[pve-devel] [PATCH access-control v3 1/1] fix #4234: add library functions for openid optional userinfo request

Thomas Skinner thomas at atskinner.net
Wed Mar 19 11:27:43 CET 2025 

On Mon, Mar 17, 2025 at 7:12 AM Fabian Grünbichler
<f.gruenbichler at proxmox.com> wrote:
>
> On March 6, 2025 4:20 pm, Mira Limbeck wrote:
> >
> >
> > On 2/8/25 06:42, Thomas Skinner wrote:
> >> Signed-off-by: Thomas Skinner <thomas at atskinner.net>
> >> ---
> >>  src/PVE/API2/OpenId.pm | 6 +++++-
> >>  src/PVE/Auth/OpenId.pm | 7 +++++++
> >>  2 files changed, 12 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/src/PVE/API2/OpenId.pm b/src/PVE/API2/OpenId.pm
> >> index 77410e6..456e96a 100644
> >> --- a/src/PVE/API2/OpenId.pm
> >> +++ b/src/PVE/API2/OpenId.pm
> >> @@ -170,7 +170,11 @@ __PACKAGE__->register_method ({
> >>
> >>          my ($config, $openid) = $lookup_openid_auth->($realm, $redirect_url);
> >>
> >> -        my $info = $openid->verify_authorization_code($param->{code}, $private_auth_state);
> >> +        my $info = $openid->verify_authorization_code(
> >> +            $param->{code},
> >> +            $private_auth_state,
> >> +            $config->{'disable-userinfo'} // 0,
> >> +        );
> >>          my $subject = $info->{'sub'};
> >>
> >>          my $unique_name;
> >> diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm
> >> index c8e4db9..6efa696 100755
> >> --- a/src/PVE/Auth/OpenId.pm
> >> +++ b/src/PVE/Auth/OpenId.pm
> >> @@ -63,6 +63,12 @@ sub properties {
> >>          pattern => '^[^\x00-\x1F\x7F <>#"]*$', # Prohibit characters not allowed in URI RFC 2396.
> >>          optional => 1,
> >>      },
> >> +    "disable-userinfo" => {
> >> +        description => "Prevents querying the userinfo endpoint for claims values.",
> >> +        type => 'boolean',
> >> +        default => 0,
> >> +        optional => 1,
> >> +    },
> > I would prefer `query-userinfo` (or similar) and a default of `1` over
> > `disable-userinfo` and a default of `0`.
>
> that probably makes sense..
>
> @Thomas - would you mind rebasing this and incorporating this last bit
> of feedback, I think this is otherwise ready to be applied :)
>

Yep, I'll submit by this weekend. Thanks!

More information about the pve-devel mailing list