package PVE::Auth::OpenId;

# Realm plugin for OpenID realms. This module only defines the realm's
# configuration schema and refuses password logins (see authenticate_user);
# the actual OpenID login flow is presumably implemented elsewhere -- confirm
# against the API code that consumes this plugin.

use strict;
use warnings;

use PVE::Tools;
use PVE::Auth::Plugin;
use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file);

use base qw(PVE::Auth::Plugin);
11 | ||
# Realm type identifier registered with PVE::Auth::Plugin; this is the
# section type name for such realms in the realm configuration.
sub type {
    my ($class) = @_;

    return 'openid';
}
15 | ||
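# Schema of the realm-specific options of an OpenID realm. The values are
# validated by PVE::JSONSchema; this assumes (as the existing 'prompt'
# pattern does) that a 'pattern' is applied as an anchored, full-string match.
sub properties {
    return {
        "issuer-url" => {
            description => "OpenID Issuer Url",
            type => 'string',
            maxLength => 256,
            # NOTE(review): no scheme or URL format check is done here. The
            # issuer URL is security critical (it is where discovery and
            # token endpoints come from); presumably the OpenID client code
            # enforces https -- confirm before relying on it.
        },
        "client-id" => {
            description => "OpenID Client ID",
            type => 'string',
            maxLength => 256,
        },
        "client-key" => {
            description => "OpenID Client Key",
            type => 'string',
            # Optional so that public clients without a secret can be
            # configured. When set this is the client secret and must be
            # treated as such (never log it, never echo it back unmasked).
            optional => 1,
            maxLength => 256,
        },
        autocreate => {
            # Security relevant: when enabled, every identity the issuer
            # vouches for becomes a user in this realm. Off by default.
            description => "Automatically create users if they do not exist.",
            optional => 1,
            type => 'boolean',
            default => 0,
        },
        "username-claim" => {
            description => "OpenID claim used to generate the unique username.",
            type => 'string',
            optional => 1,
        },
        prompt => {
            description => "Specifies whether the Authorization Server prompts the End-User for"
                ." reauthentication and consent.",
            type => 'string',
            # The trailing \S+ alternative accepts any whitespace-free value
            # (OpenID allows extension prompt values), so the named
            # alternatives are documentary only: in effect the pattern just
            # rejects whitespace, which also means a space separated
            # combination such as 'login consent' is not accepted.
            pattern => '(?:none|login|consent|select_account|\S+)', # \S+ is the extension variant
            optional => 1,
        },
        scopes => {
            description => "Specifies the scopes (user details) that should be authorized and"
                ." returned, for example 'email' or 'profile'.",
            type => 'string',
            # Space separated list of scope tokens. Each token is restricted
            # to the scope-token character set of RFC 6749 section 3.3
            # (printable ASCII without '"' and '\'), one single space between
            # tokens, no leading/trailing space. This keeps the configured
            # value from injecting arbitrary characters into the
            # authorization request that is built from it.
            pattern => '[\x21\x23-\x5B\x5D-\x7E]+(?: [\x21\x23-\x5B\x5D-\x7E]+)*',
            default => "email profile",
            optional => 1,
        },
    };
}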
61 | ||
# Declares which keys may appear in an 'openid' realm section (the schema
# properties above plus the generic 'default' and 'comment' keys) and which
# of them are optional.
sub options {
    my %realm_options = (
        "issuer-url" => {},
        "client-id" => {},
        "client-key" => { optional => 1 },
        autocreate => { optional => 1 },
        # fixed: cannot be changed once the realm exists -- presumably because
        # switching the claim would re-key every user already derived from it.
        "username-claim" => { optional => 1, fixed => 1 },
        prompt => { optional => 1 },
        scopes => { optional => 1 },
        default => { optional => 1 },
        comment => { optional => 1 },
    );

    return \%realm_options;
}
75 | ||
# Password verification is never possible for an OpenID realm: this plugin
# holds no credentials to check against, and login for such realms is
# presumably handled by a separate OpenID flow. Any password-based
# authentication attempt is therefore refused unconditionally.
sub authenticate_user {
    my ($class, $config, $realm, $username, $password) = @_;

    # The arguments are accepted only to match the PVE::Auth::Plugin
    # interface; none of them is inspected.
    my $refusal = "OpenID realm does not allow password verification.\n";
    die $refusal;
}
81 | ||
82 | ||
1; # a module must end with a true value