Merge pull request #2755 from owncloud/fix-basic-auth-with-custom-use…

…r-claim fix basic auth with custom user claim
owncloud · Nov 15, 2021 · 117b2fe · 117b2fe
2 parents ac7faad + 62704ce
commit 117b2fe
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 1 deletion.
diff --git a/changelog/unreleased/fix-basic-auth-with-custom-user-claim b/changelog/unreleased/fix-basic-auth-with-custom-user-claim
@@ -0,0 +1,7 @@
+Bugfix: Fix basic auth with custom user claim
+
+We've fixed authentication with basic if oCIS is configured to use a non-standard claim
+as user claim (`PROXY_USER_OIDC_CLAIM`). Prior to this bugfix the authentication always
+failed and is now working.
+
+https://github.com/owncloud/ocis/pull/2755
diff --git a/proxy/pkg/command/server.go b/proxy/pkg/command/server.go
@@ -220,6 +220,8 @@ func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config)
 			middleware.EnableBasicAuth(cfg.EnableBasicAuth),
 			middleware.UserProvider(userProvider),
 			middleware.OIDCIss(cfg.OIDC.Issuer),
+			middleware.UserOIDCClaim(cfg.UserOIDCClaim),
+			middleware.UserCS3Claim(cfg.UserCS3Claim),
 			middleware.CredentialsByUserAgent(cfg.Reva.Middleware.Auth.CredentialsByUserAgent),
 		),
 		middleware.SignedURLAuth(

diff --git a/proxy/pkg/middleware/authentication.go b/proxy/pkg/middleware/authentication.go
@@ -126,6 +126,8 @@ func newBasicAuth(options Options) func(http.Handler) http.Handler {
 		EnableBasicAuth(options.EnableBasicAuth),
 		AccountsClient(options.AccountsClient),
 		OIDCIss(options.OIDCIss),
+		UserOIDCClaim(options.UserOIDCClaim),
+		UserCS3Claim(options.UserCS3Claim),
 		CredentialsByUserAgent(options.CredentialsByUserAgent),
 	)
 }
diff --git a/proxy/pkg/middleware/basic_auth.go b/proxy/pkg/middleware/basic_auth.go
@@ -84,10 +84,17 @@ func BasicAuth(optionSetters ...Option) func(next http.Handler) http.Handler {
 
 				// fake oidc claims
 				claims := map[string]interface{}{
-					oidc.OwncloudUUID:      user.Id.OpaqueId,
 					oidc.Iss:               user.Id.Idp,
 					oidc.PreferredUsername: user.Username,
 					oidc.Email:             user.Mail,
+					oidc.OwncloudUUID:      user.Id.OpaqueId,
+				}
+
+				if options.UserCS3Claim == "userid" {
+					// set the custom user claim only if users will be looked up by the userid on the CS3api
+					// OpaqueId contains the userid configured in STORAGE_LDAP_USER_SCHEMA_UID
+					claims[options.UserOIDCClaim] = user.Id.OpaqueId
+
 				}
 
 				next.ServeHTTP(w, req.WithContext(oidc.NewContext(req.Context(), claims)))