From cd17bdb5f73894e746fa1c02573e06d034dd364b Mon Sep 17 00:00:00 2001 
From: Ryan Richard
Date: Tue, 20 Sep 2022 14:54:10 -0700
Subject: [PATCH] POC of OIDCIdentityProvider.spec.claims.additionalClaimMappings
Proof-of-concept implementation of a potential new Supervisor feature which allows arbitrary upstream ID token claims to be mapped into a new top-level claim in the ID tokens issued by the Supervisor.
---
 .../types_oidcidentityprovider.go.tmpl | 11 ++++++++
 ...or.pinniped.dev_oidcidentityproviders.yaml | 16 ++++++++++++
 generated/1.17/README.adoc | 1 +
 .../v1alpha1/types_oidcidentityprovider.go | 11 ++++++++
 .../idp/v1alpha1/zz_generated.deepcopy.go | 9 ++++++-
 ...or.pinniped.dev_oidcidentityproviders.yaml | 16 ++++++++++++
 generated/1.18/README.adoc | 1 +
 .../v1alpha1/types_oidcidentityprovider.go | 11 ++++++++
 .../idp/v1alpha1/zz_generated.deepcopy.go | 9 ++++++-
 ...or.pinniped.dev_oidcidentityproviders.yaml | 16 ++++++++++++
 generated/1.19/README.adoc | 1 +
 .../v1alpha1/types_oidcidentityprovider.go | 11 ++++++++
 .../idp/v1alpha1/zz_generated.deepcopy.go | 9 ++++++-
 ...or.pinniped.dev_oidcidentityproviders.yaml | 16 ++++++++++++
 generated/1.20/README.adoc | 1 +
 .../v1alpha1/types_oidcidentityprovider.go | 11 ++++++++
 .../idp/v1alpha1/zz_generated.deepcopy.go | 9 ++++++-
 ...or.pinniped.dev_oidcidentityproviders.yaml | 16 ++++++++++++
 generated/1.21/README.adoc | 1 +
 .../v1alpha1/types_oidcidentityprovider.go | 11 ++++++++
 .../idp/v1alpha1/zz_generated.deepcopy.go | 9 ++++++-
 ...or.pinniped.dev_oidcidentityproviders.yaml | 16 ++++++++++++
 generated/1.22/README.adoc | 1 +
 .../v1alpha1/types_oidcidentityprovider.go | 11 ++++++++
 .../idp/v1alpha1/zz_generated.deepcopy.go | 9 ++++++-
 ...or.pinniped.dev_oidcidentityproviders.yaml | 16 ++++++++++++
 generated/1.23/README.adoc | 1 +
 .../v1alpha1/types_oidcidentityprovider.go | 11 ++++++++
 .../idp/v1alpha1/zz_generated.deepcopy.go | 9 ++++++-
 ...or.pinniped.dev_oidcidentityproviders.yaml | 16 ++++++++++++
 generated/1.24/README.adoc | 1 +
 .../v1alpha1/types_oidcidentityprovider.go | 11 ++++++++
 .../idp/v1alpha1/zz_generated.deepcopy.go | 9 ++++++-
 ...or.pinniped.dev_oidcidentityproviders.yaml | 16 ++++++++++++
 generated/1.25/README.adoc | 1 +
 .../v1alpha1/types_oidcidentityprovider.go | 11 ++++++++
 .../idp/v1alpha1/zz_generated.deepcopy.go | 9 ++++++-
 ...or.pinniped.dev_oidcidentityproviders.yaml | 16 ++++++++++++
 .../v1alpha1/types_oidcidentityprovider.go | 11 ++++++++
 .../idp/v1alpha1/zz_generated.deepcopy.go | 9 ++++++-
 hack/prepare-supervisor-on-kind.sh | 8 ++++++
 .../oidc_upstream_watcher.go | 1 +
 internal/oidc/auth/auth_handler.go | 6 +++--
 internal/oidc/callback/callback_handler.go | 4 ++-
 .../downstreamsession/downstream_session.go | 25 +++++++++++++++++++
 internal/oidc/login/post_login_handler.go | 2 +-
 .../provider/dynamic_upstream_idp_provider.go | 3 +++
 internal/upstreamoidc/upstreamoidc.go | 5 ++++
 48 files changed, 420 insertions(+), 14 deletions(-)
diff --git a/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go.tmpl b/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go.tmpl
index 798275a9..5103ae4c 100644
--- a/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go.tmpl
+++ b/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go.tmpl
@@ -138,6 +138,17 @@ type OIDCClaims struct {
 // the ID token.
 // +optional
 Username string `json:"username"`
+
+ // AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
+ // "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
+ // new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
+ // under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
+ // OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
+ // provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
+ // authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
+ // tokens generated by the Supervisor.
+ // +optional
+ AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
 }
 
 // OIDCClient contains information about an OIDC client (e.g., client ID and client
diff --git a/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
index 2b91026a..0bc033cc 100644
--- a/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
+++ b/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
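Review bot: The doc comment on the new `AdditionalClaimMappings` field does not say where the upstream values are read from or what happens when a named upstream claim is absent, whereas the neighbouring `Username` and `Groups` comments state explicitly that they consult "the ID token claim or userinfo endpoint response claim"; the comment should match, e.g. `// Upstream claim values are looked up in the upstream ID token (and userinfo response, where consulted) and copied into the downstream ID token without validation or normalization; mappings whose upstream claim is absent are omitted.`, with the absent-claim sentence adjusted to whatever downstream_session.go actually does, since that file is not in this view. Because the Supervisor signs the resulting ID token, relying parties will see these values as asserted by the Supervisor, so the comment should also warn that the Supervisor vouches only for their provenance from the configured upstream, not for their content or type. There is also no validation on the map itself: empty keys or values are accepted by the CRD schema (`additionalProperties: type: string` with no key pattern), and the diffstat shows only a one-line change to `oidc_upstream_watcher.go`, so it does not look like the controller rejects them either; a status condition for empty or whitespace-only keys and values would be the natural place to add that check.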
@@ -185,6 +185,22 @@ spec: description: Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider. properties: + additionalClaimMappings: + additionalProperties: + type: string + description: AdditionalClaimMappings allows for additional arbitrary + upstream claim values to be mapped into the "additionalClaims" + claim of the ID tokens generated by the Supervisor. This should + be specified as a map of new claim names as the keys, and upstream + claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated + by the Supervisor when this OIDCIdentityProvider was used for + user authentication. This feature is not required for using + the Supervisor to provide authentication for Kubernetes clusters, + but can be used when using the Supervisor for other authentication + purposes. When this map is empty, the "additionalClaims" claim + will be excluded from the ID tokens generated by the Supervisor. + type: object groups: description: Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc index 57238ca5..717bc00b 100644 --- a/generated/1.17/README.adoc +++ b/generated/1.17/README.adoc 
@@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities. | Field | Description | *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured. | *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token. +| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. |=== diff --git a/generated/1.17/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go b/generated/1.17/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go index 798275a9..5103ae4c 100644 --- a/generated/1.17/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go +++ b/generated/1.17/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go 
@@ -138,6 +138,17 @@ type OIDCClaims struct {
 // the ID token.
 // +optional
 Username string `json:"username"`
+
+ // AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
+ // "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
+ // new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
+ // under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
+ // OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
+ // provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
+ // authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
+ // tokens generated by the Supervisor.
+ // +optional
+ AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
 }
 
 // OIDCClient contains information about an OIDC client (e.g., client ID and client
diff --git a/generated/1.17/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.17/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
index 5f5be6f3..a187b7ca 100644
--- a/generated/1.17/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.17/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
@@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
 *out = *in
+ if in.AdditionalClaimMappings != nil {
+ in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
+ *out = make(map[string]string, len(*in))
+ for key, val := range *in {
+ (*out)[key] = val
+ }
+ }
 return
 }
@@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec) **out = **in } in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig) - out.Claims = in.Claims + in.Claims.DeepCopyInto(&out.Claims) out.Client = in.Client return } diff --git a/generated/1.17/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.17/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 2b91026a..0bc033cc 100644 --- a/generated/1.17/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.17/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -185,6 +185,22 @@ spec: description: Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider. properties: + additionalClaimMappings: + additionalProperties: + type: string + description: AdditionalClaimMappings allows for additional arbitrary + upstream claim values to be mapped into the "additionalClaims" + claim of the ID tokens generated by the Supervisor. This should + be specified as a map of new claim names as the keys, and upstream + claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated + by the Supervisor when this OIDCIdentityProvider was used for + user authentication. This feature is not required for using + the Supervisor to provide authentication for Kubernetes clusters, + but can be used when using the Supervisor for other authentication + purposes. When this map is empty, the "additionalClaims" claim + will be excluded from the ID tokens generated by the Supervisor. + type: object groups: description: Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index 698221e8..9721039d 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc 
@@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities. | Field | Description | *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured. | *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token. +| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. |=== diff --git a/generated/1.18/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go b/generated/1.18/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go index 798275a9..5103ae4c 100644 --- a/generated/1.18/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go +++ b/generated/1.18/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go 
@@ -138,6 +138,17 @@ type OIDCClaims struct { // the ID token. // +optional Username string `json:"username"` + + // AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + // "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + // new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + // under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + // OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to + // provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other + // authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID + // tokens generated by the Supervisor. + // +optional + AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"` } // OIDCClient contains information about an OIDC client (e.g., client ID and client diff --git a/generated/1.18/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.18/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index 5f5be6f3..a187b7ca 100644 --- a/generated/1.18/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.18/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) { *out = *in + if in.AdditionalClaimMappings != nil { + in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } return } 
@@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec) **out = **in } in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig) - out.Claims = in.Claims + in.Claims.DeepCopyInto(&out.Claims) out.Client = in.Client return } diff --git a/generated/1.18/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.18/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 2b91026a..0bc033cc 100644 --- a/generated/1.18/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.18/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -185,6 +185,22 @@ spec: description: Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider. properties: + additionalClaimMappings: + additionalProperties: + type: string + description: AdditionalClaimMappings allows for additional arbitrary + upstream claim values to be mapped into the "additionalClaims" + claim of the ID tokens generated by the Supervisor. This should + be specified as a map of new claim names as the keys, and upstream + claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated + by the Supervisor when this OIDCIdentityProvider was used for + user authentication. This feature is not required for using + the Supervisor to provide authentication for Kubernetes clusters, + but can be used when using the Supervisor for other authentication + purposes. When this map is empty, the "additionalClaims" claim + will be excluded from the ID tokens generated by the Supervisor. + type: object groups: description: Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index 1c3ee7e9..ac46d380 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc 
@@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities. | Field | Description | *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured. | *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token. +| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. |=== diff --git a/generated/1.19/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go b/generated/1.19/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go index 798275a9..5103ae4c 100644 --- a/generated/1.19/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go +++ b/generated/1.19/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go 
@@ -138,6 +138,17 @@ type OIDCClaims struct { // the ID token. // +optional Username string `json:"username"` + + // AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + // "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + // new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + // under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + // OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to + // provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other + // authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID + // tokens generated by the Supervisor. + // +optional + AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"` } // OIDCClient contains information about an OIDC client (e.g., client ID and client diff --git a/generated/1.19/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.19/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index 5f5be6f3..a187b7ca 100644 --- a/generated/1.19/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.19/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) { *out = *in + if in.AdditionalClaimMappings != nil { + in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } return } 
@@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec) **out = **in } in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig) - out.Claims = in.Claims + in.Claims.DeepCopyInto(&out.Claims) out.Client = in.Client return } diff --git a/generated/1.19/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.19/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 2b91026a..0bc033cc 100644 --- a/generated/1.19/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.19/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -185,6 +185,22 @@ spec: description: Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider. properties: + additionalClaimMappings: + additionalProperties: + type: string + description: AdditionalClaimMappings allows for additional arbitrary + upstream claim values to be mapped into the "additionalClaims" + claim of the ID tokens generated by the Supervisor. This should + be specified as a map of new claim names as the keys, and upstream + claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated + by the Supervisor when this OIDCIdentityProvider was used for + user authentication. This feature is not required for using + the Supervisor to provide authentication for Kubernetes clusters, + but can be used when using the Supervisor for other authentication + purposes. When this map is empty, the "additionalClaims" claim + will be excluded from the ID tokens generated by the Supervisor. + type: object groups: description: Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain diff --git a/generated/1.20/README.adoc b/generated/1.20/README.adoc index 03683bf9..01a0c074 100644 --- a/generated/1.20/README.adoc +++ b/generated/1.20/README.adoc 
@@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities. | Field | Description | *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured. | *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token. +| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. |=== diff --git a/generated/1.20/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go b/generated/1.20/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go index 798275a9..5103ae4c 100644 --- a/generated/1.20/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go +++ b/generated/1.20/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go 
@@ -138,6 +138,17 @@ type OIDCClaims struct { // the ID token. // +optional Username string `json:"username"` + + // AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + // "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + // new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + // under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + // OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to + // provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other + // authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID + // tokens generated by the Supervisor. + // +optional + AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"` } // OIDCClient contains information about an OIDC client (e.g., client ID and client diff --git a/generated/1.20/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.20/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index 5f5be6f3..a187b7ca 100644 --- a/generated/1.20/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.20/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) { *out = *in + if in.AdditionalClaimMappings != nil { + in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } return } 
@@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec) **out = **in } in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig) - out.Claims = in.Claims + in.Claims.DeepCopyInto(&out.Claims) out.Client = in.Client return } diff --git a/generated/1.20/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.20/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 2b91026a..0bc033cc 100644 --- a/generated/1.20/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.20/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -185,6 +185,22 @@ spec: description: Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider. properties: + additionalClaimMappings: + additionalProperties: + type: string + description: AdditionalClaimMappings allows for additional arbitrary + upstream claim values to be mapped into the "additionalClaims" + claim of the ID tokens generated by the Supervisor. This should + be specified as a map of new claim names as the keys, and upstream + claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated + by the Supervisor when this OIDCIdentityProvider was used for + user authentication. This feature is not required for using + the Supervisor to provide authentication for Kubernetes clusters, + but can be used when using the Supervisor for other authentication + purposes. When this map is empty, the "additionalClaims" claim + will be excluded from the ID tokens generated by the Supervisor. + type: object groups: description: Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain diff --git a/generated/1.21/README.adoc b/generated/1.21/README.adoc index 4332b524..89dc643d 100644 --- a/generated/1.21/README.adoc +++ b/generated/1.21/README.adoc 
@@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities. | Field | Description | *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured. | *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token. +| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. |=== diff --git a/generated/1.21/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go b/generated/1.21/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go index 798275a9..5103ae4c 100644 --- a/generated/1.21/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go +++ b/generated/1.21/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go 
@@ -138,6 +138,17 @@ type OIDCClaims struct { // the ID token. // +optional Username string `json:"username"` + + // AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + // "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + // new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + // under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + // OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to + // provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other + // authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID + // tokens generated by the Supervisor. + // +optional + AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"` } // OIDCClient contains information about an OIDC client (e.g., client ID and client diff --git a/generated/1.21/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.21/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index 5f5be6f3..a187b7ca 100644 --- a/generated/1.21/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.21/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) { *out = *in + if in.AdditionalClaimMappings != nil { + in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } return } 
@@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec) **out = **in } in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig) - out.Claims = in.Claims + in.Claims.DeepCopyInto(&out.Claims) out.Client = in.Client return } diff --git a/generated/1.21/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.21/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 2b91026a..0bc033cc 100644 --- a/generated/1.21/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.21/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -185,6 +185,22 @@ spec: description: Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider. properties: + additionalClaimMappings: + additionalProperties: + type: string + description: AdditionalClaimMappings allows for additional arbitrary + upstream claim values to be mapped into the "additionalClaims" + claim of the ID tokens generated by the Supervisor. This should + be specified as a map of new claim names as the keys, and upstream + claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated + by the Supervisor when this OIDCIdentityProvider was used for + user authentication. This feature is not required for using + the Supervisor to provide authentication for Kubernetes clusters, + but can be used when using the Supervisor for other authentication + purposes. When this map is empty, the "additionalClaims" claim + will be excluded from the ID tokens generated by the Supervisor. + type: object groups: description: Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain diff --git a/generated/1.22/README.adoc b/generated/1.22/README.adoc index 2a4bf990..ffe7e3f4 100644 --- a/generated/1.22/README.adoc +++ b/generated/1.22/README.adoc 
@@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities. | Field | Description | *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured. | *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token. +| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. |=== diff --git a/generated/1.22/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go b/generated/1.22/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go index 798275a9..5103ae4c 100644 --- a/generated/1.22/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go +++ b/generated/1.22/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go 
@@ -138,6 +138,17 @@ type OIDCClaims struct { // the ID token. // +optional Username string `json:"username"` + + // AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + // "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + // new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + // under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + // OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to + // provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other + // authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID + // tokens generated by the Supervisor. + // +optional + AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"` } // OIDCClient contains information about an OIDC client (e.g., client ID and client diff --git a/generated/1.22/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.22/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index 5f5be6f3..a187b7ca 100644 --- a/generated/1.22/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.22/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) { *out = *in + if in.AdditionalClaimMappings != nil { + in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } return } 
@@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec) **out = **in } in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig) - out.Claims = in.Claims + in.Claims.DeepCopyInto(&out.Claims) out.Client = in.Client return } diff --git a/generated/1.22/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.22/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 2b91026a..0bc033cc 100644 --- a/generated/1.22/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.22/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -185,6 +185,22 @@ spec: description: Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider. properties: + additionalClaimMappings: + additionalProperties: + type: string + description: AdditionalClaimMappings allows for additional arbitrary + upstream claim values to be mapped into the "additionalClaims" + claim of the ID tokens generated by the Supervisor. This should + be specified as a map of new claim names as the keys, and upstream + claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated + by the Supervisor when this OIDCIdentityProvider was used for + user authentication. This feature is not required for using + the Supervisor to provide authentication for Kubernetes clusters, + but can be used when using the Supervisor for other authentication + purposes. When this map is empty, the "additionalClaims" claim + will be excluded from the ID tokens generated by the Supervisor. + type: object groups: description: Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain diff --git a/generated/1.23/README.adoc b/generated/1.23/README.adoc index 05a0fbe9..ecf4f15d 100644 --- a/generated/1.23/README.adoc +++ b/generated/1.23/README.adoc 
@@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities. | Field | Description | *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured. | *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token. +| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. |=== diff --git a/generated/1.23/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go b/generated/1.23/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go index 798275a9..5103ae4c 100644 --- a/generated/1.23/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go +++ b/generated/1.23/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go 
@@ -138,6 +138,17 @@ type OIDCClaims struct { // the ID token. // +optional Username string `json:"username"` + + // AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + // "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + // new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + // under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + // OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to + // provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other + // authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID + // tokens generated by the Supervisor. + // +optional + AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"` } // OIDCClient contains information about an OIDC client (e.g., client ID and client diff --git a/generated/1.23/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.23/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index 5f5be6f3..a187b7ca 100644 --- a/generated/1.23/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.23/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) { *out = *in + if in.AdditionalClaimMappings != nil { + in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } return } 
@@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec) **out = **in } in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig) - out.Claims = in.Claims + in.Claims.DeepCopyInto(&out.Claims) out.Client = in.Client return } diff --git a/generated/1.23/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.23/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 2b91026a..0bc033cc 100644 --- a/generated/1.23/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.23/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -185,6 +185,22 @@ spec: description: Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider. properties: + additionalClaimMappings: + additionalProperties: + type: string + description: AdditionalClaimMappings allows for additional arbitrary + upstream claim values to be mapped into the "additionalClaims" + claim of the ID tokens generated by the Supervisor. This should + be specified as a map of new claim names as the keys, and upstream + claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated + by the Supervisor when this OIDCIdentityProvider was used for + user authentication. This feature is not required for using + the Supervisor to provide authentication for Kubernetes clusters, + but can be used when using the Supervisor for other authentication + purposes. When this map is empty, the "additionalClaims" claim + will be excluded from the ID tokens generated by the Supervisor. + type: object groups: description: Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain diff --git a/generated/1.24/README.adoc b/generated/1.24/README.adoc index fc9c24c0..c1703f70 100644 --- a/generated/1.24/README.adoc +++ b/generated/1.24/README.adoc 
@@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities. | Field | Description | *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured. | *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token. +| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. |=== diff --git a/generated/1.24/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go b/generated/1.24/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go index 798275a9..5103ae4c 100644 --- a/generated/1.24/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go +++ b/generated/1.24/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go 
@@ -138,6 +138,17 @@ type OIDCClaims struct { // the ID token. // +optional Username string `json:"username"` + + // AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + // "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + // new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + // under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + // OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to + // provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other + // authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID + // tokens generated by the Supervisor. + // +optional + AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"` } // OIDCClient contains information about an OIDC client (e.g., client ID and client diff --git a/generated/1.24/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.24/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index 5f5be6f3..a187b7ca 100644 --- a/generated/1.24/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.24/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) { *out = *in + if in.AdditionalClaimMappings != nil { + in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } return } 
@@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec) **out = **in } in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig) - out.Claims = in.Claims + in.Claims.DeepCopyInto(&out.Claims) out.Client = in.Client return } diff --git a/generated/1.24/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.24/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 2b91026a..0bc033cc 100644 --- a/generated/1.24/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.24/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -185,6 +185,22 @@ spec: description: Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider. properties: + additionalClaimMappings: + additionalProperties: + type: string + description: AdditionalClaimMappings allows for additional arbitrary + upstream claim values to be mapped into the "additionalClaims" + claim of the ID tokens generated by the Supervisor. This should + be specified as a map of new claim names as the keys, and upstream + claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated + by the Supervisor when this OIDCIdentityProvider was used for + user authentication. This feature is not required for using + the Supervisor to provide authentication for Kubernetes clusters, + but can be used when using the Supervisor for other authentication + purposes. When this map is empty, the "additionalClaims" claim + will be excluded from the ID tokens generated by the Supervisor. + type: object groups: description: Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain diff --git a/generated/1.25/README.adoc b/generated/1.25/README.adoc index 683593d3..aa0bcd5b 100644 --- a/generated/1.25/README.adoc +++ b/generated/1.25/README.adoc 
@@ -1387,6 +1387,7 @@ OIDCClaims provides a mapping from upstream claims into identities. | Field | Description | *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured. | *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token. +| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. |=== diff --git a/generated/1.25/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go b/generated/1.25/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go index 798275a9..5103ae4c 100644 --- a/generated/1.25/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go +++ b/generated/1.25/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go 
@@ -138,6 +138,17 @@ type OIDCClaims struct { // the ID token. // +optional Username string `json:"username"` + + // AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + // "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + // new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + // under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + // OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to + // provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other + // authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID + // tokens generated by the Supervisor. + // +optional + AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"` } // OIDCClient contains information about an OIDC client (e.g., client ID and client diff --git a/generated/1.25/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.25/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index 5f5be6f3..a187b7ca 100644 --- a/generated/1.25/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.25/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) { *out = *in + if in.AdditionalClaimMappings != nil { + in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } return } 
@@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec) **out = **in } in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig) - out.Claims = in.Claims + in.Claims.DeepCopyInto(&out.Claims) out.Client = in.Client return } diff --git a/generated/1.25/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.25/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 2b91026a..0bc033cc 100644 --- a/generated/1.25/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.25/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -185,6 +185,22 @@ spec: description: Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider. properties: + additionalClaimMappings: + additionalProperties: + type: string + description: AdditionalClaimMappings allows for additional arbitrary + upstream claim values to be mapped into the "additionalClaims" + claim of the ID tokens generated by the Supervisor. This should + be specified as a map of new claim names as the keys, and upstream + claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated + by the Supervisor when this OIDCIdentityProvider was used for + user authentication. This feature is not required for using + the Supervisor to provide authentication for Kubernetes clusters, + but can be used when using the Supervisor for other authentication + purposes. When this map is empty, the "additionalClaims" claim + will be excluded from the ID tokens generated by the Supervisor. + type: object groups: description: Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain 
diff --git a/generated/latest/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go b/generated/latest/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go index 798275a9..5103ae4c 100644 --- a/generated/latest/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go +++ b/generated/latest/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go @@ -138,6 +138,17 @@ type OIDCClaims struct { // the ID token. // +optional Username string `json:"username"` + + // AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + // "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + // new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + // under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + // OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to + // provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other + // authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID + // tokens generated by the Supervisor. + // +optional + AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"` } // OIDCClient contains information about an OIDC client (e.g., client ID and client diff --git a/generated/latest/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/latest/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index 5f5be6f3..a187b7ca 100644 --- a/generated/latest/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/latest/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go 
@@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) { *out = *in + if in.AdditionalClaimMappings != nil { + in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } return } @@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec) **out = **in } in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig) - out.Claims = in.Claims + in.Claims.DeepCopyInto(&out.Claims) out.Client = in.Client return } diff --git a/hack/prepare-supervisor-on-kind.sh b/hack/prepare-supervisor-on-kind.sh index a56e5970..17dcf33b 100755 --- a/hack/prepare-supervisor-on-kind.sh +++ b/hack/prepare-supervisor-on-kind.sh @@ -156,6 +156,14 @@ spec: claims: username: "$PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_USERNAME_CLAIM" groups: "$PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_GROUPS_CLAIM" + # TODO: This is just an experiment. Don't really want to commit additionalClaimMappings in this file. + additionalClaimMappings: + upstream_sub: sub + upstream_email: email + upstream_email_verified: email_verified + upstream_name: name + upstream_exp: exp + upstream_does_not_exist: foobaz client: secretName: my-oidc-provider-client-secret EOF diff --git a/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go b/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go index e8792c4b..f75aca7b 100644 --- a/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go +++ b/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go 
@@ -215,6 +215,7 @@ func (c *oidcWatcherController) validateUpstream(ctx controllerlib.Context, upst GroupsClaim: upstream.Spec.Claims.Groups, AllowPasswordGrant: authorizationConfig.AllowPasswordGrant, AdditionalAuthcodeParams: additionalAuthcodeAuthorizeParameters, + AdditionalClaimMappings: upstream.Spec.Claims.AdditionalClaimMappings, ResourceUID: upstream.UID, } diff --git a/internal/oidc/auth/auth_handler.go b/internal/oidc/auth/auth_handler.go index 614e8b68..c1fcc35f 100644 --- a/internal/oidc/auth/auth_handler.go +++ b/internal/oidc/auth/auth_handler.go @@ -150,7 +150,7 @@ func handleAuthRequestForLDAPUpstreamCLIFlow( groups := authenticateResponse.User.GetGroups() customSessionData := downstreamsession.MakeDownstreamLDAPOrADCustomSessionData(ldapUpstream, idpType, authenticateResponse, username) openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups, - authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData) + authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData, map[string]interface{}{}) oidc.PerformAuthcodeRedirect(r, w, oauthHelper, authorizeRequester, openIDSession, true) return nil @@ -243,6 +243,8 @@ func handleAuthRequestForOIDCUpstreamPasswordGrant( return nil } + additionalClaims := downstreamsession.MapAdditionalClaimsFromUpstreamIDToken(oidcUpstream, token.IDToken.Claims) + customSessionData, err := downstreamsession.MakeDownstreamOIDCCustomSessionData(oidcUpstream, token, username) if err != nil { oidc.WriteAuthorizeError(r, w, oauthHelper, authorizeRequester, 
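Review bot: The new mapping is copied straight into the provider config at `AdditionalClaimMappings: upstream.Spec.Claims.AdditionalClaimMappings,` with no validation, even though validateUpstream (whose body begins outside this hunk) looks like the place where the rest of the spec is checked. An entry with an empty downstream claim name or an empty upstream claim name would be accepted here and only show up later as a per-login "claim missing" warning; rejecting such entries in the controller would surface the misconfiguration on the OIDCIdentityProvider status instead. The map is also handed over by reference from the cached object rather than copied; presumably nothing downstream mutates it, but a copy at this boundary would make that guarantee explicit.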
@@ -252,7 +254,7 @@ func handleAuthRequestForOIDCUpstreamPasswordGrant( } openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups, - authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData) + authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData, additionalClaims) oidc.PerformAuthcodeRedirect(r, w, oauthHelper, authorizeRequester, openIDSession, true) diff --git a/internal/oidc/callback/callback_handler.go b/internal/oidc/callback/callback_handler.go index d1896bc2..ccededb4 100644 --- a/internal/oidc/callback/callback_handler.go +++ b/internal/oidc/callback/callback_handler.go @@ -74,13 +74,15 @@ func NewHandler( return httperr.Wrap(http.StatusUnprocessableEntity, err.Error(), err) } + additionalClaims := downstreamsession.MapAdditionalClaimsFromUpstreamIDToken(upstreamIDPConfig, token.IDToken.Claims) + customSessionData, err := downstreamsession.MakeDownstreamOIDCCustomSessionData(upstreamIDPConfig, token, username) if err != nil { return httperr.Wrap(http.StatusUnprocessableEntity, err.Error(), err) } openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups, - authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData) + authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData, additionalClaims) authorizeResponder, err := oauthHelper.NewAuthorizeResponse(r.Context(), authorizeRequester, openIDSession) if err != nil { diff --git a/internal/oidc/downstreamsession/downstream_session.go b/internal/oidc/downstreamsession/downstream_session.go index 809a48f4..aeef120a 100644 --- a/internal/oidc/downstreamsession/downstream_session.go +++ b/internal/oidc/downstreamsession/downstream_session.go 
@@ -48,6 +48,7 @@ func MakeDownstreamSession(
 grantedScopes []string,
 clientID string,
 custom *psession.CustomSessionData,
+ additionalClaims map[string]interface{},
 ) *psession.PinnipedSession {
 now := time.Now().UTC()
 openIDSession := &psession.PinnipedSession{
@@ -72,6 +73,9 @@ func MakeDownstreamSession(
 if slices.Contains(grantedScopes, oidcapi.ScopeGroups) {
 extras[oidcapi.IDTokenClaimGroups] = groups
 }
+ if len(additionalClaims) > 0 {
+ extras["additionalClaims"] = additionalClaims
+ }
 openIDSession.IDTokenClaims().Extra = extras
 return openIDSession
@@ -212,6 +216,27 @@ func GetDownstreamIdentityFromUpstreamIDToken(
 return subject, username, groups, err
 }
+// MapAdditionalClaimsFromUpstreamIDToken returns the additionalClaims mapped from the upstream token, if any.
+func MapAdditionalClaimsFromUpstreamIDToken(
+ upstreamIDPConfig provider.UpstreamOIDCIdentityProviderI,
+ idTokenClaims map[string]interface{},
+) map[string]interface{} {
+ mapped := make(map[string]interface{}, len(upstreamIDPConfig.GetAdditionalClaimMappings()))
+ for downstreamClaimName, upstreamClaimName := range upstreamIDPConfig.GetAdditionalClaimMappings() {
+ upstreamClaimValue, ok := idTokenClaims[upstreamClaimName]
+ if !ok {
+ plog.Warning(
+ "additionalClaims mapping claim in upstream ID token missing",
+ "upstreamName", upstreamIDPConfig.GetName(),
+ "claimName", upstreamClaimName,
+ )
+ } else {
+ mapped[downstreamClaimName] = upstreamClaimValue
+ }
+ }
+ return mapped
+}
+
 func getSubjectAndUsernameFromUpstreamIDToken(
 upstreamIDPConfig provider.UpstreamOIDCIdentityProviderI,
 idTokenClaims map[string]interface{},
diff --git a/internal/oidc/login/post_login_handler.go b/internal/oidc/login/post_login_handler.go
index a5a2d04e..fa8ebb39 100644
--- a/internal/oidc/login/post_login_handler.go
+++ b/internal/oidc/login/post_login_handler.go
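Review bot: `extras["additionalClaims"]` is the only claim key in this block spelled as a string literal; the sibling key on the line above comes from `oidcapi.IDTokenClaimGroups`, and this name is also what downstream clients must look up, so it belongs next to the other claim constants, e.g. `extras[oidcapi.IDTokenClaimAdditionalClaims] = additionalClaims` (the constant itself is not added anywhere in this diff). Nesting every mapped value under that one top-level key is what keeps an admin-chosen `downstreamClaimName` from shadowing `sub`, `groups` or another standard claim, which is worth stating in a comment on the `if len(additionalClaims) > 0 {` line so nobody later "flattens" the map for convenience. MakeDownstreamSession starts before this hunk.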
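Review bot: `mapped[downstreamClaimName] = upstreamClaimValue` copies whatever the upstream provider put in the claim — any JSON type, any size, nested objects included — straight into the downstream session and ID token with no type or size bound, so a mapping that points at a large array or object claim inflates every token the Supervisor issues; at minimum the doc comment should say so, e.g. `// Values are copied as-is from the upstream ID token; no type or size restriction is applied.` `GetAdditionalClaimMappings()` is called twice — once for the `make` capacity and once for the `range` — so take `mappings := upstreamIDPConfig.GetAdditionalClaimMappings()` once and use it for both. `plog.Warning` will fire on every login for any user whose upstream token lacks an optionally-present claim, which is noisy for a non-error condition; Debug or Info seems more appropriate, and the message correctly logs only the claim name and never the value.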
@@ -84,7 +84,7 @@ func NewPostHandler(issuerURL string, upstreamIDPs oidc.UpstreamIdentityProvider
 groups := authenticateResponse.User.GetGroups()
 customSessionData := downstreamsession.MakeDownstreamLDAPOrADCustomSessionData(ldapUpstream, idpType, authenticateResponse, username)
 openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups,
- authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData)
+ authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData, map[string]interface{}{})
 oidc.PerformAuthcodeRedirect(r, w, oauthHelper, authorizeRequester, openIDSession, false)
 return nil
diff --git a/internal/oidc/provider/dynamic_upstream_idp_provider.go b/internal/oidc/provider/dynamic_upstream_idp_provider.go
index a5eabea5..6b0c40cb 100644
--- a/internal/oidc/provider/dynamic_upstream_idp_provider.go
+++ b/internal/oidc/provider/dynamic_upstream_idp_provider.go
@@ -61,6 +61,9 @@ type UpstreamOIDCIdentityProviderI interface {
 // GetAdditionalAuthcodeParams returns additional params to be sent on authcode requests.
 GetAdditionalAuthcodeParams() map[string]string
+ // GetAdditionalClaimMappings returns additional claims to be mapped from the upstream ID token.
+ GetAdditionalClaimMappings() map[string]string
+
 // PasswordCredentialsGrantAndValidateTokens performs upstream OIDC resource owner password credentials grant and
 // token validation. Returns the validated raw tokens as well as the parsed claims of the ID token.
 PasswordCredentialsGrantAndValidateTokens(ctx context.Context, username, password string) (*oidctypes.Token, error)
diff --git a/internal/upstreamoidc/upstreamoidc.go b/internal/upstreamoidc/upstreamoidc.go
index dfe31137..af5c682c 100644
--- a/internal/upstreamoidc/upstreamoidc.go
+++ b/internal/upstreamoidc/upstreamoidc.go
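Review bot: The LDAP/AD login path passes `map[string]interface{}{}` purely as a placeholder, and `MakeDownstreamSession` only tests `len(additionalClaims) > 0` (in the downstream_session.go hunk of this diff), so `nil` is behaviourally identical and reads as the explicit "no additional claims for this IDP type" signal: `authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData, nil)`. The same placeholder appears in the LDAP CLI flow in auth_handler.go; whichever form is kept, both call sites should match. The enclosing handler starts before this hunk.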
@@ -43,6 +43,7 @@ type ProviderConfig struct {
 Client *http.Client
 AllowPasswordGrant bool
 AdditionalAuthcodeParams map[string]string
+ AdditionalClaimMappings map[string]string
 RevocationURL *url.URL // will commonly be nil: many providers do not offer this
 Provider interface {
 Verifier(*coreosoidc.Config) *coreosoidc.IDTokenVerifier
@@ -78,6 +79,10 @@ func (p *ProviderConfig) GetAdditionalAuthcodeParams() map[string]string {
 return p.AdditionalAuthcodeParams
 }
+func (p *ProviderConfig) GetAdditionalClaimMappings() map[string]string {
+ return p.AdditionalClaimMappings
+}
+
 func (p *ProviderConfig) GetName() string {
 return p.Name
 }