On August 31, 2024 12:34 am, Thomas Skinner wrote:
> In the OpenID Connect documentation
> (https://openid.net/specs/openid-connect-core-1_0.html), the protocol
> abstract defined in 1.3 states in step 4 that "The RP can send a request
> with the Access Token to the UserInfo Endpoint", which would imply that
> getting information from the UserInfo endpoint is not a requirement for
> the protocol. Some OpenID Providers (e.g. ADFS) do not support retrieving
> any additional claims in the UserInfo endpoint.
>
> This patch changes the userinfo claims to be optional instead of required.
> If the claims can be retrieved successfully from the userinfo endpoint,
> they are returned as retrieved. If the claims cannot be retrieved
> successfully, the claims are returned as None.
>
> While this patch does not explicitly add an option as requested in bug
> #4234, it does fix the issue of the userinfo endpoint not providing claims
> properly.
>
> It would be nice to have some log output when claims cannot be retrieved
> for troubleshooting purposes, but I'm not sure how the PVE team would
> prefer that be handled.
>
> Thomas Skinner (1):
>   fix #4234: openid: make userinfo request optional
>
>  proxmox-openid/src/lib.rs | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)

a heads-up for this patch here (the group series only needs to consider this if the API changes, unless PBS gains group support in the meantime ;) - proxmox-openid is also used by PBS, not just by PVE, so there might be changes needed on that side as well depending on how the API is adapted.