[pve-devel] [PATCH openid 1/1] fix #4234: openid: make userinfo request optional

Fabian Grünbichler f.gruenbichler at proxmox.com
Wed Nov 13 13:11:28 CET 2024 

On August 31, 2024 12:34 am, Thomas Skinner wrote:
> Signed-off-by: Thomas Skinner <thomas at atskinner.net>
> ---
>  proxmox-openid/src/lib.rs | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
> 
> diff --git a/proxmox-openid/src/lib.rs b/proxmox-openid/src/lib.rs
> index fe65fded..7cef06e0 100644
> --- a/proxmox-openid/src/lib.rs
> +++ b/proxmox-openid/src/lib.rs
> @@ -195,7 +195,7 @@ impl OpenIdAuthenticator {
>          &self,
>          code: &str,
>          private_auth_state: &PrivateAuthState,
> -    ) -> Result<(CoreIdTokenClaims, GenericUserInfoClaims), Error> {
> +    ) -> Result<(CoreIdTokenClaims, Option<GenericUserInfoClaims>), Error> {

this is a breaking change anyway (even though it is masked by
verify_authentication_code_simple ;))

>          let code = AuthorizationCode::new(code.to_string());
>          // Exchange the code with a token.
>          let token_response = self
> @@ -213,11 +213,14 @@ impl OpenIdAuthenticator {
>              .claims(&id_token_verifier, &private_auth_state.nonce)
>              .map_err(|err| format_err!("Failed to verify ID token: {}", err))?;
>  
> -        let userinfo_claims: GenericUserInfoClaims = self
> +        let userinfo_claims: Option<GenericUserInfoClaims> = match self
>              .client
>              .user_info(token_response.access_token().to_owned(), None)?
>              .request(http_client)
> -            .map_err(|err| format_err!("Failed to contact userinfo endpoint: {}", err))?;
> +        {
> +            Ok(claims) => Some(claims),
> +            Err(..) => None,

and like you said in the cover letter, this would hide errors..

I think it would be better to extend this (and the simple variant) with
a boolean parameter that decides whether to query the user_info at all -
if it is set, then failure to do so should still be a hard error..

and then calling sites can decide where/how to store this configuration
knob and whether to expose it..

> +        };
>  
>          Ok((id_token_claims.clone(), userinfo_claims))
>      }
> -- 
> 2.39.2
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel at lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
> 
>

More information about the pve-devel mailing list