From: Thomas Skinner
To: pve-devel@lists.proxmox.com
Date: Fri, 30 Aug 2024 17:34:29 -0500
Message-Id: <20240830223430.237913-1-thomas@atskinner.net>
Subject: [pve-devel] [PATCH openid 0/1] Make OIDC userinfo endpoint optional
List-Id: Proxmox VE development discussion
Cc: Thomas Skinner

In the OpenID Connect documentation (https://openid.net/specs/openid-connect-core-1_0.html), the protocol abstract defined in 1.3 states in step 4 that "The RP can send a request with the Access Token to the UserInfo Endpoint", which would imply that getting information from the UserInfo endpoint is not a requirement for the protocol. Some OpenID Providers (e.g. ADFS) do not support retrieving any additional claims in the UserInfo endpoint.

This patch changes the userinfo claims to be optional instead of required. If the claims can be retrieved successfully from the userinfo endpoint, they are returned as retrieved. If the claims cannot be retrieved successfully, the claims are returned as None.

While this patch does not explicitly add an option as requested in bug #4234, it does fix the issue of the userinfo endpoint not providing claims properly. It would be nice to have some log output when claims cannot be retrieved for troubleshooting purposes, but I'm not sure how the PVE team would prefer that be handled.

Thomas Skinner (1):
  fix #4234: openid: make userinfo request optional

 proxmox-openid/src/lib.rs | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

-- 
2.39.2

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
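The before/after behaviour the cover letter describes, modelled as an added Rust example (this is not the proxmox-openid patch itself): the `UserInfoFetch` stand-in replaces the real HTTP request so the code runs offline, and the ID-token-first `resolve_username` is an assumption about how a consumer should treat claims that are now optional.

```rust
use std::collections::HashMap;

/// Claims as a flat name -> value map (assumed shape for this example).
type Claims = HashMap<String, String>;

/// Stand-in for the provider's UserInfo request (not the openidconnect crate API):
/// Ok(claims) when the endpoint answers, Err(reason) when it does not,
/// e.g. a provider such as ADFS that serves no additional claims there.
type UserInfoFetch = dyn Fn(&str) -> Result<Claims, String>;

/// Before the patch: userinfo claims were required, so any failure of the
/// request aborted the whole login.
fn userinfo_required(fetch: &UserInfoFetch, access_token: &str) -> Result<Claims, String> {
    fetch(access_token)
}

/// After the patch: a failed request yields None instead of an error.
/// The eprintln! is the troubleshooting log line the cover letter asks for.
fn userinfo_optional(fetch: &UserInfoFetch, access_token: &str) -> Option<Claims> {
    match fetch(access_token) {
        Ok(claims) => Some(claims),
        Err(reason) => {
            eprintln!("userinfo request failed, using ID token claims only: {reason}");
            None
        }
    }
}

/// Consumer side: take the login-name claim from the signed ID token first and
/// fall back to userinfo only when it was actually retrieved. A claim missing
/// from both sources is a hard error, never an empty user name.
fn resolve_username(claim: &str, id_token: &Claims, userinfo: Option<&Claims>) -> Result<String, String> {
    id_token
        .get(claim)
        .or_else(|| userinfo.and_then(|u| u.get(claim)))
        .filter(|v| !v.is_empty())
        .cloned()
        .ok_or_else(|| format!("claim '{claim}' missing from both ID token and userinfo"))
}

fn main() {
    // Constructed ADFS-like provider: ID token carries `sub`, userinfo endpoint refuses.
    let id_token: Claims = HashMap::from([("sub".to_string(), "alice".to_string())]);
    let adfs_like = |_: &str| -> Result<Claims, String> { Err("HTTP 400 from /userinfo".into()) };
    assert!(userinfo_required(&adfs_like, "tok").is_err()); // old behaviour: login fails
    let userinfo = userinfo_optional(&adfs_like, "tok"); // new behaviour: None, login continues
    let user = resolve_username("sub", &id_token, userinfo.as_ref()).unwrap();
    println!("login as {user} (userinfo available: {})", userinfo.is_some());
}
```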