[pve-devel] [PATCH pve-access-control v2 1/1] fix #5076: Changed audiences to an array
Alexander Abraham
a.abraham at proxmox.com
Mon Jun 2 16:14:57 CEST 2025
The API schema was updated so that audiences are treated
as an array of strings. The code for parsing audiences was
updated accordingly, so that audiences are also handled as an
array of strings that must match a specific format.
Signed-off-by: Alexander Abraham <a.abraham at proxmox.com>
---
src/PVE/API2/OpenId.pm | 5 ++++-
src/PVE/Auth/OpenId.pm | 11 ++++++++++-
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/PVE/API2/OpenId.pm b/src/PVE/API2/OpenId.pm
index 77410e6..97bac7c 100644
--- a/src/PVE/API2/OpenId.pm
+++ b/src/PVE/API2/OpenId.pm
@@ -45,6 +45,10 @@ my $lookup_openid_auth = sub {
$openid_config->{acr_values} = [ PVE::Tools::split_list($acr) ];
}
+ if (defined(my $audiences = $config->{'audiences'})) {
+ $openid_config->{audiences} = $config->{'audiences'}
+ }
+
my $openid = PVE::RS::OpenId->discover($openid_config, $redirect_url);
return ($config, $openid);
};
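Review bot: The new condition declares `my $audiences` but the body on the next line then reads `$config->{'audiences'}` again, so the lexical is assigned and never used; the body should be `$openid_config->{audiences} = $audiences;` (the trailing semicolon is also missing, which only works because it is the last statement in the block). The `my` inside an `if` condition stays visible until the end of the enclosing anonymous sub, so the unused name is also a small scoping wart. Note that the array reference is passed through to `PVE::RS::OpenId->discover` as-is rather than copied, which is fine as long as the Rust side does not mutate it. The enclosing `$lookup_openid_auth` sub starts outside this hunk.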
@@ -169,7 +173,6 @@ __PACKAGE__->register_method ({
my $redirect_url = extract_param($param, 'redirect-url');
my ($config, $openid) = $lookup_openid_auth->($realm, $redirect_url);
-
my $info = $openid->verify_authorization_code($param->{code}, $private_auth_state);
my $subject = $info->{'sub'};
diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm
index c8e4db9..4000142 100755
--- a/src/PVE/Auth/OpenId.pm
+++ b/src/PVE/Auth/OpenId.pm
@@ -63,6 +63,15 @@ sub properties {
pattern => '^[^\x00-\x1F\x7F <>#"]*$', # Prohibit characters not allowed in URI RFC 2396.
optional => 1,
},
+ 'audiences' => {
+ description => "Specifies the authentication claims neccessary for checking the privileges the requesting user has.",
+ type => 'array',
+ 'items' => {
+ type => 'string',
+ pattern => '^[a-zA-Z0-9-_+.]+$',
+ optional => 1
+ }
+ },
};
}
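Review bot: The `optional => 1` inside the `items` schema has no meaning for an array element schema; optionality belongs to the property itself (and is already declared for this realm type by the `"audiences" => { optional => 1 }` entry in the `options` hunk below), so the line should be dropped to avoid suggesting that individual entries may be absent. The item pattern `'^[a-zA-Z0-9-_+.]+$'` places the hyphen right after the `0-9` range, where Perl treats it as a literal, but it reads like a second range; writing it as `'^[a-zA-Z0-9_+.-]+$'` makes the intent unambiguous. The description has a typo ("neccessary") and describes a privilege check rather than what the property holds; if the Rust side matches these against the token's `aud` claim, something like `description => "List of accepted audience values (the token's 'aud' claim) for this realm."` would be clearer, but that should be confirmed against the `PVE::RS::OpenId` implementation. Whether the realm section-config format round-trips a `type => 'array'` property is not visible here and is worth a quick check, since the sibling list-valued properties (`acr-values`, `scopes`) are strings split at parse time.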
@@ -76,6 +85,7 @@ sub options {
prompt => { optional => 1 },
scopes => { optional => 1 },
"acr-values" => { optional => 1 },
+ "audiences" => { optional => 1 },
default => { optional => 1 },
comment => { optional => 1 },
};
@@ -83,7 +93,6 @@ sub options {
sub authenticate_user {
my ($class, $config, $realm, $username, $password) = @_;
-
die "OpenID realm does not allow password verification.\n";
}
--
2.39.5