proxmox-mirrors/proxmox
1
0
Fork 1
mirror of https://git.proxmox.com/git/proxmox synced 2025-05-29 18:48:29 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix #4411: openid: add library code for generic id token claim support

Browse Source 
Signed-off-by: Thomas Skinner <thomas@atskinner.net>
Tested-by: Mira Limbeck <m.limbeck@proxmox.com>
Reviewed-by: Mira Limbeck <m.limbeck@proxmox.com>
This commit is contained in:
Thomas Skinner 2025-03-26 20:50:00 -05:00 committed by Fabian Grünbichler
parent c057adcfed
commit 1c25b76c5d
1 changed files with 47 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
proxmox-openid/src/lib.rs
View File

@ -15,8 +15,11 @@ pub use auth_state::*;
use openidconnect::{ use openidconnect::{
//curl::http_client, //curl::http_client,
core::{ core::{
CoreAuthDisplay, CoreAuthPrompt, CoreAuthenticationFlow, CoreClient, CoreGenderClaim, CoreAuthDisplay, CoreAuthPrompt, CoreAuthenticationFlow, CoreErrorResponseType,
CoreIdTokenClaims, CoreIdTokenVerifier, CoreProviderMetadata, CoreGenderClaim, CoreIdTokenVerifier, CoreJsonWebKey, CoreJsonWebKeyType,
CoreJsonWebKeyUse, CoreJweContentEncryptionAlgorithm, CoreJwsSigningAlgorithm,
CoreProviderMetadata, CoreRevocableToken, CoreRevocationErrorResponse,
CoreTokenIntrospectionResponse, CoreTokenType,
}, },
AdditionalClaims, AdditionalClaims,
AuthenticationContextClass, AuthenticationContextClass,
@ -24,6 +27,9 @@ use openidconnect::{
ClientId, ClientId,
ClientSecret, ClientSecret,
CsrfToken, CsrfToken,
EmptyExtraTokenFields,
IdTokenClaims,
IdTokenFields,
IssuerUrl, IssuerUrl,
Nonce, Nonce,
OAuth2TokenResponse, OAuth2TokenResponse,
@ -31,15 +37,47 @@ use openidconnect::{
PkceCodeVerifier, PkceCodeVerifier,
RedirectUrl, RedirectUrl,
Scope, Scope,
StandardErrorResponse,
StandardTokenResponse,
UserInfoClaims, UserInfoClaims,
}; };
/// Stores Additional Claims into a serde_json::Value; /// Stores Additional Claims into a serde_json::Value;
#[derive(Debug, Deserialize, Serialize)] #[derive(Clone, Debug, Default, Deserialize, PartialEq, Serialize)]
pub struct GenericClaims(Value); pub struct GenericClaims(Value);
impl AdditionalClaims for GenericClaims {} impl AdditionalClaims for GenericClaims {}
pub type GenericUserInfoClaims = UserInfoClaims<GenericClaims, CoreGenderClaim>; pub type GenericUserInfoClaims = UserInfoClaims<GenericClaims, CoreGenderClaim>;
pub type GenericIdTokenClaims = IdTokenClaims<GenericClaims, CoreGenderClaim>;
pub type GenericIdTokenFields = IdTokenFields<
GenericClaims,
EmptyExtraTokenFields,
CoreGenderClaim,
CoreJweContentEncryptionAlgorithm,
CoreJwsSigningAlgorithm,
CoreJsonWebKeyType,
>;
pub type GenericTokenResponse = StandardTokenResponse<GenericIdTokenFields, CoreTokenType>;
pub type GenericClient = openidconnect::Client<
GenericClaims,
CoreAuthDisplay,
CoreGenderClaim,
CoreJweContentEncryptionAlgorithm,
CoreJwsSigningAlgorithm,
CoreJsonWebKeyType,
CoreJsonWebKeyUse,
CoreJsonWebKey,
CoreAuthPrompt,
StandardErrorResponse<CoreErrorResponseType>,
GenericTokenResponse,
CoreTokenType,
CoreTokenIntrospectionResponse,
CoreRevocableToken,
CoreRevocationErrorResponse,
>;
#[derive(Debug, Deserialize, Serialize, Clone)] #[derive(Debug, Deserialize, Serialize, Clone)]
pub struct OpenIdConfig { pub struct OpenIdConfig {
@ -56,7 +94,7 @@ pub struct OpenIdConfig {
} }
pub struct OpenIdAuthenticator { pub struct OpenIdAuthenticator {
client: CoreClient, client: GenericClient,
config: OpenIdConfig, config: OpenIdConfig,
} }
@ -120,8 +158,9 @@ impl OpenIdAuthenticator {
let provider_metadata = CoreProviderMetadata::discover(&issuer_url, http_client)?; let provider_metadata = CoreProviderMetadata::discover(&issuer_url, http_client)?;
let client = CoreClient::from_provider_metadata(provider_metadata, client_id, client_key) let client =
.set_redirect_uri(RedirectUrl::new(String::from(redirect_url))?); GenericClient::from_provider_metadata(provider_metadata, client_id, client_key)
.set_redirect_uri(RedirectUrl::new(String::from(redirect_url))?);
Ok(Self { Ok(Self {
client, client,
@ -195,7 +234,7 @@ impl OpenIdAuthenticator {
&self, &self,
code: &str, code: &str,
private_auth_state: &PrivateAuthState, private_auth_state: &PrivateAuthState,
) -> Result<(CoreIdTokenClaims, GenericUserInfoClaims), Error> { ) -> Result<(GenericIdTokenClaims, GenericUserInfoClaims), Error> {
let code = AuthorizationCode::new(code.to_string()); let code = AuthorizationCode::new(code.to_string());
// Exchange the code with a token. // Exchange the code with a token.
let token_response = self let token_response = self
@ -206,7 +245,7 @@ impl OpenIdAuthenticator {
.map_err(|err| format_err!("Failed to contact token endpoint: {}", err))?; .map_err(|err| format_err!("Failed to contact token endpoint: {}", err))?;
let id_token_verifier: CoreIdTokenVerifier = self.client.id_token_verifier(); let id_token_verifier: CoreIdTokenVerifier = self.client.id_token_verifier();
let id_token_claims: &CoreIdTokenClaims = token_response let id_token_claims: &GenericIdTokenClaims = token_response
.extra_fields() .extra_fields()
.id_token() .id_token()
.expect("Server did not return an ID token") .expect("Server did not return an ID token")