POC of OIDCIdentityProvider.spec.claims.additionalClaimMappings
Proof-of-concept implementation of a potential new Supervisor feature which allows arbitrary upstream ID token claims to be mapped into a new top-level claim in the ID tokens issued by the Supervisor.
parent: f691baec74
commit: cd17bdb5f7
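As an added illustration of the mapping semantics this commit describes (not Pinniped's own code): a Go sketch that applies an additionalClaimMappings map to an upstream claim set, nests the result under the top-level "additionalClaims" claim, and omits that claim when the map is empty. Skipping a mapping whose upstream claim is absent, and rejecting empty claim names, are assumptions not stated on the page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// validateMappings rejects entries that can never resolve: an empty new claim
// name or an empty upstream claim name. Constructed check, not Pinniped code.
func validateMappings(mappings map[string]string) error {
	for newName, upstreamName := range mappings {
		if strings.TrimSpace(newName) == "" {
			return fmt.Errorf("additionalClaimMappings: empty new claim name")
		}
		if strings.TrimSpace(upstreamName) == "" {
			return fmt.Errorf("additionalClaimMappings: empty upstream claim name for %q", newName)
		}
	}
	return nil
}

// mapAdditionalClaims applies a map of {new claim name: upstream claim name}
// to the upstream claim set and returns the object to nest under the
// top-level "additionalClaims" claim. A nil result means the claim is to be
// omitted, which is what the field documentation requires for an empty map.
// A mapping whose upstream claim is absent is skipped (assumption: the page
// does not specify that behaviour).
func mapAdditionalClaims(mappings map[string]string, upstream map[string]interface{}) map[string]interface{} {
	if len(mappings) == 0 {
		return nil
	}
	out := make(map[string]interface{}, len(mappings))
	for newName, upstreamName := range mappings {
		if v, ok := upstream[upstreamName]; ok {
			out[newName] = v
		}
	}
	if len(out) == 0 {
		return nil
	}
	return out
}

// buildDownstreamClaims assembles the Supervisor-issued ID token claims from
// the already-resolved username and groups plus the additionalClaims object.
// Because mapped values live only under "additionalClaims", a new claim name
// such as "sub" cannot shadow the token's real top-level "sub".
func buildDownstreamClaims(username string, groups []string, additional map[string]interface{}) map[string]interface{} {
	claims := map[string]interface{}{
		"username": username,
		"groups":   groups,
	}
	if additional != nil {
		claims["additionalClaims"] = additional
	}
	return claims
}

func main() {
	// Constructed sample inputs.
	mappings := map[string]string{
		"email":      "email",
		"department": "dept",
		"sub":        "employee_id", // nested, so it cannot collide with the real "sub"
		"manager":    "manager",     // absent upstream: skipped
	}
	upstream := map[string]interface{}{
		"sub":         "upstream-user-123",
		"email":       "alice@example.com",
		"dept":        "security",
		"employee_id": "E-1001",
	}
	if err := validateMappings(mappings); err != nil {
		fmt.Println("invalid:", err)
		return
	}
	claims := buildDownstreamClaims("alice", []string{"admins"}, mapAdditionalClaims(mappings, upstream))
	b, _ := json.MarshalIndent(claims, "", "  ")
	fmt.Println(string(b))
}
```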
@ -138,6 +138,17 @@ type OIDCClaims struct {
|
|||||||
// the ID token.
|
// the ID token.
|
||||||
// +optional
|
// +optional
|
||||||
Username string `json:"username"`
|
Username string `json:"username"`
|
||||||
|
|
||||||
|
// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
|
||||||
|
// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
|
||||||
|
// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
|
||||||
|
// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
|
||||||
|
// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
|
||||||
|
// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
|
||||||
|
// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
|
||||||
|
// tokens generated by the Supervisor.
|
||||||
|
// +optional
|
||||||
|
AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
||||||
|
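Review bot: the AdditionalClaimMappings doc comment leaves two behaviours undocumented that anyone configuring this map needs: which upstream source the values are read from (the neighbouring Username and Groups fields say "ID token claim or userinfo endpoint response claim", this one says only "upstream claim"), and what happens when a mapped upstream claim is absent from the upstream response (silently skipped, emitted as null, or login rejected). Suggest stating both in the comment, for example `// Upstream claims are read from the ID token and userinfo response; a mapping whose upstream claim is absent is skipped.` adjusted to the intended behaviour. Also consider `json:"additionalClaimMappings,omitempty"` so an unset map does not serialize as null, unless this file deliberately avoids omitempty on its other fields.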
@ -185,6 +185,22 @@ spec:
|
|||||||
description: Claims provides the names of token claims that will be
|
description: Claims provides the names of token claims that will be
|
||||||
used when inspecting an identity from this OIDC identity provider.
|
used when inspecting an identity from this OIDC identity provider.
|
||||||
properties:
|
properties:
|
||||||
|
additionalClaimMappings:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: AdditionalClaimMappings allows for additional arbitrary
|
||||||
|
upstream claim values to be mapped into the "additionalClaims"
|
||||||
|
claim of the ID tokens generated by the Supervisor. This should
|
||||||
|
be specified as a map of new claim names as the keys, and upstream
|
||||||
|
claim names as the values. These new claim names will be nested
|
||||||
|
under the top-level "additionalClaims" claim in ID tokens generated
|
||||||
|
by the Supervisor when this OIDCIdentityProvider was used for
|
||||||
|
user authentication. This feature is not required for using
|
||||||
|
the Supervisor to provide authentication for Kubernetes clusters,
|
||||||
|
but can be used when using the Supervisor for other authentication
|
||||||
|
purposes. When this map is empty, the "additionalClaims" claim
|
||||||
|
will be excluded from the ID tokens generated by the Supervisor.
|
||||||
|
type: object
|
||||||
groups:
|
groups:
|
||||||
description: Groups provides the name of the ID token claim or
|
description: Groups provides the name of the ID token claim or
|
||||||
userinfo endpoint response claim that will be used to ascertain
|
userinfo endpoint response claim that will be used to ascertain
|
||||||
|
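Review bot: the generated schema for additionalClaimMappings (`additionalProperties: type: string`, `type: object`) accepts empty-string keys and values, which can never resolve to a claim; if those should be rejected at admission time, add a validation marker on the Go field rather than editing this file, since it is regenerated from the types and any hand edit here would be lost on the next generation run.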
1
generated/1.17/README.adoc
generated
@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
|
|||||||
| Field | Description
|
| Field | Description
|
||||||
| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
|
| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
|
||||||
| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|
| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|
||||||
|
| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
|
||||||
|===
|
|===
|
||||||
|
|
||||||
|
|
||||||
|
@ -138,6 +138,17 @@ type OIDCClaims struct {
|
|||||||
// the ID token.
|
// the ID token.
|
||||||
// +optional
|
// +optional
|
||||||
Username string `json:"username"`
|
Username string `json:"username"`
|
||||||
|
|
||||||
|
// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
|
||||||
|
// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
|
||||||
|
// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
|
||||||
|
// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
|
||||||
|
// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
|
||||||
|
// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
|
||||||
|
// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
|
||||||
|
// tokens generated by the Supervisor.
|
||||||
|
// +optional
|
||||||
|
AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
||||||
|
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
|
|||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
if in.AdditionalClaimMappings != nil {
|
||||||
|
in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
|
||||||
|
*out = make(map[string]string, len(*in))
|
||||||
|
for key, val := range *in {
|
||||||
|
(*out)[key] = val
|
||||||
|
}
|
||||||
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
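Review bot: the added map copy is required, not optional: the `*out = *in` shallow copy on the line above would otherwise leave out.AdditionalClaimMappings aliasing in's map, so a mutation of one copy (for example an object taken from the informer cache) would silently change the other. The nil guard and per-key copy are the standard generated shape; since this file is marked autogenerated, confirm the hunk came from running the generator so the next regeneration does not produce a different diff.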
@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
|
|||||||
**out = **in
|
**out = **in
|
||||||
}
|
}
|
||||||
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
||||||
out.Claims = in.Claims
|
in.Claims.DeepCopyInto(&out.Claims)
|
||||||
out.Client = in.Client
|
out.Client = in.Client
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
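Review bot: replacing `out.Claims = in.Claims` with `in.Claims.DeepCopyInto(&out.Claims)` is the necessary companion to the OIDCClaims change: value assignment sufficed while OIDCClaims held only strings, but now it carries a map. Worth a unit test that calls DeepCopy() on an OIDCIdentityProviderSpec, mutates spec.Claims.AdditionalClaimMappings on the copy, and asserts the original is unchanged; that would catch a regression if the generator is skipped after a later change to this struct.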
@ -185,6 +185,22 @@ spec:
|
|||||||
description: Claims provides the names of token claims that will be
|
description: Claims provides the names of token claims that will be
|
||||||
used when inspecting an identity from this OIDC identity provider.
|
used when inspecting an identity from this OIDC identity provider.
|
||||||
properties:
|
properties:
|
||||||
|
additionalClaimMappings:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: AdditionalClaimMappings allows for additional arbitrary
|
||||||
|
upstream claim values to be mapped into the "additionalClaims"
|
||||||
|
claim of the ID tokens generated by the Supervisor. This should
|
||||||
|
be specified as a map of new claim names as the keys, and upstream
|
||||||
|
claim names as the values. These new claim names will be nested
|
||||||
|
under the top-level "additionalClaims" claim in ID tokens generated
|
||||||
|
by the Supervisor when this OIDCIdentityProvider was used for
|
||||||
|
user authentication. This feature is not required for using
|
||||||
|
the Supervisor to provide authentication for Kubernetes clusters,
|
||||||
|
but can be used when using the Supervisor for other authentication
|
||||||
|
purposes. When this map is empty, the "additionalClaims" claim
|
||||||
|
will be excluded from the ID tokens generated by the Supervisor.
|
||||||
|
type: object
|
||||||
groups:
|
groups:
|
||||||
description: Groups provides the name of the ID token claim or
|
description: Groups provides the name of the ID token claim or
|
||||||
userinfo endpoint response claim that will be used to ascertain
|
userinfo endpoint response claim that will be used to ascertain
|
||||||
|
1
generated/1.18/README.adoc
generated
@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
|
|||||||
| Field | Description
|
| Field | Description
|
||||||
| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
|
| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
|
||||||
| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|
| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|
||||||
|
| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
|
||||||
|===
|
|===
|
||||||
|
|
||||||
|
|
||||||
|
@ -138,6 +138,17 @@ type OIDCClaims struct {
|
|||||||
// the ID token.
|
// the ID token.
|
||||||
// +optional
|
// +optional
|
||||||
Username string `json:"username"`
|
Username string `json:"username"`
|
||||||
|
|
||||||
|
// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
|
||||||
|
// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
|
||||||
|
// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
|
||||||
|
// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
|
||||||
|
// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
|
||||||
|
// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
|
||||||
|
// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
|
||||||
|
// tokens generated by the Supervisor.
|
||||||
|
// +optional
|
||||||
|
AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
||||||
|
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
|
|||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
if in.AdditionalClaimMappings != nil {
|
||||||
|
in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
|
||||||
|
*out = make(map[string]string, len(*in))
|
||||||
|
for key, val := range *in {
|
||||||
|
(*out)[key] = val
|
||||||
|
}
|
||||||
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
|
|||||||
**out = **in
|
**out = **in
|
||||||
}
|
}
|
||||||
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
||||||
out.Claims = in.Claims
|
in.Claims.DeepCopyInto(&out.Claims)
|
||||||
out.Client = in.Client
|
out.Client = in.Client
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -185,6 +185,22 @@ spec:
|
|||||||
description: Claims provides the names of token claims that will be
|
description: Claims provides the names of token claims that will be
|
||||||
used when inspecting an identity from this OIDC identity provider.
|
used when inspecting an identity from this OIDC identity provider.
|
||||||
properties:
|
properties:
|
||||||
|
additionalClaimMappings:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: AdditionalClaimMappings allows for additional arbitrary
|
||||||
|
upstream claim values to be mapped into the "additionalClaims"
|
||||||
|
claim of the ID tokens generated by the Supervisor. This should
|
||||||
|
be specified as a map of new claim names as the keys, and upstream
|
||||||
|
claim names as the values. These new claim names will be nested
|
||||||
|
under the top-level "additionalClaims" claim in ID tokens generated
|
||||||
|
by the Supervisor when this OIDCIdentityProvider was used for
|
||||||
|
user authentication. This feature is not required for using
|
||||||
|
the Supervisor to provide authentication for Kubernetes clusters,
|
||||||
|
but can be used when using the Supervisor for other authentication
|
||||||
|
purposes. When this map is empty, the "additionalClaims" claim
|
||||||
|
will be excluded from the ID tokens generated by the Supervisor.
|
||||||
|
type: object
|
||||||
groups:
|
groups:
|
||||||
description: Groups provides the name of the ID token claim or
|
description: Groups provides the name of the ID token claim or
|
||||||
userinfo endpoint response claim that will be used to ascertain
|
userinfo endpoint response claim that will be used to ascertain
|
||||||
|
1
generated/1.19/README.adoc
generated
@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
|
|||||||
| Field | Description
|
| Field | Description
|
||||||
| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
|
| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
|
||||||
| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|
| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|
||||||
|
| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
|
||||||
|===
|
|===
|
||||||
|
|
||||||
|
|
||||||
|
@ -138,6 +138,17 @@ type OIDCClaims struct {
|
|||||||
// the ID token.
|
// the ID token.
|
||||||
// +optional
|
// +optional
|
||||||
Username string `json:"username"`
|
Username string `json:"username"`
|
||||||
|
|
||||||
|
// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
|
||||||
|
// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
|
||||||
|
// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
|
||||||
|
// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
|
||||||
|
// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
|
||||||
|
// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
|
||||||
|
// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
|
||||||
|
// tokens generated by the Supervisor.
|
||||||
|
// +optional
|
||||||
|
AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
||||||
|
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
|
|||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
if in.AdditionalClaimMappings != nil {
|
||||||
|
in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
|
||||||
|
*out = make(map[string]string, len(*in))
|
||||||
|
for key, val := range *in {
|
||||||
|
(*out)[key] = val
|
||||||
|
}
|
||||||
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
|
|||||||
**out = **in
|
**out = **in
|
||||||
}
|
}
|
||||||
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
||||||
out.Claims = in.Claims
|
in.Claims.DeepCopyInto(&out.Claims)
|
||||||
out.Client = in.Client
|
out.Client = in.Client
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -185,6 +185,22 @@ spec:
|
|||||||
description: Claims provides the names of token claims that will be
|
description: Claims provides the names of token claims that will be
|
||||||
used when inspecting an identity from this OIDC identity provider.
|
used when inspecting an identity from this OIDC identity provider.
|
||||||
properties:
|
properties:
|
||||||
|
additionalClaimMappings:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: AdditionalClaimMappings allows for additional arbitrary
|
||||||
|
upstream claim values to be mapped into the "additionalClaims"
|
||||||
|
claim of the ID tokens generated by the Supervisor. This should
|
||||||
|
be specified as a map of new claim names as the keys, and upstream
|
||||||
|
claim names as the values. These new claim names will be nested
|
||||||
|
under the top-level "additionalClaims" claim in ID tokens generated
|
||||||
|
by the Supervisor when this OIDCIdentityProvider was used for
|
||||||
|
user authentication. This feature is not required for using
|
||||||
|
the Supervisor to provide authentication for Kubernetes clusters,
|
||||||
|
but can be used when using the Supervisor for other authentication
|
||||||
|
purposes. When this map is empty, the "additionalClaims" claim
|
||||||
|
will be excluded from the ID tokens generated by the Supervisor.
|
||||||
|
type: object
|
||||||
groups:
|
groups:
|
||||||
description: Groups provides the name of the ID token claim or
|
description: Groups provides the name of the ID token claim or
|
||||||
userinfo endpoint response claim that will be used to ascertain
|
userinfo endpoint response claim that will be used to ascertain
|
||||||
|
1
generated/1.20/README.adoc
generated
@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
|
|||||||
| Field | Description
|
| Field | Description
|
||||||
| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
|
| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
|
||||||
| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|
| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|
||||||
|
| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
|
||||||
|===
|
|===
|
||||||
|
|
||||||
|
|
||||||
|
@ -138,6 +138,17 @@ type OIDCClaims struct {
|
|||||||
// the ID token.
|
// the ID token.
|
||||||
// +optional
|
// +optional
|
||||||
Username string `json:"username"`
|
Username string `json:"username"`
|
||||||
|
|
||||||
|
// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
|
||||||
|
// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
|
||||||
|
// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
|
||||||
|
// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
|
||||||
|
// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
|
||||||
|
// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
|
||||||
|
// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
|
||||||
|
// tokens generated by the Supervisor.
|
||||||
|
// +optional
|
||||||
|
AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
||||||
|
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
|
|||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
if in.AdditionalClaimMappings != nil {
|
||||||
|
in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
|
||||||
|
*out = make(map[string]string, len(*in))
|
||||||
|
for key, val := range *in {
|
||||||
|
(*out)[key] = val
|
||||||
|
}
|
||||||
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
|
|||||||
**out = **in
|
**out = **in
|
||||||
}
|
}
|
||||||
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
||||||
out.Claims = in.Claims
|
in.Claims.DeepCopyInto(&out.Claims)
|
||||||
out.Client = in.Client
|
out.Client = in.Client
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -185,6 +185,22 @@ spec:
|
|||||||
description: Claims provides the names of token claims that will be
|
description: Claims provides the names of token claims that will be
|
||||||
used when inspecting an identity from this OIDC identity provider.
|
used when inspecting an identity from this OIDC identity provider.
|
||||||
properties:
|
properties:
|
||||||
|
additionalClaimMappings:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: AdditionalClaimMappings allows for additional arbitrary
|
||||||
|
upstream claim values to be mapped into the "additionalClaims"
|
||||||
|
claim of the ID tokens generated by the Supervisor. This should
|
||||||
|
be specified as a map of new claim names as the keys, and upstream
|
||||||
|
claim names as the values. These new claim names will be nested
|
||||||
|
under the top-level "additionalClaims" claim in ID tokens generated
|
||||||
|
by the Supervisor when this OIDCIdentityProvider was used for
|
||||||
|
user authentication. This feature is not required for using
|
||||||
|
the Supervisor to provide authentication for Kubernetes clusters,
|
||||||
|
but can be used when using the Supervisor for other authentication
|
||||||
|
purposes. When this map is empty, the "additionalClaims" claim
|
||||||
|
will be excluded from the ID tokens generated by the Supervisor.
|
||||||
|
type: object
|
||||||
groups:
|
groups:
|
||||||
description: Groups provides the name of the ID token claim or
|
description: Groups provides the name of the ID token claim or
|
||||||
userinfo endpoint response claim that will be used to ascertain
|
userinfo endpoint response claim that will be used to ascertain
|
||||||
|
1
generated/1.21/README.adoc
generated
@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
|
|||||||
| Field | Description
|
| Field | Description
|
||||||
| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
|
| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
|
||||||
| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|
| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|
||||||
|
| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
|
||||||
|===
|
|===
|
||||||
|
|
||||||
|
|
||||||
|
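Review bot: the description's only statement of mapping direction, "new claim names as the keys, and upstream claim names as the values", is easy to read backwards once it is flattened into this generated table; add a one-line illustrative example to the source comment (something like `additionalClaimMappings: {email: mail}`, meaning the upstream `mail` claim is emitted as `additionalClaims.email`, with the claim names here being hypothetical) so the README and CRD descriptions carry it too.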
@ -138,6 +138,17 @@ type OIDCClaims struct {
|
|||||||
// the ID token.
|
// the ID token.
|
||||||
// +optional
|
// +optional
|
||||||
Username string `json:"username"`
|
Username string `json:"username"`
|
||||||
|
|
||||||
|
// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
|
||||||
|
// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
|
||||||
|
// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
|
||||||
|
// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
|
||||||
|
// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
|
||||||
|
// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
|
||||||
|
// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
|
||||||
|
// tokens generated by the Supervisor.
|
||||||
|
// +optional
|
||||||
|
AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
||||||
|
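Review bot: the new comment says "upstream claim values" without saying where they are read from, while the neighbouring Username and Groups comments explicitly say "ID token claim or userinfo endpoint response claim"; state whether the lookup covers the upstream ID token, the userinfo response, or both, and which source wins when both carry the claim. The comment also leaves two behaviours undefined that an admin needs before relying on this: what happens when a mapped upstream claim is absent from the upstream response (key omitted, emitted as null, or authentication rejected), and whether non-string values such as arrays or objects are copied through unchanged, since the schema only constrains the mapping's own keys and values to strings, not the claim values that end up in the issued token. A sentence on each, placed after "upstream claim names as the values.", would settle both.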
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
|
|||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
if in.AdditionalClaimMappings != nil {
|
||||||
|
in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
|
||||||
|
*out = make(map[string]string, len(*in))
|
||||||
|
for key, val := range *in {
|
||||||
|
(*out)[key] = val
|
||||||
|
}
|
||||||
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
|
|||||||
**out = **in
|
**out = **in
|
||||||
}
|
}
|
||||||
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
||||||
out.Claims = in.Claims
|
in.Claims.DeepCopyInto(&out.Claims)
|
||||||
out.Client = in.Client
|
out.Client = in.Client
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -185,6 +185,22 @@ spec:
|
|||||||
description: Claims provides the names of token claims that will be
|
description: Claims provides the names of token claims that will be
|
||||||
used when inspecting an identity from this OIDC identity provider.
|
used when inspecting an identity from this OIDC identity provider.
|
||||||
properties:
|
properties:
|
||||||
|
additionalClaimMappings:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: AdditionalClaimMappings allows for additional arbitrary
|
||||||
|
upstream claim values to be mapped into the "additionalClaims"
|
||||||
|
claim of the ID tokens generated by the Supervisor. This should
|
||||||
|
be specified as a map of new claim names as the keys, and upstream
|
||||||
|
claim names as the values. These new claim names will be nested
|
||||||
|
under the top-level "additionalClaims" claim in ID tokens generated
|
||||||
|
by the Supervisor when this OIDCIdentityProvider was used for
|
||||||
|
user authentication. This feature is not required for using
|
||||||
|
the Supervisor to provide authentication for Kubernetes clusters,
|
||||||
|
but can be used when using the Supervisor for other authentication
|
||||||
|
purposes. When this map is empty, the "additionalClaims" claim
|
||||||
|
will be excluded from the ID tokens generated by the Supervisor.
|
||||||
|
type: object
|
||||||
groups:
|
groups:
|
||||||
description: Groups provides the name of the ID token claim or
|
description: Groups provides the name of the ID token claim or
|
||||||
userinfo endpoint response claim that will be used to ascertain
|
userinfo endpoint response claim that will be used to ascertain
|
||||||
|
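Review bot: the description should carry an explicit warning that every mapped value is copied verbatim into ID tokens the Supervisor issues, that is, into a token that leaves the Supervisor and is readable by whichever client obtained it; "arbitrary upstream claim values" makes it easy to map something the upstream provider treats as internal (an employee number, a phone number, a raw group list) without noticing that it is now disclosed to any relying party of this issuer. Suggest adding a sentence along the lines of "Only map claims that are safe to expose to every client of this Supervisor" to the source comment so that it propagates into this generated description.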
1
generated/1.22/README.adoc
generated
@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
|
|||||||
| Field | Description
|
| Field | Description
|
||||||
| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
|
| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
|
||||||
| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|
| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|
||||||
|
| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
|
||||||
|===
|
|===
|
||||||
|
|
||||||
|
|
||||||
|
@ -138,6 +138,17 @@ type OIDCClaims struct {
|
|||||||
// the ID token.
|
// the ID token.
|
||||||
// +optional
|
// +optional
|
||||||
Username string `json:"username"`
|
Username string `json:"username"`
|
||||||
|
|
||||||
|
// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
|
||||||
|
// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
|
||||||
|
// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
|
||||||
|
// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
|
||||||
|
// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
|
||||||
|
// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
|
||||||
|
// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
|
||||||
|
// tokens generated by the Supervisor.
|
||||||
|
// +optional
|
||||||
|
AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
||||||
|
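Review bot: this copy, and the generated/1.23, generated/1.24 and generated/1.25 copies that follow, are byte-identical to the generated/1.21 hunk; the wording and validation comments raised there apply here unchanged and should be fixed once in the source type and regenerated, since a hand edit to any of these files would be lost on the next generation run.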
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
|
|||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
if in.AdditionalClaimMappings != nil {
|
||||||
|
in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
|
||||||
|
*out = make(map[string]string, len(*in))
|
||||||
|
for key, val := range *in {
|
||||||
|
(*out)[key] = val
|
||||||
|
}
|
||||||
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
|
|||||||
**out = **in
|
**out = **in
|
||||||
}
|
}
|
||||||
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
||||||
out.Claims = in.Claims
|
in.Claims.DeepCopyInto(&out.Claims)
|
||||||
out.Client = in.Client
|
out.Client = in.Client
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -185,6 +185,22 @@ spec:
|
|||||||
description: Claims provides the names of token claims that will be
|
description: Claims provides the names of token claims that will be
|
||||||
used when inspecting an identity from this OIDC identity provider.
|
used when inspecting an identity from this OIDC identity provider.
|
||||||
properties:
|
properties:
|
||||||
|
additionalClaimMappings:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: AdditionalClaimMappings allows for additional arbitrary
|
||||||
|
upstream claim values to be mapped into the "additionalClaims"
|
||||||
|
claim of the ID tokens generated by the Supervisor. This should
|
||||||
|
be specified as a map of new claim names as the keys, and upstream
|
||||||
|
claim names as the values. These new claim names will be nested
|
||||||
|
under the top-level "additionalClaims" claim in ID tokens generated
|
||||||
|
by the Supervisor when this OIDCIdentityProvider was used for
|
||||||
|
user authentication. This feature is not required for using
|
||||||
|
the Supervisor to provide authentication for Kubernetes clusters,
|
||||||
|
but can be used when using the Supervisor for other authentication
|
||||||
|
purposes. When this map is empty, the "additionalClaims" claim
|
||||||
|
will be excluded from the ID tokens generated by the Supervisor.
|
||||||
|
type: object
|
||||||
groups:
|
groups:
|
||||||
description: Groups provides the name of the ID token claim or
|
description: Groups provides the name of the ID token claim or
|
||||||
userinfo endpoint response claim that will be used to ascertain
|
userinfo endpoint response claim that will be used to ascertain
|
||||||
|
1
generated/1.23/README.adoc
generated
@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
|
|||||||
| Field | Description
|
| Field | Description
|
||||||
| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
|
| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
|
||||||
| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|
| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|
||||||
|
| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
|
||||||
|===
|
|===
|
||||||
|
|
||||||
|
|
||||||
|
@ -138,6 +138,17 @@ type OIDCClaims struct {
|
|||||||
// the ID token.
|
// the ID token.
|
||||||
// +optional
|
// +optional
|
||||||
Username string `json:"username"`
|
Username string `json:"username"`
|
||||||
|
|
||||||
|
// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
|
||||||
|
// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
|
||||||
|
// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
|
||||||
|
// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
|
||||||
|
// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
|
||||||
|
// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
|
||||||
|
// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
|
||||||
|
// tokens generated by the Supervisor.
|
||||||
|
// +optional
|
||||||
|
AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
||||||
|
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
|
|||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
if in.AdditionalClaimMappings != nil {
|
||||||
|
in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
|
||||||
|
*out = make(map[string]string, len(*in))
|
||||||
|
for key, val := range *in {
|
||||||
|
(*out)[key] = val
|
||||||
|
}
|
||||||
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
|
|||||||
**out = **in
|
**out = **in
|
||||||
}
|
}
|
||||||
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
||||||
out.Claims = in.Claims
|
in.Claims.DeepCopyInto(&out.Claims)
|
||||||
out.Client = in.Client
|
out.Client = in.Client
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -185,6 +185,22 @@ spec:
|
|||||||
description: Claims provides the names of token claims that will be
|
description: Claims provides the names of token claims that will be
|
||||||
used when inspecting an identity from this OIDC identity provider.
|
used when inspecting an identity from this OIDC identity provider.
|
||||||
properties:
|
properties:
|
||||||
|
additionalClaimMappings:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: AdditionalClaimMappings allows for additional arbitrary
|
||||||
|
upstream claim values to be mapped into the "additionalClaims"
|
||||||
|
claim of the ID tokens generated by the Supervisor. This should
|
||||||
|
be specified as a map of new claim names as the keys, and upstream
|
||||||
|
claim names as the values. These new claim names will be nested
|
||||||
|
under the top-level "additionalClaims" claim in ID tokens generated
|
||||||
|
by the Supervisor when this OIDCIdentityProvider was used for
|
||||||
|
user authentication. This feature is not required for using
|
||||||
|
the Supervisor to provide authentication for Kubernetes clusters,
|
||||||
|
but can be used when using the Supervisor for other authentication
|
||||||
|
purposes. When this map is empty, the "additionalClaims" claim
|
||||||
|
will be excluded from the ID tokens generated by the Supervisor.
|
||||||
|
type: object
|
||||||
groups:
|
groups:
|
||||||
description: Groups provides the name of the ID token claim or
|
description: Groups provides the name of the ID token claim or
|
||||||
userinfo endpoint response claim that will be used to ascertain
|
userinfo endpoint response claim that will be used to ascertain
|
||||||
|
1
generated/1.24/README.adoc
generated
@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
|
|||||||
| Field | Description
|
| Field | Description
|
||||||
| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
|
| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
|
||||||
| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|
| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|
||||||
|
| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
|
||||||
|===
|
|===
|
||||||
|
|
||||||
|
|
||||||
|
@ -138,6 +138,17 @@ type OIDCClaims struct {
|
|||||||
// the ID token.
|
// the ID token.
|
||||||
// +optional
|
// +optional
|
||||||
Username string `json:"username"`
|
Username string `json:"username"`
|
||||||
|
|
||||||
|
// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
|
||||||
|
// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
|
||||||
|
// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
|
||||||
|
// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
|
||||||
|
// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
|
||||||
|
// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
|
||||||
|
// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
|
||||||
|
// tokens generated by the Supervisor.
|
||||||
|
// +optional
|
||||||
|
AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
||||||
|
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
|
|||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
if in.AdditionalClaimMappings != nil {
|
||||||
|
in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
|
||||||
|
*out = make(map[string]string, len(*in))
|
||||||
|
for key, val := range *in {
|
||||||
|
(*out)[key] = val
|
||||||
|
}
|
||||||
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
|
|||||||
**out = **in
|
**out = **in
|
||||||
}
|
}
|
||||||
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
||||||
out.Claims = in.Claims
|
in.Claims.DeepCopyInto(&out.Claims)
|
||||||
out.Client = in.Client
|
out.Client = in.Client
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -185,6 +185,22 @@ spec:
|
|||||||
description: Claims provides the names of token claims that will be
|
description: Claims provides the names of token claims that will be
|
||||||
used when inspecting an identity from this OIDC identity provider.
|
used when inspecting an identity from this OIDC identity provider.
|
||||||
properties:
|
properties:
|
||||||
|
additionalClaimMappings:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: AdditionalClaimMappings allows for additional arbitrary
|
||||||
|
upstream claim values to be mapped into the "additionalClaims"
|
||||||
|
claim of the ID tokens generated by the Supervisor. This should
|
||||||
|
be specified as a map of new claim names as the keys, and upstream
|
||||||
|
claim names as the values. These new claim names will be nested
|
||||||
|
under the top-level "additionalClaims" claim in ID tokens generated
|
||||||
|
by the Supervisor when this OIDCIdentityProvider was used for
|
||||||
|
user authentication. This feature is not required for using
|
||||||
|
the Supervisor to provide authentication for Kubernetes clusters,
|
||||||
|
but can be used when using the Supervisor for other authentication
|
||||||
|
purposes. When this map is empty, the "additionalClaims" claim
|
||||||
|
will be excluded from the ID tokens generated by the Supervisor.
|
||||||
|
type: object
|
||||||
groups:
|
groups:
|
||||||
description: Groups provides the name of the ID token claim or
|
description: Groups provides the name of the ID token claim or
|
||||||
userinfo endpoint response claim that will be used to ascertain
|
userinfo endpoint response claim that will be used to ascertain
|
||||||
|
1
generated/1.25/README.adoc
generated
@ -1387,6 +1387,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
|
|||||||
| Field | Description
|
| Field | Description
|
||||||
| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
|
| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
|
||||||
| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|
| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|
||||||
|
| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
|
||||||
|===
|
|===
|
||||||
|
|
||||||
|
|
||||||
|
@ -138,6 +138,17 @@ type OIDCClaims struct {
|
|||||||
// the ID token.
|
// the ID token.
|
||||||
// +optional
|
// +optional
|
||||||
Username string `json:"username"`
|
Username string `json:"username"`
|
||||||
|
|
||||||
|
// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
|
||||||
|
// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
|
||||||
|
// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
|
||||||
|
// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
|
||||||
|
// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
|
||||||
|
// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
|
||||||
|
// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
|
||||||
|
// tokens generated by the Supervisor.
|
||||||
|
// +optional
|
||||||
|
AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
||||||
|
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
|
|||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
if in.AdditionalClaimMappings != nil {
|
||||||
|
in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
|
||||||
|
*out = make(map[string]string, len(*in))
|
||||||
|
for key, val := range *in {
|
||||||
|
(*out)[key] = val
|
||||||
|
}
|
||||||
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
|
|||||||
**out = **in
|
**out = **in
|
||||||
}
|
}
|
||||||
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
||||||
out.Claims = in.Claims
|
in.Claims.DeepCopyInto(&out.Claims)
|
||||||
out.Client = in.Client
|
out.Client = in.Client
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -185,6 +185,22 @@ spec:
|
|||||||
description: Claims provides the names of token claims that will be
|
description: Claims provides the names of token claims that will be
|
||||||
used when inspecting an identity from this OIDC identity provider.
|
used when inspecting an identity from this OIDC identity provider.
|
||||||
properties:
|
properties:
|
||||||
|
additionalClaimMappings:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: AdditionalClaimMappings allows for additional arbitrary
|
||||||
|
upstream claim values to be mapped into the "additionalClaims"
|
||||||
|
claim of the ID tokens generated by the Supervisor. This should
|
||||||
|
be specified as a map of new claim names as the keys, and upstream
|
||||||
|
claim names as the values. These new claim names will be nested
|
||||||
|
under the top-level "additionalClaims" claim in ID tokens generated
|
||||||
|
by the Supervisor when this OIDCIdentityProvider was used for
|
||||||
|
user authentication. This feature is not required for using
|
||||||
|
the Supervisor to provide authentication for Kubernetes clusters,
|
||||||
|
but can be used when using the Supervisor for other authentication
|
||||||
|
purposes. When this map is empty, the "additionalClaims" claim
|
||||||
|
will be excluded from the ID tokens generated by the Supervisor.
|
||||||
|
type: object
|
||||||
groups:
|
groups:
|
||||||
description: Groups provides the name of the ID token claim or
|
description: Groups provides the name of the ID token claim or
|
||||||
userinfo endpoint response claim that will be used to ascertain
|
userinfo endpoint response claim that will be used to ascertain
|
||||||
|
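Review bot: the schema places no constraints on the additionalClaimMappings keys or values, so an empty key or an empty upstream claim name validates at apply time and only fails, quietly, at login. The CRD description is generated from the Go field comment, so wording changes belong in the types file, and non-empty key/value validation belongs in the controller where it can be surfaced as a status condition. The description should also say that values are read from the upstream ID token only; the groups description that follows in this hunk explicitly mentions "ID token claim or userinfo endpoint response claim", and readers will assume the same two sources apply here.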
@ -138,6 +138,17 @@ type OIDCClaims struct {
|
|||||||
// the ID token.
|
// the ID token.
|
||||||
// +optional
|
// +optional
|
||||||
Username string `json:"username"`
|
Username string `json:"username"`
|
||||||
|
|
||||||
|
// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
|
||||||
|
// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
|
||||||
|
// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
|
||||||
|
// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
|
||||||
|
// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
|
||||||
|
// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
|
||||||
|
// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
|
||||||
|
// tokens generated by the Supervisor.
|
||||||
|
// +optional
|
||||||
|
AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
||||||
|
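Review bot: the field comment should state where the values come from and what they can contain. The mapping reads upstream claims from the ID token only, not the userinfo response that the groups lookup may also consult, and values are copied without transformation, so nested objects and arrays land verbatim in Supervisor-issued ID tokens. It should also say that the mapped claims are issued to every downstream client regardless of requested scopes, which is not how `groups` behaves. A sentence such as `// Values are taken from the upstream ID token only and are copied without transformation.` after the first sentence would cover the first point; the scope behaviour needs a sentence of its own, and the controller should reject empty keys or values since the field has no validation markers.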
@ -156,6 +156,14 @@ spec:
|
|||||||
claims:
|
claims:
|
||||||
username: "$PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_USERNAME_CLAIM"
|
username: "$PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_USERNAME_CLAIM"
|
||||||
groups: "$PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_GROUPS_CLAIM"
|
groups: "$PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_GROUPS_CLAIM"
|
||||||
|
# TODO: This is just an experiment. Don't really want to commit additionalClaimMappings in this file.
|
||||||
|
additionalClaimMappings:
|
||||||
|
upstream_sub: sub
|
||||||
|
upstream_email: email
|
||||||
|
upstream_email_verified: email_verified
|
||||||
|
upstream_name: name
|
||||||
|
upstream_exp: exp
|
||||||
|
upstream_does_not_exist: foobaz
|
||||||
client:
|
client:
|
||||||
secretName: my-oidc-provider-client-secret
|
secretName: my-oidc-provider-client-secret
|
||||||
EOF
|
EOF
|
||||||
|
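Review bot: agreeing with the TODO, this block should not land in the deploy template; the six mappings are integration-test fixtures and belong in the test that asserts on the issued ID token. Two of them deserve explicit assertions rather than incidental coverage: `upstream_exp: exp` copies the upstream token's expiry into the downstream token, which a consumer could confuse with the Supervisor's own `exp`, and `upstream_does_not_exist: foobaz` exercises the missing-claim branch, so the test should assert that the key is absent from `additionalClaims` rather than present with a null value.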
@ -215,6 +215,7 @@ func (c *oidcWatcherController) validateUpstream(ctx controllerlib.Context, upst
|
|||||||
GroupsClaim: upstream.Spec.Claims.Groups,
|
GroupsClaim: upstream.Spec.Claims.Groups,
|
||||||
AllowPasswordGrant: authorizationConfig.AllowPasswordGrant,
|
AllowPasswordGrant: authorizationConfig.AllowPasswordGrant,
|
||||||
AdditionalAuthcodeParams: additionalAuthcodeAuthorizeParameters,
|
AdditionalAuthcodeParams: additionalAuthcodeAuthorizeParameters,
|
||||||
|
AdditionalClaimMappings: upstream.Spec.Claims.AdditionalClaimMappings,
|
||||||
ResourceUID: upstream.UID,
|
ResourceUID: upstream.UID,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
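Review bot: `upstream.Spec.Claims.AdditionalClaimMappings` is handed to the provider config unvalidated, so empty keys or empty upstream claim names are accepted here and only show up as per-login warnings later. Since validateUpstream is where the rest of the spec is checked, add a check that every key and value is non-empty and report failures through the resource's status conditions. Passing the map by reference also means the provider shares the informer's copy of the object; that is fine while it is only read, but a defensive copy would make the read-only expectation explicit.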
@ -150,7 +150,7 @@ func handleAuthRequestForLDAPUpstreamCLIFlow(
|
|||||||
groups := authenticateResponse.User.GetGroups()
|
groups := authenticateResponse.User.GetGroups()
|
||||||
customSessionData := downstreamsession.MakeDownstreamLDAPOrADCustomSessionData(ldapUpstream, idpType, authenticateResponse, username)
|
customSessionData := downstreamsession.MakeDownstreamLDAPOrADCustomSessionData(ldapUpstream, idpType, authenticateResponse, username)
|
||||||
openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups,
|
openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups,
|
||||||
authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData)
|
authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData, map[string]interface{}{})
|
||||||
oidc.PerformAuthcodeRedirect(r, w, oauthHelper, authorizeRequester, openIDSession, true)
|
oidc.PerformAuthcodeRedirect(r, w, oauthHelper, authorizeRequester, openIDSession, true)
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
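Review bot: the LDAP CLI flow passes an empty `map[string]interface{}{}` where `nil` would do; MakeDownstreamSession only checks `len(additionalClaims) > 0`, which is zero for a nil map, so `nil` states the intent (LDAP/AD upstreams have no mapping) and avoids an allocation. The same applies to the identical call in the NewPostHandler hunk further down.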
@ -243,6 +243,8 @@ func handleAuthRequestForOIDCUpstreamPasswordGrant(
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
additionalClaims := downstreamsession.MapAdditionalClaimsFromUpstreamIDToken(oidcUpstream, token.IDToken.Claims)
|
||||||
|
|
||||||
customSessionData, err := downstreamsession.MakeDownstreamOIDCCustomSessionData(oidcUpstream, token, username)
|
customSessionData, err := downstreamsession.MakeDownstreamOIDCCustomSessionData(oidcUpstream, token, username)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
oidc.WriteAuthorizeError(r, w, oauthHelper, authorizeRequester,
|
oidc.WriteAuthorizeError(r, w, oauthHelper, authorizeRequester,
|
||||||
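Review bot: additionalClaims is computed from `token.IDToken.Claims` at login and stored in the session, but nothing in this diff touches the refresh path, so it is unclear whether a refreshed Supervisor ID token re-maps the claims from the fresh upstream ID token or re-emits the values captured at login. Either is defensible, but it should be decided and covered by a test; a value such as `email_verified` from the test fixture can change between logins.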
@ -252,7 +254,7 @@ func handleAuthRequestForOIDCUpstreamPasswordGrant(
|
|||||||
}
|
}
|
||||||
|
|
||||||
openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups,
|
openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups,
|
||||||
authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData)
|
authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData, additionalClaims)
|
||||||
|
|
||||||
oidc.PerformAuthcodeRedirect(r, w, oauthHelper, authorizeRequester, openIDSession, true)
|
oidc.PerformAuthcodeRedirect(r, w, oauthHelper, authorizeRequester, openIDSession, true)
|
||||||
|
|
||||||
|
@ -74,13 +74,15 @@ func NewHandler(
|
|||||||
return httperr.Wrap(http.StatusUnprocessableEntity, err.Error(), err)
|
return httperr.Wrap(http.StatusUnprocessableEntity, err.Error(), err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
additionalClaims := downstreamsession.MapAdditionalClaimsFromUpstreamIDToken(upstreamIDPConfig, token.IDToken.Claims)
|
||||||
|
|
||||||
customSessionData, err := downstreamsession.MakeDownstreamOIDCCustomSessionData(upstreamIDPConfig, token, username)
|
customSessionData, err := downstreamsession.MakeDownstreamOIDCCustomSessionData(upstreamIDPConfig, token, username)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return httperr.Wrap(http.StatusUnprocessableEntity, err.Error(), err)
|
return httperr.Wrap(http.StatusUnprocessableEntity, err.Error(), err)
|
||||||
}
|
}
|
||||||
|
|
||||||
openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups,
|
openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups,
|
||||||
authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData)
|
authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData, additionalClaims)
|
||||||
|
|
||||||
authorizeResponder, err := oauthHelper.NewAuthorizeResponse(r.Context(), authorizeRequester, openIDSession)
|
authorizeResponder, err := oauthHelper.NewAuthorizeResponse(r.Context(), authorizeRequester, openIDSession)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
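Review bot: same pattern as the password-grant hunk, with one extra concern for the browser flow: the mapped values are stored in the session by MakeDownstreamSession and then serialized into every ID token, so an upstream claim that is large or deeply nested (a provider's full group list, or an object-valued claim) inflates both the stored session and the JWT. Consider a size cap or a rule that only scalar values are mapped, and document the behaviour either way.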
@ -48,6 +48,7 @@ func MakeDownstreamSession(
|
|||||||
grantedScopes []string,
|
grantedScopes []string,
|
||||||
clientID string,
|
clientID string,
|
||||||
custom *psession.CustomSessionData,
|
custom *psession.CustomSessionData,
|
||||||
|
additionalClaims map[string]interface{},
|
||||||
) *psession.PinnipedSession {
|
) *psession.PinnipedSession {
|
||||||
now := time.Now().UTC()
|
now := time.Now().UTC()
|
||||||
openIDSession := &psession.PinnipedSession{
|
openIDSession := &psession.PinnipedSession{
|
||||||
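Review bot: the new positional `additionalClaims map[string]interface{}` parameter has no doc comment, and two of the five call sites in this diff have nothing to pass. Document on the function that nil is acceptable and means "no additional claims", so those callers can pass `nil` instead of an empty literal, and so that the nil-handling contract is stated in one place rather than implied by the `len()` check in the body.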
@ -72,6 +73,9 @@ func MakeDownstreamSession(
|
|||||||
if slices.Contains(grantedScopes, oidcapi.ScopeGroups) {
|
if slices.Contains(grantedScopes, oidcapi.ScopeGroups) {
|
||||||
extras[oidcapi.IDTokenClaimGroups] = groups
|
extras[oidcapi.IDTokenClaimGroups] = groups
|
||||||
}
|
}
|
||||||
|
if len(additionalClaims) > 0 {
|
||||||
|
extras["additionalClaims"] = additionalClaims
|
||||||
|
}
|
||||||
openIDSession.IDTokenClaims().Extra = extras
|
openIDSession.IDTokenClaims().Extra = extras
|
||||||
|
|
||||||
return openIDSession
|
return openIDSession
|
||||||
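Review bot: the `additionalClaims` claim is added to extras unconditionally, whereas the neighbouring `groups` claim is gated on `oidcapi.ScopeGroups` being granted. With this, every downstream client that authenticates via the OIDCIdentityProvider receives whatever the administrator mapped (email and name in the test fixture) with no way for a client to opt out or for an admin to limit it per client; decide whether this should require a dedicated scope before it leaves proof-of-concept status. Separately, `"additionalClaims"` is a bare string literal here and in the field docs; a constant next to `oidcapi.IDTokenClaimGroups` (for example `IDTokenClaimAdditionalClaims`) would define the name once.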
@ -212,6 +216,27 @@ func GetDownstreamIdentityFromUpstreamIDToken(
|
|||||||
return subject, username, groups, err
|
return subject, username, groups, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// MapAdditionalClaimsFromUpstreamIDToken returns the additionalClaims mapped from the upstream token, if any.
|
||||||
|
func MapAdditionalClaimsFromUpstreamIDToken(
|
||||||
|
upstreamIDPConfig provider.UpstreamOIDCIdentityProviderI,
|
||||||
|
idTokenClaims map[string]interface{},
|
||||||
|
) map[string]interface{} {
|
||||||
|
mapped := make(map[string]interface{}, len(upstreamIDPConfig.GetAdditionalClaimMappings()))
|
||||||
|
for downstreamClaimName, upstreamClaimName := range upstreamIDPConfig.GetAdditionalClaimMappings() {
|
||||||
|
upstreamClaimValue, ok := idTokenClaims[upstreamClaimName]
|
||||||
|
if !ok {
|
||||||
|
plog.Warning(
|
||||||
|
"additionalClaims mapping claim in upstream ID token missing",
|
||||||
|
"upstreamName", upstreamIDPConfig.GetName(),
|
||||||
|
"claimName", upstreamClaimName,
|
||||||
|
)
|
||||||
|
} else {
|
||||||
|
mapped[downstreamClaimName] = upstreamClaimValue
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return mapped
|
||||||
|
}
|
||||||
|
|
||||||
func getSubjectAndUsernameFromUpstreamIDToken(
|
func getSubjectAndUsernameFromUpstreamIDToken(
|
||||||
upstreamIDPConfig provider.UpstreamOIDCIdentityProviderI,
|
upstreamIDPConfig provider.UpstreamOIDCIdentityProviderI,
|
||||||
idTokenClaims map[string]interface{},
|
idTokenClaims map[string]interface{},
|
||||||
|
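Review bot: two points in MapAdditionalClaimsFromUpstreamIDToken. First, the missing-claim branch logs at Warning for every unmatched mapping on every login; a permanently misconfigured name (the `foobaz` fixture, or a claim the provider only returns from userinfo) produces one warning per user per login, so Debug level, or a one-time status condition on the resource, fits better. Second, `upstreamClaimValue` is accepted whatever its JSON type, including `null` (present, so `ok` is true), meaning a null upstream claim is copied as null into the ID token while a missing one is dropped; if that distinction is intended, state it in the doc comment, otherwise treat nil like missing. The function also reads only the ID token and never userinfo, which differs from how groups are sourced and should be said in the comment.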
@ -84,7 +84,7 @@ func NewPostHandler(issuerURL string, upstreamIDPs oidc.UpstreamIdentityProvider
|
|||||||
groups := authenticateResponse.User.GetGroups()
|
groups := authenticateResponse.User.GetGroups()
|
||||||
customSessionData := downstreamsession.MakeDownstreamLDAPOrADCustomSessionData(ldapUpstream, idpType, authenticateResponse, username)
|
customSessionData := downstreamsession.MakeDownstreamLDAPOrADCustomSessionData(ldapUpstream, idpType, authenticateResponse, username)
|
||||||
openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups,
|
openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups,
|
||||||
authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData)
|
authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData, map[string]interface{}{})
|
||||||
oidc.PerformAuthcodeRedirect(r, w, oauthHelper, authorizeRequester, openIDSession, false)
|
oidc.PerformAuthcodeRedirect(r, w, oauthHelper, authorizeRequester, openIDSession, false)
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
|
@ -61,6 +61,9 @@ type UpstreamOIDCIdentityProviderI interface {
|
|||||||
// GetAdditionalAuthcodeParams returns additional params to be sent on authcode requests.
|
// GetAdditionalAuthcodeParams returns additional params to be sent on authcode requests.
|
||||||
GetAdditionalAuthcodeParams() map[string]string
|
GetAdditionalAuthcodeParams() map[string]string
|
||||||
|
|
||||||
|
// GetAdditionalClaimMappings returns additional claims to be mapped from the upstream ID token.
|
||||||
|
GetAdditionalClaimMappings() map[string]string
|
||||||
|
|
||||||
// PasswordCredentialsGrantAndValidateTokens performs upstream OIDC resource owner password credentials grant and
|
// PasswordCredentialsGrantAndValidateTokens performs upstream OIDC resource owner password credentials grant and
|
||||||
// token validation. Returns the validated raw tokens as well as the parsed claims of the ID token.
|
// token validation. Returns the validated raw tokens as well as the parsed claims of the ID token.
|
||||||
PasswordCredentialsGrantAndValidateTokens(ctx context.Context, username, password string) (*oidctypes.Token, error)
|
PasswordCredentialsGrantAndValidateTokens(ctx context.Context, username, password string) (*oidctypes.Token, error)
|
||||||
|
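Review bot: adding GetAdditionalClaimMappings to UpstreamOIDCIdentityProviderI is a breaking interface change, and the diff shows only the ProviderConfig implementation; any test doubles implementing this interface need the method as well. The doc comment should also say that a nil or empty map means no additional claims are issued, matching the behaviour documented on the CRD field.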
@ -43,6 +43,7 @@ type ProviderConfig struct {
|
|||||||
Client *http.Client
|
Client *http.Client
|
||||||
AllowPasswordGrant bool
|
AllowPasswordGrant bool
|
||||||
AdditionalAuthcodeParams map[string]string
|
AdditionalAuthcodeParams map[string]string
|
||||||
|
AdditionalClaimMappings map[string]string
|
||||||
RevocationURL *url.URL // will commonly be nil: many providers do not offer this
|
RevocationURL *url.URL // will commonly be nil: many providers do not offer this
|
||||||
Provider interface {
|
Provider interface {
|
||||||
Verifier(*coreosoidc.Config) *coreosoidc.IDTokenVerifier
|
Verifier(*coreosoidc.Config) *coreosoidc.IDTokenVerifier
|
||||||
@ -78,6 +79,10 @@ func (p *ProviderConfig) GetAdditionalAuthcodeParams() map[string]string {
|
|||||||
return p.AdditionalAuthcodeParams
|
return p.AdditionalAuthcodeParams
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (p *ProviderConfig) GetAdditionalClaimMappings() map[string]string {
|
||||||
|
return p.AdditionalClaimMappings
|
||||||
|
}
|
||||||
|
|
||||||
func (p *ProviderConfig) GetName() string {
|
func (p *ProviderConfig) GetName() string {
|
||||||
return p.Name
|
return p.Name
|
||||||
}
|
}
|
||||||
|
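Review bot: GetAdditionalClaimMappings returns the internal map by reference, which is the same map the controller took directly from the OIDCIdentityProvider spec, so any caller that writes to it mutates shared state. The current consumer only reads it, but either returning a copy or documenting the result as read-only closes that off cheaply.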