From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id E2BA91FF141 for ; Tue, 05 May 2026 10:36:54 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 9AB581D497; Tue, 5 May 2026 10:34:11 +0200 (CEST) From: Arthur Bied-Charreton To: pve-devel@lists.proxmox.com, pbs-devel@lists.proxmox.com Subject: [PATCH proxmox-backup v5 22/27] notifications: add endpoint for initial OAuth2 refresh token exchange Date: Tue, 5 May 2026 10:32:43 +0200 Message-ID: <20260505083248.36450-23-a.bied-charreton@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260505083248.36450-1-a.bied-charreton@proxmox.com> References: <20260505083248.36450-1-a.bied-charreton@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.260 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods POISEN_SPAM_PILL 0.1 Meta: its spam POISEN_SPAM_PILL_1 0.1 random spam to be learned in bayes POISEN_SPAM_PILL_3 0.1 random spam to be learned in bayes RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record Message-ID-Hash: LKO5UPENMC5O6I4XZI5MT2YPWFRBWD4P X-Message-ID-Hash: LKO5UPENMC5O6I4XZI5MT2YPWFRBWD4P X-MailFrom: abied-charreton@jett.proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe:
Expose endpoint under /config/notifications/smtp-oauth2-token to exchange the initial authorization code for a refresh token. Azure AD's "Web" client type, which we require in order to be able to keep getting new access tokens in the backend without requiring re-authorization by users, rejects browser-originated token requests, so this must run on the backend.
Signed-off-by: Arthur Bied-Charreton
---
 src/api2/config/notifications/mod.rs | 1 +
 src/api2/config/notifications/smtp.rs | 65 ++++++++++++++++++++++++++-
 2 files changed, 65 insertions(+), 1 deletion(-)
diff --git a/src/api2/config/notifications/mod.rs b/src/api2/config/notifications/mod.rs
index 2b94f715..a05c8982 100644
--- a/src/api2/config/notifications/mod.rs
+++ b/src/api2/config/notifications/mod.rs
@@ -29,6 +29,7 @@ const SUBDIRS: SubdirMap = &sorted!([
 ("endpoints", &ENDPOINT_ROUTER),
 ("matcher-fields", &FIELD_ROUTER),
 ("matcher-field-values", &VALUE_ROUTER),
+ ("smtp-oauth2-token", &smtp::OAUTH2_TOKEN_ROUTER),
 ("targets", &targets::ROUTER),
 ("matchers", &matchers::ROUTER),
 ]);
diff --git a/src/api2/config/notifications/smtp.rs b/src/api2/config/notifications/smtp.rs
index 4d88bd65..0de23241 100644
--- a/src/api2/config/notifications/smtp.rs
+++ b/src/api2/config/notifications/smtp.rs
@@ -5,7 +5,7 @@ use proxmox_notify::endpoints::smtp::{
 DeleteableSmtpProperty, SmtpConfig, SmtpConfigUpdater, SmtpPrivateConfig,
 SmtpPrivateConfigUpdater,
 };
-use proxmox_notify::schema::ENTITY_NAME_SCHEMA;
+use proxmox_notify::{endpoints::smtp::SmtpAuthMethod, schema::ENTITY_NAME_SCHEMA};
 use proxmox_router::{Permission, Router, RpcEnvironment};
 use proxmox_schema::api;
@@ -219,3 +219,66 @@ pub const ROUTER: Router = Router::new()
 .get(&API_METHOD_LIST_ENDPOINTS)
 .post(&API_METHOD_ADD_ENDPOINT)
 .match_all("name", &ITEM_ROUTER);
+
+#[api(
+ protected: true,
+ input: {
+ properties: {
+ "auth-method": {
+ type: SmtpAuthMethod,
+ },
+ "client-id": {
+ description: "OAuth2 client ID.",
+ type: String,
+ },
+ "client-secret": {
+ description: "OAuth2 client secret.",
+ type: String,
+ },
+ "tenant-id": {
+ description: "Microsoft tenant ID (required for microsoft-oauth2).",
+ type: String,
+ optional: true,
+ },
+ "authorization-code": {
+ description: "Authorization code returned by the IdP.",
+ type: String,
+ },
+ "redirect-uri": {
+ description: "Redirect URI used in the authorization request.",
+ type: String,
+ },
+ },
+ },
+ returns: {
+ description: "OAuth2 refresh token",
+ type: String,
+ },
+ access: {
+ permission: &Permission::Privilege(&["system", "notifications"], PRIV_SYS_MODIFY, false),
+ },
+)]
+/// Exchange an OAuth2 authorization code for a refresh token.
+///
+/// The token request is performed server-side so that providers (notably Azure AD
+/// Web app registrations) which forbid cross-origin token redemption accept it.
+pub fn exchange_oauth2_code(
+ auth_method: SmtpAuthMethod,
+ client_id: String,
+ client_secret: String,
+ tenant_id: Option,
+ authorization_code: String,
+ redirect_uri: String,
+) -> Result {
+ proxmox_notify::api::smtp::exchange_oauth2_code(
+ auth_method,
+ client_id,
+ client_secret,
+ tenant_id,
+ authorization_code,
+ redirect_uri,
+ )
+ .map_err(Into::into)
+}
+
+pub const OAUTH2_TOKEN_ROUTER: Router = Router::new().post(&API_METHOD_EXCHANGE_OAUTH2_CODE);
-- 2.47.3
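Review bot: `client-secret` and `authorization-code` are credentials, yet the `#[api]` schema declares them as plain `String` properties indistinguishable from `client-id`, so schema consumers (generated API docs, CLI help, any parameter dumping in error or debug output) have no signal to treat them as sensitive; if the project's schema types provide a password/secret string format, both properties should use it, and their descriptions should say the value is write-only. The returned refresh token is likewise a long-lived credential that the doc comment does not describe beyond "OAuth2 refresh token"; add something like `/// The returned refresh token is handed back to the caller and must be stored in the endpoint's private config; this call does not persist it.` — the "does not persist" part is inferred from the body, which only forwards to `proxmox_notify::api::smtp::exchange_oauth2_code`, so confirm it against that function. `tenant-id` is documented as "required for microsoft-oauth2" but is schema-optional, so that check presumably lives in the library; an `# Errors` section stating that a missing tenant ID for the Microsoft method and an IdP rejection of the code both surface as `Err` would make the contract visible at this layer.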