[pmg-devel] [PATCH pve-common/perl-rs/pmg-api/widget-toolkit/pmg-gui v6 0/12] fix #3892: OpenID Connect
Lukas Wagner
l.wagner at proxmox.com
Wed Feb 26 12:30:23 CET 2025
On 2025-02-26 12:08, Mira Limbeck wrote:
> Gave it a quick test with Authentik as OIDC provider.
> Login with a non-existent (on PMG) user without an email address works now.
> Setting the username-claim to `email` fails with:
> ```
> openid connect authentication failure; rhost=<host> msg=autocreate
> openid connect user failed: verify entry failed
> username: value does not match the regex pattern
> ```
>
> And setting username-claim to `sub` fails with:
> ```
> openid connect authentication failure; rhost=<host> msg=autocreate
> openid connect user failed: verify entry
> userid: value may only be 64 characters long
> ```
>
> I've documented this in bugzilla [1].
>
>
> [0] https://openid.net/specs/openid-connect-core-1_0.html#IDToken
> [1] https://bugzilla.proxmox.com/show_bug.cgi?id=6200
>
>
Just for the record, tested the same two scenarios against Keycloak:
- username-claim = sub works there, since the generated IDs are shorter (36 chars)
- username-claim = email also does not work, no surprise there
Apart from that it seems to work (but I don't know much about OIDC yet, so maybe
I didn't test some edge cases).
--
- Lukas