Logging in on the wrong account when an email address is not unique

[wlohman-surfsara]

Description

On a free trial instance of the oCIS beta program

When two accounts have the same email address, logging in with the username/password of the second account logs you in to the first account

Steps to reproduce

1. Log in as admin
2. Create a user
   username: user1
   displayname: User One
   email: notunique@example.com
   password: somethingrandom
3. Create a second user
   username: user2
   displayname: User Two
   email: notunique@example.com
   password: differentpassword
4. Create a space user1_is_viewer
5. Assign user1 as viewer to this space
6. Create a space user2_is_viewer
7. Assign user2 as viewer to this space
8. Log out as admin
9. Log in with user2/differentpassword

Expected behavior

I expect to be logged in with user2, I expect to have access to the space user2_is_viewer

Actual behavior

I am logged in as user1, I have access to the space user1_is_viewer

When I log back in as admin and change one of the email addresses the issue goes away

The JWT token contains the correct username (user2).

Setup

This is tested on my free trial instance of the oCIS beta program with Firefox and Chrome

[rhafer]

@wlohman-surfsara Thanks, a lot for the report!

Indeed we currently to require the mail address to be unique (I guess we might want to reconsider this)

@wkloucek Additionally I think we should consider switching our defaults for PROXY_USER_OIDC_CLAIM and PROXY_USER_CS3_CLAIM away from the email address and use the username there instead. What do you think?

[phil-davis]

Note: for business users IMO the email address that goes with each cloud storage user will be unique. (I am struggling to think of when a business would not do that)

For family cloud storage, it may still be "relatively common"/"happen" that multiple members of the family share an email account, but they have an account each on the cloud storage. I found this from way back in 2014 https://www.salon.com/2014/02/12/couples_get_your_own_email_accounts/ - I have no idea what the percentage is these days of couples that still use a shared email account.

So I don't really know if in "the modern internet" nowadays, apps/web sites/... would just insist that there can only be one username/account per email address.

[wkloucek]

Indeed we currently to require the mail address to be unique (I guess we might want to reconsider this)

We require it but do not enforce it (which is bad). If we want to enable login with email address, we would need to enforce the uniqueness of email addresses, too #2572.

@wkloucek Additionally I think we should consider switching our defaults for PROXY_USER_OIDC_CLAIM and PROXY_USER_CS3_CLAIM away from the email address and use the username there instead. What do you think?

We should do this. It works with the builtin IDP and IDM, because the IDM does not allow duplicate usernames.

For external IDM / IDP configuration probably needs to be adapted. External IDPs also have further challenges in that direction #3866

@micbar can you assign a priority?

[rhafer]

While it should be possible to mitigate this issue with a configuration change, as outlined above, I just realized that there is also a bug in libregraph/idm (libregraph/idm#72) that made the problem worse ;-(

[rhafer]

Partial fix: libregraph/idm#73 Note: with that neither of users sharing the same mail address, will be able to login. (Working on the ocis side fix now)