proxy: Allow mapping from an external tenant id to the internal id

go.mod

@@ -105,7 +105,7 @@ require (
 	go.opentelemetry.io/otel/trace v1.42.0
 	golang.org/x/crypto v0.49.0
 	golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac
-	golang.org/x/image v0.36.0
+	golang.org/x/image v0.38.0
 	golang.org/x/net v0.52.0
 	golang.org/x/oauth2 v0.36.0
 	golang.org/x/sync v0.20.0
@@ -414,3 +414,7 @@ replace github.com/go-micro/plugins/v4/store/nats-js-kv => github.com/opencloud-
 
 // to get the logger injection (https://github.com/pablodz/inotifywaitgo/pull/11)
 replace github.com/pablodz/inotifywaitgo v0.0.9 => github.com/opencloud-eu/inotifywaitgo v0.0.0-20251111171128-a390bae3c5e9
+
+replace github.com/cs3org/go-cs3apis => github.com/rhafer/go-cs3apis v0.0.0-20260330151212-3b218454eb4c
+
+replace github.com/opencloud-eu/reva/v2 => github.com/rhafer/reva/v2 v2.0.0-20260402141022-ea2b4fa89d56

go.sum

@@ -265,8 +265,6 @@ github.com/crewjam/httperr v0.2.0 h1:b2BfXR8U3AlIHwNeFFvZ+BV1LFvKLlzMjzaTnZMybNo
 github.com/crewjam/httperr v0.2.0/go.mod h1:Jlz+Sg/XqBQhyMjdDiC+GNNRzZTD7x39Gu3pglZ5oH4=
 github.com/crewjam/saml v0.4.14 h1:g9FBNx62osKusnFzs3QTN5L9CVA/Egfgm+stJShzw/c=
 github.com/crewjam/saml v0.4.14/go.mod h1:UVSZCf18jJkk6GpWNVqcyQJMD5HsRugBPf4I1nl2mME=
-github.com/cs3org/go-cs3apis v0.0.0-20260310080202-fb97596763d6 h1:Akwn9gHJugKd8M48LyV+WeIQ6yMXoxZdgZabR53I9q4=
-github.com/cs3org/go-cs3apis v0.0.0-20260310080202-fb97596763d6/go.mod h1:DedpcqXl193qF/08Y04IO0PpxyyMu8+GrkD6kWK2MEQ=
 github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4=
 github.com/cyphar/filepath-securejoin v0.5.1 h1:eYgfMq5yryL4fbWfkLpFFy2ukSELzaJOTaUTuh+oF48=
 github.com/cyphar/filepath-securejoin v0.5.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
@@ -959,8 +957,6 @@ github.com/opencloud-eu/inotifywaitgo v0.0.0-20251111171128-a390bae3c5e9 h1:dIft
 github.com/opencloud-eu/inotifywaitgo v0.0.0-20251111171128-a390bae3c5e9/go.mod h1:JWyDC6H+5oZRdUJUgKuaye+8Ph5hEs6HVzVoPKzWSGI=
 github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20260310090739-853d972b282d h1:JcqGDiyrcaQwVyV861TUyQgO7uEmsjkhfm7aQd84dOw=
 github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20260310090739-853d972b282d/go.mod h1:pzatilMEHZFT3qV7C/X3MqOa3NlRQuYhlRhZTL+hN6Q=
-github.com/opencloud-eu/reva/v2 v2.42.6 h1:GjGPa1lNrhpkBfj7No1vM9idcurG57Ax4qzf1dqnPTk=
-github.com/opencloud-eu/reva/v2 v2.42.6/go.mod h1:Ki3c/BKVg/5aHvAyOJIx+iZ50vvlhFvCf8wDZacF5qw=
 github.com/opencloud-eu/secure v0.0.0-20260312082735-b6f5cb2244e4 h1:l2oB/RctH+t8r7QBj5p8thfEHCM/jF35aAY3WQ3hADI=
 github.com/opencloud-eu/secure v0.0.0-20260312082735-b6f5cb2244e4/go.mod h1:BmF5hyM6tXczk3MpQkFf1hpKSRqCyhqcbiQtiAF7+40=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
@@ -1072,6 +1068,10 @@ github.com/rainycape/memcache v0.0.0-20150622160815-1031fa0ce2f2/go.mod h1:7tZKc
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 h1:bsUq1dX0N8AOIL7EB/X911+m4EHsnWEHeJ0c+3TTBrg=
 github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
+github.com/rhafer/go-cs3apis v0.0.0-20260330151212-3b218454eb4c h1:jK8l9dA64T8EF9nciWULicMgV9AVov5iB+iF2rY16os=
+github.com/rhafer/go-cs3apis v0.0.0-20260330151212-3b218454eb4c/go.mod h1:DedpcqXl193qF/08Y04IO0PpxyyMu8+GrkD6kWK2MEQ=
+github.com/rhafer/reva/v2 v2.0.0-20260402141022-ea2b4fa89d56 h1:s1695QJNiS2obwASSlbVuu7Lxha8yU3aqv6BFvMH6Ws=
+github.com/rhafer/reva/v2 v2.0.0-20260402141022-ea2b4fa89d56/go.mod h1:leFj1/kVMWGv649xi1gZVuYEja4gyV712Liu3zOQkS4=
 github.com/riandyrn/otelchi v0.12.2 h1:6QhGv0LVw/dwjtPd12mnNrl0oEQF4ZAlmHcnlTYbeAg=
 github.com/riandyrn/otelchi v0.12.2/go.mod h1:weZZeUJURvtCcbWsdb7Y6F8KFZGedJlSrgUjq9VirV8=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
@@ -1383,8 +1383,8 @@ golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac h1:l5+whBCLH3iH2ZNHYLbAe58bo
 golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac/go.mod h1:hH+7mtFmImwwcMvScyxUhjuVHR3HGaDPMn9rMSUUbxo=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.36.0 h1:Iknbfm1afbgtwPTmHnS2gTM/6PPZfH+z2EFuOkSbqwc=
-golang.org/x/image v0.36.0/go.mod h1:YsWD2TyyGKiIX1kZlu9QfKIsQ4nAAK9bdgdrIsE7xy4=
+golang.org/x/image v0.38.0 h1:5l+q+Y9JDC7mBOMjo4/aPhMDcxEptsX+Tt3GgRQRPuE=
+golang.org/x/image v0.38.0/go.mod h1:/3f6vaXC+6CEanU4KJxbcUZyEePbyKbaLoDOe4ehFYY=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=

