* [pve-devel] [PATCH openid 0/1] Make OIDC userinfo endpoint optional
@ 2024-08-30 22:34 Thomas Skinner
2024-08-30 22:34 ` [pve-devel] [PATCH openid 1/1] fix #4234: openid: make userinfo request optional Thomas Skinner
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Thomas Skinner @ 2024-08-30 22:34 UTC (permalink / raw)
To: pve-devel; +Cc: Thomas Skinner
In the OpenID Connect documentation (https://openid.net/specs/openid-connect-core-1_0.html), the
protocol abstract defined in 1.3 states in step 4 that "The RP can send a request with the Access
Token to the UserInfo Endpoint", which would imply that getting information from the UserInfo
endpoint is not a requirement for the protocol. Some OpenID Providers (e.g. ADFS) do not support
retrieving any additional claims in the UserInfo endpoint.
This patch changes the userinfo claims to be optional instead of required. If the claims can be
retrieved successfully from the userinfo endpoint, they are returned as retrieved. If the claims
cannot be retrieved successfully, the claims are returned as None.
While this patch does not explicitly add an option as requested in bug #4234, it does fix issue of
the userinfo endpoint not providing claims properly.
It would be nice to have some log output when claims cannot be retrieved for troubleshooting
purposes, but I'm not sure how the PVE team would prefer that be handled.
Thomas Skinner (1):
fix #4234: openid: make userinfo request optional
proxmox-openid/src/lib.rs | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--
2.39.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 5+ messages in thread* [pve-devel] [PATCH openid 1/1] fix #4234: openid: make userinfo request optional 2024-08-30 22:34 [pve-devel] [PATCH openid 0/1] Make OIDC userinfo endpoint optional Thomas Skinner @ 2024-08-30 22:34 ` Thomas Skinner 2024-11-13 12:11 ` Fabian Grünbichler 2024-10-03 1:46 ` [pve-devel] [PATCH openid 0/1] Make OIDC userinfo endpoint optional Thomas Skinner 2024-11-13 12:55 ` Fabian Grünbichler 2 siblings, 1 reply; 5+ messages in thread From: Thomas Skinner @ 2024-08-30 22:34 UTC (permalink / raw) To: pve-devel; +Cc: Thomas Skinner Signed-off-by: Thomas Skinner <thomas@atskinner.net> --- proxmox-openid/src/lib.rs | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/proxmox-openid/src/lib.rs b/proxmox-openid/src/lib.rs index fe65fded..7cef06e0 100644 --- a/proxmox-openid/src/lib.rs +++ b/proxmox-openid/src/lib.rs @@ -195,7 +195,7 @@ impl OpenIdAuthenticator { &self, code: &str, private_auth_state: &PrivateAuthState, - ) -> Result<(CoreIdTokenClaims, GenericUserInfoClaims), Error> { + ) -> Result<(CoreIdTokenClaims, Option<GenericUserInfoClaims>), Error> { let code = AuthorizationCode::new(code.to_string()); // Exchange the code with a token. let token_response = self @@ -213,11 +213,14 @@ impl OpenIdAuthenticator { .claims(&id_token_verifier, &private_auth_state.nonce) .map_err(|err| format_err!("Failed to verify ID token: {}", err))?; - let userinfo_claims: GenericUserInfoClaims = self + let userinfo_claims: Option<GenericUserInfoClaims> = match self .client .user_info(token_response.access_token().to_owned(), None)? .request(http_client) - .map_err(|err| format_err!("Failed to contact userinfo endpoint: {}", err))?; + { + Ok(claims) => Some(claims), + Err(..) => None, + }; Ok((id_token_claims.clone(), userinfo_claims)) } -- 2.39.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [pve-devel] [PATCH openid 1/1] fix #4234: openid: make userinfo request optional 2024-08-30 22:34 ` [pve-devel] [PATCH openid 1/1] fix #4234: openid: make userinfo request optional Thomas Skinner @ 2024-11-13 12:11 ` Fabian Grünbichler 0 siblings, 0 replies; 5+ messages in thread From: Fabian Grünbichler @ 2024-11-13 12:11 UTC (permalink / raw) To: Proxmox VE development discussion; +Cc: Thomas Skinner On August 31, 2024 12:34 am, Thomas Skinner wrote: > Signed-off-by: Thomas Skinner <thomas@atskinner.net> > --- > proxmox-openid/src/lib.rs | 9 ++++++--- > 1 file changed, 6 insertions(+), 3 deletions(-) > > diff --git a/proxmox-openid/src/lib.rs b/proxmox-openid/src/lib.rs > index fe65fded..7cef06e0 100644 > --- a/proxmox-openid/src/lib.rs > +++ b/proxmox-openid/src/lib.rs > @@ -195,7 +195,7 @@ impl OpenIdAuthenticator { > &self, > code: &str, > private_auth_state: &PrivateAuthState, > - ) -> Result<(CoreIdTokenClaims, GenericUserInfoClaims), Error> { > + ) -> Result<(CoreIdTokenClaims, Option<GenericUserInfoClaims>), Error> { this is a breaking change anyway (even though it is masked by verify_authentication_code_simple ;)) > let code = AuthorizationCode::new(code.to_string()); > // Exchange the code with a token. > let token_response = self > @@ -213,11 +213,14 @@ impl OpenIdAuthenticator { > .claims(&id_token_verifier, &private_auth_state.nonce) > .map_err(|err| format_err!("Failed to verify ID token: {}", err))?; > > - let userinfo_claims: GenericUserInfoClaims = self > + let userinfo_claims: Option<GenericUserInfoClaims> = match self > .client > .user_info(token_response.access_token().to_owned(), None)? > .request(http_client) > - .map_err(|err| format_err!