[pve-access-control.git] / src / PVE / Auth / OpenId.pm

package PVE::Auth::OpenId;

use strict;
use warnings;

use PVE::Tools;
use PVE::Auth::Plugin;
use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file);

use base qw(PVE::Auth::Plugin);

sub type {
    return 'openid';
}

sub properties {
    return {
	"issuer-url" => {
	    description => "OpenID Issuer Url",
	    type => 'string',
	    maxLength => 256,
	},
	"client-id" => {
	    description => "OpenID Client ID",
	    type => 'string',
	    maxLength => 256,
	},
	"client-key" => {
	    description => "OpenID Client Key",
	    type => 'string',
	    optional => 1,
	    maxLength => 256,
	},
	autocreate => {
	    description => "Automatically create users if they do not exist.",
	    optional => 1,
	    type => 'boolean',
	    default => 0,
	},
	"username-claim" => {
	    description => "OpenID claim used to generate the unique username.",
	    type => 'string',
	    optional => 1,
	},
	prompt => {
	    description => "Specifies whether the Authorization Server prompts the End-User for"
	        ." reauthentication and consent.",
	    type => 'string',
	    pattern => '(?:none|login|consent|select_account|\S+)', # \S+ is the extension variant
	    optional => 1,
	},
	scopes => {
	    description => "Specifies the scopes (user details) that should be authorized and"
	        ." returned, for example 'email' or 'profile'.",
	    type => 'string', # format => 'some-safe-id-list', # FIXME: TODO
	    default => "email profile",
	    optional => 1,
	},
   };
}

sub options {
    return {
	"issuer-url" => {},
	"client-id" => {},
	"client-key" => { optional => 1 },
	autocreate => { optional => 1 },
	"username-claim" => { optional => 1, fixed => 1 },
	prompt => { optional => 1 },
	scopes => { optional => 1 },
	default => { optional => 1 },
	comment => { optional => 1 },
    };
}

sub authenticate_user {
    my ($class, $config, $realm, $username, $password) = @_;

    die "OpenID realm does not allow password verification.\n";
}


1;
Commit	Line	Data
52d1c1b9 DM	1	package PVE::Auth::OpenId;
	2
	3	use strict;
	4	use warnings;
	5
	6	use PVE::Tools;
	7	use PVE::Auth::Plugin;
	8	use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file);
	9
	10	use base qw(PVE::Auth::Plugin);
	11
	12	sub type {
	13	return 'openid';
	14	}
	15
	16	sub properties {
	17	return {
	18	"issuer-url" => {
	19	description => "OpenID Issuer Url",
	20	type => 'string',
	21	maxLength => 256,
	22	},
	23	"client-id" => {
83f0ad5d TL	24	description => "OpenID Client ID",
83f0ad5d TL	25	type => 'string',
52d1c1b9	26	maxLength => 256,
83f0ad5d TL	27	},
83f0ad5d TL	28	"client-key" => {
52d1c1b9 DM	29	description => "OpenID Client Key",
	30	type => 'string',
	31	optional => 1,
	32	maxLength => 256,
83f0ad5d TL	33	},
	34	autocreate => {
	35	description => "Automatically create users if they do not exist.",
	36	optional => 1,
	37	type => 'boolean',
	38	default => 0,
	39	},
	40	"username-claim" => {
	41	description => "OpenID claim used to generate the unique username.",
	42	type => 'string',
	43	optional => 1,
	44	},
348c7038 TL	45	prompt => {
	46	description => "Specifies whether the Authorization Server prompts the End-User for"
	47	." reauthentication and consent.",
	48	type => 'string',
	49	pattern => '(?:none\|login\|consent\|select_account\|\S+)', # \S+ is the extension variant
	50	optional => 1,
	51	},
48e51c33 TL	52	scopes => {
	53	description => "Specifies the scopes (user details) that should be authorized and"
	54	." returned, for example 'email' or 'profile'.",
	55	type => 'string', # format => 'some-safe-id-list', # FIXME: TODO
	56	default => "email profile",
	57	optional => 1,
	58	},
52d1c1b9 DM	59	};
	60	}
	61
	62	sub options {
	63	return {
	64	"issuer-url" => {},
83f0ad5d TL	65	"client-id" => {},
	66	"client-key" => { optional => 1 },
	67	autocreate => { optional => 1 },
	68	"username-claim" => { optional => 1, fixed => 1 },
348c7038	69	prompt => { optional => 1 },
48e51c33	70	scopes => { optional => 1 },
83f0ad5d TL	71	default => { optional => 1 },
83f0ad5d TL	72	comment => { optional => 1 },
52d1c1b9 DM	73	};
	74	}
	75
	76	sub authenticate_user {
	77	my ($class, $config, $realm, $username, $password) = @_;
	78
	79	die "OpenID realm does not allow password verification.\n";
	80	}
	81
	82
	83	1;