To enhance the security of our application and prevent Cross-Site Request Forgery (CSRF) attacks, we have updated the
SameSite attribute of the build in Identity Provider (IDP) cookies to Strict.
This revision introduces a new environment variable
`IDP_LOGIN_BACKGROUND_URL` that overrides the default background image
of the IDP login page when present.
For some reason LDAP_BIND_PASSWORD was forgotten when all the other global LDAP_
variables got renamed.
Also marks LDAP_BIND_PASSWORD and LDAP_USER_SCHEMA_ID_IS_OCTETSTRING for removal with 5.0.0
Partial: #7176
This reverts commit 52951b42b0.
The change broke authentication for at least the desktop client when
using the builtin idp. There seem to be issues in the IDP (lico) which
result in the implicit scoped not being added correctly in some case.
When that scope is missing the `lg.uuid` claim will not be present in
the userinfo and we can correctly match users by id.
This reverts back to the old behaviour of matching users by name. Which
also brings some aspects of https://github.com/owncloud/ocis/issues/904Fixes#6415
Reconfigure the oidc clients for lico, so that lico adds the "lg.uuid" to
tokens and userinfo by default. That claim will contain the userid. So
we can now use the userid for matching users when using the default
idm/idp configuration. This fixes further problems so that users being
recreated with the same name are correctly treated as differnt users.
Fixes: #904
Fixes: 5906
After clarification and renaming th envvar and post a discussion with @rhafer, we should align the yaml name to the envvar name. Note that the backend name (`Insecure`) is not changed.
* In the deployment examples, we use ennvars and no yaml
* ocis init does not use it
This adds support for configuring an LDAP Attribute that can be used as a flag
to disallow users to login. We currently default to 'ownCloudUserEnabled' as
used in the default configuration of the graph service.
Consolidate all services to use the Reva config struct for the shared package.
This works because all services (except 'notifications', 'thumbnails' and
'webdav') where using the same config keys and environment variables for
setting the reva gateway.
Juergen Weigert