[pve-devel] [PATCH openid 0/1] Make OIDC userinfo endpoint optional

Thomas Skinner thomas at atskinner.net
Thu Oct 3 03:46:00 CEST 2024


This is still applicable to the latest master for the referenced
repositories. Any movement?

On Fri, Aug 30, 2024, 5:34 PM Thomas Skinner <thomas at atskinner.net> wrote:

> In the OpenID Connect documentation
> (https://openid.net/specs/openid-connect-core-1_0.html), the protocol
> abstract defined in 1.3 states in step 4 that "The RP can send a request
> with the Access Token to the UserInfo Endpoint", which would imply that
> getting information from the UserInfo endpoint is not a requirement for
> the protocol. Some OpenID Providers (e.g. ADFS) do not support retrieving
> any additional claims in the UserInfo endpoint.
>
> This patch changes the userinfo claims to be optional instead of required.
> If the claims can be retrieved successfully from the userinfo endpoint,
> they are returned as retrieved. If the claims cannot be retrieved
> successfully, the claims are returned as None.
>
> While this patch does not explicitly add an option as requested in bug
> #4234, it does fix the issue of the userinfo endpoint not providing claims
> properly.
>
> It would be nice to have some log output when claims cannot be retrieved
> for troubleshooting purposes, but I'm not sure how the PVE team would
> prefer that be handled.
>
> Thomas Skinner (1):
>   fix #4234: openid: make userinfo request optional
>
>  proxmox-openid/src/lib.rs | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
>
> --
> 2.39.2
>
>
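The behaviour the cover letter describes, written out as an added example (not the proxmox-openid code from the patch): a failed UserInfo request degrades to the verified ID token claims and leaves a log line, while a UserInfo response whose `sub` differs from the ID token `sub` is discarded, as OpenID Connect Core 1.0 section 5.3.2 requires. Claims are modelled as a plain string map and the "ID token value wins" precedence is a design choice made here, not something the patch specifies.

```rust
use std::collections::HashMap;

/// Claims as a flat string map; this stands in for the JSON claim types a
/// real client uses (constructed for illustration, not proxmox-openid's types).
pub type Claims = HashMap<String, String>;

/// What the patch proposes: a failed UserInfo request yields `None` instead of
/// failing the login. The reason is appended to `log`, since the cover letter
/// asks for some trace when claims cannot be retrieved.
pub fn optional_userinfo(result: Result<Claims, String>, log: &mut Vec<String>) -> Option<Claims> {
    match result {
        Ok(claims) => Some(claims),
        Err(err) => {
            log.push(format!("userinfo request failed, using ID token claims only: {err}"));
            None
        }
    }
}

/// Merge the verified ID token claims with the optional UserInfo claims.
/// OpenID Connect Core 1.0 section 5.3.2: the UserInfo `sub` must match the
/// ID token `sub`; if it does not, the UserInfo values must not be used.
/// Design choice here: ID token values win, UserInfo only fills in gaps.
pub fn merge_claims(id_token: &Claims, userinfo: Option<&Claims>) -> Result<Claims, String> {
    let mut merged = id_token.clone();
    let Some(info) = userinfo else {
        return Ok(merged); // nothing to merge, the ID token alone identifies the user
    };
    match (id_token.get("sub"), info.get("sub")) {
        (Some(a), Some(b)) if a == b => {}
        _ => return Err("userinfo sub does not match ID token sub; claims discarded".to_string()),
    }
    for (key, value) in info {
        merged.entry(key.clone()).or_insert_with(|| value.clone());
    }
    Ok(merged)
}

/// Whole flow: a UserInfo failure degrades to ID token claims, a mismatch is an error.
pub fn login_claims(id_token: &Claims, userinfo: Result<Claims, String>, log: &mut Vec<String>) -> Result<Claims, String> {
    let info = optional_userinfo(userinfo, log);
    merge_claims(id_token, info.as_ref())
}

/// Helper to build constructed sample claims.
pub fn claims(pairs: &[(&str, &str)]) -> Claims {
    pairs.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect()
}
```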