services/proxy/pkg/command/server.go

@@ -367,6 +367,9 @@ func loadMiddlewares(logger log.Logger, cfg *config.Config,
 			middleware.UserOIDCClaim(cfg.UserOIDCClaim),
 			middleware.UserCS3Claim(cfg.UserCS3Claim),
 			middleware.TenantOIDCClaim(cfg.TenantOIDCClaim),
+			middleware.TenantIDMappingEnabled(cfg.TenantIDMappingEnabled),
+			middleware.ServiceAccount(cfg.ServiceAccount),
+			middleware.WithRevaGatewaySelector(gatewaySelector),
 			middleware.AutoprovisionAccounts(cfg.AutoprovisionAccounts),
 			middleware.MultiTenantEnabled(cfg.Commons.MultiTenantEnabled),
 			middleware.EventsPublisher(publisher),

services/proxy/pkg/config/config.go

@@ -35,6 +35,7 @@ type Config struct {
 	UserOIDCClaim                 string              `yaml:"user_oidc_claim" env:"PROXY_USER_OIDC_CLAIM" desc:"The name of an OpenID Connect claim that is used for resolving users with the account backend. The value of the claim must hold a per user unique, stable and non re-assignable identifier. The availability of claims depends on your Identity Provider. There are common claims available for most Identity providers like 'email' or 'preferred_username' but you can also add your own claim." introductionVersion:"1.0.0"`
 	UserCS3Claim                  string              `yaml:"user_cs3_claim" env:"PROXY_USER_CS3_CLAIM" desc:"The name of a CS3 user attribute (claim) that should be mapped to the 'user_oidc_claim'. Supported values are 'username', 'mail' and 'userid'." introductionVersion:"1.0.0"`
 	TenantOIDCClaim               string              `yaml:"tenant_oidc_claim" env:"PROXY_TENANT_OIDC_CLAIM" desc:"JMESPath expression to extract the tenant ID from the OIDC token claims. When set, the extracted value is verified against the tenant ID returned by the user backend, rejecting requests where they do not match. Only relevant when multi-tenancy is enabled." introductionVersion:"%%NEXT%%"`
+	TenantIDMappingEnabled        bool                `yaml:"tenant_id_mapping_enabled" env:"PROXY_TENANT_ID_MAPPING_ENABLED" desc:"When set to 'true', the proxy will resolve the internal tenant ID from the external tenant ID provided in the OIDC claims by calling the TenantAPI before verifying the tenant. Use this when the external tenant ID in the OIDC token differs from the internal tenant ID stored on the user. Requires 'tenant_oidc_claim' to be set. Only relevant when multi-tenancy is enabled." introductionVersion:"%%NEXT%%"`
 	MachineAuthAPIKey             string              `yaml:"machine_auth_api_key" env:"OC_MACHINE_AUTH_API_KEY;PROXY_MACHINE_AUTH_API_KEY" desc:"Machine auth API key used to validate internal requests necessary to access resources from other services." introductionVersion:"1.0.0" mask:"password"`
 	AutoprovisionAccounts         bool                `yaml:"auto_provision_accounts" env:"PROXY_AUTOPROVISION_ACCOUNTS" desc:"Set this to 'true' to automatically provision users that do not yet exist in the users service on-demand upon first sign-in. To use this a write-enabled libregraph user backend needs to be setup an running." introductionVersion:"1.0.0"`
 	AutoProvisionClaims           AutoProvisionClaims `yaml:"auto_provision_claims"`

services/proxy/pkg/middleware/account_resolver.go

@@ -1,12 +1,16 @@
 package middleware
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"net/http"
 	"time"
 
 	"github.com/jellydator/ttlcache/v3"
+	gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
+	tenantpb "github.com/cs3org/go-cs3apis/cs3/identity/tenant/v1beta1"
+	rpcpb "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
 	"github.com/opencloud-eu/opencloud/services/proxy/pkg/router"
 	"github.com/opencloud-eu/opencloud/services/proxy/pkg/user/backend"
 	"github.com/opencloud-eu/opencloud/services/proxy/pkg/userroles"
@@ -16,8 +20,10 @@ import (
 	cs3user "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
 	"github.com/opencloud-eu/opencloud/pkg/log"
 	"github.com/opencloud-eu/opencloud/pkg/oidc"
+	"github.com/opencloud-eu/opencloud/services/proxy/pkg/config"
 	revactx "github.com/opencloud-eu/reva/v2/pkg/ctx"
 	"github.com/opencloud-eu/reva/v2/pkg/events"
+	"github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool"
 	"github.com/opencloud-eu/reva/v2/pkg/utils"
 )
 
@@ -34,40 +40,55 @@ func AccountResolver(optionSetters ...Option) func(next http.Handler) http.Handl
 	)
 	go lastGroupSyncCache.Start()
 
+	tenantIDCache := ttlcache.New(
+		ttlcache.WithTTL[string, string](10*time.Minute),
+		ttlcache.WithDisableTouchOnHit[string, string](),
+	)
+	go tenantIDCache.Start()
+
 	return func(next http.Handler) http.Handler {
 		return &accountResolver{
-			next:                  next,
-			logger:                logger,
-			tracer:                tracer,
-			userProvider:          options.UserProvider,
-			userOIDCClaim:         options.UserOIDCClaim,
-			userCS3Claim:          options.UserCS3Claim,
-			tenantOIDCClaim:       options.TenantOIDCClaim,
-			userRoleAssigner:      options.UserRoleAssigner,
-			autoProvisionAccounts: options.AutoprovisionAccounts,
-			multiTenantEnabled:    options.MultiTenantEnabled,
-			lastGroupSyncCache:    lastGroupSyncCache,
-			eventsPublisher:       options.EventsPublisher,
+			next:                   next,
+			logger:                 logger,
+			tracer:                 tracer,
+			userProvider:           options.UserProvider,
+			userOIDCClaim:          options.UserOIDCClaim,
+			userCS3Claim:           options.UserCS3Claim,
+			tenantOIDCClaim:        options.TenantOIDCClaim,
+			tenantIDMappingEnabled: options.TenantIDMappingEnabled,
+			gatewaySelector:        options.RevaGatewaySelector,
+			serviceAccount:         options.ServiceAccount,
+			userRoleAssigner:       options.UserRoleAssigner,
+			autoProvisionAccounts:  options.AutoprovisionAccounts,
+			multiTenantEnabled:     options.MultiTenantEnabled,
+			lastGroupSyncCache:     lastGroupSyncCache,
+			tenantIDCache:          tenantIDCache,
+			eventsPublisher:        options.EventsPublisher,
 		}
 	}
 }
 
