idp/proxy: Match users by ID instead of name by default

Reconfigure the oidc clients for lico, so that lico adds the "lg.uuid" to
tokens and userinfo by default. That claim will contain the userid. So
we can now use the userid for matching users when using the default
idm/idp configuration. This fixes further problems so that users being
recreated with the same name are correctly treated as differnt users.

Fixes: #904

changelog/3.0.0_2023-05-22/fix-idp-sub-recreation.md

@@ -8,3 +8,5 @@ claim. So that user's recreated with the same name will be treated as different
 users by the IDP.
 
 https://github.com/owncloud/ocis/issues/904
+https://github.com/owncloud/ocis/pull/6326
+https://github.com/owncloud/ocis/pull/6338

services/idp/pkg/config/config.go

@@ -61,6 +61,7 @@ type Client struct {
 	ID              string   `yaml:"id"`
 	Name            string   `yaml:"name"`
 	Trusted         bool     `yaml:"trusted"`
+	ImplicitScopes  []string `yaml:"implicit_scopes"`
 	Secret          string   `yaml:"secret"`
 	RedirectURIs    []string `yaml:"redirect_uris"`
 	Origins         []string `yaml:"origins"`

services/idp/pkg/config/defaults/defaultconfig.go

@@ -71,9 +71,10 @@ func DefaultConfig() *config.Config {
 		},
 		Clients: []config.Client{
 			{
-				ID:      "web",
-				Name:    "ownCloud Web app",
-				Trusted: true,
+				ID:             "web",
+				Name:           "ownCloud Web app",
+				ImplicitScopes: []string{"LibgreGraph.UUID"},
+				Trusted:        true,
 				RedirectURIs: []string{
 					"{{OCIS_URL}}/",
 					"{{OCIS_URL}}/oidc-callback.html",
@@ -87,6 +88,7 @@ func DefaultConfig() *config.Config {
 				ID:              "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69",
 				Secret:          "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh",
 				Name:            "ownCloud desktop app",
+				ImplicitScopes:  []string{"LibgreGraph.UUID"},
 				ApplicationType: "native",
 				RedirectURIs: []string{
 					"http://127.0.0.1",
@@ -97,6 +99,7 @@ func DefaultConfig() *config.Config {
 				ID:              "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD",
 				Secret:          "dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD",
 				Name:            "ownCloud Android app",
+				ImplicitScopes:  []string{"LibgreGraph.UUID"},
 				ApplicationType: "native",
 				RedirectURIs: []string{
 					"oc://android.owncloud.com",
@@ -106,6 +109,7 @@ func DefaultConfig() *config.Config {
 				ID:              "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1",
 				Secret:          "KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx",
 				Name:            "ownCloud iOS app",
+				ImplicitScopes:  []string{"LibgreGraph.UUID"},
 				ApplicationType: "native",
 				RedirectURIs: []string{
 					"oc://ios.owncloud.com",

services/proxy/pkg/command/server.go

@@ -340,8 +340,10 @@ func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config,
 	if cfg.EnableBasicAuth {
 		logger.Warn().Msg("basic auth enabled, use only for testing or development")
 		authenticators = append(authenticators, middleware.BasicAuthenticator{
-			Logger:       logger,
-			UserProvider: userProvider,
+			Logger:        logger,
+			UserProvider:  userProvider,
+			UserCS3Claim:  cfg.UserCS3Claim,
+			UserOIDCClaim: cfg.UserOIDCClaim,
 		})
 	}
 

services/proxy/pkg/config/defaults/defaultconfig.go

@@ -74,8 +74,8 @@ func DefaultConfig() *config.Config {
 			Enabled:            true,
 		},
 		AccountBackend:        "cs3",
-		UserOIDCClaim:         "preferred_username",
-		UserCS3Claim:          "username",
+		UserOIDCClaim:         "lg.uuid",
+		UserCS3Claim:          "userid",
 		AutoprovisionAccounts: false,
 		EnableBasicAuth:       false,
 		InsecureBackends:      false,