add OpenId configuration
authorDietmar Maurer <dietmar@proxmox.com>
Wed, 30 Jun 2021 06:10:04 +0000 (08:10 +0200)
committerThomas Lamprecht <t.lamprecht@proxmox.com>
Thu, 1 Jul 2021 11:13:59 +0000 (13:13 +0200)
src/PVE/AccessControl.pm
src/PVE/Auth/Makefile
src/PVE/Auth/OpenId.pm [new file with mode: 0755]

index 86286781ed72fe5039f612e5709af92d2a644cea..3d8d01c0dfb99d1331b3f57a23f2724cfbeb2b0f 100644 (file)
@@ -24,6 +24,7 @@ use PVE::Auth::AD;
 use PVE::Auth::LDAP;
 use PVE::Auth::PVE;
 use PVE::Auth::PAM;
+use PVE::Auth::OpenId;
 
 # load and initialize all plugins
 
@@ -31,6 +32,7 @@ PVE::Auth::AD->register();
 PVE::Auth::LDAP->register();
 PVE::Auth::PVE->register();
 PVE::Auth::PAM->register();
+PVE::Auth::OpenId->register();
 PVE::Auth::Plugin->init();
 
 # $authdir must be writable by root only!
index 58ae362d4d53282dfd19ca1806d07035a8e7859b..be7bde3cbb48ea4d276a55c44116883f86745ef8 100644 (file)
@@ -4,7 +4,8 @@ AUTH_SOURCES=                   \
        PVE.pm                  \
        PAM.pm                  \
        AD.pm                   \
-       LDAP.pm
+       LDAP.pm                 \
+       OpenId.pm
 
 .PHONY: install
 install:
diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm
new file mode 100755 (executable)
index 0000000..515d2f4
--- /dev/null
@@ -0,0 +1,68 @@
+package PVE::Auth::OpenId;
+
+use strict;
+use warnings;
+
+use PVE::Tools;
+use PVE::Auth::Plugin;
+use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file);
+
+use base qw(PVE::Auth::Plugin);
+
+sub type {
+    return 'openid';
+}
+
+sub properties {
+    return {
+       "issuer-url" => {
+           description => "OpenID Issuer Url",
+           type => 'string',
+           maxLength => 256,
+       },
+       "client-id" => {
+            description => "OpenID Client ID",
+            type => 'string',
+           maxLength => 256,
+       },
+       "client-key" => {
+           description => "OpenID Client Key",
+           type => 'string',
+           optional => 1,
+           maxLength => 256,
+       },
+       autocreate => {
+          description => "Automatically create users if they do not exist.",
+          optional => 1,
+          type => 'boolean',
+          default => 0,
+       },
+       "username-claim" => {
+          description => "OpenID claim used to generate the unique username.",
+          type => 'string',
+          enum => ['subject', 'username', 'email'],
+          optional => 1,
+       },
+   };
+}
+
+sub options {
+    return {
+       "issuer-url" => {},
+        "client-id" => {},
+        "client-key" => { optional => 1 },
+        autocreate => { optional => 1 },
+        "username-claim" => { optional => 1, fixed => 1 },
+        default => { optional => 1 },
+        comment => { optional => 1 },
+    };
+}
+
+sub authenticate_user {
+    my ($class, $config, $realm, $username, $password) = @_;
+
+    die "OpenID realm does not allow password verification.\n";
+}
+
+
+1;