From: "Lukas Wagner"
To: "Arthur Bied-Charreton"
Date: Mon, 23 Mar 2026 13:25:58 +0100
Subject: Re: [PATCH cluster/docs/manager/proxmox{,-perl-rs,-widget-toolkit} 00/17] fix #7238: Add XOAUTH2 authentication support for SMTP notification targets
In-Reply-To: <20260213160415.609868-1-a.bied-charreton@proxmox.com>
List-Id: Proxmox VE development discussion

On Fri Feb 13, 2026 at 5:03 PM CET, Arthur Bied-Charreton wrote:
> This series adds XOAUTH2 support for SMTP notification targets, motivated by Microsoft's
> upcoming deprecation of basic authentication for SMTP [0]. Google and Microsoft are supported as
> OAuth2 providers.
>
> OAuth2 refresh tokens may need to be rotated, therefore they are treated as state, not config.
> They are persisted in separate JSON files and managed entirely from the Rust side. Each endpoint
> has its own state file to avoid having to lock the entire file system every time a state update
> is made.
>
> The oauth2 crate is used with a local ureq backend (newtype over ureq::Agent). oauth2's ureq
> feature is currently patched out in Debian due to a ureq 2/3 version mismatch (oauth2 still
> depends on ureq 2.x, and Debian only packages 3.x).
>
> Since tokens that are not used for extended periods of time may expire, token refresh is triggered
> proactively via pveupdate, additionally to every time a notification is sent, to prevent
> unused endpoints' tokens from expiring.
>
> The UI part of the OAuth2 flow is made opt-in in order to allow adding it only to PVE, and later
> to PBS in a follow-up series.
>
> This series requires the following version requirement bumps:
> * pve-manager requires bumped proxmox-widget-toolkit and proxmox-perl-rs
> * proxmox-perl-rs requires bumped proxmox-notify
>
> Known issues:
> - Microsoft OAuth2 support is untested (no test tenant, somehow impossible to create a free test
>   account). It is implemented by following the Microsoft Entra ID docs, but there might be something
>   I overlooked. I would highly appreciate it if someone was able to test it with their account.
>

Tested this with Gmail, seems to work fine!

Tested-by: Lukas Wagner

Very nice work overall!

I also verified that the feature-flag opt-in approach for the GUI works.
I installed the widget-toolkit .deb on a PBS installation, existing
SMTP with plain auth continued to work fine there.

See the individual patches for some suggestions for the next version,
but this is already in quite good shape, I think!
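
The per-endpoint token state described in the quoted cover letter, as an added example that is not part of this thread or of the proxmox-notify code: one state file per endpoint, written atomically with owner-only permissions, keeping the old refresh token when the provider does not rotate it. The function names, file layout and JSON keys are assumptions, and the token value in `main` is constructed.

```rust
// Added example, not proxmox-notify code: names, file layout and JSON keys are hypothetical.
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::OpenOptionsExt;
use std::path::{Path, PathBuf};

#[derive(Debug, Clone, PartialEq)]
pub struct TokenState {
    pub refresh_token: String,
    pub last_refreshed: u64, // Unix epoch seconds
}

/// One state file per endpoint, so an update touches only that endpoint's file.
pub fn state_path(dir: &Path, endpoint: &str) -> io::Result<PathBuf> {
    // The name becomes a file name: reject anything that could escape `dir`.
    let ok = |c: char| c.is_ascii_alphanumeric() || c == '-' || c == '_';
    if endpoint.is_empty() || !endpoint.chars().all(ok) {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "bad endpoint name"));
    }
    Ok(dir.join(format!("{endpoint}.json")))
}

/// A token response may carry a rotated refresh token or none; keep the old one if none.
pub fn rotate(old: &TokenState, new_refresh: Option<&str>, now: u64) -> TokenState {
    let refresh_token = new_refresh.unwrap_or(&old.refresh_token).to_string();
    TokenState { refresh_token, last_refreshed: now }
}

/// Write a mode-0600 temp file, then rename, so readers never see a partial token.
pub fn persist(dir: &Path, endpoint: &str, st: &TokenState) -> io::Result<PathBuf> {
    let path = state_path(dir, endpoint)?;
    let tmp = path.with_extension("json.tmp");
    let _ = fs::remove_file(&tmp); // stale leftover from an interrupted write
    // Assumption: tokens are printable ASCII, so only `\` and `"` need escaping.
    let esc = st.refresh_token.replace('\\', "\\\\").replace('"', "\\\"");
    let json = format!("{{\"refresh-token\":\"{esc}\",\"last-refreshed\":{}}}\n", st.last_refreshed);
    // create_new (O_EXCL) refuses to follow a pre-planted symlink at `tmp`.
    let mut f = OpenOptions::new().write(true).create_new(true).mode(0o600).open(&tmp)?;
    f.write_all(json.as_bytes())?;
    f.sync_all()?;
    fs::rename(&tmp, &path)?;
    Ok(path)
}

fn main() -> io::Result<()> {
    let st = TokenState { refresh_token: "constructed-token".into(), last_refreshed: 0 };
    let path = persist(&std::env::temp_dir(), "example-smtp", &rotate(&st, None, 1))?;
    println!("wrote {}", path.display());
    Ok(())
}
```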