proxmox-mirrors/proxmox
1
0
Fork 1
mirror of https://git.proxmox.com/git/proxmox synced 2025-06-15 11:02:12 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix #4234: openid: add library functions for optional userinfo endpoint

Browse Source 
Signed-off-by: Thomas Skinner <thomas@atskinner.net>
FG: rebased
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Thomas Skinner 2025-03-23 22:37:36 -05:00 committed by Fabian Grünbichler
parent 1c25b76c5d
commit 6f5fefecc0
1 changed files with 29 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
proxmox-openid/src/lib.rs
View File

@ -37,6 +37,7 @@ use openidconnect::{
PkceCodeVerifier, PkceCodeVerifier,
RedirectUrl, RedirectUrl,
Scope, Scope,
StandardClaims,
StandardErrorResponse, StandardErrorResponse,
StandardTokenResponse, StandardTokenResponse,
UserInfoClaims, UserInfoClaims,
@ -234,6 +235,15 @@ impl OpenIdAuthenticator {
&self, &self,
code: &str, code: &str,
private_auth_state: &PrivateAuthState, private_auth_state: &PrivateAuthState,
) -> Result<(GenericIdTokenClaims, GenericUserInfoClaims), Error> {
self.verify_authorization_code_userinfo(code, private_auth_state, true)
}
pub fn verify_authorization_code_userinfo(
&self,
code: &str,
private_auth_state: &PrivateAuthState,
query_userinfo: bool,
) -> Result<(GenericIdTokenClaims, GenericUserInfoClaims), Error> { ) -> Result<(GenericIdTokenClaims, GenericUserInfoClaims), Error> {
let code = AuthorizationCode::new(code.to_string()); let code = AuthorizationCode::new(code.to_string());
// Exchange the code with a token. // Exchange the code with a token.
@ -252,6 +262,14 @@ impl OpenIdAuthenticator {
.claims(&id_token_verifier, &private_auth_state.nonce) .claims(&id_token_verifier, &private_auth_state.nonce)
.map_err(|err| format_err!("Failed to verify ID token: {}", err))?; .map_err(|err| format_err!("Failed to verify ID token: {}", err))?;
if !query_userinfo {
let empty_userinfo_claims = UserInfoClaims::new(
StandardClaims::new(id_token_claims.subject().clone()),
GenericClaims(Value::Null),
);
return Ok((id_token_claims.clone(), empty_userinfo_claims));
}
let userinfo_claims: GenericUserInfoClaims = self let userinfo_claims: GenericUserInfoClaims = self
.client .client
.user_info(token_response.access_token().to_owned(), None)? .user_info(token_response.access_token().to_owned(), None)?
@ -266,9 +284,19 @@ impl OpenIdAuthenticator {
&self, &self,
code: &str, code: &str,
private_auth_state: &PrivateAuthState, private_auth_state: &PrivateAuthState,
) -> Result<Value, Error> {
self.verify_authorization_code_simple_userinfo(code, private_auth_state, true)
}
/// Like verify_authorization_code_simple_userinfo(), but returns claims as serde_json::Value
pub fn verify_authorization_code_simple_userinfo(
&self,
code: &str,
private_auth_state: &PrivateAuthState,
query_userinfo: bool,
) -> Result<Value, Error> { ) -> Result<Value, Error> {
let (id_token_claims, userinfo_claims) = let (id_token_claims, userinfo_claims) =
self.verify_authorization_code(code, private_auth_state)?; self.verify_authorization_code_userinfo(code, private_auth_state, query_userinfo)?;
let mut data = serde_json::to_value(id_token_claims)?; let mut data = serde_json::to_value(id_token_claims)?;