 type accountResolver struct {
-	next                  http.Handler
-	logger                log.Logger
-	tracer                trace.Tracer
-	userProvider          backend.UserBackend
-	userRoleAssigner      userroles.UserRoleAssigner
-	autoProvisionAccounts bool
-	multiTenantEnabled    bool
-	userOIDCClaim         string
-	userCS3Claim          string
-	tenantOIDCClaim       string
+	next                   http.Handler
+	logger                 log.Logger
+	tracer                 trace.Tracer
+	userProvider           backend.UserBackend
+	userRoleAssigner       userroles.UserRoleAssigner
+	autoProvisionAccounts  bool
+	multiTenantEnabled     bool
+	tenantIDMappingEnabled bool
+	gatewaySelector        pool.Selectable[gateway.GatewayAPIClient]
+	serviceAccount         config.ServiceAccount
+	userOIDCClaim          string
+	userCS3Claim           string
+	tenantOIDCClaim        string
 	// lastGroupSyncCache is used to keep track of when the last sync of group
 	// memberships was done for a specific user. This is used to trigger a sync
 	// with every single request.
 	lastGroupSyncCache *ttlcache.Cache[string, struct{}]
-	eventsPublisher    events.Publisher
+	// tenantIDCache maps external tenant IDs (from OIDC claims) to internal tenant IDs.
+	tenantIDCache   *ttlcache.Cache[string, string]
+	eventsPublisher events.Publisher
 }
 
 func readStringClaim(path string, claims map[string]interface{}) (string, error) {
@@ -173,7 +194,7 @@ func (m accountResolver) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 
 		// if a tenant claim is configured, verify it matches the tenant id on the resolved user
 		if m.tenantOIDCClaim != "" {
-			if err = m.verifyTenantClaim(user.GetId().GetTenantId(), claims); err != nil {
+			if err = m.verifyTenantClaim(req.Context(), user.GetId().GetTenantId(), claims); err != nil {
 				m.logger.Error().Err(err).Str("userid", user.GetId().GetOpaqueId()).Msg("Tenant claim mismatch")
 				w.WriteHeader(http.StatusUnauthorized)
 				return
@@ -260,13 +281,55 @@ func (m accountResolver) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	m.next.ServeHTTP(w, req)
 }
 
-func (m accountResolver) verifyTenantClaim(userTenantID string, claims map[string]interface{}) error {
+func (m accountResolver) verifyTenantClaim(ctx context.Context, userTenantID string, claims map[string]interface{}) error {
 	claimTenantID, err := readStringClaim(m.tenantOIDCClaim, claims)
 	if err != nil {
 		return fmt.Errorf("could not read tenant claim: %w", err)
 	}
-	if claimTenantID != userTenantID {
+
+	internalTenantID := claimTenantID
+	if m.tenantIDMappingEnabled {
+		internalTenantID, err = m.resolveInternalTenantID(ctx, claimTenantID)
+		if err != nil {
+			return fmt.Errorf("could not resolve internal tenant id for external tenant id %q: %w", claimTenantID, err)
+		}
+	}
+
+	if internalTenantID != userTenantID {
 		return fmt.Errorf("tenant id from claim %q does not match user tenant id %q", claimTenantID, userTenantID)
 	}
 	return nil
 }
+
+// resolveInternalTenantID maps an external tenant ID (as it appears in OIDC claims) to the
+// internal tenant ID stored on the user object by calling the gateway's TenantAPI.
+// Results are cached for 10 minutes to avoid repeated lookups on every request.
+// The call is authenticated using the configured service account.
+func (m accountResolver) resolveInternalTenantID(ctx context.Context, externalTenantID string) (string, error) {
+	if item := m.tenantIDCache.Get(externalTenantID); item != nil {
+		return item.Value(), nil
+	}
+
+	gwc, err := m.gatewaySelector.Next()
+	if err != nil {
+		return "", fmt.Errorf("could not get gateway client: %w", err)
+	}
+	authCtx, err := utils.GetServiceUserContextWithContext(ctx, gwc, m.serviceAccount.ServiceAccountID, m.serviceAccount.ServiceAccountSecret)
+	if err != nil {
+		return "", fmt.Errorf("could not authenticate service account: %w", err)
+	}
+	resp, err := gwc.GetTenantByClaim(authCtx, &tenantpb.GetTenantByClaimRequest{
+		Claim: "externalid",
+		Value: externalTenantID,
+	})
+	if err != nil {
+		return "", err
+	}
+	if resp.GetStatus().GetCode() != rpcpb.Code_CODE_OK {
+		return "", fmt.Errorf("TenantAPI returned status %s: %s", resp.GetStatus().GetCode(), resp.GetStatus().GetMessage())
+	}
+
+	internalID := resp.GetTenant().GetId()
+	m.tenantIDCache.Set(externalTenantID, internalID, ttlcache.DefaultTTL)
+	return internalID, nil
+}