[pve-devel] [PATCH docs v3 1/1] fix #4411: openid: add docs for openid groups support

2025-02-10 Thread Thomas Skinner
Signed-off-by: Thomas Skinner --- pveum.adoc | 44 1 file changed, 44 insertions(+) diff --git a/pveum.adoc b/pveum.adoc index 81565ab..1166f17 100644 --- a/pveum.adoc +++ b/pveum.adoc @@ -456,6 +456,15 @@ use the `autocreate` option to automatically

[pve-devel] [PATCH access-control v3 1/1] fix #4411: openid: add logic for openid groups support

2025-02-10 Thread Thomas Skinner
Signed-off-by: Thomas Skinner --- src/PVE/API2/OpenId.pm | 79 src/PVE/AccessControl.pm | 2 +- src/PVE/Auth/OpenId.pm | 33 + src/PVE/Auth/Plugin.pm | 1 + 4 files changed, 114 insertions(+), 1 deletion(-) diff --git a/src/PVE

[pve-devel] [PATCH manager v3 1/1] fix #4411: openid: add ui config for openid groups support

2025-02-10 Thread Thomas Skinner
Signed-off-by: Thomas Skinner --- www/manager6/dc/AuthEditOpenId.js | 44 --- 1 file changed, 41 insertions(+), 3 deletions(-) diff --git a/www/manager6/dc/AuthEditOpenId.js b/www/manager6/dc/AuthEditOpenId.js index 544c0de5..7a578c36 100644 --- a/www/manager6/dc

[pve-devel] [PATCH SERIES access-control/docs/manager/proxmox-openid v3] fix #4411: add support for openid groups

2025-02-10 Thread Thomas Skinner
and automatic group creation access-control: Thomas Skinner (1): fix #4411: openid: add logic for openid groups support src/PVE/API2/OpenId.pm | 79 src/PVE/AccessControl.pm | 2 +- src/PVE/Auth/OpenId.pm | 33 + src/PVE/Auth

[pve-devel] [PATCH proxmox-openid v3 1/1] fix #4411: openid: add library code for generic id token claim support

2025-02-10 Thread Thomas Skinner
Signed-off-by: Thomas Skinner --- proxmox-openid/src/lib.rs | 55 +-- 1 file changed, 47 insertions(+), 8 deletions(-) diff --git a/proxmox-openid/src/lib.rs b/proxmox-openid/src/lib.rs index fe65fded..bf8c650b 100644 --- a/proxmox-openid/src/lib.rs +++ b

Re: [pve-devel] [PATCH access-control v2 1/1] fix #4411: openid: add logic for openid groups support

2025-02-10 Thread Thomas Skinner
On Mon, Feb 10, 2025 at 4:43 AM Fabian Grünbichler wrote: > > On February 6, 2025 6:06 am, Thomas Skinner wrote: > > On Fri, Jan 24, 2025 at 4:18 AM Fabian Grünbichler > > wrote: > >> > >> On December 24, 2024 9:24 pm, Thomas Skinner

Re: [pve-devel] [PATCH access-control v2 1/1] fix #4411: openid: add logic for openid groups support

2025-02-07 Thread Thomas Skinner
> do we want to mangle the group names to include the OIDC-realm name, > like we do for LDAP/AD syncing? that way it is more clear that those > groups originated from OIDC.. downside is that you can't use a group > shared between OIDC and other realms.. More on this: it looks like in LDAP/AD sync,

[pve-devel] [PATCH perl-rs v3 1/1] fix #4234: openid: adjust openid verification function for userinfo option

2025-02-07 Thread Thomas Skinner
Signed-off-by: Thomas Skinner --- pve-rs/src/openid/mod.rs | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/pve-rs/src/openid/mod.rs b/pve-rs/src/openid/mod.rs index 1fa7572..8f914ad 100644 --- a/pve-rs/src/openid/mod.rs +++ b/pve-rs/src/openid/mod.rs @@ -54,9 +54,14

