From 0da7eccd1d69b53240a8fdc9236567bc5e53318b Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Wed, 24 Apr 2024 15:51:55 +0200
Subject: [PATCH] fix(autoprovision): make email optional

The mail address is not a required attrbute for our users. So we can auto-provision users without it.

Fixes: #6909
---
 .../unreleased/config-autoprovision-claims.md | 15 +++++++++++++++
 services/proxy/pkg/user/backend/cs3.go | 9 ++++-----
 2 files changed, 19 insertions(+), 5 deletions(-)
 create mode 100644 changelog/unreleased/config-autoprovision-claims.md

diff --git a/changelog/unreleased/config-autoprovision-claims.md b/changelog/unreleased/config-autoprovision-claims.md
new file mode 100644
index 000000000..d4a0fb7dc
--- /dev/null
+++ b/changelog/unreleased/config-autoprovision-claims.md
@@ -0,0 +1,15 @@
+Enhancement: Configurable claims for auto-provisioning user accounts
+
+We introduce the new environment variables
+"PROXY_AUTOPROVISION_CLAIM_USERNAME", "PROXY_AUTOPROVISION_CLAIM_EMAIL", and
+"PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME" which can be used to configure the
+OIDC claims that should be used for auto-provisioning user accounts.
+
+The automatic fallback to use the 'email' claim value as the username when
+the 'preferred_username' claim is not set, has been removed.
+
+Also it is now possible to autoprovision users without an email address.
+
+https://github.com/owncloud/ocis/pull/8952
+https://github.com/owncloud/ocis/issues/8635
+https://github.com/owncloud/ocis/issues/6909
diff --git a/services/proxy/pkg/user/backend/cs3.go b/services/proxy/pkg/user/backend/cs3.go
index 79aa736d8..7644ffa17 100644
--- a/services/proxy/pkg/user/backend/cs3.go
+++ b/services/proxy/pkg/user/backend/cs3.go
@@ -274,16 +274,15 @@ func (c cs3backend) libregraphUserFromClaims(ctx context.Context, claims map[str
 } else {
 return user, fmt.Errorf("Missing claim '%s' (displayName)", c.autoProvisionClaims.DisplayName)
 }
-if mail, ok := claims[c.autoProvisionClaims.Email].(string); ok {
-user.SetMail(mail)
-} else {
-return user, fmt.Errorf("Missing claim '%s' (mail)", c.autoProvisionClaims.Email)
-}
 if username, ok := claims[c.autoProvisionClaims.Username].(string); ok {
 user.SetOnPremisesSamAccountName(username)
 } else {
 return user, fmt.Errorf("Missing claim '%s' (username)", c.autoProvisionClaims.Username)
 }
+// Email is optional so we don't need an 'else' here
+if mail, ok := claims[c.autoProvisionClaims.Email].(string); ok {
+user.SetMail(mail)
+}
 return user, nil
 }
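Review bot: The new optional-email block at the end of the hunk only checks that the claim is a string, so a claim that is present but empty still reaches `user.SetMail("")`; tightening the guard to `if mail, ok := claims[c.autoProvisionClaims.Email].(string); ok && mail != "" {` leaves the mail unset in that case, which is what the "optional" comment describes. With the `else` branch gone, a claim that is present but of a non-string type is now silently skipped as well, so a debug-level log there would help an operator spot a misconfigured `PROXY_AUTOPROVISION_CLAIM_EMAIL` rather than discovering accounts without mail later. Whether the address should be stored without considering the IdP's `email_verified` claim is not visible in this hunk and is worth confirming, since the value becomes account data at provisioning time. libregraphUserFromClaims begins before the hunk.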