From 019b35205b091b15d472f567ad016e6a3bbbe144 Mon Sep 17 00:00:00 2001
From: Gianmaria Del Monte <39946305+gmgigi96@users.noreply.github.com>
Date: Mon, 23 Jan 2023 16:14:40 +0100
Subject: [PATCH] Use subject from oidc userinfo when quering the user provider (#3613)
* Use subject from oidc userinfo when quering the use provider
* add changelog
---
 changelog/unreleased/fix-lw-oidc.md | 3 +++
 docs/content/en/docs/changelog/_index.md | 8 --------
 pkg/auth/manager/oidc/oidc.go | 10 +++++-----
 3 files changed, 8 insertions(+), 13 deletions(-)
 create mode 100644 changelog/unreleased/fix-lw-oidc.md
 delete mode 100644 docs/content/en/docs/changelog/_index.md
diff --git a/changelog/unreleased/fix-lw-oidc.md b/changelog/unreleased/fix-lw-oidc.md
new file mode 100644
index 0000000000..0bf26a2437
--- /dev/null
+++ b/changelog/unreleased/fix-lw-oidc.md
@@ -0,0 +1,3 @@
+Bugfix: Use subject from oidc userinfo when quering the user provider
+
+https://github.com/cs3org/reva/pull/3613
diff --git a/docs/content/en/docs/changelog/_index.md b/docs/content/en/docs/changelog/_index.md
deleted file mode 100644
index 5a6b3b6d92..0000000000
--- a/docs/content/en/docs/changelog/_index.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-title: "Changelog"
-linkTitle: "Changelog"
-weight: 40
-description: >
- Changelog of Reva releases
----
-
diff --git a/pkg/auth/manager/oidc/oidc.go b/pkg/auth/manager/oidc/oidc.go
index ed8cf32005..6d8169e118 100644
--- a/pkg/auth/manager/oidc/oidc.go
+++ b/pkg/auth/manager/oidc/oidc.go
@@ -147,7 +147,7 @@ func (am *mgr) Configure(m map[string]interface{}) error {
 // The clientID would be empty as we only need to validate the clientSecret variable
 // which contains the access token that we can use to contact the UserInfo endpoint
 // and get the user claims.
-func (am *mgr) Authenticate(ctx context.Context, clientID, clientSecret string) (*user.User, map[string]*authpb.Scope, error) {
+func (am *mgr) Authenticate(ctx context.Context, _, clientSecret string) (*user.User, map[string]*authpb.Scope, error) {
 ctx = am.getOAuthCtx(ctx)
 log := appctx.GetLogger(ctx)
 
@@ -199,7 +199,7 @@ func (am *mgr) Authenticate(ctx context.Context, clientID, clientSecret string)
 return nil, nil, fmt.Errorf("no \"email\" attribute found in userinfo: maybe the client did not request the oidc \"email\"-scope")
 }
 
-err = am.resolveUser(ctx, claims, clientID)
+err = am.resolveUser(ctx, claims, userInfo.Subject)
 if err != nil {
 return nil, nil, errors.Wrapf(err, "oidc: error resolving username for external user '%v'", claims["email"])
 }
@@ -302,7 +302,7 @@ func (am *mgr) getOIDCProvider(ctx context.Context) (*oidc.Provider, error) {
 return am.provider, nil
 }
 
-func (am *mgr) resolveUser(ctx context.Context, claims map[string]interface{}, clientID string) error {
+func (am *mgr) resolveUser(ctx context.Context, claims map[string]interface{}, subject string) error {
 var (
 value string
 resolve bool
@@ -340,7 +340,7 @@ func (am *mgr) resolveUser(ctx context.Context, claims map[string]interface{}, c
 }
 resolve = true
 } else if uid == 0 || gid == 0 {
-value = clientID
+value = subject
 resolve = true
 }
 
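Review bot: The doc comment directly above the new Authenticate signature is now stale — it still explains that "The clientID would be empty", but the parameter has been renamed to `_` and is no longer referenced anywhere in the method as far as this hunk shows. Since the comment lines are context, the rename silently left documentation that describes a parameter the reader cannot find. I would rewrite the first sentence to `// The client ID argument is ignored: only clientSecret, which carries the access token, is needed to contact the UserInfo endpoint and obtain the user claims.` The body of Authenticate continues outside this hunk.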
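Review bot: `userInfo.Subject` is passed to resolveUser without any check that it is non-empty, while the line just above rejects a missing "email" attribute with an explicit error. In the `uid == 0 || gid == 0` branch of resolveUser (hunk at -340) the subject becomes `value`, i.e. the key used to look the user up in the user provider, so an empty subject would turn into an empty lookup value rather than a clear authentication failure; I cannot see from this hunk whether anything earlier rejects that case. Mirroring the existing email check, I would add before the call: `if userInfo.Subject == "" { return nil, nil, fmt.Errorf("no \"sub\" attribute found in userinfo") }`. The enclosing Authenticate starts and ends outside this hunk.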
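Review bot: resolveUser has no doc comment, and after this rename the meaning of the new `subject` parameter is only discoverable by reading the `value = subject` assignment in the hunk at -340, where it is used as the user-provider lookup value when `uid == 0 || gid == 0`. Since `subject` is now an identity-bearing input rather than a client identifier, that contract deserves to be stated at the signature. I would add above the func line: `// resolveUser fills the uid/gid claims from the user provider. When the claims carry no uid or gid, subject (the OIDC "sub" of the authenticated user) is used as the lookup value.` The body of resolveUser continues past the end of both hunks.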
@@ -371,7 +371,7 @@ func (am *mgr) resolveUser(ctx context.Context, claims map[string]interface{}, c
 claims[am.c.GIDClaim] = getUserByClaimResp.GetUser().GidNumber
 log := appctx.GetLogger(ctx).Debug().Str("username", value).Interface("claims", claims)
 if uid == 0 || gid == 0 {
-log.Msgf("resolveUser: claims overridden from '%s'", clientID)
+log.Msgf("resolveUser: claims overridden from '%s'", subject)
 } else {
 log.Msg("resolveUser: claims overridden from mapped user")
 }
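Review bot: The debug message on the changed line no longer says what kind of value it is reporting, and the `Str("username", value)` field on the line above now carries the OIDC subject in this branch (per `value = subject` in the hunk at -340), so a reader of the logs sees a subject labelled as a username. A small wording change makes the log self-explanatory: `log.Msgf("resolveUser: claims overridden from subject '%s'", subject)`. Whether the same `value` is also used as a username elsewhere in resolveUser I cannot tell from this hunk; the function starts outside it.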