On 2/11/25 06:40, Thomas Skinner wrote:
> Continued work on adding support for OIDC groups.
>
> changes since v2:
> - Move RE for group name characters to Plugin.pm
> - Undo refactoring of user group deletion
> - Refactor logic to use hashes instead of arrays
> - Cleanup code style
> - Add RE and length limit for group claim
> - Clarify docs on suffix and automatic group creation
>
>
> access-control:
>
> Thomas Skinner (1):
>   fix #4411: openid: add logic for openid groups support
>
>  src/PVE/API2/OpenId.pm   | 79 ++++++++++++++++++++++++++++++++++++++++
>  src/PVE/AccessControl.pm |  2 +-
>  src/PVE/Auth/OpenId.pm   | 33 +++++++++++++++++
>  src/PVE/Auth/Plugin.pm   |  1 +
>  4 files changed, 114 insertions(+), 1 deletion(-)
>
>
> docs:
>
> Thomas Skinner (1):
>   fix #4411: openid: add docs for openid groups support
>
>  pveum.adoc | 44 ++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 44 insertions(+)
>
>
> manager:
>
> Thomas Skinner (1):
>   fix #4411: openid: add ui config for openid groups support
>
>  www/manager6/dc/AuthEditOpenId.js | 44 ++++++++++++++++++++++++++++---
>
>
> proxmox-openid:
>
> Thomas Skinner (1):
>   fix #4411: openid: add library code for generic id token claim support
>
>  proxmox-openid/src/lib.rs | 55 +++++++++++++++++++++++++++++++++------
>
>
Tested this with Authentik for now.

Logging looks good when groups are created and when users have groups removed and assigned again. It could be nice to also log when groups are renamed because of invalid characters that are replaced?

Group claim, adding and overwriting groups looks good.

One test group was renamed because of a `!` in its name. When changing the replacement character it created a new group and the old one still existed. So you can end up with lots of leftover groups if you change the replacement character later on.