set only user oidc claim only if cs3 claim is userid

proxy/pkg/command/server.go

@@ -221,6 +221,7 @@ func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config)
 			middleware.UserProvider(userProvider),
 			middleware.OIDCIss(cfg.OIDC.Issuer),
 			middleware.UserOIDCClaim(cfg.UserOIDCClaim),
+			middleware.UserCS3Claim(cfg.UserCS3Claim),
 			middleware.CredentialsByUserAgent(cfg.Reva.Middleware.Auth.CredentialsByUserAgent),
 		),
 		middleware.SignedURLAuth(

proxy/pkg/middleware/authentication.go

@@ -127,6 +127,7 @@ func newBasicAuth(options Options) func(http.Handler) http.Handler {
 		AccountsClient(options.AccountsClient),
 		OIDCIss(options.OIDCIss),
 		UserOIDCClaim(options.UserOIDCClaim),
+		UserCS3Claim(options.UserCS3Claim),
 		CredentialsByUserAgent(options.CredentialsByUserAgent),
 	)
 }

proxy/pkg/middleware/basic_auth.go

@@ -84,11 +84,17 @@ func BasicAuth(optionSetters ...Option) func(next http.Handler) http.Handler {
 
 				// fake oidc claims
 				claims := map[string]interface{}{
-					oidc.OwncloudUUID:      user.Id.OpaqueId,
-					options.UserOIDCClaim:  user.Id.OpaqueId,
 					oidc.Iss:               user.Id.Idp,
 					oidc.PreferredUsername: user.Username,
 					oidc.Email:             user.Mail,
+					oidc.OwncloudUUID:      user.Id.OpaqueId,
+				}
+
+				if options.UserCS3Claim == "userid" {
+					// set the custom user claim only if users will be looked up by the the userid on the CS3api
+					// OpaqueId contains the userid configured in STORAGE_LDAP_USER_SCHEMA_UID
+					claims[options.UserOIDCClaim] = user.Id.OpaqueId
+
 				}
 
 				next.ServeHTTP(w, req.WithContext(oidc.NewContext(req.Context(), claims)))