[pve-devel] [PATCH openid 0/1] Make OIDC userinfo endpoint optional

[Fabian Grünbichler]

On August 31, 2024 12:34 am, Thomas Skinner wrote:
> In the OpenID Connect documentation (https://openid.net/specs/openid-connect-core-1_0.html), the
> protocol abstract defined in 1.3 states in step 4 that "The RP can send a request with the Access 
> Token to the UserInfo Endpoint", which would imply that getting information from the UserInfo
> endpoint is not a requirement for the protocol. Some OpenID Providers (e.g. ADFS) do not support
> retrieving any additional claims in the UserInfo endpoint.
> 
> This patch changes the userinfo claims to be optional instead of required. If the claims can be
> retrieved successfully from the userinfo endpoint, they are returned as retrieved. If the claims
> cannot be retrieved successfully, the claims are returned as None.
> 
> While this patch does not explicitly add an option as requested in bug #4234, it does fix issue of
> the userinfo endpoint not providing claims properly.
> 
> It would be nice to have some log output when claims cannot be retrieved for troubleshooting
> purposes, but I'm not sure how the PVE team would prefer that be handled.
> 
> Thomas Skinner (1):
>   fix #4234: openid: make userinfo request optional
> 
>  proxmox-openid/src/lib.rs | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)

a heads-up for this patch here (the group series only needs to consider
this if the API changes, unless PBS gains group support in the meantime
;) - proxmox-openid is also used by PBS, not just by PVE, so there might
be changed needed on that side as well depending on how the API is
adapted..