In the OpenID Connect documentation (https://openid.net/specs/openid-connect-core-1_0.html), the protocol abstract defined in 1.3 states in step 4 that "The RP can send a request with the Access Token to the UserInfo Endpoint", which would imply that getting information from the UserInfo endpoint is not a requirement for the protocol. Some OpenID Providers (e.g. ADFS) do not support retrieving any additional claims in the UserInfo endpoint.
This patch changes the userinfo claims to be optional instead of required. If the claims can be retrieved successfully from the userinfo endpoint, they are returned as retrieved. If the claims cannot be retrieved successfully, the claims are returned as None. While this patch does not explicitly add an option as requested in bug #4234, it does fix issue of the userinfo endpoint not providing claims properly. It would be nice to have some log output when claims cannot be retrieved for troubleshooting purposes, but I'm not sure how the PVE team would prefer that be handled. Thomas Skinner (1): fix #4234: openid: make userinfo request optional proxmox-openid/src/lib.rs | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) -- 2.39.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel