idp/proxy: Match users by ID instead of name by default

Reconfigure the oidc clients for lico, so that lico adds the "lg.uuid" to tokens and userinfo by default. That claim will contain the userid. So we can now use the userid for matching users when using the default idm/idp configuration. This fixes further problems so that users being recreated with the same name are correctly treated as differnt users. Fixes: #904
owncloud · May 17, 2023 · c6797f7 · c6797f7
1 parent 4aad1db
commit c6797f7
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 7 deletions.
diff --git a/changelog/unreleased/fix-idp-sub-recreation.md b/changelog/unreleased/fix-idp-sub-recreation.md
@@ -8,3 +8,5 @@ claim. So that user's recreated with the same name will be treated as different
 users by the IDP.
 
 https://github.com/owncloud/ocis/issues/904
+https://github.com/owncloud/ocis/pull/6326
+https://github.com/owncloud/ocis/pull/6338
diff --git a/services/idp/pkg/config/config.go b/services/idp/pkg/config/config.go
@@ -61,6 +61,7 @@ type Client struct {
  ID string `yaml:"id"`
  Name string `yaml:"name"`
  Trusted bool `yaml:"trusted"`
+ ImplicitScopes []string `yaml:"implicit_scopes"`
  Secret string `yaml:"secret"`
  RedirectURIs []string `yaml:"redirect_uris"`
  Origins []string `yaml:"origins"`

diff --git a/services/idp/pkg/config/defaults/defaultconfig.go b/services/idp/pkg/config/defaults/defaultconfig.go
@@ -71,9 +71,10 @@ func DefaultConfig() *config.Config {
  },
  Clients: []config.Client{
  {
- ID: "web",
- Name: "ownCloud Web app",
- Trusted: true,
+ ID: "web",
+ Name: "ownCloud Web app",
+ ImplicitScopes: []string{"LibgreGraph.UUID"},
+ Trusted: true,
  RedirectURIs: []string{
  "{{OCIS_URL}}/",
  "{{OCIS_URL}}/oidc-callback.html",
@@ -87,6 +88,7 @@ func DefaultConfig() *config.Config {
  ID: "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69",
  Secret: "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh",
  Name: "ownCloud desktop app",
+ ImplicitScopes: []string{"LibgreGraph.UUID"},
  ApplicationType: "native",
  RedirectURIs: []string{
  "http://127.0.0.1",
@@ -97,6 +99,7 @@ func DefaultConfig() *config.Config {
  ID: "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD",
  Secret: "dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD",
  Name: "ownCloud Android app",
+ ImplicitScopes: []string{"LibgreGraph.UUID"},
  ApplicationType: "native",
  RedirectURIs: []string{
  "oc://android.owncloud.com",
@@ -106,6 +109,7 @@ func DefaultConfig() *config.Config {
  ID: "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1",
  Secret: "KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx",
  Name: "ownCloud iOS app",
+ ImplicitScopes: []string{"LibgreGraph.UUID"},
  ApplicationType: "native",
  RedirectURIs: []string{
  "oc://ios.owncloud.com",

diff --git a/services/proxy/pkg/command/server.go b/services/proxy/pkg/command/server.go
@@ -340,8 +340,10 @@ func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config,
  if cfg.EnableBasicAuth {
  logger.Warn().Msg("basic auth enabled, use only for testing or development")
  authenticators = append(authenticators, middleware.BasicAuthenticator{
- Logger: logger,
- UserProvider: userProvider,
+ Logger: logger,
+ UserProvider: userProvider,
+ UserCS3Claim: cfg.UserCS3Claim,
+ UserOIDCClaim: cfg.UserOIDCClaim,
  })
  }
 

diff --git a/services/proxy/pkg/config/defaults/defaultconfig.go b/services/proxy/pkg/config/defaults/defaultconfig.go
@@ -74,8 +74,8 @@ func DefaultConfig() *config.Config {
  Enabled: true,
  },
  AccountBackend: "cs3",
- UserOIDCClaim: "preferred_username",
- UserCS3Claim: "username",
+ UserOIDCClaim: "lg.uuid",
+ UserCS3Claim: "userid",
  AutoprovisionAccounts: false,
  EnableBasicAuth: false,
  InsecureBackends: false,