From: Thomas Skinner <thomas@atskinner.net>
To: pve-devel@lists.proxmox.com
Subject: Re: [pve-devel] [PATCH openid 0/1] Make OIDC userinfo endpoint optional
Date: Wed, 2 Oct 2024 20:46:00 -0500
Message-ID: <CALn9RMchFkVH=ey1tKDiG2LcpQp7sVjt5znK42zM469BkWdbqw@mail.gmail.com>
In-Reply-To: <20240830223430.237913-1-thomas@atskinner.net>

This is still applicable to the latest master for the referenced
repositories. Any movement?

On Fri, Aug 30, 2024, 5:34 PM Thomas Skinner <thomas@atskinner.net> wrote:
> In the OpenID Connect documentation
> (https://openid.net/specs/openid-connect-core-1_0.html), the protocol
> abstract defined in 1.3 states in step 4 that "The RP can send a request
> with the Access Token to the UserInfo Endpoint", which would imply that
> getting information from the UserInfo endpoint is not a requirement for
> the protocol. Some OpenID Providers (e.g. ADFS) do not support retrieving
> any additional claims in the UserInfo endpoint.
>
> This patch changes the userinfo claims to be optional instead of required.
> If the claims can be retrieved successfully from the userinfo endpoint,
> they are returned as retrieved. If the claims cannot be retrieved
> successfully, the claims are returned as None.
>
> While this patch does not explicitly add an option as requested in bug
> #4234, it does fix the issue of the userinfo endpoint not providing claims
> properly.
>
> It would be nice to have some log output when claims cannot be retrieved
> for troubleshooting purposes, but I'm not sure how the PVE team would
> prefer that be handled.
>
> Thomas Skinner (1):
> fix #4234: openid: make userinfo request optional
>
> proxmox-openid/src/lib.rs | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> --
> 2.39.2
>
>
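
Added example, not part of this thread and not proxmox-openid code: once userinfo claims can come back as None, a caller has to work from the validated ID token claims alone, and when userinfo is present it still has to check that its `sub` matches the ID token's `sub` (OpenID Connect Core 5.3.2) before using it. `effective_claims`, `ClaimsError` and the string-only `Claims` map are hypothetical names and simplifications chosen for this sketch.

```rust
use std::collections::BTreeMap;

// Simplified claim set: real claims are JSON values, strings keep this short.
type Claims = BTreeMap<String, String>;

#[derive(Debug, PartialEq)]
enum ClaimsError {
    SubMismatch,
}

// Hypothetical helper (not from proxmox-openid): combine validated ID token
// claims with userinfo claims that may be absent (None).
fn effective_claims(id_token: &Claims, userinfo: Option<&Claims>) -> Result<Claims, ClaimsError> {
    let mut merged = id_token.clone();
    let info = match userinfo {
        Some(info) => info,
        // No usable userinfo response: continue with ID token claims only.
        None => return Ok(merged),
    };
    // OpenID Connect Core 5.3.2: the userinfo "sub" must exactly match the
    // ID token "sub", otherwise the userinfo values must not be used.
    match (id_token.get("sub"), info.get("sub")) {
        (Some(a), Some(b)) if a == b => {}
        _ => return Err(ClaimsError::SubMismatch),
    }
    for (k, v) in info {
        // This example's choice: signed ID token claims win over userinfo.
        merged.entry(k.clone()).or_insert_with(|| v.clone());
    }
    Ok(merged)
}

// Builds a claim set from constructed sample data.
fn claims(pairs: &[(&str, &str)]) -> Claims {
    pairs.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect()
}

fn main() {
    // Constructed sample claims, not taken from any real provider.
    let id = claims(&[("sub", "alice-id"), ("upn", "alice@example.com")]);
    let info = claims(&[("sub", "alice-id"), ("email", "alice@example.com")]);
    let other = claims(&[("sub", "mallory-id"), ("email", "alice@example.com")]);
    println!("{:?}", effective_claims(&id, None));
    println!("{:?}", effective_claims(&id, Some(&info)));
    println!("{:?}", effective_claims(&id, Some(&other)));
}
```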