From: "Shannon Sterz" <s.sterz@proxmox.com>
To: "Shannon Sterz" <s.sterz@proxmox.com>, <pve-devel@lists.proxmox.com>
Subject: Re: [PATCH access-control/manager/proxmox v4 0/3] fix #5076: add support for open id audiences
Date: Tue, 21 Apr 2026 12:25:50 +0200
Message-ID: <DHYRE0MUZGJF.2SEMA6PYXMWNR@proxmox.com>
In-Reply-To: <20260420153332.414620-1-s.sterz@proxmox.com>

just noticed that pbs/pdm will need adaption too to properly support
this. sorry for missing that, will send an updated version.

On Mon Apr 20, 2026 at 5:33 PM CEST, Shannon Sterz wrote:
> this series adapts the original patch series by Alexander Abraham [1]. below is
> the text of the original cover letter:
>
>> fix #5076: Added Open ID audiences
>>
>> This series adds support for handling Open ID audiences as described in bug
>> #5076. PVE's API schema was updated to accept an optional field, an array of
>> strings and the Rust code was also updated to accordingly handle any incoming
>> audiences and compare them to the realm config's audiences. In the realm
>> dialogue for adding an Open ID realm, a new field titled "Audiences" was added
>> so that users can save any audiences in their realm domains config file.
>
> essentially, some open id providers such as zitadel [1] may provide additional
> audiences that their id tokens are valid for instead of just the client id.
> these patches allow setting such additional audiences. if an audience that is
> not explicitly allowed is encountered, the id token is rejected as before.
>
> [1]: https://zitadel.com/
>
> Changelog
> ---------
>
> changes since the last public version of these patches
>
> * rebased on current master
> * see the list of changes made by Shannon Sterz specified in each commit message
>
> [1]: https://lore.proxmox.com/pve-devel/20250603091256.40923-1-a.abraham@proxmox.com/
>
>
> proxmox:
>
> Shannon Sterz (1):
> fix #5076: openid: add logic to handle OIDC audiences
>
> proxmox-openid/src/lib.rs | 21 +++++++++++++++++++--
> 1 file changed, 19 insertions(+), 2 deletions(-)
>
>
> proxmox:
>
> Shannon Sterz (1):
> fix #5076: auth: open id: add an optional "audiences" field
>
> src/PVE/API2/OpenId.pm | 4 ++++
> src/PVE/Auth/OpenId.pm | 12 ++++++++++++
> 2 files changed, 16 insertions(+)
>
>
> proxmox:
>
> Shannon Sterz (1):
> fix #5076: ui: dc: add an optional "audiences" field for open id
> realms
>
> www/manager6/dc/AuthEditOpenId.js | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
>
> Summary over all repositories:
> 4 files changed, 48 insertions(+), 2 deletions(-)
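
The audience rule described in the cover letter, as an added example that is not code from this patch series or from proxmox-openid: the token is accepted only if every `aud` entry is either the client id or one of the realm's configured extra audiences. The names `Aud`, `AudError`, `check_audiences` and the sample values are assumptions made for illustration; requiring the client id itself to be present follows OpenID Connect Core, section 3.1.3.7.

```rust
use std::collections::HashSet;

/// The `aud` claim of an ID token is either one string or an array of strings.
#[derive(Debug)]
pub enum Aud {
    Single(String),
    Many(Vec<String>),
}

#[derive(Debug, PartialEq)]
pub enum AudError {
    Empty,             // the token lists no audience at all
    ClientIdMissing,   // our own client id is not among the audiences
    Untrusted(String), // an audience the realm config does not allow
}

/// Accept the token only if `aud` contains `client_id` and every other entry
/// is in `extra_allowed` (hypothetical stand-in for the realm's "audiences").
pub fn check_audiences(
    client_id: &str,
    extra_allowed: &[&str],
    aud: &Aud,
) -> Result<(), AudError> {
    let token_auds: Vec<&str> = match aud {
        Aud::Single(a) => vec![a.as_str()],
        Aud::Many(list) => list.iter().map(String::as_str).collect(),
    };
    if token_auds.is_empty() {
        return Err(AudError::Empty);
    }
    if !token_auds.contains(&client_id) {
        return Err(AudError::ClientIdMissing);
    }
    let allowed: HashSet<&str> = extra_allowed.iter().copied().collect();
    for a in token_auds {
        // One unknown audience is enough to reject the whole token.
        if a != client_id && !allowed.contains(a) {
            return Err(AudError::Untrusted(a.to_string()));
        }
    }
    Ok(())
}

fn main() {
    // Constructed sample values, not taken from any real provider.
    let aud = Aud::Many(vec!["pve-client".into(), "project-1234".into()]);
    println!("no extra audiences:  {:?}", check_audiences("pve-client", &[], &aud));
    println!("with extra audience: {:?}", check_audiences("pve-client", &["project-1234"], &aud));
}
```
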
Thread overview: 5+ messages
2026-04-20 15:33 Shannon Sterz
2026-04-20 15:33 ` [PATCH proxmox v4 1/3] fix #5076: openid: add logic to handle OIDC audiences Shannon Sterz
2026-04-20 15:33 ` [PATCH access-control v4 2/3] fix #5076: auth: open id: add an optional "audiences" field Shannon Sterz
2026-04-20 15:33 ` [PATCH manager v4 3/3] fix #5076: ui: dc: add an optional "audiences" field for open id realms Shannon Sterz
2026-04-21 10:25 ` Shannon Sterz [this message]