POC of OIDCIdentityProvider.spec.claims.additionalClaimMappings

Proof-of-concept implementation of a potential new Supervisor feature which allows arbitrary upstream ID token claims to be mapped into a new top-level claim in the ID tokens issued by the Supervisor.
2022-09-20 14:54:10 -07:00 · 2022-09-20 14:54:10 -07:00 · cd17bdb5f7
commit cd17bdb5f7
parent f691baec74
48 changed files with 420 additions and 14 deletions
--- a/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go.tmpl
+++ b/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go.tmpl
@ -138,6 +138,17 @@ type OIDCClaims struct {
 	// the ID token.
 	// +optional
 	Username string `json:"username"`
+
+	// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
+	// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
+	// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
+	// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
+	// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
+	// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
+	// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
+	// tokens generated by the Supervisor.
+	// +optional
+	AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
 }

 // OIDCClient contains information about an OIDC client (e.g., client ID and client
--- a/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
+++ b/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
@ -185,6 +185,22 @@ spec:
                description: Claims provides the names of token claims that will be
                  used when inspecting an identity from this OIDC identity provider.
                properties:
+                  additionalClaimMappings:
+                    additionalProperties:
+                      type: string
+                    description: AdditionalClaimMappings allows for additional arbitrary
+                      upstream claim values to be mapped into the "additionalClaims"
+                      claim of the ID tokens generated by the Supervisor. This should
+                      be specified as a map of new claim names as the keys, and upstream
+                      claim names as the values. These new claim names will be nested
+                      under the top-level "additionalClaims" claim in ID tokens generated
+                      by the Supervisor when this OIDCIdentityProvider was used for
+                      user authentication. This feature is not required for using
+                      the Supervisor to provide authentication for Kubernetes clusters,
+                      but can be used when using the Supervisor for other authentication
+                      purposes. When this map is empty, the "additionalClaims" claim
+                      will be excluded from the ID tokens generated by the Supervisor.
+                    type: object
                  groups:
                    description: Groups provides the name of the ID token claim or
                      userinfo endpoint response claim that will be used to ascertain
--- a/generated/1.17/README.adoc
+++ b/generated/1.17/README.adoc
@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
 | Field | Description
 | *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
 | *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
+| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
 |===


--- a/generated/1.17/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go
+++ b/generated/1.17/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go
@ -138,6 +138,17 @@ type OIDCClaims struct {
 	// the ID token.
 	// +optional
 	Username string `json:"username"`
+
+	// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
+	// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
+	// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
+	// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
+	// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
+	// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
+	// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
+	// tokens generated by the Supervisor.
+	// +optional
+	AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
 }

 // OIDCClient contains information about an OIDC client (e.g., client ID and client
--- a/generated/1.17/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.17/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
 	*out = *in
+	if in.AdditionalClaimMappings != nil {
+		in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 	return
 }

@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
 		**out = **in
 	}
 	in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
-	out.Claims = in.Claims
+	in.Claims.DeepCopyInto(&out.Claims)
 	out.Client = in.Client
 	return
 }
--- a/generated/1.17/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
+++ b/generated/1.17/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
@ -185,6 +185,22 @@ spec:
                description: Claims provides the names of token claims that will be
                  used when inspecting an identity from this OIDC identity provider.
                properties:
+                  additionalClaimMappings:
+                    additionalProperties:
+                      type: string
+                    description: AdditionalClaimMappings allows for additional arbitrary
+                      upstream claim values to be mapped into the "additionalClaims"
+                      claim of the ID tokens generated by the Supervisor. This should
+                      be specified as a map of new claim names as the keys, and upstream
+                      claim names as the values. These new claim names will be nested
+                      under the top-level "additionalClaims" claim in ID tokens generated
+                      by the Supervisor when this OIDCIdentityProvider was used for
+                      user authentication. This feature is not required for using
+                      the Supervisor to provide authentication for Kubernetes clusters,
+                      but can be used when using the Supervisor for other authentication
+                      purposes. When this map is empty, the "additionalClaims" claim
+                      will be excluded from the ID tokens generated by the Supervisor.
+                    type: object
                  groups:
                    description: Groups provides the name of the ID token claim or
                      userinfo endpoint response claim that will be used to ascertain
--- a/generated/1.18/README.adoc
+++ b/generated/1.18/README.adoc
@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
 | Field | Description
 | *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
 | *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
+| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
 |===


--- a/generated/1.18/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go
+++ b/generated/1.18/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go
@ -138,6 +138,17 @@ type OIDCClaims struct {
 	// the ID token.
 	// +optional
 	Username string `json:"username"`
+
+	// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
+	// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
+	// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
+	// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
+	// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
+	// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
+	// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
+	// tokens generated by the Supervisor.
+	// +optional
+	AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
 }

 // OIDCClient contains information about an OIDC client (e.g., client ID and client
--- a/generated/1.18/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.18/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
 	*out = *in
+	if in.AdditionalClaimMappings != nil {
+		in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 	return
 }

@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
 		**out = **in
 	}
 	in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
-	out.Claims = in.Claims
+	in.Claims.DeepCopyInto(&out.Claims)
 	out.Client = in.Client
 	return
 }
--- a/generated/1.18/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
+++ b/generated/1.18/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
@ -185,6 +185,22 @@ spec:
                description: Claims provides the names of token claims that will be
                  used when inspecting an identity from this OIDC identity provider.
                properties:
+                  additionalClaimMappings:
+                    additionalProperties:
+                      type: string
+                    description: AdditionalClaimMappings allows for additional arbitrary
+                      upstream claim values to be mapped into the "additionalClaims"
+                      claim of the ID tokens generated by the Supervisor. This should
+                      be specified as a map of new claim names as the keys, and upstream
+                      claim names as the values. These new claim names will be nested
+                      under the top-level "additionalClaims" claim in ID tokens generated
+                      by the Supervisor when this OIDCIdentityProvider was used for
+                      user authentication. This feature is not required for using
+                      the Supervisor to provide authentication for Kubernetes clusters,
+                      but can be used when using the Supervisor for other authentication
+                      purposes. When this map is empty, the "additionalClaims" claim
+                      will be excluded from the ID tokens generated by the Supervisor.
+                    type: object
                  groups:
                    description: Groups provides the name of the ID token claim or
                      userinfo endpoint response claim that will be used to ascertain
--- a/generated/1.19/README.adoc
+++ b/generated/1.19/README.adoc
@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
 | Field | Description
 | *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
 | *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
+| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
 |===


--- a/generated/1.19/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go
+++ b/generated/1.19/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go
@ -138,6 +138,17 @@ type OIDCClaims struct {
 	// the ID token.
 	// +optional
 	Username string `json:"username"`
+
+	// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
+	// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
+	// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
+	// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
+	// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
+	// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
+	// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
+	// tokens generated by the Supervisor.
+	// +optional
+	AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
 }

 // OIDCClient contains information about an OIDC client (e.g., client ID and client
--- a/generated/1.19/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.19/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
 	*out = *in
+	if in.AdditionalClaimMappings != nil {
+		in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 	return
 }

@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
 		**out = **in
 	}
 	in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
-	out.Claims = in.Claims
+	in.Claims.DeepCopyInto(&out.Claims)
 	out.Client = in.Client
 	return
 }
--- a/generated/1.19/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
+++ b/generated/1.19/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
@ -185,6 +185,22 @@ spec:
                description: Claims provides the names of token claims that will be
                  used when inspecting an identity from this OIDC identity provider.
                properties:
+                  additionalClaimMappings:
+                    additionalProperties:
+                      type: string
+                    description: AdditionalClaimMappings allows for additional arbitrary
+                      upstream claim values to be mapped into the "additionalClaims"
+                      claim of the ID tokens generated by the Supervisor. This should
+                      be specified as a map of new claim names as the keys, and upstream
+                      claim names as the values. These new claim names will be nested
+                      under the top-level "additionalClaims" claim in ID tokens generated
+                      by the Supervisor when this OIDCIdentityProvider was used for
+                      user authentication. This feature is not required for using
+                      the Supervisor to provide authentication for Kubernetes clusters,
+                      but can be used when using the Supervisor for other authentication
+                      purposes. When this map is empty, the "additionalClaims" claim
+                      will be excluded from the ID tokens generated by the Supervisor.
+                    type: object
                  groups:
                    description: Groups provides the name of the ID token claim or
                      userinfo endpoint response claim that will be used to ascertain
--- a/generated/1.20/README.adoc
+++ b/generated/1.20/README.adoc
@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
 | Field | Description
 | *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
 | *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
+| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
 |===


--- a/generated/1.20/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go
+++ b/generated/1.20/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go
@ -138,6 +138,17 @@ type OIDCClaims struct {
 	// the ID token.
 	// +optional
 	Username string `json:"username"`
+
+	// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
+	// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
+	// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
+	// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
+	// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
+	// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
+	// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
+	// tokens generated by the Supervisor.
+	// +optional
+	AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
 }

 // OIDCClient contains information about an OIDC client (e.g., client ID and client
--- a/generated/1.20/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.20/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
 	*out = *in
+	if in.AdditionalClaimMappings != nil {
+		in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 	return
 }

@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
 		**out = **in
 	}
 	in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
-	out.Claims = in.Claims
+	in.Claims.DeepCopyInto(&out.Claims)
 	out.Client = in.Client
 	return
 }
--- a/generated/1.20/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
+++ b/generated/1.20/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
@ -185,6 +185,22 @@ spec:
                description: Claims provides the names of token claims that will be
                  used when inspecting an identity from this OIDC identity provider.
                properties:
+                  additionalClaimMappings:
+                    additionalProperties:
+                      type: string
+                    description: AdditionalClaimMappings allows for additional arbitrary
+                      upstream claim values to be mapped into the "additionalClaims"
+                      claim of the ID tokens generated by the Supervisor. This should
+                      be specified as a map of new claim names as the keys, and upstream
+                      claim names as the values. These new claim names will be nested
+                      under the top-level "additionalClaims" claim in ID tokens generated
+                      by the Supervisor when this OIDCIdentityProvider was used for
+                      user authentication. This feature is not required for using
+                      the Supervisor to provide authentication for Kubernetes clusters,
+                      but can be used when using the Supervisor for other authentication
+                      purposes. When this map is empty, the "additionalClaims" claim
+                      will be excluded from the ID tokens generated by the Supervisor.
+                    type: object
                  groups:
                    description: Groups provides the name of the ID token claim or
                      userinfo endpoint response claim that will be used to ascertain
--- a/generated/1.21/README.adoc
+++ b/generated/1.21/README.adoc
@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
 | Field | Description
 | *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
 | *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
+| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
 |===


--- a/generated/1.21/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go
+++ b/generated/1.21/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go
@ -138,6 +138,17 @@ type OIDCClaims struct {
 	// the ID token.
 	// +optional
 	Username string `json:"username"`
+
+	// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
+	// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
+	// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
+	// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
+	// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
+	// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
+	// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
+	// tokens generated by the Supervisor.
+	// +optional
+	AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
 }

 // OIDCClient contains information about an OIDC client (e.g., client ID and client
--- a/generated/1.21/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.21/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
 	*out = *in
+	if in.AdditionalClaimMappings != nil {
+		in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 	return
 }

@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
 		**out = **in
 	}
 	in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
-	out.Claims = in.Claims
+	in.Claims.DeepCopyInto(&out.Claims)
 	out.Client = in.Client
 	return
 }
--- a/generated/1.21/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
+++ b/generated/1.21/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
@ -185,6 +185,22 @@ spec:
                description: Claims provides the names of token claims that will be
                  used when inspecting an identity from this OIDC identity provider.
                properties:
+                  additionalClaimMappings:
+                    additionalProperties:
+                      type: string
+                    description: AdditionalClaimMappings allows for additional arbitrary
+                      upstream claim values to be mapped into the "additionalClaims"
+                      claim of the ID tokens generated by the Supervisor. This should
+                      be specified as a map of new claim names as the keys, and upstream
+                      claim names as the values. These new claim names will be nested
+                      under the top-level "additionalClaims" claim in ID tokens generated
+                      by the Supervisor when this OIDCIdentityProvider was used for
+                      user authentication. This feature is not required for using
+                      the Supervisor to provide authentication for Kubernetes clusters,
+                      but can be used when using the Supervisor for other authentication
+                      purposes. When this map is empty, the "additionalClaims" claim
+                      will be excluded from the ID tokens generated by the Supervisor.
+                    type: object
                  groups:
                    description: Groups provides the name of the ID token claim or
                      userinfo endpoint response claim that will be used to ascertain
--- a/generated/1.22/README.adoc
+++ b/generated/1.22/README.adoc
@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
 | Field | Description
 | *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
 | *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
+| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
 |===