[pve-devel] [PATCH docs v3 1/1] fix #4234: add docs for openid optional userinfo request

2025-02-07 Thread Thomas Skinner
Signed-off-by: Thomas Skinner --- pveum.adoc | 8 1 file changed, 8 insertions(+) diff --git a/pveum.adoc b/pveum.adoc index 81565ab..1d18d38 100644 --- a/pveum.adoc +++ b/pveum.adoc @@ -479,6 +479,14 @@ Another option is to use `email`, which also yields human readable usernames

[pve-devel] [PATCH proxmox-openid v3 1/1] fix #4234: openid: add library functions for optional userinfo endpoint

2025-02-07 Thread Thomas Skinner
Signed-off-by: Thomas Skinner --- proxmox-openid/src/lib.rs | 30 +- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/proxmox-openid/src/lib.rs b/proxmox-openid/src/lib.rs index fe65fded..d2a53d45 100644 --- a/proxmox-openid/src/lib.rs +++ b/proxmox

[pve-devel] [PATCH manager v3 1/1] fix #4234: add GUI option for openid optional userinfo request

2025-02-07 Thread Thomas Skinner
Signed-off-by: Thomas Skinner --- www/manager6/dc/AuthEditOpenId.js | 9 + 1 file changed, 9 insertions(+) diff --git a/www/manager6/dc/AuthEditOpenId.js b/www/manager6/dc/AuthEditOpenId.js index 544c0de5..904e508c 100644 --- a/www/manager6/dc/AuthEditOpenId.js +++ b/www/manager6/dc

[pve-devel] [PATCH SERIES access-control/docs/manager/perl-rs/proxmox-openid v3] Make OIDC userinfo endpoint optional

2025-02-07 Thread Thomas Skinner
Continues work on adding an option to disable querying the userinfo endpoint for an OIDC provider. Changes since v2: - Adjust verify_authorization_code in pve-rs to be backwards compatible - Fix defaults in wrapper functions access-control: Thomas Skinner (1): fix #4234: add library

[pve-devel] [PATCH access-control v3 1/1] fix #4234: add library functions for openid optional userinfo request

2025-02-07 Thread Thomas Skinner
Signed-off-by: Thomas Skinner --- src/PVE/API2/OpenId.pm | 6 +- src/PVE/Auth/OpenId.pm | 7 +++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/src/PVE/API2/OpenId.pm b/src/PVE/API2/OpenId.pm index 77410e6..456e96a 100644 --- a/src/PVE/API2/OpenId.pm +++ b/src/PVE/API2

Re: [pve-devel] [PATCH access-control v2 1/1] fix #4411: openid: add logic for openid groups support

2025-02-05 Thread Thomas Skinner
On Fri, Jan 24, 2025 at 4:18 AM Fabian Grünbichler wrote: > > On December 24, 2024 9:24 pm, Thomas Skinner wrote: > > Signed-off-by: Thomas Skinner > > --- > > src/PVE/API2/OpenId.pm | 68 > > src/PVE/AccessControl.pm |

Re: [pve-devel] [PATCH perl-rs v2 4/5] fix #4234: openid: adjust openid verification function for userinfo option

2025-01-28 Thread Thomas Skinner
On Fri, Jan 24, 2025 at 3:17 AM Fabian Grünbichler wrote: > > On December 16, 2024 5:14 am, Thomas Skinner wrote: > > Signed-off-by: Thomas Skinner > > --- > > pve-rs/src/openid/mod.rs | 9 +++-- > > 1 file changed, 7 insertions(+), 2 deletions(-) > >

Re: [pve-devel] [PATCH proxmox v2 5/5] fix #4234: openid: add library functions for optional userinfo endpoint

2025-01-28 Thread Thomas Skinner
On Fri, Jan 24, 2025 at 3:17 AM Fabian Grünbichler wrote: > > On December 16, 2024 5:14 am, Thomas Skinner wrote: > > Signed-off-by: Thomas Skinner > > --- > > proxmox-openid/src/lib.rs | 30 +- > > 1 file changed, 29 insertions(+), 1 de