("Failed to contact userinfo endpoint: {}", err))?; > + { > + Ok(claims) => Some(claims), > + Err(..) => None, and like you said in the cover letter, this would hide errors.. I think it would be better to extend this (and the simple variant) with a boolean parameter that decides whether to query the user_info at all - if it is set, then failure to do so should still be a hard error.. and then calling sites can decide where/how to store this configuration knob and whether to expose it.. > + }; > > Ok((id_token_claims.clone(), userinfo_claims)) > } > -- > 2.39.2 > > > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel > > > _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [pve-devel] [PATCH openid 0/1] Make OIDC userinfo endpoint optional 2024-08-30 22:34 [pve-devel] [PATCH openid 0/1] Make OIDC userinfo endpoint optional Thomas Skinner 2024-08-30 22:34 ` [pve-devel] [PATCH openid 1/1] fix #4234: openid: make userinfo request optional Thomas Skinner @ 2024-10-03 1:46 ` Thomas Skinner 2024-11-13 12:55 ` Fabian Grünbichler 2 siblings, 0 replies; 5+ messages in thread From: Thomas Skinner @ 2024-10-03 1:46 UTC (permalink / raw) To: pve-devel This is still applicable to the latest master for the referenced repositories. Any movement? On Fri, Aug 30, 2024, 5:34 PM Thomas Skinner <thomas@atskinner.net> wrote: > In the OpenID Connect documentation ( > https://openid.net/specs/openid-connect-core-1_0.html), the > protocol abstract defined in 1.3 states in step 4 that "The RP can send a > request with the Access > Token to the UserInfo Endpoint", which would imply that getting > information from the UserInfo > endpoint is not a requirement for the protocol. Some OpenID Providers > (e.g. ADFS) do not support > retrieving any additional claims in the UserInfo endpoint. > > This patch changes the userinfo claims to be optional instead of required. > If the claims can be > retrieved successfully from the userinfo endpoint, they are returned as > retrieved. If the claims > cannot be retrieved successfully, the claims are returned as None. > > While this patch does not explicitly add an option as requested in bug > #4234, it does fix issue of > the userinfo endpoint not providing claims properly. > > It would be nice to have some log output when claims cannot be retrieved > for troubleshooting > purposes, but I'm not sure how the PVE team would prefer that be handled. > > Thomas Skinner (1): > fix #4234: openid: make userinfo request optional > > proxmox-openid/src/lib.rs | 9 ++++++--- > 1 file changed, 6 insertions(+), 3 deletions(-) > > -- > 2.39.2 > > _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [pve-devel] [PATCH openid 0/1] Make OIDC userinfo endpoint optional 2024-08-30 22:34 [pve-devel] [PATCH openid 0/1] Make OIDC userinfo endpoint optional Thomas Skinner 2024-08-30 22:34 ` [pve-devel] [PATCH openid 1/1] fix #4234: openid: make userinfo request optional Thomas Skinner 2024-10-03 1:46 ` [pve-devel] [PATCH openid 0/1] Make OIDC userinfo endpoint optional Thomas Skinner @ 2024-11-13 12:55 ` Fabian Grünbichler 2 siblings, 0 replies; 5+ messages in thread From: Fabian Grünbichler @ 2024-11-13 12:55 UTC (permalink / raw) To: Proxmox VE development discussion; +Cc: Thomas Skinner On August 31, 2024 12:34 am, Thomas Skinner wrote: > In the OpenID Connect documentation (https://openid.net/specs/openid-connect-core-1_0.html), the > protocol abstract defined in 1.3 states in step 4 that "The RP can send a request with the Access > Token to the UserInfo Endpoint", which would imply that getting information from the UserInfo > endpoint is not a requirement for the protocol. Some OpenID Providers (e.g. ADFS) do not support > retrieving any additional claims in the UserInfo endpoint. > > This patch changes the userinfo claims to be optional instead of required. If the claims can be > retrieved successfully from the userinfo endpoint, they are returned as retrieved. If the claims > cannot be retrieved successfully, the claims are returned as None. > > While this patch does not explicitly add an option as requested in bug #4234, it does fix issue of > the userinfo endpoint not providing claims properly. > > It would be nice to have some log output when claims cannot be retrieved for troubleshooting > purposes, but I'm not sure how the PVE team would prefer that be handled. > > Thomas Skinner (1): > fix #4234: openid: make userinfo request optional > > proxmox-openid/src/lib.rs | 9 ++++++--- > 1 file changed, 6 insertions(+), 3 deletions(-) a heads-up for this patch here (the group series only needs to consider this if the API changes, unless PBS gains group support in the meantime ;) - proxmox-openid is also used by PBS, not just by PVE, so there might be changed needed on that side as well depending on how the API is adapted.. _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2024-11-13 12:56 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2024-08-30 22:34 [pve-devel] [PATCH openid 0/1] Make OIDC userinfo endpoint optional Thomas Skinner 2024-08-30 22:34 ` [pve-devel] [PATCH openid 1/1] fix #4234: openid: make userinfo request optional Thomas Skinner 2024-11-13 12:11 ` Fabian Grünbichler 2024-10-03 1:46 ` [pve-devel] [PATCH openid 0/1] Make OIDC userinfo endpoint optional Thomas Skinner 2024-11-13 12:55 ` Fabian Grünbichler
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox