
Custom userOIDCClaim ignored when autoprovisioning users #8635

Closed
eforest opened this issue Mar 13, 2024 · 4 comments
Labels: Priority:p2-high (Escalation, on top of current planning, release blocker), Type:Bug

Comments


eforest commented Mar 13, 2024

Describe the bug

Custom userOIDCClaim is ignored when autoprovisioning users.
As a result, account_resolver.go[94] queries users with the value from the custom claim, but cs3.go libregraphUserFromClaims [274] assigns the username hard-coded from preferred_username.
As a result the user cannot be found, autoprovisioning is retried again and again, and the user cannot log in.

Steps to reproduce

  1. setup autoprovisioning
  2. setup external oidc-login
  3. configure env variable PROXY_USER_OIDC_CLAIM=ocis_user for proxy service
  4. login with an oidc token where preferred_username != ocis_user
    (e.g. preferred_username=Domain/Testuser, ocis_user=Domain-Testuser)

Expected behavior

The user should be able to log in when a custom userOIDCClaim was specified.

Actual behavior

Login is not possible. OCIS shows the message (original in German):

Not logged in
This could be due to a routine logout for security reasons, or your user account is inactive or not yet activated. Please try again after some time or contact your administration.

ocis.log

Setup

  1. setup autoprovisioning
  2. setup external oidc-login
  3. configure env variable PROXY_USER_OIDC_CLAIM=ocis_user for proxy service

Additional context

If you could support "/" in preferred_username (e.g. "Domain/Testuser"), that would solve my issue as well.
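The failure mode described in this report, as an added example written for this page in Go; it is not ocis code. Only PROXY_USER_OIDC_CLAIM, preferred_username and the claim values from the report come from the page; the Directory, Config.UsernameClaim, Login and the sample token are assumptions made for illustration. It shows why keying the lookup on one claim and the provisioned username on another never converges, and what a fixed mapping that also drops the silent fallback looks like:

```go
package main

import (
	"errors"
	"fmt"
)

// Claims is the string-valued subset of an OIDC userinfo / ID-token response.
type Claims map[string]string

// SampleClaims is a constructed token matching the report: the claim selected
// by PROXY_USER_OIDC_CLAIM differs from preferred_username.
var SampleClaims = Claims{
	"preferred_username": "Domain/Testuser",
	"ocis_user":          "Domain-Testuser",
	"name":               "Test User",            // constructed
	"email":              "testuser@example.org", // constructed
}

// User is the subset of account attributes relevant here.
type User struct {
	Username    string
	DisplayName string
	Mail        string
}

// Directory stands in for the user backend (LDAP in the reporter's setup).
type Directory struct {
	users          map[string]User // keyed by Username
	ProvisionCalls int             // how often autoprovisioning created or overwrote an account
}

func NewDirectory() *Directory { return &Directory{users: map[string]User{}} }

var ErrNotFound = errors.New("user not found")

func (d *Directory) Lookup(username string) (User, error) {
	u, ok := d.users[username]
	if !ok {
		return User{}, ErrNotFound
	}
	return u, nil
}

func (d *Directory) Create(u User) {
	d.ProvisionCalls++
	d.users[u.Username] = u
}

// Config models the proxy settings. UserOIDCClaim is PROXY_USER_OIDC_CLAIM;
// UsernameClaim is a hypothetical name for the per-attribute claim option the
// fix introduces (the real option names are not given on this page).
type Config struct {
	UserOIDCClaim string
	UsernameClaim string
}

// UserFromClaimsBuggy reproduces the reported behaviour: the username is taken
// from preferred_username regardless of configuration.
func UserFromClaimsBuggy(c Claims) User {
	return User{Username: c["preferred_username"], DisplayName: c["name"], Mail: c["email"]}
}

// UserFromClaimsFixed takes the username from the configured claim and fails
// closed when it is absent instead of silently falling back to another claim.
func UserFromClaimsFixed(cfg Config, c Claims) (User, error) {
	name, ok := c[cfg.UsernameClaim]
	if !ok || name == "" {
		return User{}, fmt.Errorf("claim %q missing from token, refusing to provision", cfg.UsernameClaim)
	}
	return User{Username: name, DisplayName: c["name"], Mail: c["email"]}, nil
}

// Login models the proxy account resolver: look the user up by the configured
// claim, autoprovision on a miss, and retry at most maxAttempts times.
func Login(d *Directory, cfg Config, c Claims, provision func(Claims) (User, error), maxAttempts int) (User, error) {
	key, ok := c[cfg.UserOIDCClaim]
	if !ok || key == "" {
		return User{}, fmt.Errorf("claim %q missing from token", cfg.UserOIDCClaim)
	}
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		if u, err := d.Lookup(key); err == nil {
			return u, nil
		}
		u, err := provision(c)
		if err != nil {
			return User{}, err
		}
		d.Create(u) // with the buggy mapping this writes a different username than key
	}
	return User{}, fmt.Errorf("giving up after %d autoprovisioning attempts: %w", maxAttempts, ErrNotFound)
}

func main() {
	cfg := Config{UserOIDCClaim: "ocis_user", UsernameClaim: "ocis_user"}
	buggy := NewDirectory()
	_, err := Login(buggy, cfg, SampleClaims, func(c Claims) (User, error) { return UserFromClaimsBuggy(c), nil }, 3)
	fmt.Printf("buggy: err=%v provisionCalls=%d\n", err, buggy.ProvisionCalls)
	fixed := NewDirectory()
	u, err := Login(fixed, cfg, SampleClaims, func(c Claims) (User, error) { return UserFromClaimsFixed(cfg, c) }, 3)
	fmt.Printf("fixed: user=%q err=%v provisionCalls=%d\n", u.Username, err, fixed.ProvisionCalls)
}
```

The point to check in any deployment: the claim the resolver uses to find an account and the claim autoprovisioning uses to name it must be the same, otherwise every login creates (or overwrites) an account under one key and then searches under another. The fixed mapping also refuses to provision when the configured claim is absent rather than guessing another claim, which is what the eventual fix's removal of the mail fallback amounts to.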

micbar (Contributor) commented Mar 13, 2024

@rhafer Does this make sense?

@eforest did you try to patch ocis to test your hypothesis?

eforest (Author) commented Mar 14, 2024

Hi @micbar,
unfortunately I don't have an environment to build ocis (I just used your helm charts to deploy it).
But that is what the logs tell me, and when taking a look into LDAP I can also see that preferred_username was used.

rhafer (Contributor) commented Mar 14, 2024

@micbar Yes, the bugreport is valid.

@eforest Thanks a lot for the detailed bugreport!

rhafer (Contributor) commented Apr 17, 2024

@micbar this is the issue we just talked about, I'll move it to Prio2, please adjust if you disagree.

@rhafer rhafer added the Priority:p2-high Escalation, on top of current planning, release blocker label Apr 17, 2024
@rhafer rhafer self-assigned this Apr 18, 2024
rhafer added a commit to rhafer/ocis that referenced this issue Apr 24, 2024
…r auto-provisioning user accounts

When auto-provisioning user accounts we used a fixed mapping of claims
from the userinfo response to user attributes. This change introduces
configuration options to define which claims should be used for the
username, display name and email address of the auto-provisioned
accounts.

This also removes the automatic fallback to use the 'mail' claim as the
username when the 'preferred_username' claim does not exist.

Fixes: owncloud#8635
@micbar micbar closed this as completed in 741dce5 May 2, 2024