[pve-devel] [PATCH access-control v2 1/1] fix #4411: openid: add logic for openid groups support

2024-12-24 Thread Thomas Skinner
Signed-off-by: Thomas Skinner --- src/PVE/API2/OpenId.pm | 68 src/PVE/AccessControl.pm | 13 +--- src/PVE/Auth/OpenId.pm | 30 ++ 3 files changed, 107 insertions(+), 4 deletions(-) diff --git a/src/PVE/API2/OpenId.pm b/src/PVE

[pve-devel] [PATCH docs v2 1/1] fix #4411: openid: add docs for openid groups support

2024-12-24 Thread Thomas Skinner
Signed-off-by: Thomas Skinner --- pveum.adoc | 39 +++ 1 file changed, 39 insertions(+) diff --git a/pveum.adoc b/pveum.adoc index 81565ab..36b7560 100644 --- a/pveum.adoc +++ b/pveum.adoc @@ -456,6 +456,15 @@ use the `autocreate` option to automatically add

[pve-devel] [PATCH proxmox v2 1/1] fix #4411: openid: add library code for generic id token claim support

2024-12-24 Thread Thomas Skinner
Signed-off-by: Thomas Skinner --- proxmox-openid/src/lib.rs | 55 +-- 1 file changed, 47 insertions(+), 8 deletions(-) diff --git a/proxmox-openid/src/lib.rs b/proxmox-openid/src/lib.rs index fe65fded..bf8c650b 100644 --- a/proxmox-openid/src/lib.rs +++ b

[pve-devel] [PATCH SERIES openid/access-control/docs/manager v2 0/1] fix #4411: add support for openid groups

2024-12-24 Thread Thomas Skinner
automatically on login - update commit message for proxmox-openid - move docs for replacement character to "Advanced Settings" section pve-access-control: Thomas Skinner (1): fix #4411: openid: add logic for openid groups support src/PVE/API2/OpenId

[pve-devel] [PATCH manager v2 1/1] fix #4411: openid: add ui config for openid groups support

2024-12-24 Thread Thomas Skinner
Signed-off-by: Thomas Skinner --- www/manager6/dc/AuthEditOpenId.js | 44 --- 1 file changed, 41 insertions(+), 3 deletions(-) diff --git a/www/manager6/dc/AuthEditOpenId.js b/www/manager6/dc/AuthEditOpenId.js index 544c0de5..7a578c36 100644 --- a/www/manager6/dc

Re: [pve-devel] [PATCH access-control 1/1] fix #4411: openid: add logic for openid groups support

2024-12-17 Thread Thomas Skinner
On Wed, Nov 13, 2024 at 6:46 AM Fabian Grünbichler wrote: > > a few nits, mostly style related below Will get these fixed up and submit in a v2 patch. > On September 1, 2024 6:55 pm, Thomas Skinner wrote: > > Signed-off-by: Thomas Skinner > > --- > >

Re: [pve-devel] [PATCH openid 1/1] fix #4411: openid: add library code for openid groups support

2024-12-17 Thread Thomas Skinner
lready be in some serializable format. > On September 1, 2024 6:55 pm, Thomas Skinner wrote: > > Signed-off-by: Thomas Skinner > > --- > > proxmox-openid/src/lib.rs | 55 +-- > > 1 file changed, 47 insertions(+), 8 deletions(-) >

[pve-devel] [PATCH proxmox v2 5/5] fix #4234: openid: add library functions for optional userinfo endpoint

2024-12-15 Thread Thomas Skinner
Signed-off-by: Thomas Skinner --- proxmox-openid/src/lib.rs | 30 +- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/proxmox-openid/src/lib.rs b/proxmox-openid/src/lib.rs index fe65fded..87be1c8a 100644 --- a/proxmox-openid/src/lib.rs +++ b/proxmox

