This patch series adds support for groups for OpenID logins. The following options are implemented:

- Configurable claim for retrieving a list of groups and adding them to the user in PVE
- Allowing "synchronization" of groups on login by overriding groups assigned to the user in PVE (this option is off by default)
- Replacing invalid characters in group names with a configurable valid character (by default, this is an underscore '_')

The logic implemented by this patch expects the groups claim in the ID token/userinfo endpoint to send a list of groups. This patch also adds support for using additional claims from the OpenID provider by exposing all additional claims and their values from the ID token (previously only available for the userinfo endpoint). This is necessary for OpenID providers that do not support additional information in the userinfo endpoint.

proxmox/proxmox-openid:

Thomas Skinner (1):
  fix #4411: openid: add library code for openid groups support

 proxmox-openid/src/lib.rs | 55 +++++++++++++++++++++++++++++++++------
 1 file changed, 47 insertions(+), 8 deletions(-)

pve-access-control:

Thomas Skinner (1):
  fix #4411: openid: add logic for openid groups support

 src/PVE/API2/OpenId.pm | 32 ++++++++++++++++++++++++++++++++
 src/PVE/Auth/OpenId.pm | 21 +++++++++++++++++++++
 2 files changed, 53 insertions(+)

pve-docs:

Thomas Skinner (1):
  fix #4411: openid: add docs for openid groups support

 api-viewer/apidata.js | 40 ++++++++++++++++++++++++++++++++++++++++
 pveum.adoc            | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 72 insertions(+)

pve-manager:

Thomas Skinner (1):
  fix #4411: openid: add ui config for openid groups support

 www/manager6/dc/AuthEditOpenId.js | 35 ++++++++++++++++++++++++++++---
 1 file changed, 32 insertions(+), 3 deletions(-)

-- 
2.39.2
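
The group handling described in the cover letter (add versus override, and replacement of invalid characters), as an added example that is not code from the patch series: it also reports when two distinct provider groups collapse onto one name after replacement, since both would then receive that group's permissions. The names `sanitize` and `map_groups` and the set of valid characters are assumptions.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Assumed set of valid group-name characters (not taken from the patches).
fn is_valid(c: char) -> bool {
    c.is_ascii_alphanumeric() || matches!(c, '.' | '-' | '_')
}

/// Replace every invalid character with the configured replacement.
fn sanitize(name: &str, repl: char) -> String {
    name.chars().map(|c| if is_valid(c) { c } else { repl }).collect()
}

/// Result of mapping the claim's group list onto a user's groups.
struct Mapped {
    groups: BTreeSet<String>,
    /// sanitized name -> distinct provider names that collapsed onto it
    collisions: BTreeMap<String, Vec<String>>,
}

/// `overwrite == false` adds claim groups to `current` (the default);
/// `overwrite == true` replaces `current` with the claim groups.
fn map_groups(claim: &[&str], current: &BTreeSet<String>, overwrite: bool, repl: char) -> Mapped {
    let mut by_name: BTreeMap<String, BTreeSet<String>> = BTreeMap::new();
    for raw in claim {
        if raw.is_empty() {
            continue; // an empty entry cannot name a group
        }
        by_name.entry(sanitize(raw, repl)).or_default().insert(raw.to_string());
    }
    let mut groups = if overwrite { BTreeSet::new() } else { current.clone() };
    groups.extend(by_name.keys().cloned());
    let collisions: BTreeMap<String, Vec<String>> = by_name
        .into_iter()
        .filter(|(_, raws)| raws.len() > 1)
        .map(|(name, raws)| (name, raws.into_iter().collect::<Vec<_>>()))
        .collect();
    Mapped { groups, collisions }
}

fn main() {
    // Constructed sample: a groups claim as a provider might send it.
    let claim = ["admins", "dev ops", "dev/ops", "admins"];
    let mut current = BTreeSet::new();
    current.insert("legacy".to_string());
    for overwrite in [false, true] {
        let m = map_groups(&claim, &current, overwrite, '_');
        println!("overwrite={overwrite}: groups={:?} collisions={:?}", m.groups, m.collisions);
    }
}
```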