From 271bbc10e92c4b1cd7527fad699989d5c4a24487 Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht
Date: Thu, 18 Nov 2021 14:24:24 +0100
Subject: [PATCH] openid: allow arbitrary username-claims

Signed-off-by: Thomas Lamprecht
---
 src/PVE/API2/OpenId.pm | 17 +++++++----------
 src/PVE/Auth/OpenId.pm | 1 -
 2 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/src/PVE/API2/OpenId.pm b/src/PVE/API2/OpenId.pm
index 4fc0be8..c5bd736 100644
--- a/src/PVE/API2/OpenId.pm
+++ b/src/PVE/API2/OpenId.pm
@@ -165,22 +165,19 @@ __PACKAGE__->register_method ({
 my $info = $openid->verify_authorization_code($param->{code}, $private_auth_state);
 
 my $subject = $info->{'sub'};
- die "missing openid claim 'sub'\n" if !defined($subject);
-
- my $unique_name = $subject; # default
+ my $unique_name;
 if (defined(my $user_attr = $config->{'username-claim'})) {
- if ($user_attr eq 'subject') {
+ if (defined($info->{$user_attr})) {
+ $unique_name = $info->{$user_attr};
+ } elsif ($user_attr eq 'subject') { # stay compat with old versions
 $unique_name = $subject;
- } elsif ($user_attr eq 'username') {
+ } elsif ($user_attr eq 'username') { # stay compat with old versions
 my $username = $info->{'preferred_username'};
 die "missing claim 'preferred_username'\n" if !defined($username);
 $unique_name = $username;
- } elsif ($user_attr eq 'email') {
- my $email = $info->{'email'};
- die "missing claim 'email'\n" if !defined($email);
- $unique_name = $email;
 } else {
- die "got unexpected value for 'username-claim': '${user_attr}'\n";
+ # neither the attr nor fallback are defined in info..
+ die "missing configured claim '$user_attr'\n";
 }
 }
 
diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm
index 515d2f4..5101010 100755
--- a/src/PVE/Auth/OpenId.pm
+++ b/src/PVE/Auth/OpenId.pm
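Review bot: A realm with no `username-claim` configured now ends up with `$unique_name` undefined, because the removed `my $unique_name = $subject; # default` was the only assignment outside the `if (defined(my $user_attr = $config->{'username-claim'}))` block and the new `my $unique_name;` has no fallback, so whatever consumes `$unique_name` after the hunk (outside my view) receives undef unless it supplies its own default. Resolving the default up front fixes this and lets the `elsif ($user_attr eq 'subject')` compat branch cover the unconfigured case: `my $user_attr = $config->{'username-claim'} // 'subject';` with the outer `if` and its closing brace dropped. Since `$info->{$user_attr}` may now name any claim, a claim whose JSON value is an array or object would be assigned as a reference and later stringify as e.g. `ARRAY(0x...)`; a guard such as `die "claim '$user_attr' is not a plain string\n" if ref($info->{$user_attr});` before the assignment keeps that out of the username path. The `die "missing openid claim 'sub'\n"` was dropped as well, so if `$subject` is still used after the hunk that check should be kept. The enclosing method body starts before and continues after this hunk.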
@@ -40,7 +40,6 @@ sub properties {
 "username-claim" => {
 description => "OpenID claim used to generate the unique username.",
 type => 'string',
- enum => ['subject', 'username', 'email'],
 optional => 1,
 },
 };
--
2.39.2
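Review bot: With the `enum` removed, `username-claim` accepts any string, but the `description` still does not say how the value is interpreted or what choosing a claim other than `sub` means for account identity; I would change it to `description => "OpenID claim used to generate the unique username ('subject' and 'username' are accepted as aliases for 'sub' and 'preferred_username'). Only 'sub' is guaranteed to be a stable, per-issuer unique identifier; mapping to a claim the provider may reassign or let users change (e.g. an e-mail address) can map a login onto another user's account.",`. Since the value is used directly as a hash key into the token claims, it may also be worth constraining it with a `pattern` to claim-name characters so a stray space or quote from the admin UI is rejected at config time rather than failing at login — assuming the schema layer honours `pattern` here as it does elsewhere in the config.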