--- a/generated/1.22/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go
+++ b/generated/1.22/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go
@ -138,6 +138,17 @@ type OIDCClaims struct {
 	// the ID token.
 	// +optional
 	Username string `json:"username"`
+
+	// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
+	// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
+	// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
+	// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
+	// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
+	// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
+	// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
+	// tokens generated by the Supervisor.
+	// +optional
+	AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
 }

 // OIDCClient contains information about an OIDC client (e.g., client ID and client
--- a/generated/1.22/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.22/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
 	*out = *in
+	if in.AdditionalClaimMappings != nil {
+		in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 	return
 }

@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
 		**out = **in
 	}
 	in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
-	out.Claims = in.Claims
+	in.Claims.DeepCopyInto(&out.Claims)
 	out.Client = in.Client
 	return
 }
--- a/generated/1.22/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
+++ b/generated/1.22/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
@ -185,6 +185,22 @@ spec:
                description: Claims provides the names of token claims that will be
                  used when inspecting an identity from this OIDC identity provider.
                properties:
+                  additionalClaimMappings:
+                    additionalProperties:
+                      type: string
+                    description: AdditionalClaimMappings allows for additional arbitrary
+                      upstream claim values to be mapped into the "additionalClaims"
+                      claim of the ID tokens generated by the Supervisor. This should
+                      be specified as a map of new claim names as the keys, and upstream
+                      claim names as the values. These new claim names will be nested
+                      under the top-level "additionalClaims" claim in ID tokens generated
+                      by the Supervisor when this OIDCIdentityProvider was used for
+                      user authentication. This feature is not required for using
+                      the Supervisor to provide authentication for Kubernetes clusters,
+                      but can be used when using the Supervisor for other authentication
+                      purposes. When this map is empty, the "additionalClaims" claim
+                      will be excluded from the ID tokens generated by the Supervisor.
+                    type: object
                  groups:
                    description: Groups provides the name of the ID token claim or
                      userinfo endpoint response claim that will be used to ascertain
--- a/generated/1.23/README.adoc
+++ b/generated/1.23/README.adoc
@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
 | Field | Description
 | *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
 | *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
+| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
 |===


--- a/generated/1.23/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go
+++ b/generated/1.23/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go
@ -138,6 +138,17 @@ type OIDCClaims struct {
 	// the ID token.
 	// +optional
 	Username string `json:"username"`
+
+	// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
+	// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
+	// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
+	// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
+	// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
+	// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
+	// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
+	// tokens generated by the Supervisor.
+	// +optional
+	AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
 }

 // OIDCClient contains information about an OIDC client (e.g., client ID and client
--- a/generated/1.23/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.23/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
 	*out = *in
+	if in.AdditionalClaimMappings != nil {
+		in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 	return
 }

@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
 		**out = **in
 	}
 	in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
-	out.Claims = in.Claims
+	in.Claims.DeepCopyInto(&out.Claims)
 	out.Client = in.Client
 	return
 }
--- a/generated/1.23/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
+++ b/generated/1.23/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
@ -185,6 +185,22 @@ spec:
                description: Claims provides the names of token claims that will be
                  used when inspecting an identity from this OIDC identity provider.
                properties:
+                  additionalClaimMappings:
+                    additionalProperties:
+                      type: string
+                    description: AdditionalClaimMappings allows for additional arbitrary
+                      upstream claim values to be mapped into the "additionalClaims"
+                      claim of the ID tokens generated by the Supervisor. This should
+                      be specified as a map of new claim names as the keys, and upstream
+                      claim names as the values. These new claim names will be nested
+                      under the top-level "additionalClaims" claim in ID tokens generated
+                      by the Supervisor when this OIDCIdentityProvider was used for
+                      user authentication. This feature is not required for using
+                      the Supervisor to provide authentication for Kubernetes clusters,
+                      but can be used when using the Supervisor for other authentication
+                      purposes. When this map is empty, the "additionalClaims" claim
+                      will be excluded from the ID tokens generated by the Supervisor.
+                    type: object
                  groups:
                    description: Groups provides the name of the ID token claim or
                      userinfo endpoint response claim that will be used to ascertain
--- a/generated/1.24/README.adoc
+++ b/generated/1.24/README.adoc
@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
 | Field | Description
 | *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
 | *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
+| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
 |===


--- a/generated/1.24/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go
+++ b/generated/1.24/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go
@ -138,6 +138,17 @@ type OIDCClaims struct {
 	// the ID token.
 	// +optional
 	Username string `json:"username"`
+
+	// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
+	// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
+	// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
+	// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
+	// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
+	// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
+	// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
+	// tokens generated by the Supervisor.
+	// +optional
+	AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
 }

 // OIDCClient contains information about an OIDC client (e.g., client ID and client
--- a/generated/1.24/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.24/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
 	*out = *in
+	if in.AdditionalClaimMappings != nil {
+		in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 	return
 }

@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
 		**out = **in
 	}
 	in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
-	out.Claims = in.Claims
+	in.Claims.DeepCopyInto(&out.Claims)
 	out.Client = in.Client
 	return
 }
--- a/generated/1.24/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
+++ b/generated/1.24/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
@ -185,6 +185,22 @@ spec:
                description: Claims provides the names of token claims that will be
                  used when inspecting an identity from this OIDC identity provider.
                properties:
+                  additionalClaimMappings:
+                    additionalProperties:
+                      type: string
+                    description: AdditionalClaimMappings allows for additional arbitrary
+                      upstream claim values to be mapped into the "additionalClaims"
+                      claim of the ID tokens generated by the Supervisor. This should
+                      be specified as a map of new claim names as the keys, and upstream
+                      claim names as the values. These new claim names will be nested
+                      under the top-level "additionalClaims" claim in ID tokens generated
+                      by the Supervisor when this OIDCIdentityProvider was used for
+                      user authentication. This feature is not required for using
+                      the Supervisor to provide authentication for Kubernetes clusters,
+                      but can be used when using the Supervisor for other authentication
+                      purposes. When this map is empty, the "additionalClaims" claim
+                      will be excluded from the ID tokens generated by the Supervisor.
+                    type: object
                  groups:
                    description: Groups provides the name of the ID token claim or
                      userinfo endpoint response claim that will be used to ascertain
--- a/generated/1.25/README.adoc
+++ b/generated/1.25/README.adoc
@ -1387,6 +1387,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
 | Field | Description
 | *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
 | *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
+| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
 |===


--- a/generated/1.25/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go
+++ b/generated/1.25/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go
@ -138,6 +138,17 @@ type OIDCClaims struct {
 	// the ID token.
 	// +optional
 	Username string `json:"username"`
+
+	// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
+	// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
+	// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
+	// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
+	// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
+	// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
+	// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
+	// tokens generated by the Supervisor.
+	// +optional
+	AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
 }

 // OIDCClient contains information about an OIDC client (e.g., client ID and client
--- a/generated/1.25/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.25/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
 	*out = *in
+	if in.AdditionalClaimMappings != nil {
+		in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 	return
 }

@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
 		**out = **in
 	}
 	in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
-	out.Claims = in.Claims
+	in.Claims.DeepCopyInto(&out.Claims)
 	out.Client = in.Client
 	return
 }
--- a/generated/1.25/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
+++ b/generated/1.25/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
@ -185,6 +185,22 @@ spec:
                description: Claims provides the names of token claims that will be
                  used when inspecting an identity from this OIDC identity provider.
                properties:
+                  additionalClaimMappings:
+                    additionalProperties:
+                      type: string
+                    description: AdditionalClaimMappings allows for additional arbitrary
+                      upstream claim values to be mapped into the "additionalClaims"
+                      claim of the ID tokens generated by the Supervisor. This should
+                      be specified as a map of new claim names as the keys, and upstream
+                      claim names as the values. These new claim names will be nested
+                      under the top-level "additionalClaims" claim in ID tokens generated
+                      by the Supervisor when this OIDCIdentityProvider was used for
+                      user authentication. This feature is not required for using
+                      the Supervisor to provide authentication for Kubernetes clusters,
+                      but can be used when using the Supervisor for other authentication
+                      purposes. When this map is empty, the "additionalClaims" claim
+                      will be excluded from the ID tokens generated by the Supervisor.
+                    type: object
                  groups:
                    description: Groups provides the name of the ID token claim or
                      userinfo endpoint response claim that will be used to ascertain
--- a/generated/latest/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go
+++ b/generated/latest/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go
@ -138,6 +138,17 @@ type OIDCClaims struct {
 	// the ID token.
 	// +optional
 	Username string `json:"username"`
+
+	// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
+	// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
+	// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
+	// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
+	// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
+	// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
+	// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
+	// tokens generated by the Supervisor.
+	// +optional
+	AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
 }

