On Wed Feb 4, 2026 at 5:13 PM CET, Arthur Bied-Charreton wrote:
> Add auth-method, as well as optional
> oauth2-{client-id,client-secret,tenant-id,refresh-token} parameters to
> prepare for OAuth2 support.
>
> The auth-method parameter was previously implicit and inferred by
> proxmox-notify based on the presence of a password. It is now made
> explicit, however still kept optional and explicitly inferred in the
> {update,create}_endpoint handlers to avoid breaking the API.
>
> Signed-off-by: Arthur Bied-Charreton <[email protected]>
> ---
>  PVE/API2/Cluster/Notifications.pm | 55 +++++++++++++++++++++++++++++++
>  1 file changed, 55 insertions(+)
>
> diff --git a/PVE/API2/Cluster/Notifications.pm 
> b/PVE/API2/Cluster/Notifications.pm
> index 8b455227..a45a15b2 100644
> --- a/PVE/API2/Cluster/Notifications.pm
> +++ b/PVE/API2/Cluster/Notifications.pm
> @@ -941,6 +941,13 @@ my $smtp_properties = {
>          default => 'tls',
>          optional => 1,
>      },
> +    'auth-method' => {
> +        description =>
> +            'Determine which authentication method shall be used for the 
> connection.',
> +        type => 'string',
> +        enum => [qw(google-oauth2 microsoft-oauth2 plain none)],
> +        optional => 1,
> +    },
>      username => {
>          description => 'Username for SMTP authentication',
>          type => 'string',
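Review bot: the description of 'auth-method' does not say what happens when the parameter is omitted. Since it stays optional and the handlers fall back to 'plain' when a password is supplied and 'none' otherwise, that fallback should be stated in the description so API users can see it. It would also help to say that google-oauth2 and microsoft-oauth2 expect the oauth2-* parameters.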
> @@ -951,6 +958,26 @@ my $smtp_properties = {
>          type => 'string',
>          optional => 1,
>      },
> +    'oauth2-client-id' => {
> +        description => 'OAuth2 client ID',
> +        type => 'string',
> +        optional => 1,
> +    },
> +    'oauth2-client-secret' => {
> +        description => 'OAuth2 client secret',
> +        type => 'string',
> +        optional => 1,
> +    },
> +    'oauth2-tenant-id' => {
> +        description => 'OAuth2 tenant ID',
> +        type => 'string',
> +        optional => 1,
> +    },
> +    'oauth2-refresh-token' => {
> +        description => 'OAuth2 refresh token',
> +        type => 'string',
> +        optional => 1,
> +    },
>      mailto => {
>          type => 'array',
>          items => {
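Review bot: the four oauth2-* properties are all optional plain strings with no stated relation to 'auth-method', so nothing in the schema says which of them a given method needs (for example whether 'oauth2-tenant-id' only applies to microsoft-oauth2). Please extend the descriptions accordingly. Also note that 'oauth2-client-secret' and 'oauth2-refresh-token' are credentials like 'password', so they should get the same handling as 'password' wherever that one is stored or returned.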
> @@ -1108,6 +1135,11 @@ __PACKAGE__->register_method({
>          my $mode = extract_param($param, 'mode');
>          my $username = extract_param($param, 'username');
>          my $password = extract_param($param, 'password');
> +        my $auth_method = extract_param($param, 'auth-method');
> +        my $oauth2_client_secret = extract_param($param, 
> 'oauth2-client-secret');
> +        my $oauth2_client_id = extract_param($param, 'oauth2-client-id');
> +        my $oauth2_tenant_id = extract_param($param, 'oauth2-tenant-id');
> +        my $oauth2_refresh_token = extract_param($param, 
> 'oauth2-refresh-token');
>          my $mailto = extract_param($param, 'mailto');
>          my $mailto_user = extract_param($param, 'mailto-user');
>          my $from_address = extract_param($param, 'from-address');
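Review bot: style nit in the extract_param block: 'oauth2-client-secret' is extracted before 'oauth2-client-id', while the call further down passes $oauth2_client_id before $oauth2_client_secret. Keeping both in the same order makes it easier to check the positional call against the declarations; the same applies to the update handler.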
> @@ -1115,6 +1147,10 @@ __PACKAGE__->register_method({
>          my $comment = extract_param($param, 'comment');
>          my $disable = extract_param($param, 'disable');
>  
> +        if (!defined $auth_method) {
> +            $auth_method = defined($password) ? 'plain' : 'none';
> +        }
> +
>          eval {
>              PVE::Notify::lock_config(sub {
>                  my $config = PVE::Notify::read_config();
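Review bot: the fallback `$auth_method = defined($password) ? 'plain' : 'none';` only runs when 'auth-method' is absent, and no check in this hunk covers combinations that contradict each other: an explicit 'plain' without a password, 'none' with a password, or oauth2-* values given without 'auth-method' (which ends up as 'plain' or 'none' and silently ignores them). Consider rejecting these with a parameter error here, unless the callee is known to validate them.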
> @@ -1126,6 +1162,11 @@ __PACKAGE__->register_method({
>                      $mode,
>                      $username,
>                      $password,
> +                    $auth_method,
> +                    $oauth2_client_id,
> +                    $oauth2_client_secret,
> +                    $oauth2_tenant_id,
> +                    $oauth2_refresh_token,
>                      $mailto,
>                      $mailto_user,
>                      $from_address,
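Review bot: the five new arguments are inserted between $password and $mailto, so every later positional argument shifts by five. A binding that still expects the old list would receive $auth_method in the mailto position, so this call only works together with the matching proxmox-perl-rs change; that dependency should be stated in the patch description.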
> @@ -1187,6 +1228,11 @@ __PACKAGE__->register_method({
>          my $mode = extract_param($param, 'mode');
>          my $username = extract_param($param, 'username');
>          my $password = extract_param($param, 'password');
> +        my $auth_method = extract_param($param, 'auth-method');
> +        my $oauth2_client_secret = extract_param($param, 
> 'oauth2-client-secret');
> +        my $oauth2_client_id = extract_param($param, 'oauth2-client-id');
> +        my $oauth2_tenant_id = extract_param($param, 'oauth2-tenant-id');
> +        my $oauth2_refresh_token = extract_param($param, 
> 'oauth2-refresh-token');
>          my $mailto = extract_param($param, 'mailto');
>          my $mailto_user = extract_param($param, 'mailto-user');
>          my $from_address = extract_param($param, 'from-address');
> @@ -1197,6 +1243,10 @@ __PACKAGE__->register_method({
>          my $delete = extract_param($param, 'delete');
>          my $digest = extract_param($param, 'digest');
>  
> +        if (!defined $auth_method) {
> +            $auth_method = defined($password) ? 'plain' : 'none';
> +        }
> +
>          eval {
>              PVE::Notify::lock_config(sub {
>                  my $config = PVE::Notify::read_config();
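Review bot: in the update handler the same fallback changes behaviour for requests that leave out both 'auth-method' and 'password'. If omitting 'password' on update means "keep the stored one", an update that only touches, say, 'comment' now sends 'none' as the auth method and could switch off authentication for an endpoint that was using plain. For updates it looks safer to pass $auth_method through undefined when the request does not set it, and to infer 'plain' only when 'password' is actually given.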
> @@ -1208,6 +1258,11 @@ __PACKAGE__->register_method({
>                      $mode,
>                      $username,
>                      $password,
> +                    $auth_method,
> +                    $oauth2_client_id,
> +                    $oauth2_client_secret,
> +                    $oauth2_tenant_id,
> +                    $oauth2_refresh_token,
>                      $mailto,
>                      $mailto_user,
>                      $from_address,

As already explained off-list, I think it's time to switch from a flat
list of parameters to passing hashes for the parameters for the
`add_smtp_target` and `update_smtp_target` methods. This means, the
bindings in proxmox-perl-rs would then directly take
SmtpConfig/SmtpPrivateConfig and
SmtpConfigUpdater/SmtpPrivateConfigUpdater. Then the call could look
something like (not tested)

    $config->add_smtp_endpoint(
        $name,
        {
            server => $server,
            port => $port,
            ...
        },
        {
            password => $password,
            ...
        }
    );

This makes it much harder to introduce bugs due to parameter ordering.
Long-term we should do the same for the other endpoints, but no need to
do it in this series, I think.

For changes like these and in general it's pretty important to mention
any breaking changes in the cover letter and maybe patch description,
since the changes done in this series affect multiple packages that
*could* be updated independently by our users. For instance, in the
cover-letter you could write something like:
   
   The patch series requires the following version requirement bumps:

     pve-manager requires bumped proxmox-perl-rs
     proxmox-perl-rs requires bumped proxmox-notify*


*.) although for this one it's not that critical, since it's only a
build-dependency, so there is no chance of customer systems breaking due
to partial system updates

This way the maintainer knows that the version requirements in
debian/control must be adapted at some point after applying the patches.


