git.proxmox.com Git - pve-access-control.git/commit

author	Gabriel Goller <g.goller@proxmox.com>
	Tue, 6 Feb 2024 10:11:01 +0000 (11:11 +0100)
committer	Thomas Lamprecht <t.lamprecht@proxmox.com>
	Thu, 8 Feb 2024 17:17:04 +0000 (18:17 +0100)
commit	b543394c937049265bac20c2ddb1fde0662f6a73
tree	ea4c761d4383dc026405232255bda9ed098f3c51	tree
parent	744ec314269ed9707a9862173da9cfde1855b2d0	commit \| diff

oidc: enforce generic URI regex for the ACR value

Restrict the acr-value regex a little bit so as to align the behavior
with PBS. The openid documentation says that the acr-value *should* be
an URI [0]. Added a regex that loosely disallows some of the reserved
URI characters specified in the RFC [1].

Values like:
* "urn:mace:incommon:iap:silver"
* "urn:comsolve.nl:idp:contract:rba:location"
SHOULD work, but values like:
* "urn:#ace:incommon:iap:silver"
* "urn:"omsolve.nl:idp:contract:rba:location"
should NOT work.

This is related to the fix [2] for bug #5190 in PBS, but different as
there we had to make the verifier more flexible, whereas here we make
it stricter – mostly to have both projects aligned to avoid confusion.

[0]: https://openid.net/specs/openid-connect-core-1_0.html
[1]: https://www.rfc-editor.org/rfc/rfc2396.txt
[2]: https://git.proxmox.com/?p=proxmox-backup.git;a=commit;h=e0222ce83c28397d493c70825e873943c1223c67

Signed-off-by: Gabriel Goller <g.goller@proxmox.com>