Proxmox 7 has introduced OpenID-Connect authentication which enables us to go on the path of federated login.
However, for all the different identity provider solutions, the option will have to get A LOT more flexible.
Options at the moment are so limited that they are constricting to a single IdP solution, and do not allow acr_values to be implemented - which is part of the OIDC standard.
Suggestions in this:
[Documentation]
- clarify callback-uri for cluster setups - as you need to define all nodes in the definition on the IdP as to what can possibly be the callback-url
=> in my case I have 4 nodes, meaning I need to define all 4 nodes in a potential callback-uri (else you will get an error - invalid redirect_uri)
- the grants required by Proxmox need to be defined.
=> I have the option on my end to set multiple options: code, implicit, resource owner credentials, client credentials, and even SAML2 assertion.
This needs to be clarified!
[Enhancements needed]
- The ability to define acr_values / send them with the authentication request - meaning one can actually dictate the authentication contract a user logs in with - this option is defined in the OIDC standards, and should be available.
- The functionality to define scopes in requesting attributes (some of us have custom scopes tailored to the needs of an application besides the default scopes available).
- The freedom to arbitrarily set a (unique) attribute name wanted as identifier; whether it's transmitted as username, user, commonname, or whatever, it should honor what I dictate as admin.
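Added example, not part of the original post and not Proxmox code: a generic OIDC relying-party sketch in Python showing the items the post asks for (per-node redirect URIs, custom scopes, `acr_values`, a configurable username claim) and the check that makes `acr_values` enforceable. The function names, hostnames, client id, scope and ACR URN are made up, and the authorization code grant and node URL form are assumptions.

```python
import secrets
from urllib.parse import urlencode

def build_auth_request(authorize_endpoint, client_id, redirect_uri,
                       registered_redirect_uris, scopes=("openid",), acr_values=()):
    """Return (url, state, nonce) for an authorization-code request."""
    # The IdP compares redirect_uri by exact string match, so every cluster
    # node a user may log in through has to be registered there.
    if redirect_uri not in registered_redirect_uris:
        raise ValueError(f"{redirect_uri} is not registered at the IdP")
    if "openid" not in scopes:
        raise ValueError("an OIDC request must include the 'openid' scope")
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {
        "response_type": "code",  # assumption: authorization code grant
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # default plus custom scopes
        "state": state,
        "nonce": nonce,
    }
    if acr_values:
        # Space-separated, in order of preference (OIDC Core, section 3.1.2.1).
        params["acr_values"] = " ".join(acr_values)
    return f"{authorize_endpoint}?{urlencode(params)}", state, nonce

def accept_id_token_claims(claims, nonce, acr_values=(), username_claim="sub"):
    """Check claims of an already signature-verified ID token; return the username."""
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    # acr is a voluntary claim: the IdP may ignore acr_values, so the relying
    # party has to reject a login whose acr is not one it asked for.
    if acr_values and claims.get("acr") not in acr_values:
        raise ValueError(f"acr {claims.get('acr')!r} was not requested")
    name = claims.get(username_claim)
    if not isinstance(name, str) or not name:
        raise ValueError(f"claim {username_claim!r} missing from ID token")
    return name

# Constructed sample values; the node URL form (host:8006) is an assumption.
NODES = [f"https://pve{i}.example.test:8006" for i in range(1, 5)]
MFA = "urn:example:acr:mfa"
if __name__ == "__main__":
    url, state, nonce = build_auth_request(
        "https://idp.example.test/authorize", "pve-cluster", NODES[2], NODES,
        scopes=("openid", "profile", "pve_roles"), acr_values=(MFA,))
    print(url)
    claims = {"nonce": nonce, "acr": MFA, "uid": "alice"}  # constructed
    print(accept_id_token_claims(claims, nonce, (MFA,), username_claim="uid"))
```

Signature, issuer, audience and expiry validation of the ID token are assumed to have happened before `accept_id_token_claims` is called.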