From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id A57741FF13F for ; Thu, 23 Apr 2026 14:24:48 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 4C345153ED; Thu, 23 Apr 2026 14:24:43 +0200 (CEST) Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Date: Thu, 23 Apr 2026 14:24:32 +0200 Message-Id: Subject: Re: [PATCH proxmox-widget-toolkit v4 11/24] utils: Add OAuth2 flow handlers To: "Arthur Bied-Charreton" , , X-Mailer: aerc 0.20.0 References: <20260421115957.402589-1-a.bied-charreton@proxmox.com> <20260421115957.402589-12-a.bied-charreton@proxmox.com> In-Reply-To: <20260421115957.402589-12-a.bied-charreton@proxmox.com> From: "Shannon Sterz" X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1776946983719 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.121 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [oauth2.googleapis.com,mozilla.org] Message-ID-Hash: T66OHFFEWKYCIRT35NDDRR2P65XJXSFT X-Message-ID-Hash: T66OHFFEWKYCIRT35NDDRR2P65XJXSFT X-MailFrom: s.sterz@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: On Tue Apr 21, 2026 at 1:59 PM CEST, Arthur Bied-Charreton wrote: > Introduce the Proxmox.OAuth2 singleton supporting Google and Microsoft > OAuth2. The flow is handled by opening a new window with the > authorization URL, and expecting to receive the resulting authorization > code from the redirect handler via a BroadcastChannel [0], which allows > communication between any two browsing contexts. > > [0] > https://developer.mozilla.org/en-US/docs/Web/API/BroadcastChannel > > Signed-off-by: Arthur Bied-Charreton > --- > src/Utils.js | 91 ++++++++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 91 insertions(+) > > diff --git a/src/Utils.js b/src/Utils.js > index 5457ffa..ceed4c8 100644 > --- a/src/Utils.js > +++ b/src/Utils.js > @@ -1723,6 +1723,97 @@ Ext.define('Proxmox.Utils', { > }, > }); > > +Ext.define('Proxmox.OAuth2', { > + singleton: true, > + > + handleGoogleFlow: function (clientId, clientSecret) { > + return this._handleFlow({ > + clientId, > + clientSecret, > + authUrl: 'https://accounts.google.com/o/oauth2/v2/auth', > + tokenUrl: 'https://oauth2.googleapis.com/token', > + scope: 'https://mail.google.com', > + extraAuthParams: { > + access_type: 'offline', > + prompt: 'consent', > + }, > + }); > + }, > + > + handleMicrosoftFlow: function (clientId, clientSecret, tenantId) { > + return this._handleFlow({ > + clientId, > + clientSecret, > + authUrl: `https://login.microsoftonline.com/${tenantId}/oaut= h2/v2.0/authorize`, > + tokenUrl: `https://login.microsoftonline.com/${tenantId}/oau= th2/v2.0/token`, > + scope: 'https://outlook.office.com/SMTP.Send offline_access'= , > + extraAuthParams: { > + prompt: 'consent', > + }, > + }); > + }, > + > + _handleFlow: function (config) { > + return new Promise((resolve, reject) =3D> { > + let redirectUri =3D window.location.origin; > + let channelName =3D `oauth2_${crypto.randomUUID()}`; > + let state =3D encodeURIComponent(JSON.stringify({ channelNam= e })); > + > + let authParams =3D new URLSearchParams({ > + client_id: config.clientId, > + response_type: 'code', > + redirect_uri: redirectUri, > + scope: config.scope, > + state, > + ...config.extraAuthParams, > + }); > + > + let authUrl =3D `${config.authUrl}?${authParams}`; > + > + // Opens OAuth2 authorization window. The app's redirect han= dler must > + // extract the authorization code from the callback URL and = send it via > + // the BroadcastChannel whose name we passed along as a stat= e parameter. > + let channel =3D new BroadcastChannel(channelName); > + let popup =3D window.open(authUrl); > + if (!popup) { > + reject(new Error(gettext('Could not open authentication = window'))); > + return; > + } > + > + channel.addEventListener('message', async (event) =3D> { > + if (popup && !popup.closed) { > + popup.close(); > + } > + channel.close(); > + > + try { > + let response =3D await fetch(config.tokenUrl, { > + method: 'POST', > + headers: { > + 'Content-Type': 'application/x-www-form-urle= ncoded', > + }, > + body: new URLSearchParams({ > + grant_type: 'authorization_code', > + code: event.data.code, should we check if code is set here properly? i know the sending code always sets this in theory, but it might be safer to check here again before triggering a request. also if i remember correctly there was an issue with using the async fetch api in extjs, maybe @Dominik Csapak could take a look if this is fine here. > + client_id: config.clientId, > + client_secret: config.clientSecret, > + redirect_uri: redirectUri, > + }), > + }); > + > + let tokens =3D await response.json(); > + if (!tokens.refresh_token) { > + reject(tokens.error_description || gettext('Toke= n exchange failed')); > + } > + resolve(tokens.refresh_token); > + } catch (error) { > + reject(error); > + } > + }); > + }); > + }, > +}); > + > Ext.define('Proxmox.Async', { > singleton: true, >