[pve-devel] [PATCH access-control v2 1/5] fix #4234: add library functions for openid optional userinfo request
Thomas Skinner
thomas at atskinner.net
Mon Dec 16 05:14:24 CET 2024
Signed-off-by: Thomas Skinner <thomas at atskinner.net>
---
src/PVE/API2/OpenId.pm | 6 +++++-
src/PVE/Auth/OpenId.pm | 7 +++++++
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/PVE/API2/OpenId.pm b/src/PVE/API2/OpenId.pm
index 77410e6..ea1de16 100644
--- a/src/PVE/API2/OpenId.pm
+++ b/src/PVE/API2/OpenId.pm
@@ -170,7 +170,11 @@ __PACKAGE__->register_method ({
my ($config, $openid) = $lookup_openid_auth->($realm, $redirect_url);
- my $info = $openid->verify_authorization_code($param->{code}, $private_auth_state);
+ my $info = $openid->verify_authorization_code_userinfo(
+ $param->{code},
+ $private_auth_state,
+ $config->{'disable-userinfo'} // 0,
+ );
my $subject = $info->{'sub'};
my $unique_name;
diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm
index c8e4db9..6efa696 100755
--- a/src/PVE/Auth/OpenId.pm
+++ b/src/PVE/Auth/OpenId.pm
@@ -63,6 +63,12 @@ sub properties {
pattern => '^[^\x00-\x1F\x7F <>#"]*$', # Prohibit characters not allowed in URI RFC 2396.
optional => 1,
},
+ "disable-userinfo" => {
+ description => "Prevents querying the userinfo endpoint for claims values.",
+ type => 'boolean',
+ default => 0,
+ optional => 1,
+ },
};
}
@@ -78,6 +84,7 @@ sub options {
"acr-values" => { optional => 1 },
default => { optional => 1 },
comment => { optional => 1 },
+ "disable-userinfo" => { optional => 1 },
};
}
--
2.39.5
More information about the pve-devel
mailing list