[pve-devel] [PATCH perl-rs v2 4/5] fix #4234: openid: adjust openid verification function for userinfo option

2024-12-15 Thread Thomas Skinner
Signed-off-by: Thomas Skinner --- pve-rs/src/openid/mod.rs | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/pve-rs/src/openid/mod.rs b/pve-rs/src/openid/mod.rs index 1fa7572..cd573ee 100644 --- a/pve-rs/src/openid/mod.rs +++ b/pve-rs/src/openid/mod.rs @@ -50,13 +50,18

[pve-devel] [PATCH access-control/docs/manager/perl-rs/proxmox-openid v2 0/5] Make OIDC userinfo endpoint optional

2024-12-15 Thread Thomas Skinner
Continues work on adding an option to disable querying the userinfo endpoint for an OIDC provider. Changes since v1: - Adjust to add option in the UI to enable the functionality - Add documentation for the option - Adjust API back to previous behavior access-control: Thomas Skinner (1): fix

[pve-devel] [PATCH docs v2 2/5] fix #4234: add docs for openid optional userinfo request

2024-12-15 Thread Thomas Skinner
Signed-off-by: Thomas Skinner --- pveum.adoc | 8 1 file changed, 8 insertions(+) diff --git a/pveum.adoc b/pveum.adoc index 81565ab..1d18d38 100644 --- a/pveum.adoc +++ b/pveum.adoc @@ -479,6 +479,14 @@ Another option is to use `email`, which also yields human readable usernames

[pve-devel] [PATCH manager v2 3/5] fix #4234: add GUI option for openid optional userinfo request

2024-12-15 Thread Thomas Skinner
Signed-off-by: Thomas Skinner --- www/manager6/dc/AuthEditOpenId.js | 9 + 1 file changed, 9 insertions(+) diff --git a/www/manager6/dc/AuthEditOpenId.js b/www/manager6/dc/AuthEditOpenId.js index 544c0de5..904e508c 100644 --- a/www/manager6/dc/AuthEditOpenId.js +++ b/www/manager6/dc

[pve-devel] [PATCH access-control v2 1/5] fix #4234: add library functions for openid optional userinfo request

2024-12-15 Thread Thomas Skinner
Signed-off-by: Thomas Skinner --- src/PVE/API2/OpenId.pm | 6 +- src/PVE/Auth/OpenId.pm | 7 +++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/src/PVE/API2/OpenId.pm b/src/PVE/API2/OpenId.pm index 77410e6..ea1de16 100644 --- a/src/PVE/API2/OpenId.pm +++ b/src/PVE/API2

Re: [pve-devel] [PATCH SERIES openid/access-control/docs/manager] fix #4411: add support for openid groups

2024-12-11 Thread Thomas Skinner
> It seemed to work reliably once Keycloak was configured correctly. One > thing that was confusing, even with `Overwrite Groups` no groups are set > if they aren't already configured on the PVE cluster. This is by design (and mentioned in docs patch) to prevent an arbitrary number of groups being

[pve-devel] [PATCH manager v2 3/3] fix #5699: pveproxy: add settings for real IP support

2024-12-11 Thread Thomas Skinner
Signed-off-by: Thomas Skinner --- PVE/Service/pveproxy.pm | 2 ++ 1 file changed, 2 insertions(+) diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm index ac108545..df3601bd 100755 --- a/PVE/Service/pveproxy.pm +++ b/PVE/Service/pveproxy.pm @@ -115,6 +115,8 @@ sub init

[pve-devel] [PATCH http-server v2 2/3] fix #5699: pveproxy: add library methods for real IP support

2024-12-11 Thread Thomas Skinner
Signed-off-by: Thomas Skinner --- src/PVE/APIServer/AnyEvent.pm | 38 ++- src/PVE/APIServer/Utils.pm| 15 ++ 2 files changed, 52 insertions(+), 1 deletion(-) diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm index 24209a1

[pve-devel] [PATCH docs v2 1/3] fix #5699: pveproxy: add docs for real IP support

