fix #4234: add library functions for openid optional userinfo request

Signed-off-by: Thomas Skinner <thomas@atskinner.net>
Tested-by: Mira Limbeck <m.limbeck@proxmox.com>

src/PVE/API2/OpenId.pm

@@ -171,7 +171,11 @@ __PACKAGE__->register_method ({
 
 	    my ($config, $openid) = $lookup_openid_auth->($realm, $redirect_url);
 
-	    my $info = $openid->verify_authorization_code($param->{code}, $private_auth_state);
+	    my $info = $openid->verify_authorization_code(
+		$param->{code},
+		$private_auth_state,
+		$config->{'query-userinfo'} // 1,
+	    );
 	    my $subject = $info->{'sub'};
 
 	    my $unique_name;

src/PVE/Auth/OpenId.pm

@@ -85,6 +85,12 @@ sub properties {
 	    pattern => '^[^\x00-\x1F\x7F <>#"]*$', # Prohibit characters not allowed in URI RFC 2396.
 	    optional => 1,
 	},
+	"query-userinfo" => {
+	    description => "Enables querying the userinfo endpoint for claims values.",
+	    type => 'boolean',
+	    default => 1,
+	    optional => 1,
+	},
    };
 }
 
@@ -103,6 +109,7 @@ sub options {
 	"acr-values" => { optional => 1 },
 	default => { optional => 1 },
 	comment => { optional => 1 },
+	"query-userinfo" => { optional => 1 },
     };
 }