Allow the app-auth announce www-authenticate: basic header.

Author: 2403905

changelog/unreleased/fix-app-auth.md

@@ -0,0 +1,6 @@
+Bugfix: Fix app-auth
+
+Allow the app-auth announce `www-authenticate: basic` header.
+
+https://github.com/owncloud/ocis/pull/11123
+https://github.com/owncloud/ocis/issues/11113

services/proxy/pkg/command/server.go

@@ -353,6 +353,7 @@ func loadMiddlewares(logger log.Logger, cfg *config.Config,
 			middleware.Logger(logger),
 			middleware.OIDCIss(cfg.OIDC.Issuer),
 			middleware.EnableBasicAuth(cfg.EnableBasicAuth),
+			middleware.AllowAppAuth(cfg.AuthMiddleware.AllowAppAuth),
 			middleware.TraceProvider(traceProvider),
 		),
 		middleware.AccountResolver(

services/proxy/pkg/middleware/authentication.go

@@ -146,7 +146,7 @@ func configureSupportedChallenges(options Options) {
 		SupportedAuthStrategies = append(SupportedAuthStrategies, "bearer")
 	}
 
-	if options.EnableBasicAuth {
+	if options.EnableBasicAuth || options.AllowAppAuth {
 		SupportedAuthStrategies = append(SupportedAuthStrategies, "basic")
 	}
 }

services/proxy/pkg/middleware/options.go

@@ -53,6 +53,8 @@ type Options struct {
 	AutoprovisionAccounts bool
 	// EnableBasicAuth to allow basic auth
 	EnableBasicAuth bool
+	// AllowAppAuth specifies whether authentication using application tokens is permitted.
+	AllowAppAuth bool
 	// DefaultAccessTokenTTL is used to calculate the expiration when an access token has no expiration set
 	DefaultAccessTokenTTL time.Duration
 	// UserInfoCache sets the access token cache store
@@ -183,6 +185,13 @@ func EnableBasicAuth(enableBasicAuth bool) Option {
 	}
 }
 
+// AllowAppAuth provides a function to set the AllowAppAuth config
+func AllowAppAuth(allowAppAuth bool) Option {
+	return func(o *Options) {
+		o.AllowAppAuth = allowAppAuth
+	}
+}
+
 // DefaultAccessTokenTTL provides a function to set the DefaultAccessTokenTTL
 func DefaultAccessTokenTTL(ttl time.Duration) Option {
 	return func(o *Options) {