']) {
+ delete values['oauth2-refresh-token'];
+ }
+
+ if (!me.isCreate) {
+ let oauthFields = ['oauth2-client-id', 'oauth2-client-secret', 'oauth2-tenant-id'];
+ let deletionsByMethod = {
+ none: [
+ 'username',
+ 'password',
+ ...(this.enableOAuth2 ? ['auth-method', ...oauthFields] : []),
+ ],
+ plain: this.enableOAuth2 ? oauthFields : [],
+ 'microsoft-oauth2': ['username', 'password'],
+ 'google-oauth2': ['username', 'password', 'oauth2-tenant-id'],
+ };
+
+ for (let field of deletionsByMethod[authMethod] || []) {
+ Proxmox.Utils.assemble_field_data(values, { delete: field });
+ }
}
if (values.enable) {
@@ -199,19 +405,31 @@ Ext.define('Proxmox.panel.SmtpEditPanel', {
return values;
},
-
onSetValues: function (values) {
let me = this;
- values.authentication = !!values.username;
values.enable = !values.disable;
+
+ if (values['auth-method'] === undefined && this.enableOAuth2) {
+ if (values['oauth2-tenant-id']) {
+ values['auth-method'] = 'microsoft-oauth2';
+ } else if (values['oauth2-client-id']) {
+ values['auth-method'] = 'google-oauth2';
+ } else if (values.username) {
+ values['auth-method'] = 'plain';
+ } else {
+ values['auth-method'] = 'none';
+ }
+ }
+
delete values.disable;
// Fix race condition in chromium-based browsers. Without this, the
- // 'Authenticate' remains ticked (the default value) if loading an
- // SMTP target without authentication.
- me.getViewModel().set('authentication', values.authentication);
- me.getViewModel().set('originalAuthentication', values.authentication);
+ // auth method remains set to 'plain' (the default) when loading a
+ // target with a different method set, which in some cases leads to
+ // the 'unchanged' empty text for the OAuth2 client secret being
+ // skipped.
+ me.getViewModel().set('originalAuthMethod', values['auth-method']);
return values;
},
diff --git a/src/window/EndpointEditBase.js b/src/window/EndpointEditBase.js
index 8c1bfc1..d7810a2 100644
--- a/src/window/EndpointEditBase.js
+++ b/src/window/EndpointEditBase.js
@@ -47,6 +47,8 @@ Ext.define('Proxmox.window.EndpointEditBase', {
baseUrl: me.baseUrl,
type: me.type,
defaultMailAuthor: endpointConfig.defaultMailAuthor,
+ enableOAuth2: endpointConfig.enableOAuth2,
+ refreshTokenUrl: endpointConfig.refreshTokenUrl,
},
],
});
--
2.47.3
next prev parent reply other threads:[~2026-05-05 8:35 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-05 8:32 [PATCH docs/manager/proxmox{,-perl-rs,-widget-toolkit,-backup} v5 00/27] fix #7238: Add XOAUTH2 authentication support for SMTP notification targets Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox v5 01/27] add oauth2 and ureq to workspace dependencies Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox v5 02/27] notify: smtp: introduce xoauth2 module Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox v5 03/27] notify: smtp: introduce state management Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox v5 04/27] notify: smtp: factor out transport building logic Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox v5 05/27] notify: smtp: update API with OAuth2 parameters Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox v5 06/27] notify: smtp: add API to exchange authorization code for refresh token Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox v5 07/27] notify: smtp: infer auth method for backwards compatibility Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox v5 08/27] notify: smtp: add state handling logic Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox v5 09/27] notify: smtp: add XOAUTH2 authentication support Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox-perl-rs v5 10/27] pve-rs: notify: smtp: add OAuth2 parameters to bindings Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox-perl-rs v5 11/27] pve-rs: notify: add binding for triggering state refresh Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox-perl-rs v5 12/27] pve-rs: notify: add binding for initial OAuth2 refresh token exchange Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox-widget-toolkit v5 13/27] utils: add OAuth2 flow handlers Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox-widget-toolkit v5 14/27] utils: oauth2: add callback handler Arthur Bied-Charreton
2026-05-05 8:32 ` Arthur Bied-Charreton [this message]
2026-05-05 8:32 ` [PATCH pve-manager v5 16/27] notifications: smtp: api: add XOAUTH2 parameters Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH pve-manager v5 17/27] notifications: add endpoint for initial OAuth2 refresh token exchange Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH pve-manager v5 18/27] pveupdate: refresh notification targets' OAuth2 state Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH pve-manager v5 19/27] login: handle OAuth2 callback Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH pve-manager v5 20/27] fix #7238: notifications: smtp: add XOAUTH2 support Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox-backup v5 21/27] notifications: add XOAUTH2 parameters to endpoints Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox-backup v5 22/27] notifications: add endpoint for initial OAuth2 refresh token exchange Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox-backup v5 23/27] login: handle OAuth2 callback Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox-backup v5 24/27] fix #7238: notifications: smtp: add XOAUTH2 support Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox-backup v5 25/27] daily-update: refresh OAuth2 state for SMTP notification endpoints Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH proxmox-backup v5 26/27] notifications: add OAuth2 section to SMTP targets docs Arthur Bied-Charreton
2026-05-05 8:32 ` [PATCH pve-docs v5 27/27] " Arthur Bied-Charreton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260505083248.36450-16-a.bied-charreton@proxmox.com \
--to=a.bied-charreton@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox