From 97795a004386f4b03f8598252f3ed2d8e17f7e76 Mon Sep 17 00:00:00 2001
From: Thomas Skinner <thomas@atskinner.net>
Date: Sun, 23 Mar 2025 22:37:35 -0500
Subject: [PATCH] fix #4234: add library functions for openid optional userinfo
 request

Signed-off-by: Thomas Skinner <thomas@atskinner.net>
Tested-by: Mira Limbeck <m.limbeck@proxmox.com>
---
 src/PVE/API2/OpenId.pm | 6 +++++-
 src/PVE/Auth/OpenId.pm | 7 +++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/PVE/API2/OpenId.pm b/src/PVE/API2/OpenId.pm
index dfe069c..519b93d 100644
--- a/src/PVE/API2/OpenId.pm
+++ b/src/PVE/API2/OpenId.pm
@@ -171,7 +171,11 @@ __PACKAGE__->register_method ({
 
 	    my ($config, $openid) = $lookup_openid_auth->($realm, $redirect_url);
 
-	    my $info = $openid->verify_authorization_code($param->{code}, $private_auth_state);
+	    my $info = $openid->verify_authorization_code(
+		$param->{code},
+		$private_auth_state,
+		$config->{'query-userinfo'} // 1,
+	    );
 	    my $subject = $info->{'sub'};
 
 	    my $unique_name;
diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm
index 7becd91..4e496f0 100755
--- a/src/PVE/Auth/OpenId.pm
+++ b/src/PVE/Auth/OpenId.pm
@@ -85,6 +85,12 @@ sub properties {
 	    pattern => '^[^\x00-\x1F\x7F <>#"]*$', # Prohibit characters not allowed in URI RFC 2396.
 	    optional => 1,
 	},
+	"query-userinfo" => {
+	    description => "Enables querying the userinfo endpoint for claims values.",
+	    type => 'boolean',
+	    default => 1,
+	    optional => 1,
+	},
    };
 }
 
@@ -103,6 +109,7 @@ sub options {
 	"acr-values" => { optional => 1 },
 	default => { optional => 1 },
 	comment => { optional => 1 },
+	"query-userinfo" => { optional => 1 },
     };
 }