fix #4234: openid: add library functions for optional userinfo endpoint

Signed-off-by: Thomas Skinner <thomas@atskinner.net> FG: rebased Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2025-04-28 18:48:09 +00:00 · 2025-03-23 22:37:36 -05:00 · 2025-03-23 22:37:36 -05:00 · 6f5fefecc0
commit 6f5fefecc0
parent 1c25b76c5d
1 changed files with 29 additions and 1 deletions
--- a/proxmox-openid/src/lib.rs
+++ b/proxmox-openid/src/lib.rs
@ -37,6 +37,7 @@ use openidconnect::{
    PkceCodeVerifier,
    RedirectUrl,
    Scope,
+    StandardClaims,
    StandardErrorResponse,
    StandardTokenResponse,
    UserInfoClaims,
@ -234,6 +235,15 @@ impl OpenIdAuthenticator {
        &self,
        code: &str,
        private_auth_state: &PrivateAuthState,
+    ) -> Result<(GenericIdTokenClaims, GenericUserInfoClaims), Error> {
+        self.verify_authorization_code_userinfo(code, private_auth_state, true)
+    }
+
+    pub fn verify_authorization_code_userinfo(
+        &self,
+        code: &str,
+        private_auth_state: &PrivateAuthState,
+        query_userinfo: bool,
    ) -> Result<(GenericIdTokenClaims, GenericUserInfoClaims), Error> {
        let code = AuthorizationCode::new(code.to_string());
        // Exchange the code with a token.
@ -252,6 +262,14 @@ impl OpenIdAuthenticator {
            .claims(&id_token_verifier, &private_auth_state.nonce)
            .map_err(|err| format_err!("Failed to verify ID token: {}", err))?;

+        if !query_userinfo {
+            let empty_userinfo_claims = UserInfoClaims::new(
+                StandardClaims::new(id_token_claims.subject().clone()),
+                GenericClaims(Value::Null),
+            );
+            return Ok((id_token_claims.clone(), empty_userinfo_claims));
+        }
+
        let userinfo_claims: GenericUserInfoClaims = self
            .client
            .user_info(token_response.access_token().to_owned(), None)?
@ -266,9 +284,19 @@ impl OpenIdAuthenticator {
        &self,
        code: &str,
        private_auth_state: &PrivateAuthState,
+    ) -> Result<Value, Error> {
+        self.verify_authorization_code_simple_userinfo(code, private_auth_state, true)
+    }
+
+    /// Like verify_authorization_code_simple_userinfo(), but returns claims as serde_json::Value
+    pub fn verify_authorization_code_simple_userinfo(
+        &self,
+        code: &str,
+        private_auth_state: &PrivateAuthState,
+        query_userinfo: bool,
    ) -> Result<Value, Error> {
        let (id_token_claims, userinfo_claims) =
-            self.verify_authorization_code(code, private_auth_state)?;
+            self.verify_authorization_code_userinfo(code, private_auth_state, query_userinfo)?;

        let mut data = serde_json::to_value(id_token_claims)?;