Align default login attribute across services

Up to now the builtin lico was using the "username" as the login attribute, while the proxy (and to some extend the auth-basic) service tried to uniquely identify users by mail address. This aligns the default configuration of the services to use the username everywhere. Fixes: #4039
owncloud · Jul 14, 2022 · 0f257af · 0f257af
1 parent d09819d
commit 0f257af
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 3 deletions.
diff --git a/changelog/unreleased/fix-align-login-attr.md b/changelog/unreleased/fix-align-login-attr.md
@@ -0,0 +1,6 @@
+Bugfix: Logging in on the wrong account when an email address is not unique
+
+The default configuration to use the same logon attribute for all services. Also,
+if the configured logon attribute is not unique access to ocis is denied.
+
+https://github.com/owncloud/ocis/issues/4039
diff --git a/services/auth-basic/pkg/config/defaults/defaultconfig.go b/services/auth-basic/pkg/config/defaults/defaultconfig.go
@@ -43,7 +43,7 @@ func DefaultConfig() *config.Config {
  GroupBaseDN: "ou=groups,o=libregraph-idm",
  UserScope: "sub",
  GroupScope: "sub",
- LoginAttributes: []string{"uid", "mail"},
+ LoginAttributes: []string{"uid"},
  UserFilter: "",
  GroupFilter: "",
  UserObjectClass: "inetOrgPerson",

diff --git a/services/proxy/pkg/config/defaults/defaultconfig.go b/services/proxy/pkg/config/defaults/defaultconfig.go
@@ -50,8 +50,8 @@ func DefaultConfig() *config.Config {
  Enabled: true,
  },
  AccountBackend: "cs3",
- UserOIDCClaim: "email",
- UserCS3Claim: "mail",
+ UserOIDCClaim: "preferred_username",
+ UserCS3Claim: "username",
  AutoprovisionAccounts: false,
  EnableBasicAuth: false,
  InsecureBackends: false,