From: Arthur Bied-Charreton
To: pve-devel@lists.proxmox.com, pbs-devel@lists.proxmox.com
Subject: [PATCH pve-manager v5 17/27] notifications: add endpoint for initial OAuth2 refresh token exchange
Date: Tue, 5 May 2026 10:32:38 +0200
Message-ID: <20260505083248.36450-18-a.bied-charreton@proxmox.com>
X-Mailer: git-send-email 2.47.3
In-Reply-To: <20260505083248.36450-1-a.bied-charreton@proxmox.com>
References: <20260505083248.36450-1-a.bied-charreton@proxmox.com>
List-Id: Proxmox VE development discussion

Expose endpoint under /cluster/notifications/smtp-oauth2-token to exchange the initial authorization code for a refresh token.

Azure AD's "Web" client type, which we require in order to be able to keep getting new access tokens in the backend without requiring re-authorization by users, rejects browser-originated token requests, so this must run on the backend.

Signed-off-by: Arthur Bied-Charreton
---
 PVE/API2/Cluster/Notifications.pm | 77 +++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)

diff --git a/PVE/API2/Cluster/Notifications.pm b/PVE/API2/Cluster/Notifications.pm
index 8e118483..830070e9 100644
--- a/PVE/API2/Cluster/Notifications.pm
+++ b/PVE/API2/Cluster/Notifications.pm
@@ -81,6 +81,7 @@ __PACKAGE__->register_method({ { name => 'targets' }, { name => 'matcher-fields' }, { name => 'matcher-field-values' }, + { name => 'smtp-oauth2-token' }, ]; return $result; 
@@ -321,6 +322,82 @@ __PACKAGE__->register_method({ }, }); +__PACKAGE__->register_method({ + name => 'smtp_oauth2_token', + path => 'smtp-oauth2-token', + protected => 1, + method => 'POST', + description => 'Exchanges the initial OAuth2 authorization code for a refresh token', + permissions => { + check => [ + 'and', + ['perm', '/mapping/notifications', ['Mapping.Modify']], + [ + 'or', + ['perm', '/', ['Sys.Audit', 'Sys.Modify']], + ['perm', '/', ['Sys.AccessNetwork']], + ], + ], + }, + parameters => { + additionalProperties => 0, + properties => { + 'auth-method' => { + description => 'Authentication method', + type => 'string', + enum => [qw(google-oauth2 microsoft-oauth2)], + }, + 'client-id' => { + description => 'OAuth2 client ID', + type => 'string', + }, + 'client-secret' => { + description => 'OAuth2 client secret', + type => 'string', + }, + 'tenant-id' => { + description => 'OAuth2 tenant ID, only required for Microsoft OAuth2 endpoints', + type => 'string', + optional => 1, + }, + 'authorization-code' => { + description => 'Initial OAuth2 authorization code', + type => 'string', + }, + 'redirect-uri' => { + description => "OAuth2 redirect URI", + type => 'string', + }, + }, + }, + returns => { type => 'string' }, + code => sub { + my ($param) = @_; + + my $auth_method = extract_param($param, 'auth-method'); + my $client_id = extract_param($param, 'client-id'); + my $client_secret = extract_param($param, 'client-secret'); + my $tenant_id = extract_param($param, 'tenant-id'); + my $authorization_code = extract_param($param, 'authorization-code'); + my $redirect_uri = extract_param($param, 'redirect-uri'); + + my $refresh_token = eval { + my $config = PVE::Notify::read_config(); + $config->exchange_smtp_oauth2_code( + $auth_method, + $client_id, + $client_secret, + $tenant_id, + $authorization_code, + $redirect_uri, + ); + }; + raise_api_error($@) if $@; + + return $refresh_token; + }, +}); + __PACKAGE__->register_method({ name => 'test_target', path => 
'targets/{name}/test', -- 2.47.3
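Review bot: in the `smtp_oauth2_token` hunk, `tenant-id` is declared `optional => 1` with the description "only required for Microsoft OAuth2 endpoints", but the handler passes `$tenant_id` straight into `$config->exchange_smtp_oauth2_code(...)` without checking that it is set when `auth-method` is `microsoft-oauth2`. Unless that call is known to raise a clear error for an undefined tenant, add an explicit parameter check before the `eval`, for example `raise_param_exc({ 'tenant-id' => "required for auth-method 'microsoft-oauth2'" }) if $auth_method eq 'microsoft-oauth2' && !defined($tenant_id);`, so the caller gets a proper parameter error instead of whatever the downstream token request reports. Two smaller points in the same hunk: `returns => { type => 'string' }` has no description saying that the returned string is the refresh token the caller must store in the target configuration, and the `'redirect-uri'` description uses double quotes where every other description in the block uses single quotes.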