public inbox for pve-devel@lists.proxmox.com
From: Thomas Skinner <thomas@atskinner.net>
To: pve-devel@lists.proxmox.com
Subject: Re: [pve-devel] [PATCH openid 0/1] Make OIDC userinfo endpoint optional
Date: Wed, 2 Oct 2024 20:46:00 -0500
Message-ID: <CALn9RMchFkVH=ey1tKDiG2LcpQp7sVjt5znK42zM469BkWdbqw@mail.gmail.com>
In-Reply-To: <20240830223430.237913-1-thomas@atskinner.net>

This is still applicable to the latest master for the referenced
repositories. Any movement?

On Fri, Aug 30, 2024, 5:34 PM Thomas Skinner <thomas@atskinner.net> wrote:

> In the OpenID Connect documentation
> (https://openid.net/specs/openid-connect-core-1_0.html), the protocol
> abstract defined in 1.3 states in step 4 that "The RP can send a request
> with the Access Token to the UserInfo Endpoint", which would imply that
> getting information from the UserInfo endpoint is not a requirement for
> the protocol. Some OpenID Providers (e.g. ADFS) do not support retrieving
> any additional claims in the UserInfo endpoint.
>
> This patch changes the userinfo claims to be optional instead of required.
> If the claims can be retrieved successfully from the userinfo endpoint,
> they are returned as retrieved. If the claims cannot be retrieved
> successfully, the claims are returned as None.
>
> While this patch does not explicitly add an option as requested in bug
> #4234, it does fix the issue of the userinfo endpoint not providing claims
> properly.
>
> It would be nice to have some log output when claims cannot be retrieved
> for troubleshooting purposes, but I'm not sure how the PVE team would
> prefer that be handled.
>
> Thomas Skinner (1):
>   fix #4234: openid: make userinfo request optional
>
>  proxmox-openid/src/lib.rs | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
>
> --
> 2.39.2
>
>
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
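
The behaviour described in the quoted cover letter, as an added example that is not the proxmox-openid code or the patch itself: UserInfo claims become `None` when the endpoint cannot supply them, with a reason kept for troubleshooting. `Claims`, `Resolved`, `resolve_userinfo` and the sample values are hypothetical; the example assumes the ID Token was already validated and also applies the OIDC Core 5.3.2 rule that a UserInfo response is only usable when its `sub` matches the ID Token's.

```rust
use std::collections::HashMap;

// Hypothetical types for this example; real claims are JSON values.
pub type Claims = HashMap<String, String>;

#[derive(Debug, PartialEq)]
pub struct Resolved {
    pub userinfo: Option<Claims>, // None when UserInfo claims are unusable
    pub note: Option<String>,     // reason, for troubleshooting logs
}

// `id_token`: claims of an ID Token assumed to be already validated.
// `fetched`: outcome of the UserInfo request, Ok(claims) or Err(reason).
pub fn resolve_userinfo(id_token: &Claims, fetched: Result<Claims, String>) -> Result<Resolved, String> {
    // The ID Token stays mandatory and must name the subject.
    let sub = id_token.get("sub").ok_or("ID Token has no sub claim")?;
    let unusable = |why: String| Resolved { userinfo: None, note: Some(why) };
    Ok(match fetched {
        // Endpoint absent or failing: continue with ID Token claims only.
        Err(reason) => unusable(format!("userinfo unavailable: {}", reason)),
        // OIDC Core 5.3.2: a UserInfo response whose sub differs from the
        // ID Token sub must not be used.
        Ok(c) if c.get("sub") != Some(sub) => {
            unusable("userinfo sub does not match ID Token sub".to_string())
        }
        Ok(c) => Resolved { userinfo: Some(c), note: None },
    })
}

// Builds constructed sample claims.
fn claims(pairs: &[(&str, &str)]) -> Claims {
    pairs.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect()
}

fn main() {
    let id = claims(&[("sub", "alice-1234")]);
    let cases = vec![
        Err("HTTP 404".to_string()),
        Ok(claims(&[("sub", "alice-1234"), ("email", "alice@example.com")])),
        Ok(claims(&[("sub", "someone-else"), ("email", "alice@example.com")])),
    ];
    for fetched in cases {
        println!("{:?}", resolve_userinfo(&id, fetched));
    }
}
```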

Thread overview: 3+ messages
2024-08-30 22:34 Thomas Skinner
2024-08-30 22:34 ` [pve-devel] [PATCH openid 1/1] fix #4234: openid: make userinfo request optional Thomas Skinner
2024-10-03  1:46 ` Thomas Skinner [this message]
