From 7a4bc71e653d3dfe84bc2864f843cd8aeb9251a7 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Thu, 1 Jun 2023 08:23:48 +0200
Subject: [PATCH] Revert "idp/proxy: Match users by ID instead of name by default"

This reverts commit 52951b42b0db11f652e3924ba73cec3b68666042.

The change broke authentication for at least the desktop client when using the builtin idp. There seem to be issues in the IDP (lico) which result in the implicit scoped not being added correctly in some case. When that scope is missing the `lg.uuid` claim will not be present in the userinfo and we can correctly match users by id. This reverts back to the old behaviour of matching users by name. Which also brings some aspects of https://github.com/owncloud/ocis/issues/904

Fixes #6415
---
 changelog/3.0.0_2023-05-22/fix-idp-sub-recreation.md | 7 +------
 services/idp/pkg/config/config.go | 1 -
 services/idp/pkg/config/defaults/defaultconfig.go | 10 +++-------
 services/proxy/pkg/command/server.go | 6 ++----
 services/proxy/pkg/config/defaults/defaultconfig.go | 4 ++--
 5 files changed, 8 insertions(+), 20 deletions(-)

diff --git a/changelog/3.0.0_2023-05-22/fix-idp-sub-recreation.md b/changelog/3.0.0_2023-05-22/fix-idp-sub-recreation.md
index da1d954e1a..8f2df658f8 100644
--- a/changelog/3.0.0_2023-05-22/fix-idp-sub-recreation.md
+++ b/changelog/3.0.0_2023-05-22/fix-idp-sub-recreation.md
@@ -7,12 +7,7 @@ use the user's unique id (`owncloudUUID` by default) for computing the `sub`
 claim. So that user's recreated with the same name will be treated as different
 users by the IDP.
 
-This changed also the default values of the 'PROXY_USER_OIDC_CLAIM' and
-'PROXY_USER_CS3_CLAIM' settings map the IDP users to CS3 user by the userid in
-the default setup. The old behavior of matching by username can be achieved
-byt setting 'PROXY_USER_OIDC_CLAIM=preferred_username' and
-'PROXY_USER_CS3_CLAIM=username'.
-
 https://github.com/owncloud/ocis/issues/904
 https://github.com/owncloud/ocis/pull/6326
 https://github.com/owncloud/ocis/pull/6338
+https://github.com/owncloud/ocis/pull/6420
diff --git a/services/idp/pkg/config/config.go b/services/idp/pkg/config/config.go
index 6439d2e8a8..1b18560fbf 100644
--- a/services/idp/pkg/config/config.go
+++ b/services/idp/pkg/config/config.go
@@ -61,7 +61,6 @@ type Client struct {
 ID string `yaml:"id"`
 Name string `yaml:"name"`
 Trusted bool `yaml:"trusted"`
- ImplicitScopes []string `yaml:"implicit_scopes"`
 Secret string `yaml:"secret"`
 RedirectURIs []string `yaml:"redirect_uris"`
 Origins []string `yaml:"origins"`
diff --git a/services/idp/pkg/config/defaults/defaultconfig.go b/services/idp/pkg/config/defaults/defaultconfig.go
index eb5f81db40..dc6f2ebede 100644
--- a/services/idp/pkg/config/defaults/defaultconfig.go
+++ b/services/idp/pkg/config/defaults/defaultconfig.go
@@ -71,10 +71,9 @@ func DefaultConfig() *config.Config {
 },
 Clients: []config.Client{
 {
- ID: "web",
- Name: "ownCloud Web app",
- ImplicitScopes: []string{"LibgreGraph.UUID"},
- Trusted: true,
+ ID: "web",
+ Name: "ownCloud Web app",
+ Trusted: true,
 RedirectURIs: []string{
 "{{OCIS_URL}}/",
 "{{OCIS_URL}}/oidc-callback.html",
@@ -88,7 +87,6 @@ func DefaultConfig() *config.Config {
 ID: "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69",
 Secret: "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh",
 Name: "ownCloud desktop app",
- ImplicitScopes: []string{"LibgreGraph.UUID"},
 ApplicationType: "native",
 RedirectURIs: []string{
 "http://127.0.0.1",
@@ -99,7 +97,6 @@ func DefaultConfig() *config.Config {
 ID: "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD",
 Secret: "dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD",
 Name: "ownCloud Android app",
- ImplicitScopes: []string{"LibgreGraph.UUID"},
 ApplicationType: "native",
 RedirectURIs: []string{
 "oc://android.owncloud.com",
@@ -109,7 +106,6 @@ func DefaultConfig() *config.Config {
 ID: "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1",
 Secret: "KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx",
 Name: "ownCloud iOS app",
- ImplicitScopes: []string{"LibgreGraph.UUID"},
 ApplicationType: "native",
 RedirectURIs: []string{
 "oc://ios.owncloud.com",
diff --git a/services/proxy/pkg/command/server.go b/services/proxy/pkg/command/server.go
index e49317c172..11b18850d1 100644
--- a/services/proxy/pkg/command/server.go
+++ b/services/proxy/pkg/command/server.go
@@ -344,10 +344,8 @@ func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config,
 if cfg.EnableBasicAuth {
 logger.Warn().Msg("basic auth enabled, use only for testing or development")
 authenticators = append(authenticators, middleware.BasicAuthenticator{
- Logger: logger,
- UserProvider: userProvider,
- UserCS3Claim: cfg.UserCS3Claim,
- UserOIDCClaim: cfg.UserOIDCClaim,
+ Logger: logger,
+ UserProvider: userProvider,
 })
 }
 
diff --git a/services/proxy/pkg/config/defaults/defaultconfig.go b/services/proxy/pkg/config/defaults/defaultconfig.go
index 9c21bbf2c0..16ee92d710 100644
--- a/services/proxy/pkg/config/defaults/defaultconfig.go
+++ b/services/proxy/pkg/config/defaults/defaultconfig.go
@@ -74,8 +74,8 @@ func DefaultConfig() *config.Config {
 Enabled: true,
 },
 AccountBackend: "cs3",
- UserOIDCClaim: "lg.uuid",
- UserCS3Claim: "userid",
+ UserOIDCClaim: "preferred_username",
+ UserCS3Claim: "username",
 AutoprovisionAccounts: false,
 EnableBasicAuth: false,
 InsecureBackends: false,
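Review bot: The restored defaults `UserOIDCClaim: "preferred_username"` / `UserCS3Claim: "username"` key the OIDC-to-CS3 mapping on a username, an attribute that is reused when an account is deleted and recreated under the same name — exactly the situation the reverted commit was addressing, and the commit description itself says this brings back aspects of #904 — yet the default config carries no hint of that trade-off. A comment above `UserOIDCClaim:` such as `// Username matching means a recreated account with the same name maps to the old CS3 user; set UserOIDCClaim "lg.uuid" and UserCS3Claim "userid" to match on the stable id once the IDP reliably emits that claim.` would keep the choice visible to operators reading the defaults. The same commit also stops passing `cfg.UserCS3Claim`/`cfg.UserOIDCClaim` into `middleware.BasicAuthenticator` in server.go, so basic-auth lookups presumably no longer follow these two settings at all; if that is the case the comment should state that they apply to OIDC authentication only. `DefaultConfig` continues outside the hunk.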