Re: [PATCH docs/manager/proxmox{,-perl-rs,-widget-toolkit,-backup} v3 00/23] fix #7238: Add XOAUTH2 authentication support for SMTP notification targets

[Arthur Bied-Charreton <a.bied-charreton@proxmox.com>]

On Tue, Apr 21, 2026 at 10:40:57AM +0200, Lukas Wagner wrote:
> On Wed Apr 15, 2026 at 9:01 AM CEST, Arthur Bied-Charreton wrote:
> > This series adds XOAUTH2 support for SMTP notification targets in PVE
> > and PBS, motivated by Microsoft's upcoming deprecation of basic
> > authentication for SMTP [0]. Google and Microsoft are supported as
> > OAuth2 providers.
> >
> > The main challenge is the OAuth2 refresh tokens management. The
> > implementations differ from provider to provider, and for Microsoft
> > specifically, the token needs to be writable by proxmox-notify, since
> > Microsoft Exchange Online OAuth2 rotates it at every use.
> >
> > This series solves this by introducing state files. Each SMTP endpoint
> > gets its own to avoid having to lock all endpoints every time a state
> > update is made (which can be on every notification for Microsoft
> > targets). These files are managed entirely from the Rust side.
> >
> > Tokens are refreshed every time a notification is sent, and proactively
> > via pveupdate/proxmox-backup-daily-update. State file updates are
> > atomic (sys::fs::replace_file).
> >
> > Note that this is technically racy, since multiple notifications could
> > be sent at the same time from different nodes, but that is okay in
> > practice given the implementations of the providers we support:
> >
> > * Google: The token is refreshed in-place, meaning its lifetime is
> >   extended at every use without it being *actually* rotated [1], so no
> >   changes to the state file.
> > * Microsoft: The token is rotated at each request, however tokens have
> >   a fixed lifetime of 90 days, meaning the old token can still be used.
> >   Concurrent access just means we are letting the last updater win, but
> >   in both cases we end up with a valid token that can be used for
> >   subsequent exchanges [2].
> >
> 
> 
> Tested these changes through PBS (since PVE already worked flawless
> in the last versions). Worked fine, but I stumbled across a bug where
> after authorizing the OAuth2 endpoint, the `PBSAuthToken` was lost in
> the Web UI after the redirect, leading to being kicked out of the
> session. We discussed the issue off-list and Arthur already found the
> solution, which he will include in v4.
> 
> The patches itself worked well, tested them against Google.
> 
> The code also looks good to me, left some minor notes that should be
> addressed for the next version. Did not do a deep review this time,
> since most of the code was already in a very good shape in v2.
> 
> 
> Reviewed-by: Lukas Wagner <l.wagner@proxmox.com>
> 
> (through PBS):
> Tested-by: Lukas Wagner <l.wagner@proxmox.com>


I overlooked a detail in the PBS login logic which leads to OpenID 
logins and SMTP OAuth2 redirects being confused. I will explicitly 
check for the oauth2 prefix in the channelName state parameter to 
differentiate properly between the two, as well as address you other
review comments in v4.

Thanks a lot for the review!