 // OIDCClient contains information about an OIDC client (e.g., client ID and client
--- a/generated/latest/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/latest/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
 	*out = *in
+	if in.AdditionalClaimMappings != nil {
+		in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 	return
 }

@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
 		**out = **in
 	}
 	in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
-	out.Claims = in.Claims
+	in.Claims.DeepCopyInto(&out.Claims)
 	out.Client = in.Client
 	return
 }
--- a/hack/prepare-supervisor-on-kind.sh
+++ b/hack/prepare-supervisor-on-kind.sh
@ -156,6 +156,14 @@ spec:
  claims:
    username: "$PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_USERNAME_CLAIM"
    groups: "$PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_GROUPS_CLAIM"
+    # TODO: This is just an experiment. Don't really want to commit additionalClaimMappings in this file.
+    additionalClaimMappings:
+      upstream_sub: sub
+      upstream_email: email
+      upstream_email_verified: email_verified
+      upstream_name: name
+      upstream_exp: exp
+      upstream_does_not_exist: foobaz
  client:
    secretName: my-oidc-provider-client-secret
 EOF
--- a/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go
+++ b/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go
@ -215,6 +215,7 @@ func (c *oidcWatcherController) validateUpstream(ctx controllerlib.Context, upst
 		GroupsClaim:              upstream.Spec.Claims.Groups,
 		AllowPasswordGrant:       authorizationConfig.AllowPasswordGrant,
 		AdditionalAuthcodeParams: additionalAuthcodeAuthorizeParameters,
+		AdditionalClaimMappings:  upstream.Spec.Claims.AdditionalClaimMappings,
 		ResourceUID:              upstream.UID,
 	}

--- a/internal/oidc/auth/auth_handler.go
+++ b/internal/oidc/auth/auth_handler.go
@ -150,7 +150,7 @@ func handleAuthRequestForLDAPUpstreamCLIFlow(
 	groups := authenticateResponse.User.GetGroups()
 	customSessionData := downstreamsession.MakeDownstreamLDAPOrADCustomSessionData(ldapUpstream, idpType, authenticateResponse, username)
 	openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups,
-		authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData)
+		authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData, map[string]interface{}{})
 	oidc.PerformAuthcodeRedirect(r, w, oauthHelper, authorizeRequester, openIDSession, true)

 	return nil
@ -243,6 +243,8 @@ func handleAuthRequestForOIDCUpstreamPasswordGrant(
 		return nil
 	}

+	additionalClaims := downstreamsession.MapAdditionalClaimsFromUpstreamIDToken(oidcUpstream, token.IDToken.Claims)
+
 	customSessionData, err := downstreamsession.MakeDownstreamOIDCCustomSessionData(oidcUpstream, token, username)
 	if err != nil {
 		oidc.WriteAuthorizeError(r, w, oauthHelper, authorizeRequester,
@ -252,7 +254,7 @@ func handleAuthRequestForOIDCUpstreamPasswordGrant(
 	}

 	openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups,
-		authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData)
+		authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData, additionalClaims)

 	oidc.PerformAuthcodeRedirect(r, w, oauthHelper, authorizeRequester, openIDSession, true)

--- a/internal/oidc/callback/callback_handler.go
+++ b/internal/oidc/callback/callback_handler.go
@ -74,13 +74,15 @@ func NewHandler(
 			return httperr.Wrap(http.StatusUnprocessableEntity, err.Error(), err)
 		}

+		additionalClaims := downstreamsession.MapAdditionalClaimsFromUpstreamIDToken(upstreamIDPConfig, token.IDToken.Claims)
+
 		customSessionData, err := downstreamsession.MakeDownstreamOIDCCustomSessionData(upstreamIDPConfig, token, username)
 		if err != nil {
 			return httperr.Wrap(http.StatusUnprocessableEntity, err.Error(), err)
 		}

 		openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups,
-			authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData)
+			authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData, additionalClaims)

 		authorizeResponder, err := oauthHelper.NewAuthorizeResponse(r.Context(), authorizeRequester, openIDSession)
 		if err != nil {
--- a/internal/oidc/downstreamsession/downstream_session.go
+++ b/internal/oidc/downstreamsession/downstream_session.go
@ -48,6 +48,7 @@ func MakeDownstreamSession(
 	grantedScopes []string,
 	clientID string,
 	custom *psession.CustomSessionData,
+	additionalClaims map[string]interface{},
 ) *psession.PinnipedSession {
 	now := time.Now().UTC()
 	openIDSession := &psession.PinnipedSession{
@ -72,6 +73,9 @@ func MakeDownstreamSession(
 	if slices.Contains(grantedScopes, oidcapi.ScopeGroups) {
 		extras[oidcapi.IDTokenClaimGroups] = groups
 	}
+	if len(additionalClaims) > 0 {
+		extras["additionalClaims"] = additionalClaims
+	}
 	openIDSession.IDTokenClaims().Extra = extras

 	return openIDSession
@ -212,6 +216,27 @@ func GetDownstreamIdentityFromUpstreamIDToken(
 	return subject, username, groups, err
 }

