no oCIS roles with LDAP user backend #2646

Closed
wkloucek opened this issue Oct 20, 2021 · 4 comments

@wkloucek
Contributor

Describe the bug

Since we now use reva's Authenticate method to mint tokens, the tokens no longer contain the user's oCIS roles (at least when using the CS3 account backend). So things like ReadRoleIDsFromContext, which rely on the roleIDs being present in the token, no longer work.

Steps to reproduce

  1. Use the CS3 users deployment example
  2. Login as einstein
  3. Go to settings

Expected behavior

Settings are available

Actual behavior

image

Setup

CS3 users deployment example

Additional context

@rhafer
Contributor

rhafer commented Oct 20, 2021

@ishank011 Any idea how to bring back the ocis roles into the token? Could we somehow pass them down with the AuthenticateRequest in https://github.com/owncloud/ocis/blob/master/proxy/pkg/user/backend/cs3.go#L34? That would of course mean that we need to add another GetUserByClaim() call to look up the user before that.

rhafer added a commit to rhafer/ocis that referenced this issue Feb 2, 2022
Since we use reva to mint tokens for users when using the CS3 backend
(owncloud#2528) the user's roles are no
longer part of the token.

This adds a workaround to the RequireSelfOrAdmin middleware to Request
the user's role id on demand from the settings service.

Partial Fix for owncloud#2646
@wkloucek
Contributor Author

@rhafer do you know about the current state?

@rhafer
Contributor

rhafer commented Nov 15, 2022

Basically the above mentioned workarounds are still in place I think. We're adding the roleID to the context in the account_resolver middleware in the proxy as well nowadays IIRC.

@wkloucek
Contributor Author

Ok, then I'm closing this for now, since the bug description is no longer valid.

Fixed by #3096
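
The pattern discussed in this thread (a self-or-admin check that reads role IDs from the request context and asks a role service on demand when the token carried none) is shown below as an added example. It is not code from oCIS or reva, and every identifier in it (`RoleLookup`, `WithRoleIDs`, `AllowSelfOrAdmin`, the role ID strings) is hypothetical.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// All names here are hypothetical; they are not oCIS or reva identifiers.
type roleKey struct{}

// RoleLookup stands in for an on-demand query to a role/settings service.
type RoleLookup func(ctx context.Context, userID string) ([]string, error)

// WithRoleIDs stores role IDs in the context, as a token-parsing step would.
func WithRoleIDs(ctx context.Context, ids []string) context.Context {
	return context.WithValue(ctx, roleKey{}, ids)
}

// AllowSelfOrAdmin permits access when caller is the target user or holds
// adminRole. Role IDs come from the context when present, otherwise from
// lookup. A failed lookup denies access instead of assuming a role.
func AllowSelfOrAdmin(ctx context.Context, caller, target, adminRole string, lookup RoleLookup) (bool, error) {
	if caller == "" {
		return false, errors.New("no authenticated user")
	}
	if caller == target {
		return true, nil
	}
	ids, ok := ctx.Value(roleKey{}).([]string)
	if !ok || len(ids) == 0 { // token carried no roles: ask the service
		var err error
		if ids, err = lookup(ctx, caller); err != nil {
			return false, fmt.Errorf("role lookup failed, denying: %w", err)
		}
	}
	for _, id := range ids {
		if id == adminRole {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed data: "admin-role-id" is a placeholder, not a real role ID.
	lookup := func(context.Context, string) ([]string, error) { return []string{"admin-role-id"}, nil }
	fmt.Println(AllowSelfOrAdmin(context.Background(), "admin", "einstein", "admin-role-id", lookup))
}
```

The fallback costs one extra service call per request whose token lacks roles, and the check denies access whenever that call fails.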
