In the OpenID Connect documentation 
(https://openid.net/specs/openid-connect-core-1_0.html), the
protocol abstract defined in 1.3 states in step 4 that "The RP can send a 
request with the Access 
Token to the UserInfo Endpoint", which would imply that getting information 
from the UserInfo
endpoint is not a requirement for the protocol. Some OpenID Providers (e.g. 
ADFS) do not support
retrieving any additional claims in the UserInfo endpoint.

This patch changes the userinfo claims to be optional instead of required. If 
the claims can be
retrieved successfully from the userinfo endpoint, they are returned as 
retrieved. If the claims
cannot be retrieved successfully, the claims are returned as None.

While this patch does not explicitly add an option as requested in bug #4234, 
it does fix issue of
the userinfo endpoint not providing claims properly.

It would be nice to have some log output when claims cannot be retrieved for 
troubleshooting
purposes, but I'm not sure how the PVE team would prefer that be handled.

Thomas Skinner (1):
  fix #4234: openid: make userinfo request optional

 proxmox-openid/src/lib.rs | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

-- 
2.39.2


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Reply via email to