diff --git a/changelog/unreleased/oidc-fix.md b/changelog/unreleased/oidc-fix.md
index 9dad64910b..93bdbd3a9e 100644
--- a/changelog/unreleased/oidc-fix.md
+++ b/changelog/unreleased/oidc-fix.md
@@ -1,7 +1,8 @@
 Bugfix: made uid, gid claims parsing more robust in OIDC auth provider
-This fix makes sure the uid and gid claims are defined at init time and that
-a proper error is returned in case they would be missing or invalid (i.e. not int64)
-when authenticating users.
+This fix makes sure the uid and gid claims are defined at init time, and that
+the necessary typecasts are performed correctly when authenticating users.
+A comment was added that in case the uid/gid claims are missing AND that no
+mapping takes place, a user entity is returned with uid = gid = 0.
 https://github.com/cs3org/reva/pull/2759
diff --git a/pkg/auth/manager/oidc/oidc.go b/pkg/auth/manager/oidc/oidc.go
index c0cd274831..ae48d984ff 100644
--- a/pkg/auth/manager/oidc/oidc.go
+++ b/pkg/auth/manager/oidc/oidc.go
@@ -198,16 +198,12 @@ func (am *mgr) Authenticate(ctx context.Context, clientID, clientSecret string)
 if claims["email"] == nil {
 return nil, nil, fmt.Errorf("no \"email\" attribute found in userinfo: maybe the client did not request the oidc \"email\"-scope")
 }
- if uid, ok := claims[am.c.UIDClaim].(float64); ok {
- claims[am.c.UIDClaim] = int64(uid)
- } else {
- return nil, nil, fmt.Errorf("malformed or missing uid claim in userinfo: '%v'", claims[am.c.UIDClaim])
- }
- if gid, ok := claims[am.c.GIDClaim].(float64); ok {
- claims[am.c.GIDClaim] = int64(gid)
- } else {
- return nil, nil, fmt.Errorf("malformed or missing gid claim in userinfo: '%v'", claims[am.c.GIDClaim])
- }
+
+ uid, _ := claims[am.c.UIDClaim].(float64)
+ claims[am.c.UIDClaim] = int64(uid) // in case the uid claim is missing and a mapping is to be performed, resolveUser() will populate it
+ // Note that if not, will silently carry a user with 0 uid, potentially problematic with storage providers
+ gid, _ := claims[am.c.GIDClaim].(float64)
+ claims[am.c.GIDClaim] = int64(gid)
 err = am.resolveUser(ctx, claims)
 if err != nil {
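Review bot: The new `uid, _ := claims[am.c.UIDClaim].(float64)` and the matching gid line discard the type-assertion result, so a claim that is missing, or that the IdP serialises as a string such as `"1000"`, is silently rewritten to `int64(0)` and the original value is overwritten in the map — where the replaced branch returned an error, the code now mints an identity with uid/gid 0, which is the superuser id on the POSIX-style storage providers the added comment itself warns about. Collapsing "missing" and "malformed" into the zero value also removes the only signal resolveUser() could use to tell an absent claim from a legitimate 0, and a present-but-non-numeric claim is no longer reported at all. I would leave an absent claim untouched so the mapping path still applies, fail on a present claim that is not a JSON number, and, unless resolveUser() already enforces it (not visible here), reject a user whose uid or gid is still 0 after resolution rather than carrying it into storage. The hunk's trailing context and the rest of Authenticate lie outside the visible lines.
```go
// … unchanged: email presence check …
for _, claim := range []string{am.c.UIDClaim, am.c.GIDClaim} {
	raw, present := claims[claim]
	if !present {
		continue // leave absent: resolveUser() populates it when a mapping is configured
	}
	f, ok := raw.(float64)
	if !ok {
		return nil, nil, fmt.Errorf("malformed %q claim in userinfo: %v", claim, raw)
	}
	claims[claim] = int64(f)
}
err = am.resolveUser(ctx, claims)
// … unchanged: error handling, then verify neither id is still 0 before building the user …
```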