Date: Fri, 24 Jan 2025 10:17:25 +0100
From: Fabian Grünbichler <f.gruenbichler@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
References: <20241216041428.1184350-1-thomas@atskinner.net>
 <20241216041428.1184350-6-thomas@atskinner.net>
In-Reply-To: <20241216041428.1184350-6-thomas@atskinner.net>
MIME-Version: 1.0
User-Agent: astroid/0.16.0 (https://github.com/astroidmail/astroid)
Message-Id: <1737709890.ic258nmg3w.astroid@yuna.none>
Subject: Re: [pve-devel] [PATCH proxmox v2 5/5] fix #4234: openid: add
 library functions for optional userinfo endpoint
Cc: Thomas Skinner <thomas@atskinner.net>

On December 16, 2024 5:14 am, Thomas Skinner wrote:
> Signed-off-by: Thomas Skinner <thomas@atskinner.net>
> ---
>  proxmox-openid/src/lib.rs | 30 +++++++++++++++++++++++++++++-
>  1 file changed, 29 insertions(+), 1 deletion(-)
> 
> diff --git a/proxmox-openid/src/lib.rs b/proxmox-openid/src/lib.rs
> index fe65fded..87be1c8a 100644
> --- a/proxmox-openid/src/lib.rs
> +++ b/proxmox-openid/src/lib.rs
> @@ -31,6 +31,7 @@ use openidconnect::{
>      PkceCodeVerifier,
>      RedirectUrl,
>      Scope,
> +    StandardClaims,
>      UserInfoClaims,
>  };
>  
> @@ -195,6 +196,15 @@ impl OpenIdAuthenticator {
>          &self,
>          code: &str,
>          private_auth_state: &PrivateAuthState,
> +    ) -> Result<(CoreIdTokenClaims, GenericUserInfoClaims), Error> {
> +        self.verify_authorization_code_userinfo(code, private_auth_state, true)

this default here is the wrong way round (to preserve the old behaviour,
we should pass in `false`).

> +    }
> +
> +    pub fn verify_authorization_code_userinfo(
> +        &self,
> +        code: &str,
> +        private_auth_state: &PrivateAuthState,
> +        disable_userinfo: bool,
>      ) -> Result<(CoreIdTokenClaims, GenericUserInfoClaims), Error> {
>          let code = AuthorizationCode::new(code.to_string());
>          // Exchange the code with a token.
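Review bot: `verify_authorization_code_userinfo` is new public API but carries no doc comment, and its `disable_userinfo` flag changes what the second element of the returned tuple is: per the next hunk, when the flag is true the userinfo endpoint is not queried and the `GenericUserInfoClaims` is built locally from the ID token's subject with null additional claims. A `///` comment above the signature should say so, e.g. `/// Like verify_authorization_code(), but when disable_userinfo is true the userinfo endpoint is skipped and the returned userinfo claims hold only the ID token subject with no additional claims.` Callers that read fields only the userinfo response provides then get nothing back, which the comment should make explicit. The function's body continues in the following hunk.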
> @@ -213,6 +223,14 @@ impl OpenIdAuthenticator {
>              .claims(&id_token_verifier, &private_auth_state.nonce)
>              .map_err(|err| format_err!("Failed to verify ID token: {}", err))?;
>  
> +        if disable_userinfo {
> +            let empty_userinfo_claims = UserInfoClaims::new(
> +                StandardClaims::new(id_token_claims.subject().clone()),
> +                GenericClaims(Value::Null),
> +            );
> +            return Ok((id_token_claims.clone(), empty_userinfo_claims));
> +        }
> +
>          let userinfo_claims: GenericUserInfoClaims = self
>              .client
>              .user_info(token_response.access_token().to_owned(), None)?
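Review bot: The `if disable_userinfo` block builds a placeholder `UserInfoClaims` that is indistinguishable, for the caller, from a real userinfo response containing only a subject, and nothing in the hunk says why the placeholder exists. A short comment at the top of the block would help, e.g. `// No userinfo request: synthesize claims from the already-verified ID token so the return type stays the same; the subject is copied from id_token_claims and the additional claims are Null.` Because the subject is copied from the ID token, a consumer that cross-checks the userinfo subject against the ID token subject gets a match by construction rather than a provider-verified value, and stating that avoids a false sense of verification. The enclosing function starts in the previous hunk and its tail lies outside this one.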
> @@ -227,9 +245,19 @@ impl OpenIdAuthenticator {
>          &self,
>          code: &str,
>          private_auth_state: &PrivateAuthState,
> +    ) -> Result<Value, Error> {
> +        self.verify_authorization_code_simple_userinfo(code, private_auth_state, true)

same here

> +    }
> +
> +    /// Like verify_authorization_code_simple_userinfo(), but returns claims as serde_json::Value
> +    pub fn verify_authorization_code_simple_userinfo(
> +        &self,
> +        code: &str,
> +        private_auth_state: &PrivateAuthState,
> +        disable_userinfo: bool,
>      ) -> Result<Value, Error> {
>          let (id_token_claims, userinfo_claims) =
> -            self.verify_authorization_code(code, private_auth_state)?;
> +            self.verify_authorization_code_userinfo(code, private_auth_state, disable_userinfo)?;
>  
>          let mut data = serde_json::to_value(id_token_claims)?;
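Review bot: The doc comment `/// Like verify_authorization_code_simple_userinfo(), but returns claims as serde_json::Value` sits on `verify_authorization_code_simple_userinfo` itself, so it describes the function in terms of itself; it looks like a copy of the original `verify_authorization_code_simple` doc with the wrong name substituted. It should point at the tuple-returning counterpart: `/// Like verify_authorization_code_userinfo(), but returns claims as serde_json::Value`. Both `verify_authorization_code_simple`, whose signature starts before this hunk, and the new function, whose body continues past it, are only partly visible here.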
>  
> -- 
> 2.39.5
> 
> 

