[pve-devel] [PATCH openid 0/1] Make OIDC userinfo endpoint optional

[pve-devel] [PATCH openid 0/1] Make OIDC userinfo endpoint optional

[Thomas Skinner]

In the OpenID Connect documentation (https://openid.net/specs/openid-connect-core-1_0.html), the
protocol abstract defined in 1.3 states in step 4 that "The RP can send a request with the Access 
Token to the UserInfo Endpoint", which would imply that getting information from the UserInfo
endpoint is not a requirement for the protocol. Some OpenID Providers (e.g. ADFS) do not support
retrieving any additional claims in the UserInfo endpoint.

This patch changes the userinfo claims to be optional instead of required. If the claims can be
retrieved successfully from the userinfo endpoint, they are returned as retrieved. If the claims
cannot be retrieved successfully, the claims are returned as None.

While this patch does not explicitly add an option as requested in bug #4234, it does fix issue of
the userinfo endpoint not providing claims properly.

It would be nice to have some log output when claims cannot be retrieved for troubleshooting
purposes, but I'm not sure how the PVE team would prefer that be handled.

Thomas Skinner (1):
  fix #4234: openid: make userinfo request optional

 proxmox-openid/src/lib.rs | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

-- 
2.39.2


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH openid 1/1] fix #4234: openid: make userinfo request optional

[Thomas Skinner]

Signed-off-by: Thomas Skinner <thomas@atskinner.net>
---
 proxmox-openid/src/lib.rs | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/proxmox-openid/src/lib.rs b/proxmox-openid/src/lib.rs
index fe65fded..7cef06e0 100644
--- a/proxmox-openid/src/lib.rs
+++ b/proxmox-openid/src/lib.rs
@@ -195,7 +195,7 @@ impl OpenIdAuthenticator {
         &self,
         code: &str,
         private_auth_state: &PrivateAuthState,
-    ) -> Result<(CoreIdTokenClaims, GenericUserInfoClaims), Error> {
+    ) -> Result<(CoreIdTokenClaims, Option<GenericUserInfoClaims>), Error> {
         let code = AuthorizationCode::new(code.to_string());
         // Exchange the code with a token.
         let token_response = self
@@ -213,11 +213,14 @@ impl OpenIdAuthenticator {
             .claims(&id_token_verifier, &private_auth_state.nonce)
             .map_err(|err| format_err!("Failed to verify ID token: {}", err))?;
 
-        let userinfo_claims: GenericUserInfoClaims = self
+        let userinfo_claims: Option<GenericUserInfoClaims> = match self
             .client
             .user_info(token_response.access_token().to_owned(), None)?
             .request(http_client)
-            .map_err(|err| format_err!("Failed to contact userinfo endpoint: {}", err))?;
+        {
+            Ok(claims) => Some(claims),
+            Err(..) => None,
+        };
 
         Ok((id_token_claims.clone(), userinfo_claims))
     }
-- 
2.39.2


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [PATCH openid 0/1] Make OIDC userinfo endpoint optional

[Thomas Skinner]

This is still applicable to the latest master for the referenced
repositories. Any movement?

On Fri, Aug 30, 2024, 5:34 PM Thomas Skinner <thomas@atskinner.net> wrote:

> In the OpenID Connect documentation (
> https://openid.net/specs/openid-connect-core-1_0.html), the
> protocol abstract defined in 1.3 states in step 4 that "The RP can send a
> request with the Access
> Token to the UserInfo Endpoint", which would imply that getting
> information from the UserInfo
> endpoint is not a requirement for the protocol. Some OpenID Providers
> (e.g. ADFS) do not support
> retrieving any additional claims in the UserInfo endpoint.
>
> This patch changes the userinfo claims to be optional instead of required.
> If the claims can be
> retrieved successfully from the userinfo endpoint, they are returned as
> retrieved. If the claims
> cannot be retrieved successfully, the claims are returned as None.
>
> While this patch does not explicitly add an option as requested in bug
> #4234, it does fix issue of
> the userinfo endpoint not providing claims properly.
>
> It would be nice to have some log output when claims cannot be retrieved
> for troubleshooting
> purposes, but I'm not sure how the PVE team would prefer that be handled.
>
> Thomas Skinner (1):
>   fix #4234: openid: make userinfo request optional
>
>  proxmox-openid/src/lib.rs | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
>
> --
> 2.39.2
>
>
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [PATCH openid 1/1] fix #4234: openid: make userinfo request optional

[Fabian Grünbichler]

On August 31, 2024 12:34 am, Thomas Skinner wrote:
> Signed-off-by: Thomas Skinner <thomas@atskinner.net>
> ---
>  proxmox-openid/src/lib.rs | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
> 
> diff --git a/proxmox-openid/src/lib.rs b/proxmox-openid/src/lib.rs
> index fe65fded..7cef06e0 100644
> --- a/proxmox-openid/src/lib.rs
> +++ b/proxmox-openid/src/lib.rs
> @@ -195,7 +195,7 @@ impl OpenIdAuthenticator {
>          &self,
>          code: &str,
>          private_auth_state: &PrivateAuthState,
> -    ) -> Result<(CoreIdTokenClaims, GenericUserInfoClaims), Error> {
> +    ) -> Result<(CoreIdTokenClaims, Option<GenericUserInfoClaims>), Error> {

this is a breaking change anyway (even though it is masked by
verify_authentication_code_simple ;))

>          let code = AuthorizationCode::new(code.to_string());
>          // Exchange the code with a token.
>          let token_response = self
> @@ -213,11 +213,14 @@ impl OpenIdAuthenticator {
>              .claims(&id_token_verifier, &private_auth_state.nonce)
>              .map_err(|err| format_err!("Failed to verify ID token: {}", err))?;
>  
> -        let userinfo_claims: GenericUserInfoClaims = self
> +        let userinfo_claims: Option<GenericUserInfoClaims> = match self
>              .client
>              .user_info(token_response.access_token().to_owned(), None)?
>              .request(http_client)
> -            .map_err(|err| format_err!("Failed to contact userinfo endpoint: {}", err))?;
> +        {
> +            Ok(claims) => Some(claims),
> +            Err(..) => None,

and like you said in the cover letter, this would hide errors..

I think it would be better to extend this (and the simple variant) with
a boolean parameter that decides whether to query the user_info at all -
if it is set, then failure to do so should still be a hard error..

and then calling sites can decide where/how to store this configuration
knob and whether to expose it..

> +        };
>  
>          Ok((id_token_claims.clone(), userinfo_claims))
>      }
> -- 
> 2.39.2
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
> 
> 


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [PATCH openid 0/1] Make OIDC userinfo endpoint optional

[Fabian Grünbichler]

On August 31, 2024 12:34 am, Thomas Skinner wrote:
> In the OpenID Connect documentation (https://openid.net/specs/openid-connect-core-1_0.html), the
> protocol abstract defined in 1.3 states in step 4 that "The RP can send a request with the Access 
> Token to the UserInfo Endpoint", which would imply that getting information from the UserInfo
> endpoint is not a requirement for the protocol. Some OpenID Providers (e.g. ADFS) do not support
> retrieving any additional claims in the UserInfo endpoint.
> 
> This patch changes the userinfo claims to be optional instead of required. If the claims can be
> retrieved successfully from the userinfo endpoint, they are returned as retrieved. If the claims
> cannot be retrieved successfully, the claims are returned as None.
> 
> While this patch does not explicitly add an option as requested in bug #4234, it does fix issue of
> the userinfo endpoint not providing claims properly.
> 
> It would be nice to have some log output when claims cannot be retrieved for troubleshooting
> purposes, but I'm not sure how the PVE team would prefer that be handled.
> 
> Thomas Skinner (1):
>   fix #4234: openid: make userinfo request optional
> 
>  proxmox-openid/src/lib.rs | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)

a heads-up for this patch here (the group series only needs to consider
this if the API changes, unless PBS gains group support in the meantime
;) - proxmox-openid is also used by PBS, not just by PVE, so there might
be changed needed on that side as well depending on how the API is
adapted..


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel