diff --git a/generated/latest/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go b/generated/latest/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go
index 5103ae4c..e9c56b4f 100644
--- a/generated/latest/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go
+++ b/generated/latest/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go
@@ -143,10 +143,10 @@ type OIDCClaims struct {
 // "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
 // new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
 // under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
- // OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
+ // OIDCIdentityProvider was used for user authentication. This feature is not required to use the Supervisor to
 // provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
- // authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
- // tokens generated by the Supervisor.
+ // authentication purposes. When this map is empty or the upstream claims are not available, the "additionalClaims"
+ // claim will be excluded from the ID tokens generated by the Supervisor.
 // +optional
 AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
 }
diff --git a/internal/oidc/auth/auth_handler_test.go b/internal/oidc/auth/auth_handler_test.go
index 99a00eaa..fe36c36f 100644
--- a/internal/oidc/auth/auth_handler_test.go
+++ b/internal/oidc/auth/auth_handler_test.go
@@ -746,6 +746,34 @@ func TestAuthorizationEndpoint(t *testing.T) {
 "downstreamOtherClaim": "other claim value",
 },
 },
+ {
+ name: "OIDC upstream password grant happy path using GET with additional claim mappings, when upstream claims are not available",
+ idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().
+ WithAdditionalClaimMappings(map[string]string{
+ "downstream": "upstream",
+ }).
+ WithIDTokenClaim("not-upstream", "value").
+ Build()),
+ method: http.MethodGet,
+ path: happyGetRequestPath,
+ customUsernameHeader: pointer.String(oidcUpstreamUsername),
+ customPasswordHeader: pointer.String(oidcUpstreamPassword),
+ wantPasswordGrantCall: happyUpstreamPasswordGrantMockExpectation,
+ wantStatus: http.StatusFound,
+ wantContentType: htmlContentType,
+ wantRedirectLocationRegexp: happyAuthcodeDownstreamRedirectLocationRegexp,
+ wantDownstreamIDTokenSubject: oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped,
+ wantDownstreamIDTokenUsername: oidcUpstreamUsername,
+ wantDownstreamIDTokenGroups: oidcUpstreamGroupMembership,
+ wantDownstreamRequestedScopes: happyDownstreamScopesRequested,
+ wantDownstreamRedirectURI: downstreamRedirectURI,
+ wantDownstreamGrantedScopes: happyDownstreamScopesGranted,
+ wantDownstreamNonce: downstreamNonce,
+ wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
+ wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
+ wantDownstreamCustomSessionData: expectedHappyOIDCPasswordGrantCustomSession,
+ wantAdditionalClaims: nil, // downstream claims are empty
+ },
 {
 name: "LDAP cli upstream happy path using GET",
 idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider),
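Review bot: The new table entry only covers the all-missing case — one mapping whose upstream claim `"upstream"` is absent from the token — so it does not pin down what happens when the map is partially satisfiable, which is the case the reworded OIDCClaims doc comment ("when the upstream claims are not available") leaves ambiguous: whether a missing entry is skipped individually or causes the whole "additionalClaims" claim to be dropped. Unless another entry in this table already does so, a sibling case with `WithAdditionalClaimMappings(map[string]string{"downstream": "upstream", "other": "missing"})`, `WithIDTokenClaim("upstream", "value")` and `wantAdditionalClaims: map[string]interface{}{"downstream": "value"}` would lock in the per-entry behaviour so a later refactor cannot silently start emitting empty or nil values for unmapped claims. The trailing comment `// downstream claims are empty` would also read better as `// no upstream claim named "upstream" exists, so nothing is mapped`, since it is the upstream token, not the downstream claims, that is the cause. The enclosing TestAuthorizationEndpoint table starts and ends outside this hunk.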