Allow additional claims to map into an ID token issued by the supervisor

- Specify mappings on OIDCIdentityProvider.spec.claims.additionalClaimMappings
- Advertise additionalClaims in the OIDC discovery endpoint under claims_supported

Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
Ryan Richard
2022-09-20 14:54:10 -07:00
parent f4c9202f49
commit 8ff6ef32e9
70 changed files with 1084 additions and 94 deletions


@@ -138,6 +138,17 @@ type OIDCClaims struct {
// the ID token.
// +optional
Username string `json:"username"`
// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
// OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients.
// This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be
// used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims
// are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
// +optional
AdditionalClaimMappings map[string]string `json:"additionalClaimMappings,omitempty"`
}
// OIDCClient contains information about an OIDC client (e.g., client ID and client
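Review bot: The doc comment on AdditionalClaimMappings leaves the partial-availability case open: it says the "additionalClaims" claim is excluded when the map is empty or the upstream claims are not available, but not what happens when only some of the mapped upstream claims are present in a given upstream token, which is the case an administrator will actually hit. Since the same comment states these values are made available to all clients, I would also spell out the disclosure consequence for whoever edits the CR, e.g. `// Because every mapped value is forwarded to all clients of this Supervisor, map only upstream claims that are safe to disclose to each of them; mapped claims missing from the upstream token are omitted from "additionalClaims" (confirm against the mapping code).` with the last clause worded according to the actual behavior. I also don't see a validation marker restricting the key names (an empty key would presumably yield an empty-named nested claim); if the controller does not validate them either, that is worth confirming. The enclosing OIDCClaims struct starts before this hunk.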


@@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
*out = *in
if in.AdditionalClaimMappings != nil {
in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
*out = make(map[string]string, len(*in))
for key, val := range *in {
(*out)[key] = val
}
}
return
}
@@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
**out = **in
}
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
out.Claims = in.Claims
in.Claims.DeepCopyInto(&out.Claims)
out.Client = in.Client
return
}


@@ -40,6 +40,10 @@ const (
// group names which were mapped from the upstream identity provider.
IDTokenClaimGroups = "groups"
// IDTokenClaimAdditionalClaims is the top level claim used to hold additional claims in the downstream ID
// token, if any claims are present.
IDTokenClaimAdditionalClaims = "additionalClaims"
// GrantTypeAuthorizationCode is the name of the grant type for authorization code flows defined by the OIDC spec.
GrantTypeAuthorizationCode = "authorization_code"