From 6f90578c1ac617bc5151a59df23bd512e48a707d Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Thu, 1 Jun 2023 08:23:48 +0200
Subject: [PATCH] Revert "idp/proxy: Match users by ID instead of name by default"

This reverts commit 52951b42b0db11f652e3924ba73cec3b68666042.

The change broke authentication for at least the desktop client when using the builtin idp. There seem to be issues in the IDP (lico) which result in the implicit scoped not being added correctly in some case. When that scope is missing the `lg.uuid` claim will not be present in the userinfo and we can correctly match users by id. This reverts back to the old behaviour of matching users by name. Which also brings some aspects of https://github.com/owncloud/ocis/issues/904

Fixes #6415
---
 changelog/3.0.0_2023-05-22/fix-idp-sub-recreation.md | 7 +------
 services/idp/pkg/config/config.go | 1 -
 services/idp/pkg/config/defaults/defaultconfig.go | 10 +++------
 services/proxy/pkg/command/server.go | 6 ++----
 services/proxy/pkg/config/defaults/defaultconfig.go | 4 ++--
 5 files changed, 8 insertions(+), 20 deletions(-)

diff --git a/changelog/3.0.0_2023-05-22/fix-idp-sub-recreation.md b/changelog/3.0.0_2023-05-22/fix-idp-sub-recreation.md
index da1d954e1a0..8f2df658f8e 100644
--- a/changelog/3.0.0_2023-05-22/fix-idp-sub-recreation.md
+++ b/changelog/3.0.0_2023-05-22/fix-idp-sub-recreation.md
@@ -7,12 +7,7 @@ use the user's unique id (`owncloudUUID` by default) for computing the `sub` claim. So that user's recreated with the same name will be treated as different users by the IDP.
-This changed also the default values of the 'PROXY_USER_OIDC_CLAIM' and
-'PROXY_USER_CS3_CLAIM' settings map the IDP users to CS3 user by the userid in
-the default setup. The old behavior of matching by username can be achieved
-byt setting 'PROXY_USER_OIDC_CLAIM=preferred_username' and
-'PROXY_USER_CS3_CLAIM=username'.
-
 https://github.com/owncloud/ocis/issues/904
 https://github.com/owncloud/ocis/pull/6326
 https://github.com/owncloud/ocis/pull/6338
+https://github.com/owncloud/ocis/pull/6420
diff --git a/services/idp/pkg/config/config.go b/services/idp/pkg/config/config.go
index 6439d2e8a8c..1b18560fbfc 100644
--- a/services/idp/pkg/config/config.go
+++ b/services/idp/pkg/config/config.go
@@ -61,7 +61,6 @@ type Client struct {
 	ID string `yaml:"id"`
 	Name string `yaml:"name"`
 	Trusted bool `yaml:"trusted"`
-	ImplicitScopes []string `yaml:"implicit_scopes"`
 	Secret string `yaml:"secret"`
 	RedirectURIs []string `yaml:"redirect_uris"`
 	Origins []string `yaml:"origins"`
diff --git a/services/idp/pkg/config/defaults/defaultconfig.go b/services/idp/pkg/config/defaults/defaultconfig.go
index eb5f81db404..dc6f2ebedea 100644
--- a/services/idp/pkg/config/defaults/defaultconfig.go
+++ b/services/idp/pkg/config/defaults/defaultconfig.go
@@ -71,10 +71,9 @@ func DefaultConfig() *config.Config {
 		},
 		Clients: []config.Client{
 			{
-				ID: "web",
-				Name: "ownCloud Web app",
-				ImplicitScopes: []string{"LibgreGraph.UUID"},
-				Trusted: true,
+				ID: "web",
+				Name: "ownCloud Web app",
+				Trusted: true,
 				RedirectURIs: []string{
 					"{{OCIS_URL}}/",
 					"{{OCIS_URL}}/oidc-callback.html",
@@ -88,7 +87,6 @@ func DefaultConfig() *config.Config {
 				ID: "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69",
 				Secret: "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh",
 				Name: "ownCloud desktop app",
-				ImplicitScopes: []string{"LibgreGraph.UUID"},
 				ApplicationType: "native",
 				RedirectURIs: []string{
 					"http://127.0.0.1",
@@ -99,7 +97,6 @@ func DefaultConfig() *config.Config {
 				ID: "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD",
 				Secret: "dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD",
 				Name: "ownCloud Android app",
-				ImplicitScopes: []string{"LibgreGraph.UUID"},
 				ApplicationType: "native",
 				RedirectURIs: []string{
 					"oc://android.owncloud.com",
@@ -109,7 +106,6 @@ func DefaultConfig() *config.Config {
 				ID: "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1",
 				Secret: "KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx",
 				Name: "ownCloud iOS app",
-				ImplicitScopes: []string{"LibgreGraph.UUID"},
 				ApplicationType: "native",
 				RedirectURIs: []string{
 					"oc://ios.owncloud.com",
diff --git a/services/proxy/pkg/command/server.go b/services/proxy/pkg/command/server.go
index e49317c1722..11b18850d1e 100644
--- a/services/proxy/pkg/command/server.go
+++ b/services/proxy/pkg/command/server.go
@@ -344,10 +344,8 @@ func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config,
 	if cfg.EnableBasicAuth {
 		logger.Warn().Msg("basic auth enabled, use only for testing or development")
 		authenticators = append(authenticators, middleware.BasicAuthenticator{
-			Logger: logger,
-			UserProvider: userProvider,
-			UserCS3Claim: cfg.UserCS3Claim,
-			UserOIDCClaim: cfg.UserOIDCClaim,
+			Logger: logger,
+			UserProvider: userProvider,
 		})
 	}
diff --git a/services/proxy/pkg/config/defaults/defaultconfig.go b/services/proxy/pkg/config/defaults/defaultconfig.go
index 9c21bbf2c0b..16ee92d710d 100644
--- a/services/proxy/pkg/config/defaults/defaultconfig.go
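Review bot: Dropping `UserCS3Claim` and `UserOIDCClaim` from the `middleware.BasicAuthenticator` literal in services/proxy/pkg/command/server.go leaves the basic-auth path without the configured claim names, and the diffstat lists no change to the middleware package, so if `BasicAuthenticator` still declares those fields they are now silently left at their zero value; please confirm that an empty claim name makes it fall back to name matching rather than fail or match nothing. A deployment that sets `PROXY_USER_CS3_CLAIM`/`PROXY_USER_OIDC_CLAIM` to non-default values will then resolve users differently for basic auth and OIDC, which is easy to miss since the surrounding warning only says basic auth is for testing. If name-only matching is indeed what `BasicAuthenticator` does, a comment above the literal such as `// basic auth matches users by name regardless of cfg.UserCS3Claim/cfg.UserOIDCClaim` would make that explicit. loadMiddlewares starts and ends outside the hunk.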
+++ b/services/proxy/pkg/config/defaults/defaultconfig.go
@@ -74,8 +74,8 @@ func DefaultConfig() *config.Config {
 			Enabled: true,
 		},
 		AccountBackend: "cs3",
-		UserOIDCClaim: "lg.uuid",
-		UserCS3Claim: "userid",
+		UserOIDCClaim: "preferred_username",
+		UserCS3Claim: "username",
 		AutoprovisionAccounts: false,
 		EnableBasicAuth: false,
 		InsecureBackends: false,
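Review bot: The new defaults `preferred_username`/`username` map IDP users to CS3 users by name, and `preferred_username` is a claim the OIDC Core spec says a relying party must not rely on being unique or stable, so with an external IDP that lets a username be reused or changed a user can end up mapped to another user's CS3 account; that trade-off appears only in the commit message, not next to the setting. Opting back into id matching with the builtin IDP is also no longer possible after this commit, because the commit message ties the `lg.uuid` claim to the `LibgreGraph.UUID` implicit scope, and the `ImplicitScopes` field is removed from `config.Client` in services/idp/pkg/config/config.go rather than only from the defaults. A comment on the two fields, e.g. `// Match users by name (see issue #904); preferred_username is not guaranteed unique or stable, so deployments with an external IDP should point UserOIDCClaim/UserCS3Claim at a stable identifier.`, together with the operator-facing guidance the changelog hunk removes, would keep that visible to whoever next touches these defaults.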