Allow additional claims to map into an ID token issued by the supervisor

- Specify mappings on OIDCIdentityProvider.spec.claims.additionalClaimMappings
- Advertise additionalClaims in the OIDC discovery endpoint under claims_supported

Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>

internal/upstreamoidc/upstreamoidc.go

@@ -43,6 +43,7 @@ type ProviderConfig struct {
 	Client                   *http.Client
 	AllowPasswordGrant       bool
 	AdditionalAuthcodeParams map[string]string
+	AdditionalClaimMappings  map[string]string
 	RevocationURL            *url.URL // will commonly be nil: many providers do not offer this
 	Provider                 interface {
 		Verifier(*coreosoidc.Config) *coreosoidc.IDTokenVerifier
@@ -78,6 +79,10 @@ func (p *ProviderConfig) GetAdditionalAuthcodeParams() map[string]string {
 	return p.AdditionalAuthcodeParams
 }
 
+func (p *ProviderConfig) GetAdditionalClaimMappings() map[string]string {
+	return p.AdditionalClaimMappings
+}
+
 func (p *ProviderConfig) GetName() string {
 	return p.Name
 }

internal/upstreamoidc/upstreamoidc_test.go

@@ -68,6 +68,16 @@ func TestProviderConfig(t *testing.T) {
 			rawClaims: []byte(`{`),
 		}
 		require.False(t, p.HasUserInfoURL())
+
+		// AdditionalAuthcodeParams defaults to empty
+		require.Empty(t, p.AdditionalAuthcodeParams)
+		p.AdditionalAuthcodeParams = map[string]string{"additional": "authcodeParams"}
+		require.Equal(t, p.GetAdditionalAuthcodeParams(), map[string]string{"additional": "authcodeParams"})
+
+		// AdditionalClaimMappings defaults to empty
+		require.Empty(t, p.AdditionalClaimMappings)
+		p.AdditionalClaimMappings = map[string]string{"additional": "claimMappings"}
+		require.Equal(t, p.GetAdditionalClaimMappings(), map[string]string{"additional": "claimMappings"})
 	})
 
 	const (