Align default login attribute across services

Up to now the builtin lico was using the "username" as the login
attribute, while the proxy (and to some extend the auth-basic) service
tried to uniquely identify users by mail address. This aligns the
default configuration of the services to use the username everywhere.

Fixes: #4039

changelog/unreleased/fix-align-login-attr.md

@@ -0,0 +1,6 @@
+Bugfix: Logging in on the wrong account when an email address is not unique
+
+The default configuration to use the same logon attribute for all services. Also,
+if the configured logon attribute is not unique access to ocis is denied.
+
+https://github.com/owncloud/ocis/issues/4039

services/auth-basic/pkg/config/defaults/defaultconfig.go

@@ -43,7 +43,7 @@ func DefaultConfig() *config.Config {
 				GroupBaseDN:      "ou=groups,o=libregraph-idm",
 				UserScope:        "sub",
 				GroupScope:       "sub",
-				LoginAttributes:  []string{"uid", "mail"},
+				LoginAttributes:  []string{"uid"},
 				UserFilter:       "",
 				GroupFilter:      "",
 				UserObjectClass:  "inetOrgPerson",

services/proxy/pkg/config/defaults/defaultconfig.go

@@ -50,8 +50,8 @@ func DefaultConfig() *config.Config {
 			Enabled:            true,
 		},
 		AccountBackend:        "cs3",
-		UserOIDCClaim:         "email",
-		UserCS3Claim:          "mail",
+		UserOIDCClaim:         "preferred_username",
+		UserCS3Claim:          "username",
 		AutoprovisionAccounts: false,
 		EnableBasicAuth:       false,
 		InsecureBackends:      false,