[pve-devel] [PATCH proxmox v2 1/1] fix #5076: Added logic to handle OIDC audiences

Shannon Sterz s.sterz at proxmox.com
Tue Jun 3 10:39:17 CEST 2025 

On Mon Jun 2, 2025 at 4:14 PM CEST, Alexander Abraham wrote:
> A field for OIDC audiences was added, logic to handle these audiences,
> and the audiences supplied by an OIDC IDP are validated against
> the audiences a user saves in their realm domains
> configuration.
>
> Signed-off-by: Alexander Abraham <a.abraham at proxmox.com>
> ---
>  proxmox-openid/src/lib.rs | 20 ++++++++++++++++++--
>  1 file changed, 18 insertions(+), 2 deletions(-)
>
> diff --git a/proxmox-openid/src/lib.rs b/proxmox-openid/src/lib.rs
> index fe65fded..fa22638a 100644
> --- a/proxmox-openid/src/lib.rs
> +++ b/proxmox-openid/src/lib.rs
> @@ -53,6 +53,8 @@ pub struct OpenIdConfig {
>      pub prompt: Option<String>,
>      #[serde(skip_serializing_if = "Option::is_none")]
>      pub acr_values: Option<Vec<String>>,
> +    #[serde(skip_serializing_if = "Option::is_none")]
> +    pub audiences: Option<Vec<String>>,

this patch doesn't seem to apply anymore. also is there a reason this
couldn't be:

    #[serde(skip_serializing_if = "Vec::is_empty")]
    pub audiences: Vec<String>,

>  }
>
>  pub struct OpenIdAuthenticator {
> @@ -205,12 +207,26 @@ impl OpenIdAuthenticator {
>              .request(http_client)
>              .map_err(|err| format_err!("Failed to contact token endpoint: {}", err))?;
>
> -        let id_token_verifier: CoreIdTokenVerifier = self.client.id_token_verifier();
>          let id_token_claims: &CoreIdTokenClaims = token_response
>              .extra_fields()
>              .id_token()
>              .expect("Server did not return an ID token")
> -            .claims(&id_token_verifier, &private_auth_state.nonce)
> +            .claims(
> +                &((self.client.id_token_verifier())
> +                    .require_audience_match(true)
> +                    .set_other_audience_verifier_fn(|aud| {
> +                        let curr_aud: &String = aud;
> +                        if &self.config.client_id == curr_aud {
> +                            true
> +                        } else {
> +                            match self.config.audiences.as_ref() {
> +                                Some(confd_auds) => confd_auds.contains(curr_aud),
> +                                None => false,
> +                            }

then this could simply be:

self.config.audiences.contains(curr_aud)

> +                        }
> +                    })),
> +                &private_auth_state.nonce,
> +            )
>              .map_err(|err| format_err!("Failed to verify ID token: {}", err))?;
>
>          let userinfo_claims: GenericUserInfoClaims = self

More information about the pve-devel mailing list