1 package PVE::Auth::OpenId;
2
3 use strict;
4 use warnings;
5
6 use PVE::Tools;
7 use PVE::Auth::Plugin;
8 use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file);
9
10 use base qw(PVE::Auth::Plugin);
11
# Realm type identifier for this authentication plugin.
#
# Takes no arguments of its own (any invocant is ignored) and always returns
# the string 'openid'. How the base class uses that value is not visible in
# this file.
sub type {
    my $realm_type = 'openid';
    return $realm_type;
}
15
# Schema of the OpenID-specific realm settings.
#
# Returns a fresh hash reference that maps each property name to its schema
# entry (description, type and, where given, maxLength / pattern / default /
# optional). This sub only describes values; it performs no validation and
# no network access itself.
sub properties {
    my %schema;

    # Issuer the realm trusts for logins. Only a type and a length cap are
    # declared: there is no scheme or format constraint on the URL here.
    # NOTE(review): OpenID Connect expects an https issuer; confirm that the
    # code consuming this value rejects plain-http issuers.
    $schema{'issuer-url'} = {
        description => "OpenID Issuer Url",
        type => 'string',
        maxLength => 256,
    };

    # Identifier this realm presents to the issuer.
    $schema{'client-id'} = {
        description => "OpenID Client ID",
        type => 'string',
        maxLength => 256,
    };

    # Optional client credential.
    # NOTE(review): presumably the client secret; where it is stored and who
    # can read it back is not visible here; verify it is not returned by
    # read-only configuration queries.
    $schema{'client-key'} = {
        description => "OpenID Client Key",
        type => 'string',
        optional => 1,
        maxLength => 256,
    };

    # Off unless explicitly enabled (default => 0).
    # NOTE(review): when enabled, presumably every identity the issuer
    # authenticates gets a local user; confirm in the login handler and
    # restrict access at the issuer accordingly.
    $schema{autocreate} = {
        description => "Automatically create users if they do not exist.",
        optional => 1,
        type => 'boolean',
        default => 0,
    };

    # Free-form string: no pattern or enum limits the claim name here.
    # NOTE(review): the chosen claim should be unique and stable at the
    # issuer, otherwise two identities could map to one local user; confirm
    # how the login code derives the user name.
    $schema{'username-claim'} = {
        description => "OpenID claim used to generate the unique username.",
        type => 'string',
        optional => 1,
    };

    # The trailing \S+ alternative accepts any whitespace-free value, so the
    # named alternatives mainly document the standard choices.
    # NOTE(review): whether the schema checker anchors this pattern is not
    # visible in this file.
    $schema{prompt} = {
        description => join(
            ' ',
            "Specifies whether the Authorization Server prompts the End-User for",
            "reauthentication and consent.",
        ),
        type => 'string',
        pattern => '(?:none|login|consent|select_account|\S+)', # \S+ is the extension variant
        optional => 1,
    };

    return \%schema;
}
54
# Settings accepted for a realm of this type.
#
# Returns a fresh hash reference keyed by option name. 'issuer-url' and
# 'client-id' carry no flags; every other entry is marked optional.
# 'default' and 'comment' have no schema in this file's properties().
# NOTE(review): presumably they are defined by the base plugin; confirm.
sub options {
    my %allowed = (
        'issuer-url' => {},
        'client-id' => {},
    );

    # One new anonymous hash per name, so entries are not shared.
    $allowed{$_} = { optional => 1 }
        for qw(client-key autocreate prompt default comment);

    # NOTE(review): 'fixed' presumably means the claim can only be chosen when
    # the realm is created, which would stop a later edit from remapping
    # existing users to other identities; confirm against the base class.
    $allowed{'username-claim'} = { optional => 1, fixed => 1 };

    return \%allowed;
}
67
# Password check entry point for this realm type.
#
# Parameters: ($class, $config, $realm, $username, $password); none of them
# is inspected.
# Never returns: it always dies with a fixed message, so a password submitted
# for an OpenID realm is rejected whatever its value (fail closed). The
# password is not included in the message.
sub authenticate_user {
    my ($class, $config, $realm, $username, $password) = @_;

    my $refusal = "OpenID realm does not allow password verification.\n";
    die $refusal;
}
73
74
75 1;