Add an `audiences` field to the OIDC realm configuration, together with the logic to apply it: the audiences supplied by an OIDC IdP in the ID token are now validated against the audiences the user configures for that realm in the domains configuration.
Signed-off-by: Alexander Abraham <a.abra...@proxmox.com>
---
 proxmox-openid/src/lib.rs | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/proxmox-openid/src/lib.rs b/proxmox-openid/src/lib.rs
index fe65fded..fa22638a 100644
--- a/proxmox-openid/src/lib.rs
+++ b/proxmox-openid/src/lib.rs
@@ -53,6 +53,8 @@ pub struct OpenIdConfig {
     pub prompt: Option<String>,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub acr_values: Option<Vec<String>>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub audiences: Option<Vec<String>>,
 }
 
 pub struct OpenIdAuthenticator {
@@ -205,12 +207,26 @@ impl OpenIdAuthenticator {
             .request(http_client)
             .map_err(|err| format_err!("Failed to contact token endpoint: {}", err))?;
 
-        let id_token_verifier: CoreIdTokenVerifier = self.client.id_token_verifier();
         let id_token_claims: &CoreIdTokenClaims = token_response
             .extra_fields()
             .id_token()
             .expect("Server did not return an ID token")
-            .claims(&id_token_verifier, &private_auth_state.nonce)
+            .claims(
+                &((self.client.id_token_verifier())
+                    .require_audience_match(true)
+                    .set_other_audience_verifier_fn(|aud| {
+                        let curr_aud: &String = aud;
+                        if &self.config.client_id == curr_aud {
+                            true
+                        } else {
+                            match self.config.audiences.as_ref() {
+                                Some(confd_auds) => confd_auds.contains(curr_aud),
+                                None => false,
+                            }
+                        }
+                    })),
+                &private_auth_state.nonce,
+            )
             .map_err(|err| format_err!("Failed to verify ID token: {}", err))?;
 
         let userinfo_claims: GenericUserInfoClaims = self
-- 
2.39.5

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
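Review bot: The `if &self.config.client_id == curr_aud { true }` branch in the new verifier closure appears to be dead code: if I read the openidconnect API correctly, the function passed to `set_other_audience_verifier_fn` is consulted only for audiences that are not this client's `client_id` (the `client_id` membership check is done by the verifier itself), so the closure can shrink to `self.config.audiences.as_deref().map_or(false, |auds| auds.contains(curr_aud))`, which keeps the exact-match semantics and the reject-by-default behaviour when nothing is configured. Keep the explicit `.require_audience_match(true)` even though it is believed to be the default, but state why it is there in a comment above `.claims(`, e.g. `// Reject the ID token unless `aud` lists our client_id; any additional audience must appear verbatim in the operator-configured allow-list (OIDC Core 3.1.3.7).` The `audiences` field added in the first hunk has no doc comment; it should say that these are additionally *tolerated* audiences, not required ones: configuring the list does not make a token that carries only `client_id` fail, and leaving it unset means any extra audience is rejected as before. The enclosing method begins and ends outside the hunk.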