[pve-devel] [PATCH access-control v2 1/5] fix #4234: add library functions for openid optional userinfo request
Fabian Grünbichler
f.gruenbichler at proxmox.com
Fri Jan 24 10:17:16 CET 2025
On December 16, 2024 5:14 am, Thomas Skinner wrote:
> Signed-off-by: Thomas Skinner <thomas at atskinner.net>
> ---
> src/PVE/API2/OpenId.pm | 6 +++++-
> src/PVE/Auth/OpenId.pm | 7 +++++++
> 2 files changed, 12 insertions(+), 1 deletion(-)
>
> diff --git a/src/PVE/API2/OpenId.pm b/src/PVE/API2/OpenId.pm
> index 77410e6..ea1de16 100644
> --- a/src/PVE/API2/OpenId.pm
> +++ b/src/PVE/API2/OpenId.pm
> @@ -170,7 +170,11 @@ __PACKAGE__->register_method ({
>
> my ($config, $openid) = $lookup_openid_auth->($realm, $redirect_url);
>
> - my $info = $openid->verify_authorization_code($param->{code}, $private_auth_state);
> + my $info = $openid->verify_authorization_code_userinfo(
> + $param->{code},
> + $private_auth_state,
> + $config->{'disable-userinfo'} // 0,
> + );
see comments on the libpve-rs-perl patch, but otherwise this LGTM!
> my $subject = $info->{'sub'};
>
> my $unique_name;
> diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm
> index c8e4db9..6efa696 100755
> --- a/src/PVE/Auth/OpenId.pm
> +++ b/src/PVE/Auth/OpenId.pm
> @@ -63,6 +63,12 @@ sub properties {
> pattern => '^[^\x00-\x1F\x7F <>#"]*$', # Prohibit characters not allowed in URI RFC 2396.
> optional => 1,
> },
> + "disable-userinfo" => {
> + description => "Prevents querying the userinfo endpoint for claims values.",
> + type => 'boolean',
> + default => 0,
> + optional => 1,
> + },
> };
> }
>
> @@ -78,6 +84,7 @@ sub options {
> "acr-values" => { optional => 1 },
> default => { optional => 1 },
> comment => { optional => 1 },
> + "disable-userinfo" => { optional => 1 },
> };
> }
>
> --
> 2.39.5
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
>
>
More information about the pve-devel
mailing list