Re: [PATCH docs/manager/proxmox{,-perl-rs,-widget-toolkit,-backup} v3 00/23] fix #7238: Add XOAUTH2 authentication support for SMTP notification targets

["Lukas Wagner" <l.wagner@proxmox.com>]

On Wed Apr 15, 2026 at 9:01 AM CEST, Arthur Bied-Charreton wrote:
> This series adds XOAUTH2 support for SMTP notification targets in PVE
> and PBS, motivated by Microsoft's upcoming deprecation of basic
> authentication for SMTP [0]. Google and Microsoft are supported as
> OAuth2 providers.
>
> The main challenge is the OAuth2 refresh tokens management. The
> implementations differ from provider to provider, and for Microsoft
> specifically, the token needs to be writable by proxmox-notify, since
> Microsoft Exchange Online OAuth2 rotates it at every use.
>
> This series solves this by introducing state files. Each SMTP endpoint
> gets its own to avoid having to lock all endpoints every time a state
> update is made (which can be on every notification for Microsoft
> targets). These files are managed entirely from the Rust side.
>
> Tokens are refreshed every time a notification is sent, and proactively
> via pveupdate/proxmox-backup-daily-update. State file updates are
> atomic (sys::fs::replace_file).
>
> Note that this is technically racy, since multiple notifications could
> be sent at the same time from different nodes, but that is okay in
> practice given the implementations of the providers we support:
>
> * Google: The token is refreshed in-place, meaning its lifetime is
>   extended at every use without it being *actually* rotated [1], so no
>   changes to the state file.
> * Microsoft: The token is rotated at each request, however tokens have
>   a fixed lifetime of 90 days, meaning the old token can still be used.
>   Concurrent access just means we are letting the last updater win, but
>   in both cases we end up with a valid token that can be used for
>   subsequent exchanges [2].
>


Tested these changes through PBS (since PVE already worked flawless
in the last versions). Worked fine, but I stumbled across a bug where
after authorizing the OAuth2 endpoint, the `PBSAuthToken` was lost in
the Web UI after the redirect, leading to being kicked out of the
session. We discussed the issue off-list and Arthur already found the
solution, which he will include in v4.

The patches itself worked well, tested them against Google.

The code also looks good to me, left some minor notes that should be
addressed for the next version. Did not do a deep review this time,
since most of the code was already in a very good shape in v2.


Reviewed-by: Lukas Wagner <l.wagner@proxmox.com>

(through PBS):
Tested-by: Lukas Wagner <l.wagner@proxmox.com>