From d05df2f85e22f71daeefce5d92683c7256b35c7b Mon Sep 17 00:00:00 2001 From: Willy Kloucek Date: Thu, 11 Nov 2021 11:43:10 +0100 Subject: [PATCH 1/3] fix basic auth with custom user claim --- changelog/unreleased/fix-basic-auth-with-custom-user-claim | 7 +++++++ proxy/pkg/command/server.go | 1 + proxy/pkg/middleware/authentication.go | 1 + proxy/pkg/middleware/basic_auth.go | 1 + 4 files changed, 10 insertions(+) create mode 100644 changelog/unreleased/fix-basic-auth-with-custom-user-claim diff --git a/changelog/unreleased/fix-basic-auth-with-custom-user-claim b/changelog/unreleased/fix-basic-auth-with-custom-user-claim new file mode 100644 index 0000000000..2729e67e33 --- /dev/null +++ b/changelog/unreleased/fix-basic-auth-with-custom-user-claim @@ -0,0 +1,7 @@ +Bugfix: Fix basic auth with custom user claim + +We've fixed authentication with basic if oCIS is configured to use a non-standard claim +as user claim (`PROXY_USER_OIDC_CLAIM`). Prior to this bugfix the authentication always +failed and is now working. + +https://github.com/owncloud/ocis/pull/2755 diff --git a/proxy/pkg/command/server.go b/proxy/pkg/command/server.go index 8b43411034..40ec611a85 100644 --- a/proxy/pkg/command/server.go +++ b/proxy/pkg/command/server.go @@ -220,6 +220,7 @@ func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config) middleware.EnableBasicAuth(cfg.EnableBasicAuth), middleware.UserProvider(userProvider), middleware.OIDCIss(cfg.OIDC.Issuer), + middleware.UserOIDCClaim(cfg.UserOIDCClaim), middleware.CredentialsByUserAgent(cfg.Reva.Middleware.Auth.CredentialsByUserAgent), ), middleware.SignedURLAuth( diff --git a/proxy/pkg/middleware/authentication.go b/proxy/pkg/middleware/authentication.go index 2e0f0f5dcc..79a6746f47 100644 --- a/proxy/pkg/middleware/authentication.go +++ b/proxy/pkg/middleware/authentication.go @@ -126,6 +126,7 @@ func newBasicAuth(options Options) func(http.Handler) http.Handler { EnableBasicAuth(options.EnableBasicAuth), AccountsClient(options.AccountsClient), OIDCIss(options.OIDCIss), + UserOIDCClaim(options.UserOIDCClaim), CredentialsByUserAgent(options.CredentialsByUserAgent), ) } diff --git a/proxy/pkg/middleware/basic_auth.go b/proxy/pkg/middleware/basic_auth.go index b778c092c8..14e4ef59d6 100644 --- a/proxy/pkg/middleware/basic_auth.go +++ b/proxy/pkg/middleware/basic_auth.go @@ -85,6 +85,7 @@ func BasicAuth(optionSetters ...Option) func(next http.Handler) http.Handler { // fake oidc claims claims := map[string]interface{}{ oidc.OwncloudUUID: user.Id.OpaqueId, + options.UserOIDCClaim: user.Id.OpaqueId, oidc.Iss: user.Id.Idp, oidc.PreferredUsername: user.Username, oidc.Email: user.Mail, From 7dca7b4fae1eea751cc45d685bb5978719381555 Mon Sep 17 00:00:00 2001 From: Willy Kloucek Date: Mon, 15 Nov 2021 10:21:39 +0100 Subject: [PATCH 2/3] set only user oidc claim only if cs3 claim is userid --- proxy/pkg/command/server.go | 1 + proxy/pkg/middleware/authentication.go | 1 + proxy/pkg/middleware/basic_auth.go | 10 ++++++++-- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/proxy/pkg/command/server.go b/proxy/pkg/command/server.go index 40ec611a85..50376b362c 100644 --- a/proxy/pkg/command/server.go +++ b/proxy/pkg/command/server.go @@ -221,6 +221,7 @@ func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config) middleware.UserProvider(userProvider), middleware.OIDCIss(cfg.OIDC.Issuer), middleware.UserOIDCClaim(cfg.UserOIDCClaim), + middleware.UserCS3Claim(cfg.UserCS3Claim), middleware.CredentialsByUserAgent(cfg.Reva.Middleware.Auth.CredentialsByUserAgent), ), middleware.SignedURLAuth( diff --git a/proxy/pkg/middleware/authentication.go b/proxy/pkg/middleware/authentication.go index 79a6746f47..b2b63c45fa 100644 --- a/proxy/pkg/middleware/authentication.go +++ b/proxy/pkg/middleware/authentication.go @@ -127,6 +127,7 @@ func newBasicAuth(options Options) func(http.Handler) http.Handler { AccountsClient(options.AccountsClient), OIDCIss(options.OIDCIss), UserOIDCClaim(options.UserOIDCClaim), + UserCS3Claim(options.UserCS3Claim), CredentialsByUserAgent(options.CredentialsByUserAgent), ) } diff --git a/proxy/pkg/middleware/basic_auth.go b/proxy/pkg/middleware/basic_auth.go index 14e4ef59d6..c74c8a509a 100644 --- a/proxy/pkg/middleware/basic_auth.go +++ b/proxy/pkg/middleware/basic_auth.go @@ -84,11 +84,17 @@ func BasicAuth(optionSetters ...Option) func(next http.Handler) http.Handler { // fake oidc claims claims := map[string]interface{}{ - oidc.OwncloudUUID: user.Id.OpaqueId, - options.UserOIDCClaim: user.Id.OpaqueId, oidc.Iss: user.Id.Idp, oidc.PreferredUsername: user.Username, oidc.Email: user.Mail, + oidc.OwncloudUUID: user.Id.OpaqueId, + } + + if options.UserCS3Claim == "userid" { + // set the custom user claim only if users will be looked up by the the userid on the CS3api + // OpaqueId contains the userid configured in STORAGE_LDAP_USER_SCHEMA_UID + claims[options.UserOIDCClaim] = user.Id.OpaqueId + } next.ServeHTTP(w, req.WithContext(oidc.NewContext(req.Context(), claims))) From 62704ceb2e4e58315ecb41e900d867f554baa4c9 Mon Sep 17 00:00:00 2001 From: Willy Kloucek Date: Mon, 15 Nov 2021 13:24:26 +0100 Subject: [PATCH 3/3] fix double "the" --- proxy/pkg/middleware/basic_auth.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proxy/pkg/middleware/basic_auth.go b/proxy/pkg/middleware/basic_auth.go index c74c8a509a..6b26dbd0ce 100644 --- a/proxy/pkg/middleware/basic_auth.go +++ b/proxy/pkg/middleware/basic_auth.go @@ -91,7 +91,7 @@ func BasicAuth(optionSetters ...Option) func(next http.Handler) http.Handler { } if options.UserCS3Claim == "userid" { - // set the custom user claim only if users will be looked up by the the userid on the CS3api + // set the custom user claim only if users will be looked up by the userid on the CS3api // OpaqueId contains the userid configured in STORAGE_LDAP_USER_SCHEMA_UID claims[options.UserOIDCClaim] = user.Id.OpaqueId