[pmg-devel] [PATCH pmg-api v4 5/10] config: add openid type realm
Markus Frank
m.frank at proxmox.com
Tue Jan 14 10:30:05 CET 2025
If the autocreate option is enabled, the user is automatically created
with the Audit role. To change the role for automatically created users,
set the autocreate-role option to the preferred role.
Signed-off-by: Markus Frank <m.frank at proxmox.com>
---
src/Makefile | 1 +
src/PMG/AccessControl.pm | 2 +
src/PMG/Auth/OpenId.pm | 95 ++++++++++++++++++++++++++++++++++++++++
3 files changed, 98 insertions(+)
create mode 100755 src/PMG/Auth/OpenId.pm
diff --git a/src/Makefile b/src/Makefile
index 659a666..3ed0ea1 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -169,6 +169,7 @@ LIBSOURCES = \
PMG/Auth/Plugin.pm \
PMG/Auth/PAM.pm \
PMG/Auth/PMG.pm \
+ PMG/Auth/OpenId.pm \
SOURCES = ${LIBSOURCES} ${CLI_BINARIES} ${TEMPLATES_FILES} ${CONF_MANS} ${CLI_MANS} ${SERVICE_MANS} ${SERVICE_UNITS} ${TIMER_UNITS} pmg-sources.list pmg-initramfs.conf
diff --git a/src/PMG/AccessControl.pm b/src/PMG/AccessControl.pm
index ced5f9a..534385e 100644
--- a/src/PMG/AccessControl.pm
+++ b/src/PMG/AccessControl.pm
@@ -14,9 +14,11 @@ use PMG::LDAPSet;
use PMG::TFAConfig;
use PMG::Auth::Plugin;
+use PMG::Auth::OpenId;
use PMG::Auth::PAM;
use PMG::Auth::PMG;
+PMG::Auth::OpenId->register();
PMG::Auth::PAM->register();
PMG::Auth::PMG->register();
PMG::Auth::Plugin->init();
diff --git a/src/PMG/Auth/OpenId.pm b/src/PMG/Auth/OpenId.pm
new file mode 100755
index 0000000..bbc4e38
--- /dev/null
+++ b/src/PMG/Auth/OpenId.pm
@@ -0,0 +1,95 @@
+package PMG::Auth::OpenId;
+
+use strict;
+use warnings;
+
+use PVE::Tools;
+use PMG::Auth::Plugin;
+
+use base qw(PMG::Auth::Plugin);
+
+sub type {
+ return 'oidc';
+}
+
+sub properties {
+ return {
+ 'issuer-url' => {
+ description => "OpenID Connect Issuer Url",
+ type => 'string',
+ maxLength => 256,
+ },
+ 'client-id' => {
+ description => "OpenID Connect Client ID",
+ type => 'string',
+ maxLength => 256,
+ },
+ 'client-key' => {
+ description => "OpenID Connect Client Key",
+ type => 'string',
+ optional => 1,
+ maxLength => 256,
+ },
+ autocreate => {
+ description => "Automatically create users if they do not exist.",
+ optional => 1,
+ type => 'boolean',
+ default => 0,
+ },
+ 'autocreate-role' => {
+ description => "Automatically create users with a specific role.",
+ type => 'string',
+ enum => ['admin', 'qmanager', 'audit', 'helpdesk'],
+ optional => 1,
+ },
+ 'username-claim' => {
+ description => "OpenID Connect claim used to generate the unique username.",
+ type => 'string',
+ optional => 1,
+ },
+ prompt => {
+ description => "Specifies whether the Authorization Server prompts the End-User for"
+ ." reauthentication and consent.",
+ type => 'string',
+ pattern => '(?:none|login|consent|select_account|\S+)', # \S+ is the extension variant
+ optional => 1,
+ },
+ scopes => {
+ description => "Specifies the scopes (user details) that should be authorized and"
+ ." returned, for example 'email' or 'profile'.",
+ type => 'string', # format => 'some-safe-id-list', # FIXME: TODO
+ default => "email profile",
+ optional => 1,
+ },
+ 'acr-values' => {
+ description => "Specifies the Authentication Context Class Reference values that the"
+ ."Authorization Server is being requested to use for the Auth Request.",
+ type => 'string', # format => 'some-safe-id-list', # FIXME: TODO
+ optional => 1,
+ },
+ };
+}
+
+sub options {
+ return {
+ 'issuer-url' => {},
+ 'client-id' => {},
+ 'client-key' => { optional => 1 },
+ autocreate => { optional => 1 },
+ 'autocreate-role' => { optional => 1 },
+ 'username-claim' => { optional => 1, fixed => 1 },
+ prompt => { optional => 1 },
+ scopes => { optional => 1 },
+ 'acr-values' => { optional => 1 },
+ default => { optional => 1 },
+ comment => { optional => 1 },
+ };
+}
+
+sub authenticate_user {
+ my ($class, $config, $realm, $username, $password) = @_;
+
+ die "OpenID Connect realm does not allow password verification.\n";
+}
+
+1;
--
2.39.5
More information about the pmg-devel
mailing list