[pve-devel] [PATCH access-control v3 1/1] fix #4234: add library functions for openid optional userinfo request
Fabian Grünbichler
f.gruenbichler at proxmox.com
Mon Mar 17 13:12:42 CET 2025
On March 6, 2025 4:20 pm, Mira Limbeck wrote:
>
>
> On 2/8/25 06:42, Thomas Skinner wrote:
>> Signed-off-by: Thomas Skinner <thomas at atskinner.net>
>> ---
>> src/PVE/API2/OpenId.pm | 6 +++++-
>> src/PVE/Auth/OpenId.pm | 7 +++++++
>> 2 files changed, 12 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/PVE/API2/OpenId.pm b/src/PVE/API2/OpenId.pm
>> index 77410e6..456e96a 100644
>> --- a/src/PVE/API2/OpenId.pm
>> +++ b/src/PVE/API2/OpenId.pm
>> @@ -170,7 +170,11 @@ __PACKAGE__->register_method ({
>>
>> my ($config, $openid) = $lookup_openid_auth->($realm, $redirect_url);
>>
>> - my $info = $openid->verify_authorization_code($param->{code}, $private_auth_state);
>> + my $info = $openid->verify_authorization_code(
>> + $param->{code},
>> + $private_auth_state,
>> + $config->{'disable-userinfo'} // 0,
>> + );
>> my $subject = $info->{'sub'};
>>
>> my $unique_name;
>> diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm
>> index c8e4db9..6efa696 100755
>> --- a/src/PVE/Auth/OpenId.pm
>> +++ b/src/PVE/Auth/OpenId.pm
>> @@ -63,6 +63,12 @@ sub properties {
>> pattern => '^[^\x00-\x1F\x7F <>#"]*$', # Prohibit characters not allowed in URI RFC 2396.
>> optional => 1,
>> },
>> + "disable-userinfo" => {
>> + description => "Prevents querying the userinfo endpoint for claims values.",
>> + type => 'boolean',
>> + default => 0,
>> + optional => 1,
>> + },
> I would prefer `query-userinfo` (or similar) and a default of `1` over
> `disable-userinfo` and a default of `0`.
that probably makes sense..
@Thomas - would you mind rebasing this and incorporating this last bit
of feedback, I think this is otherwise ready to be applied :)
More information about the pve-devel
mailing list