2024-12-11 Thread Thomas Skinner
Signed-off-by: Thomas Skinner --- pveproxy.adoc | 29 + 1 file changed, 29 insertions(+) diff --git a/pveproxy.adoc b/pveproxy.adoc index 4b5dac0..29f54d7 100644 --- a/pveproxy.adoc +++ b/pveproxy.adoc @@ -198,6 +198,35 @@ content, if the client supports it. This can

[pve-devel] [PATCH SERIES manager/http-server/docs v2 0/3] fix #5699: add support for real IP

2024-12-11 Thread Thomas Skinner
-docs: Thomas Skinner (1): fix #5699: pveproxy: add docs for real IP support pveproxy.adoc | 29 + 1 file changed, 29 insertions(+) pve-http-server: Thomas Skinner (1): fix #5699: pveproxy: add library methods for real IP support src/PVE/APIServer/AnyEvent.pm

Re: [pve-devel] [PATCH http-server 1/1] fix #5699: pveproxy: add library methods for real IP support

2024-11-25 Thread Thomas Skinner
On Mon, Nov 25, 2024 at 5:31 AM Fabian Grünbichler wrote: > > > > Thomas Lamprecht wrote on 25.11.2024 12:17 CET: > > > > > > On 25.11.24 at 10:05, Fabian Grünbichler wrote: > > > yeah, we could switch to the new format *only* if the header option is > > > set? > > > as else, the

Re: [pve-devel] [PATCH http-server 1/1] fix #5699: pveproxy: add library methods for real IP support

2024-11-24 Thread Thomas Skinner
> On September 10, 2024 2:30 am, Thomas Skinner wrote: >> --- >> src/PVE/APIServer/AnyEvent.pm | 43 --- >> src/PVE/APIServer/Utils.pm| 15 >> 2 files changed, 55 insertions(+), 3 deletions(-) >> >> diff --gi

Re: [pve-devel] [PATCH openid 0/1] Make OIDC userinfo endpoint optional

2024-10-02 Thread Thomas Skinner
This is still applicable to the latest master for the referenced repositories. Any movement? On Fri, Aug 30, 2024, 5:34 PM Thomas Skinner wrote: > In the OpenID Connect documentation ( > https://openid.net/specs/openid-connect-core-1_0.html), the > protocol abstract defined in 1.3

Re: [pve-devel] [PATCH SERIES openid/access-control/docs/manager] fix #4411: add support for openid groups

2024-10-02 Thread Thomas Skinner
This is still applicable to the latest master for the referenced repositories. Any movement? On Sun, Sep 1, 2024, 11:55 AM Thomas Skinner wrote: > This patch series adds support for groups for OpenID logins. > > The following options are implemented: > - Configurable claim for

[pve-devel] [PATCH manager 1/1] fix #5699: pveproxy: add settings for real IP support

2024-09-09 Thread Thomas Skinner
--- PVE/Service/pveproxy.pm | 2 ++ 1 file changed, 2 insertions(+) diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm index ac108545..66db7a73 100755 --- a/PVE/Service/pveproxy.pm +++ b/PVE/Service/pveproxy.pm @@ -115,6 +115,8 @@ sub init { honor_cipher_order => $proxycon

[pve-devel] [PATCH SERIES manager/http-server/docs] fix #5699: add support for real IP

2024-09-09 Thread Thomas Skinner
will have the extracted IP address logged. pve-docs: Thomas Skinner (1): fix #5699: pveproxy: add docs for real IP support pveproxy.adoc | 29 + 1 file changed, 29 insertions(+) pve-http-server: Thomas Skinner (1): fix #5699: pveproxy: add library methods for real

[pve-devel] [PATCH http-server 1/1] fix #5699: pveproxy: add library methods for real IP support

2024-09-09 Thread Thomas Skinner
--- src/PVE/APIServer/AnyEvent.pm | 43 --- src/PVE/APIServer/Utils.pm| 15 2 files changed, 55 insertions(+), 3 deletions(-) diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm index a8d60c1..c2afb4d 100644 --- a/src/PVE/API

