owncloud · butonic · Jul 26, 2021 · May 28, 2021 · C0rby · May 31, 2021
diff --git a/changelog/unreleased/oidc-token-basic-auth.md b/changelog/unreleased/oidc-token-basic-auth.md
@@ -0,0 +1,6 @@
+Bugfix: forward basic auth to OpenID connect token authentication endpoint
+
+When using `PROXY_ENABLE_BASIC_AUTH=true` we now forward request to the idp instead of trying to authenticate the request ourself.
+
+https://github.com/owncloud/ocis/issues/2095
+https://github.com/owncloud/ocis/issues/2094
diff --git a/proxy/pkg/middleware/basic_auth.go b/proxy/pkg/middleware/basic_auth.go
@@ -31,7 +31,7 @@ func BasicAuth(optionSetters ...Option) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(
 			func(w http.ResponseWriter, req *http.Request) {
-				if h.isPublicLink(req) || !h.isBasicAuth(req) {
+				if h.isPublicLink(req) || !h.isBasicAuth(req) || h.isOIDCTokenAuth(req) {
 					if !h.isPublicLink(req) {
 						userAgentAuthenticateLockIn(w, req, options.CredentialsByUserAgent, "basic")
 					}
@@ -107,6 +107,12 @@ func (m basicAuth) isPublicLink(req *http.Request) bool {
 	return ok && login == "public" && strings.HasPrefix(req.URL.Path, publicFilesEndpoint)
 }
 
+// The token auth endpoint uses basic auth for clients, see https://openid.net/specs/openid-connect-basic-1_0.html#TokenRequest
+// > The Client MUST authenticate to the Token Endpoint using the HTTP Basic method, as described in 2.3.1 of OAuth 2.0.
+func (m basicAuth) isOIDCTokenAuth(req *http.Request) bool {
+	return req.URL.Path == "/konnect/v1/token"
+}
+
 func (m basicAuth) isBasicAuth(req *http.Request) bool {
 	_, _, ok := req.BasicAuth()
 	return m.enabled && ok