fix basic auth with custom user claim

owncloud · Nov 11, 2021 · d05df2f · d05df2f
1 parent 45c3b07
commit d05df2f
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 0 deletions.
diff --git a/changelog/unreleased/fix-basic-auth-with-custom-user-claim b/changelog/unreleased/fix-basic-auth-with-custom-user-claim
@@ -0,0 +1,7 @@
+Bugfix: Fix basic auth with custom user claim
+
+We've fixed authentication with basic if oCIS is configured to use a non-standard claim
+as user claim (`PROXY_USER_OIDC_CLAIM`). Prior to this bugfix the authentication always
+failed and is now working.
+
+https://github.com/owncloud/ocis/pull/2755
diff --git a/proxy/pkg/command/server.go b/proxy/pkg/command/server.go
@@ -220,6 +220,7 @@ func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config)
 			middleware.EnableBasicAuth(cfg.EnableBasicAuth),
 			middleware.UserProvider(userProvider),
 			middleware.OIDCIss(cfg.OIDC.Issuer),
+			middleware.UserOIDCClaim(cfg.UserOIDCClaim),
 			middleware.CredentialsByUserAgent(cfg.Reva.Middleware.Auth.CredentialsByUserAgent),
 		),
 		middleware.SignedURLAuth(

diff --git a/proxy/pkg/middleware/authentication.go b/proxy/pkg/middleware/authentication.go
@@ -126,6 +126,7 @@ func newBasicAuth(options Options) func(http.Handler) http.Handler {
 		EnableBasicAuth(options.EnableBasicAuth),
 		AccountsClient(options.AccountsClient),
 		OIDCIss(options.OIDCIss),
+		UserOIDCClaim(options.UserOIDCClaim),
 		CredentialsByUserAgent(options.CredentialsByUserAgent),
 	)
 }
diff --git a/proxy/pkg/middleware/basic_auth.go b/proxy/pkg/middleware/basic_auth.go
@@ -85,6 +85,7 @@ func BasicAuth(optionSetters ...Option) func(next http.Handler) http.Handler {
 				// fake oidc claims
 				claims := map[string]interface{}{
 					oidc.OwncloudUUID:      user.Id.OpaqueId,
+					options.UserOIDCClaim:  user.Id.OpaqueId,
 					oidc.Iss:               user.Id.Idp,
 					oidc.PreferredUsername: user.Username,
 					oidc.Email:             user.Mail,