[pve-devel] [PATCH SERIES access-control/docs/manager/perl-rs/proxmox-openid v3] Make OIDC userinfo endpoint optional

[Mira Limbeck]

On 2/8/25 06:42, Thomas Skinner wrote:
> Continues work on adding an option to disable querying the userinfo endpoint for an
> OIDC provider.
> 
> Changes since v2:
> - Adjust verify_authorization_code in pve-rs to be backwards compatible
> - Fix defaults in wrapper functions
> 
> access-control:
> 
> Thomas Skinner (1):
>   fix #4234: add library functions for openid optional userinfo request
> 
>  src/PVE/API2/OpenId.pm | 6 +++++-
>  src/PVE/Auth/OpenId.pm | 7 +++++++
>  2 files changed, 12 insertions(+), 1 deletion(-)
> 
>  
> docs:
> 
> Thomas Skinner (1):
>   fix #4234: add docs for openid optional userinfo request
> 
>  pveum.adoc | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
>  
> manager:
> 
> Thomas Skinner (1):
>   fix #4234: add GUI option for openid optional userinfo request
> 
>  www/manager6/dc/AuthEditOpenId.js | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
>  
> perl-rs:
> 
> Thomas Skinner (1):
>   fix #4234: openid: adjust openid verification function for userinfo
>     option
> 
>  pve-rs/src/openid/mod.rs | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
>  
> proxmox-openid:
> 
> Thomas Skinner (1):
>   fix #4234: openid: add library functions for optional userinfo
>     endpoint
> 
>  proxmox-openid/src/lib.rs | 30 +++++++++++++++++++++++++++++-
>  1 file changed, 29 insertions(+), 1 deletion(-)
> 
>  

Thank you for the patch series!

I've tested it with Authentik, and checked with tcpdump to see if the
userinfo endpoint was queried. Works as I would expect.

I had to manually apply the pve-rs patch since code was moved around
since then. More information as reply to the patch itself.