From c6797f7edc97407f4b9fc2be16fd822392ea31e7 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Wed, 17 May 2023 10:57:49 +0200
Subject: [PATCH] idp/proxy: Match users by ID instead of name by default

Reconfigure the oidc clients for lico, so that lico adds the "lg.uuid" to tokens and userinfo by default. That claim will contain the userid. So we can now use the userid for matching users when using the default idm/idp configuration. This fixes further problems so that users being recreated with the same name are correctly treated as differnt users.
Fixes: #904
---
 changelog/unreleased/fix-idp-sub-recreation.md | 2 ++
 services/idp/pkg/config/config.go | 1 +
 services/idp/pkg/config/defaults/defaultconfig.go | 10 +++++++---
 services/proxy/pkg/command/server.go | 6 ++++--
 services/proxy/pkg/config/defaults/defaultconfig.go | 4 ++--
 5 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/changelog/unreleased/fix-idp-sub-recreation.md b/changelog/unreleased/fix-idp-sub-recreation.md
index af724c69eca..7ce6ad4fc56 100644
--- a/changelog/unreleased/fix-idp-sub-recreation.md
+++ b/changelog/unreleased/fix-idp-sub-recreation.md
@@ -8,3 +8,5 @@ claim. So that user's recreated with the same name will be treated as different
 users by the IDP.
 https://github.com/owncloud/ocis/issues/904
+https://github.com/owncloud/ocis/pull/6326
+https://github.com/owncloud/ocis/pull/6338
diff --git a/services/idp/pkg/config/config.go b/services/idp/pkg/config/config.go
index 1b18560fbfc..6439d2e8a8c 100644
--- a/services/idp/pkg/config/config.go
+++ b/services/idp/pkg/config/config.go
@@ -61,6 +61,7 @@ type Client struct {
 ID string `yaml:"id"`
 Name string `yaml:"name"`
 Trusted bool `yaml:"trusted"`
+ImplicitScopes []string `yaml:"implicit_scopes"`
 Secret string `yaml:"secret"`
 RedirectURIs []string `yaml:"redirect_uris"`
 Origins []string `yaml:"origins"`
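Review bot: The new `ImplicitScopes` field added to `Client` in the config.go hunk has no doc comment, so a reader of the config struct cannot tell that scopes listed here are, going by the commit message, granted to the client without being requested (that is how lico ends up emitting the `lg.uuid` claim for the bundled clients). An implicitly granted scope widens what every token issued to that client carries, which is exactly the kind of thing an operator editing `implicit_scopes` in YAML should be told on the field itself. I would add `// ImplicitScopes are granted to this client without the client requesting them; the defaults use it to make the IDP always emit the "lg.uuid" claim the proxy matches users on.` above the field, hedged to "presumably" if the lico semantics differ. The `Client` struct continues past the end of the hunk.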
diff --git a/services/idp/pkg/config/defaults/defaultconfig.go b/services/idp/pkg/config/defaults/defaultconfig.go
index dc6f2ebedea..eb5f81db404 100644
--- a/services/idp/pkg/config/defaults/defaultconfig.go
+++ b/services/idp/pkg/config/defaults/defaultconfig.go
@@ -71,9 +71,10 @@ func DefaultConfig() *config.Config {
 },
 Clients: []config.Client{
 {
-ID: "web",
-Name: "ownCloud Web app",
-Trusted: true,
+ID: "web",
+Name: "ownCloud Web app",
+ImplicitScopes: []string{"LibgreGraph.UUID"},
+Trusted: true,
 RedirectURIs: []string{
 "{{OCIS_URL}}/",
 "{{OCIS_URL}}/oidc-callback.html",
@@ -87,6 +88,7 @@ func DefaultConfig() *config.Config {
 ID: "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69",
 Secret: "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh",
 Name: "ownCloud desktop app",
+ImplicitScopes: []string{"LibgreGraph.UUID"},
 ApplicationType: "native",
 RedirectURIs: []string{
 "http://127.0.0.1",
@@ -97,6 +99,7 @@ func DefaultConfig() *config.Config {
 ID: "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD",
 Secret: "dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD",
 Name: "ownCloud Android app",
+ImplicitScopes: []string{"LibgreGraph.UUID"},
 ApplicationType: "native",
 RedirectURIs: []string{
 "oc://android.owncloud.com",
@@ -106,6 +109,7 @@ func DefaultConfig() *config.Config {
 ID: "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1",
 Secret: "KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx",
 Name: "ownCloud iOS app",
+ImplicitScopes: []string{"LibgreGraph.UUID"},
 ApplicationType: "native",
 RedirectURIs: []string{
 "oc://ios.owncloud.com",
diff --git a/services/proxy/pkg/command/server.go b/services/proxy/pkg/command/server.go
index 8e4cbbef3a6..3476662b010 100644
--- a/services/proxy/pkg/command/server.go
+++ b/services/proxy/pkg/command/server.go
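Review bot: The scope literal `"LibgreGraph.UUID"` is repeated verbatim in all four client entries of DefaultConfig (the hunks at lines 71, 87, 97 and 106) with nothing saying why it is there, while the proxy default it has to agree with (`UserOIDCClaim: "lg.uuid"`) lives in a different service; a typo in one entry would leave that client's users unable to match under the new default, and the spelling `LibgreGraph` (rather than LibreGraph) is presumably what lico expects but is worth confirming once, which is easier if it exists in exactly one place. I would hoist it into a named constant, e.g. `// libreGraphUUIDScope makes lico add the "lg.uuid" claim (the user's id) to tokens and userinfo; the proxy matches users on it by default.` followed by `const libreGraphUUIDScope = "LibgreGraph.UUID"`, and use `ImplicitScopes: []string{libreGraphUUIDScope},` in each client. DefaultConfig starts and ends outside these hunks.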
@@ -340,8 +340,10 @@ func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config,
 if cfg.EnableBasicAuth {
 logger.Warn().Msg("basic auth enabled, use only for testing or development")
 authenticators = append(authenticators, middleware.BasicAuthenticator{
-Logger: logger,
-UserProvider: userProvider,
+Logger: logger,
+UserProvider: userProvider,
+UserCS3Claim: cfg.UserCS3Claim,
+UserOIDCClaim: cfg.UserOIDCClaim,
 })
 }
diff --git a/services/proxy/pkg/config/defaults/defaultconfig.go b/services/proxy/pkg/config/defaults/defaultconfig.go
index 16ee92d710d..9c21bbf2c0b 100644
--- a/services/proxy/pkg/config/defaults/defaultconfig.go
+++ b/services/proxy/pkg/config/defaults/defaultconfig.go
@@ -74,8 +74,8 @@ func DefaultConfig() *config.Config {
 Enabled: true,
 },
 AccountBackend: "cs3",
-UserOIDCClaim: "preferred_username",
-UserCS3Claim: "username",
+UserOIDCClaim: "lg.uuid",
+UserCS3Claim: "userid",
 AutoprovisionAccounts: false,
 EnableBasicAuth: false,
 InsecureBackends: false,
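Review bot: The `middleware.BasicAuthenticator` literal now receives `UserCS3Claim` and `UserOIDCClaim` with no comment on why a password-based authenticator needs the OIDC claim names, and the hunk does not show what it does with them; presumably it mirrors the OIDC path by turning the authenticated user's `UserCS3Claim` attribute into a claim named `UserOIDCClaim` so that the downstream account lookup behaves the same for both login paths — confirm against the BasicAuthenticator implementation. A one-line comment above the literal would save the next reader that trip: `// hand the basic authenticator the same claim names as the OIDC path so its users resolve to the same accounts`. loadMiddlewares starts and ends outside the hunk, and the hunk counts (8 old / 10 new) suggest a blank context line was lost in this copy of the patch.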
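Review bot: The new defaults `UserOIDCClaim: "lg.uuid"` and `UserCS3Claim: "userid"` only work when the IdP actually emits an `lg.uuid` claim, which this commit arranges for the bundled lico clients through their `ImplicitScopes`; as far as I can tell, a deployment pointing the proxy at an external IdP with otherwise default settings would receive no such claim and every login would fail to match (or, with `AutoprovisionAccounts` enabled, would create fresh accounts), and nothing in this file says so. Matching on an immutable id instead of a name is the safer default, since it closes the recreated-user collision the commit fixes, but the coupling to the idp defaults is invisible here, so I would document it next to the two fields: `// "lg.uuid" is only emitted by the bundled IDP (see the idp client ImplicitScopes); external IdPs need UserOIDCClaim/UserCS3Claim set to a claim/attribute pair they actually provide, e.g. preferred_username/username.` DefaultConfig starts and ends outside the hunk.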