Revert "idp/proxy: Match users by ID instead of name by default"

This reverts commit 52951b42b0. The change broke authentication for at least the desktop client when using the builtin idp. There seem to be issues in the IDP (lico) which result in the implicit scoped not being added correctly in some case. When that scope is missing the `lg.uuid` claim will not be present in the userinfo and we can correctly match users by id. This reverts back to the old behaviour of matching users by name. Which also brings some aspects of https://github.com/owncloud/ocis/issues/904 Fixes #6415
2026-04-08 09:28:09 -04:00 · 2023-06-01 08:23:48 +02:00
parent 067bc9618c
commit 7a4bc71e65
5 changed files with 8 additions and 20 deletions
--- a/changelog/3.0.0_2023-05-22/fix-idp-sub-recreation.md
+++ b/changelog/3.0.0_2023-05-22/fix-idp-sub-recreation.md
@@ -7,12 +7,7 @@ use the user's unique id (`owncloudUUID` by default) for computing the `sub`
 claim. So that user's recreated with the same name will be treated as different
 users by the IDP.

-This changed also the default values of the 'PROXY_USER_OIDC_CLAIM' and
-'PROXY_USER_CS3_CLAIM' settings map the IDP users to CS3 user by the userid in
-the default setup. The old behavior of matching by username can be achieved
-byt setting 'PROXY_USER_OIDC_CLAIM=preferred_username' and
-'PROXY_USER_CS3_CLAIM=username'.
-
 https://github.com/owncloud/ocis/issues/904
 https://github.com/owncloud/ocis/pull/6326
 https://github.com/owncloud/ocis/pull/6338
+https://github.com/owncloud/ocis/pull/6420
--- a/services/idp/pkg/config/config.go
+++ b/services/idp/pkg/config/config.go
@@ -61,7 +61,6 @@ type Client struct {
 	ID              string   `yaml:"id"`
 	Name            string   `yaml:"name"`
 	Trusted         bool     `yaml:"trusted"`
-	ImplicitScopes  []string `yaml:"implicit_scopes"`
 	Secret          string   `yaml:"secret"`
 	RedirectURIs    []string `yaml:"redirect_uris"`
 	Origins         []string `yaml:"origins"`
--- a/services/idp/pkg/config/defaults/defaultconfig.go
+++ b/services/idp/pkg/config/defaults/defaultconfig.go
@@ -71,10 +71,9 @@ func DefaultConfig() *config.Config {
 		},
 		Clients: []config.Client{
 			{
-				ID:             "web",
-				Name:           "ownCloud Web app",
-				ImplicitScopes: []string{"LibgreGraph.UUID"},
-				Trusted:        true,
+				ID:      "web",
+				Name:    "ownCloud Web app",
+				Trusted: true,
 				RedirectURIs: []string{
 					"{{OCIS_URL}}/",
 					"{{OCIS_URL}}/oidc-callback.html",
@@ -88,7 +87,6 @@ func DefaultConfig() *config.Config {
 				ID:              "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69",
 				Secret:          "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh",
 				Name:            "ownCloud desktop app",
-				ImplicitScopes:  []string{"LibgreGraph.UUID"},
 				ApplicationType: "native",
 				RedirectURIs: []string{
 					"http://127.0.0.1",
@@ -99,7 +97,6 @@ func DefaultConfig() *config.Config {
 				ID:              "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD",
 				Secret:          "dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD",
 				Name:            "ownCloud Android app",
-				ImplicitScopes:  []string{"LibgreGraph.UUID"},
 				ApplicationType: "native",
 				RedirectURIs: []string{
 					"oc://android.owncloud.com",
@@ -109,7 +106,6 @@ func DefaultConfig() *config.Config {
 				ID:              "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1",
 				Secret:          "KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx",
 				Name:            "ownCloud iOS app",
-				ImplicitScopes:  []string{"LibgreGraph.UUID"},
 				ApplicationType: "native",
 				RedirectURIs: []string{
 					"oc://ios.owncloud.com",
--- a/services/proxy/pkg/command/server.go
+++ b/services/proxy/pkg/command/server.go
@@ -344,10 +344,8 @@ func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config,
 	if cfg.EnableBasicAuth {
 		logger.Warn().Msg("basic auth enabled, use only for testing or development")
 		authenticators = append(authenticators, middleware.BasicAuthenticator{
-			Logger:        logger,
-			UserProvider:  userProvider,
-			UserCS3Claim:  cfg.UserCS3Claim,
-			UserOIDCClaim: cfg.UserOIDCClaim,
+			Logger:       logger,
+			UserProvider: userProvider,
 		})
 	}

--- a/services/proxy/pkg/config/defaults/defaultconfig.go
+++ b/services/proxy/pkg/config/defaults/defaultconfig.go
@@ -74,8 +74,8 @@ func DefaultConfig() *config.Config {
 			Enabled:            true,
 		},
 		AccountBackend:        "cs3",
-		UserOIDCClaim:         "lg.uuid",
-		UserCS3Claim:          "userid",
+		UserOIDCClaim:         "preferred_username",
+		UserCS3Claim:          "username",
 		AutoprovisionAccounts: false,
 		EnableBasicAuth:       false,
 		InsecureBackends:      false,