From: Thomas Skinner <thomas@atskinner.net>
To: pve-devel@lists.proxmox.com
Cc: Thomas Skinner <thomas@atskinner.net>
Subject: [pve-devel] [PATCH access-control v4 1/1] fix #4234: add library functions for openid optional userinfo request
Date: Sun, 23 Mar 2025 22:37:35 -0500 [thread overview]
Message-ID: <20250324033737.1347963-4-thomas@atskinner.net> (raw)
In-Reply-To: <20250324033737.1347963-1-thomas@atskinner.net>
Signed-off-by: Thomas Skinner <thomas@atskinner.net>
---
src/PVE/API2/OpenId.pm | 6 +++++-
src/PVE/Auth/OpenId.pm | 7 +++++++
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/PVE/API2/OpenId.pm b/src/PVE/API2/OpenId.pm
index 77410e6..f70d242 100644
--- a/src/PVE/API2/OpenId.pm
+++ b/src/PVE/API2/OpenId.pm
@@ -170,7 +170,11 @@ __PACKAGE__->register_method ({
my ($config, $openid) = $lookup_openid_auth->($realm, $redirect_url);
- my $info = $openid->verify_authorization_code($param->{code}, $private_auth_state);
+ my $info = $openid->verify_authorization_code(
+ $param->{code},
+ $private_auth_state,
+ $config->{'query-userinfo'} // 1,
+ );
my $subject = $info->{'sub'};
my $unique_name;
diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm
index c8e4db9..cf74229 100755
--- a/src/PVE/Auth/OpenId.pm
+++ b/src/PVE/Auth/OpenId.pm
@@ -63,6 +63,12 @@ sub properties {
pattern => '^[^\x00-\x1F\x7F <>#"]*$', # Prohibit characters not allowed in URI RFC 2396.
optional => 1,
},
+ "query-userinfo" => {
+ description => "Enables querying the userinfo endpoint for claims values.",
+ type => 'boolean',
+ default => 1,
+ optional => 1,
+ },
};
}
@@ -78,6 +84,7 @@ sub options {
"acr-values" => { optional => 1 },
default => { optional => 1 },
comment => { optional => 1 },
+ "query-userinfo" => { optional => 1 },
};
}
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2025-03-24 3:38 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-24 3:37 [pve-devel] [PATCH SERIES access-control/docs/manager/perl-rs/proxmox-openid v4] Make OIDC userinfo endpoint optional Thomas Skinner
2025-03-24 3:37 ` [pve-devel] [PATCH docs v4 1/1] fix #4234: add docs for openid optional userinfo request Thomas Skinner
2025-03-24 3:37 ` [pve-devel] [PATCH manager v4 1/1] fix #4234: add GUI option " Thomas Skinner
2025-03-24 3:37 ` Thomas Skinner [this message]
2025-03-24 3:37 ` [pve-devel] [PATCH proxmox-openid v4 1/1] fix #4234: openid: add library functions for optional userinfo endpoint Thomas Skinner
2025-03-24 3:37 ` [pve-devel] [PATCH perl-rs v4 1/1] fix #4234: openid: adjust openid verification function for userinfo option Thomas Skinner
2025-03-31 10:38 ` Mira Limbeck
2025-04-04 14:07 ` [pve-devel] [PATCH v4 perl-rs] " Mira Limbeck
2025-04-04 14:08 ` [pve-devel] [PATCH SERIES access-control/docs/manager/perl-rs/proxmox-openid v4] Make OIDC userinfo endpoint optional Mira Limbeck
2025-04-04 14:32 ` [pve-devel] applied-series: " Fabian Grünbichler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250324033737.1347963-4-thomas@atskinner.net \
--to=thomas@atskinner.net \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal