From: Victor Hooi
Date: Fri, 24 Dec 2021 17:45:39 +1100
To: Dietmar Maurer
Cc: Proxmox VE development discussion
Subject: Re: [pve-devel] Groups for OpenID Connect?

Hi,

This endpoint here would be Google Workspace (i.e. Google's OIDC provider).

Currently, in the Proxmox LDAP sync - it translates Google Groups (in the Google Workspace domain) into LDAP groups, which is what we want.

I'm not too familiar with the OIDC - I do know that Google Workspace has its own APIs to look up group membership:

https://stackoverflow.com/questions/16601699/determine-whether-user-is-group-member
https://developers.google.com/admin-sdk/directory/v1/guides/manage-groups#get_all_member_groups

It sounds like that might have to be added into Proxmox, though?

Thanks,
Victor

On Fri, 24 Dec 2021 at 17:22, Dietmar Maurer wrote:

> > However, is there any support for groups in OpenID Connect, or a similar concept?
>
> In OpenID, it is possible to request "scopes" from the server, which can
> then send additional data (claims).
>
> But I am unsure if and how people use those systems to manage groups. So
> what kind of OpenID server do you use, and how does it store the group
> information?
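An added example, not part of the original message and not Proxmox code: one way a relying party could turn a group claim into local group memberships once a provider returns one for a requested scope. The claim name `groups`, the name pattern and both function names are assumptions, and the sample claims are constructed.

```python
import re

# Assumption: local group IDs are limited to this conservative character set.
GROUP_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def groups_from_claims(claims, claim_name="groups"):
    """Return (accepted, rejected) group names from verified token claims.

    `claims` must come from an ID token or userinfo response whose signature,
    issuer, audience and expiry were already validated by the OIDC library.
    """
    raw = claims.get(claim_name)
    if raw is None:
        return [], []              # provider sent no group claim
    if isinstance(raw, str):
        raw = [raw]                # some providers send a single string
    if not isinstance(raw, list):
        return [], [repr(raw)]     # unexpected type: trust nothing
    accepted, rejected = set(), set()
    for item in raw:
        if isinstance(item, str) and GROUP_NAME_RE.fullmatch(item):
            accepted.add(item)
        else:
            rejected.add(repr(item))
    return sorted(accepted), sorted(rejected)


def plan_membership(current, asserted, known_groups):
    """Compute (to_add, to_remove) so stale memberships are revoked.

    Assumption: every membership in `current` is managed by the provider.
    """
    wanted = set(asserted) & set(known_groups)   # never auto-create groups
    return sorted(wanted - set(current)), sorted(set(current) - wanted)


# Constructed sample claims (not real provider output).
SAMPLE_WITH_GROUPS = {
    "sub": "1234", "email": "alice@example.com",
    "groups": ["admins", "ops", "bad name;", 42],
}
SAMPLE_WITHOUT_GROUPS = {"sub": "1234", "email": "alice@example.com"}

if __name__ == "__main__":
    ok, bad = groups_from_claims(SAMPLE_WITH_GROUPS)
    print("accepted:", ok, "rejected:", bad)
    print(plan_membership(["ops", "legacy"], ok, {"admins", "ops", "dev"}))
```

Names the provider asserts but that do not exist locally are ignored rather than created, so a provider-side change cannot introduce new local groups on its own.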