Feat: Pull users' Profile Picture from the OIDC claims

services/proxy/pkg/command/server.go

@@ -3,8 +3,10 @@ package command
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net/http"
+	"os"
 	"os/signal"
 	"time"
 
@@ -276,6 +278,28 @@ func loadMiddlewares(logger log.Logger, cfg *config.Config,
 		Timeout: time.Second * 10,
 	}
 
+	backendTLSConfig := &tls.Config{
+		MinVersion:         tls.VersionTLS12,
+		InsecureSkipVerify: cfg.InsecureBackends, //nolint:gosec
+	}
+	if cfg.BackendHTTPSCACert != "" {
+		certs := x509.NewCertPool()
+		pemData, err := os.ReadFile(cfg.BackendHTTPSCACert)
+		if err != nil {
+			logger.Fatal().Err(err).Msg("Failed to read backend HTTPS CA certificate")
+		}
+		if !certs.AppendCertsFromPEM(pemData) {
+			logger.Fatal().Msg("Failed to append backend HTTPS CA certificate")
+		}
+		backendTLSConfig.RootCAs = certs
+	}
+	backendHTTPClient := &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: backendTLSConfig,
+		},
+		Timeout: time.Second * 10,
+	}
+
 	var authenticators []middleware.Authenticator
 	if cfg.EnableBasicAuth {
 		logger.Warn().Msg("basic auth enabled, use only for testing or development")
@@ -363,6 +387,11 @@ func loadMiddlewares(logger log.Logger, cfg *config.Config,
 			middleware.TraceProvider(traceProvider),
 			middleware.UserProvider(userProvider),
 			middleware.UserRoleAssigner(roleAssigner),
+			middleware.HTTPClient(oidcHTTPClient),
+			middleware.BackendHTTPClient(backendHTTPClient),
+			middleware.OIDCIss(cfg.OIDC.Issuer),
+			middleware.ServiceSelector(serviceSelector),
+			middleware.OIDCProfilePicture(cfg.OIDCProfilePicture),
 			middleware.SkipUserInfo(cfg.OIDC.SkipUserInfo),
 			middleware.UserOIDCClaim(cfg.UserOIDCClaim),
 			middleware.UserCS3Claim(cfg.UserCS3Claim),

services/proxy/pkg/config/config.go

@@ -39,6 +39,7 @@ type Config struct {
 	MachineAuthAPIKey             string              `yaml:"machine_auth_api_key" env:"OC_MACHINE_AUTH_API_KEY;PROXY_MACHINE_AUTH_API_KEY" desc:"Machine auth API key used to validate internal requests necessary to access resources from other services." introductionVersion:"1.0.0" mask:"password"`
 	AutoprovisionAccounts         bool                `yaml:"auto_provision_accounts" env:"PROXY_AUTOPROVISION_ACCOUNTS" desc:"Set this to 'true' to automatically provision users that do not yet exist in the users service on-demand upon first sign-in. To use this a write-enabled libregraph user backend needs to be setup an running." introductionVersion:"1.0.0"`
 	AutoProvisionClaims           AutoProvisionClaims `yaml:"auto_provision_claims"`
+	OIDCProfilePicture            OIDCProfilePicture  `yaml:"oidc_profile_picture"`
 	EnableBasicAuth               bool                `yaml:"enable_basic_auth" env:"PROXY_ENABLE_BASIC_AUTH" desc:"Set this to true to enable 'basic authentication' (username/password)." introductionVersion:"1.0.0"`
 	InsecureBackends              bool                `yaml:"insecure_backends" env:"PROXY_INSECURE_BACKENDS" desc:"Disable TLS certificate validation for all HTTP backend connections." introductionVersion:"1.0.0"`
 	BackendHTTPSCACert            string              `yaml:"backend_https_cacert" env:"PROXY_HTTPS_CACERT" desc:"Path/File for the root CA certificate used to validate the server’s TLS certificate for https enabled backend services." introductionVersion:"1.0.0"`
@@ -168,6 +169,12 @@ type AutoProvisionClaims struct {
 	Groups      string `yaml:"groups" env:"PROXY_AUTOPROVISION_CLAIM_GROUPS" desc:"The name of the OIDC claim that holds the groups." introductionVersion:"1.0.0"`
 }
 
+// OIDCProfilePicture configures profile picture sync for OIDC users.
+type OIDCProfilePicture struct {
+	Claim                string `yaml:"claim" env:"PROXY_OIDC_PROFILE_PICTURE_CLAIM" desc:"The name of the OIDC claim that holds a URL to the user's profile picture. When set, the profile picture will be synced on login."`
+	DisableLocalChanges  bool   `yaml:"disable_local_changes" env:"PROXY_OIDC_PROFILE_PICTURE_DISABLE_LOCAL_CHANGES" desc:"When set, users authenticated via OIDC cannot change their profile picture locally (PUT/PATCH/DELETE on /graph/v1.0/me/photo/$value)."`
+}
+
 // PolicySelector is the toplevel-configuration for different selectors
 type PolicySelector struct {
 	Static *StaticSelectorConf `yaml:"static"`

services/proxy/pkg/config/defaults/defaultconfig.go

@@ -92,6 +92,10 @@ func DefaultConfig() *config.Config {
 			DisplayName: "name",
 			Groups:      "groups",
 		},
+		OIDCProfilePicture: config.OIDCProfilePicture{
+			Claim:               "",
+			DisableLocalChanges: false,
+		},
 		EnableBasicAuth:               false,
 		InsecureBackends:              false,
 		CSPConfigFileLocation:         "",