[pve-devel] [PATCH openid 0/1] Make OIDC userinfo endpoint optional

Thomas Skinner thomas at atskinner.net
Sat Aug 31 00:34:29 CEST 2024


In the OpenID Connect documentation (https://openid.net/specs/openid-connect-core-1_0.html), the
protocol abstract defined in 1.3 states in step 4 that "The RP can send a request with the Access 
Token to the UserInfo Endpoint", which would imply that getting information from the UserInfo
endpoint is not a requirement for the protocol. Some OpenID Providers (e.g. ADFS) do not support
retrieving any additional claims in the UserInfo endpoint.

This patch changes the userinfo claims to be optional instead of required. If the claims can be
retrieved successfully from the userinfo endpoint, they are returned as retrieved. If the claims
cannot be retrieved successfully, the claims are returned as None.

While this patch does not explicitly add an option as requested in bug #4234, it does fix issue of
the userinfo endpoint not providing claims properly.

It would be nice to have some log output when claims cannot be retrieved for troubleshooting
purposes, but I'm not sure how the PVE team would prefer that be handled.

Thomas Skinner (1):
  fix #4234: openid: make userinfo request optional

 proxmox-openid/src/lib.rs | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

-- 
2.39.2




More information about the pve-devel mailing list