[pve-devel] [PATCH access-control v3 1/1] fix #4234: add library functions for openid optional userinfo request

Mira Limbeck m.limbeck at proxmox.com
Thu Mar 6 16:20:02 CET 2025



On 2/8/25 06:42, Thomas Skinner wrote:
> Signed-off-by: Thomas Skinner <thomas at atskinner.net>
> ---
>  src/PVE/API2/OpenId.pm | 6 +++++-
>  src/PVE/Auth/OpenId.pm | 7 +++++++
>  2 files changed, 12 insertions(+), 1 deletion(-)
> 
> diff --git a/src/PVE/API2/OpenId.pm b/src/PVE/API2/OpenId.pm
> index 77410e6..456e96a 100644
> --- a/src/PVE/API2/OpenId.pm
> +++ b/src/PVE/API2/OpenId.pm
> @@ -170,7 +170,11 @@ __PACKAGE__->register_method ({
>  
>  	    my ($config, $openid) = $lookup_openid_auth->($realm, $redirect_url);
>  
> -	    my $info = $openid->verify_authorization_code($param->{code}, $private_auth_state);
> +	    my $info = $openid->verify_authorization_code(
> +		$param->{code},
> +		$private_auth_state,
> +		$config->{'disable-userinfo'} // 0,
> +	    );
>  	    my $subject = $info->{'sub'};
>  
>  	    my $unique_name;
> diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm
> index c8e4db9..6efa696 100755
> --- a/src/PVE/Auth/OpenId.pm
> +++ b/src/PVE/Auth/OpenId.pm
> @@ -63,6 +63,12 @@ sub properties {
>  	    pattern => '^[^\x00-\x1F\x7F <>#"]*$', # Prohibit characters not allowed in URI RFC 2396.
>  	    optional => 1,
>  	},
> +	"disable-userinfo" => {
> +	    description => "Prevents querying the userinfo endpoint for claims values.",
> +	    type => 'boolean',
> +	    default => 0,
> +	    optional => 1,
> +	},
I would prefer `query-userinfo` (or similar) and a default of `1` over
`disable-userinfo` and a default of `0`.

>     };
>  }
>  
> @@ -78,6 +84,7 @@ sub options {
>  	"acr-values" => { optional => 1 },
>  	default => { optional => 1 },
>  	comment => { optional => 1 },
> +	"disable-userinfo" => { optional => 1 },
>      };
>  }
>  





More information about the pve-devel mailing list