[pve-devel] [PATCH docs 1/1] fix #5699: pveproxy: add docs for real IP support

2024-09-09 Thread Thomas Skinner
--- pveproxy.adoc | 29 + 1 file changed, 29 insertions(+) diff --git a/pveproxy.adoc b/pveproxy.adoc index 4b5dac0..f0ae0f7 100644 --- a/pveproxy.adoc +++ b/pveproxy.adoc @@ -198,6 +198,35 @@ content, if the client supports it. This can disabled in `/etc/default/pvep

[pve-devel] [PATCH access-control 1/1] fix #4411: openid: add logic for openid groups support

2024-09-02 Thread Thomas Skinner
Signed-off-by: Thomas Skinner --- src/PVE/API2/OpenId.pm | 32 src/PVE/Auth/OpenId.pm | 21 + 2 files changed, 53 insertions(+) diff --git a/src/PVE/API2/OpenId.pm b/src/PVE/API2/OpenId.pm index 77410e6..22a2188 100644 --- a/src/PVE/API2

[pve-devel] [PATCH openid 1/1] fix #4411: openid: add library code for openid groups support

2024-09-02 Thread Thomas Skinner
Signed-off-by: Thomas Skinner --- proxmox-openid/src/lib.rs | 55 +-- 1 file changed, 47 insertions(+), 8 deletions(-) diff --git a/proxmox-openid/src/lib.rs b/proxmox-openid/src/lib.rs index fe65fded..bf8c650b 100644 --- a/proxmox-openid/src/lib.rs +++ b

[pve-devel] [PATCH manager 1/1] fix #4411: openid: add ui config for openid groups support

2024-09-02 Thread Thomas Skinner
Signed-off-by: Thomas Skinner --- www/manager6/dc/AuthEditOpenId.js | 35 --- 1 file changed, 32 insertions(+), 3 deletions(-) diff --git a/www/manager6/dc/AuthEditOpenId.js b/www/manager6/dc/AuthEditOpenId.js index 544c0de5..30ee050a 100644 --- a/www/manager6/dc

[pve-devel] [PATCH docs 1/1] fix #4411: openid: add docs for openid groups support

2024-09-02 Thread Thomas Skinner
Signed-off-by: Thomas Skinner --- api-viewer/apidata.js | 40 pveum.adoc| 32 2 files changed, 72 insertions(+) diff --git a/api-viewer/apidata.js b/api-viewer/apidata.js index 8ba94e4..0edafd7 100644 --- a

[pve-devel] [PATCH SERIES openid/access-control/docs/manager] fix #4411: add support for openid groups

2024-09-02 Thread Thomas Skinner
tion in the userinfo endpoint. proxmox/proxmox-openid: Thomas Skinner (1): fix #4411: openid: add library code for openid groups support proxmox-openid/src/lib.rs | 55 +-- 1 file changed, 47 insertions(+), 8 deletions(-) pve-access-control: Thomas Skinner (1):

[pve-devel] [PATCH openid 1/1] fix #4234: openid: make userinfo request optional

2024-09-02 Thread Thomas Skinner
Signed-off-by: Thomas Skinner --- proxmox-openid/src/lib.rs | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/proxmox-openid/src/lib.rs b/proxmox-openid/src/lib.rs index fe65fded..7cef06e0 100644 --- a/proxmox-openid/src/lib.rs +++ b/proxmox-openid/src/lib.rs @@ -195,7

[pve-devel] [PATCH openid 0/1] Make OIDC userinfo endpoint optional

2024-09-02 Thread Thomas Skinner
have some log output when claims cannot be retrieved for troubleshooting purposes, but I'm not sure how the PVE team would prefer that be handled. Thomas Skinner (1): fix #4234: openid: make userinfo request optional proxmox-openid/src/lib.rs | 9 ++--- 1 file changed, 6 insertions(