+// MapAdditionalClaimsFromUpstreamIDToken returns the additionalClaims mapped from the upstream token, if any.
+func MapAdditionalClaimsFromUpstreamIDToken(
+	upstreamIDPConfig provider.UpstreamOIDCIdentityProviderI,
+	idTokenClaims map[string]interface{},
+) map[string]interface{} {
+	mapped := make(map[string]interface{}, len(upstreamIDPConfig.GetAdditionalClaimMappings()))
+	for downstreamClaimName, upstreamClaimName := range upstreamIDPConfig.GetAdditionalClaimMappings() {
+		upstreamClaimValue, ok := idTokenClaims[upstreamClaimName]
+		if !ok {
+			plog.Warning(
+				"additionalClaims mapping claim in upstream ID token missing",
+				"upstreamName", upstreamIDPConfig.GetName(),
+				"claimName", upstreamClaimName,
+			)
+		} else {
+			mapped[downstreamClaimName] = upstreamClaimValue
+		}
+	}
+	return mapped
+}
+
 func getSubjectAndUsernameFromUpstreamIDToken(
 	upstreamIDPConfig provider.UpstreamOIDCIdentityProviderI,
 	idTokenClaims map[string]interface{},
--- a/internal/oidc/login/post_login_handler.go
+++ b/internal/oidc/login/post_login_handler.go
@ -84,7 +84,7 @@ func NewPostHandler(issuerURL string, upstreamIDPs oidc.UpstreamIdentityProvider
 		groups := authenticateResponse.User.GetGroups()
 		customSessionData := downstreamsession.MakeDownstreamLDAPOrADCustomSessionData(ldapUpstream, idpType, authenticateResponse, username)
 		openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups,
-			authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData)
+			authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData, map[string]interface{}{})
 		oidc.PerformAuthcodeRedirect(r, w, oauthHelper, authorizeRequester, openIDSession, false)

 		return nil
--- a/internal/oidc/provider/dynamic_upstream_idp_provider.go
+++ b/internal/oidc/provider/dynamic_upstream_idp_provider.go
@ -61,6 +61,9 @@ type UpstreamOIDCIdentityProviderI interface {
 	// GetAdditionalAuthcodeParams returns additional params to be sent on authcode requests.
 	GetAdditionalAuthcodeParams() map[string]string

+	// GetAdditionalClaimMappings returns additional claims to be mapped from the upstream ID token.
+	GetAdditionalClaimMappings() map[string]string
+
 	// PasswordCredentialsGrantAndValidateTokens performs upstream OIDC resource owner password credentials grant and
 	// token validation. Returns the validated raw tokens as well as the parsed claims of the ID token.
 	PasswordCredentialsGrantAndValidateTokens(ctx context.Context, username, password string) (*oidctypes.Token, error)
--- a/internal/upstreamoidc/upstreamoidc.go
+++ b/internal/upstreamoidc/upstreamoidc.go
@ -43,6 +43,7 @@ type ProviderConfig struct {
 	Client                   *http.Client
 	AllowPasswordGrant       bool
 	AdditionalAuthcodeParams map[string]string
+	AdditionalClaimMappings  map[string]string
 	RevocationURL            *url.URL // will commonly be nil: many providers do not offer this
 	Provider                 interface {
 		Verifier(*coreosoidc.Config) *coreosoidc.IDTokenVerifier
@ -78,6 +79,10 @@ func (p *ProviderConfig) GetAdditionalAuthcodeParams() map[string]string {
 	return p.AdditionalAuthcodeParams
 }

+func (p *ProviderConfig) GetAdditionalClaimMappings() map[string]string {
+	return p.AdditionalClaimMappings
+}
+
 func (p *ProviderConfig) GetName() string {
 	return p.Name
 }