From d7b5f4d4eaf3d2ac10785018b74d5445c1f638a5 Mon Sep 17 00:00:00 2001
From: Joshua Casey
Date: Wed, 11 Jan 2023 12:55:37 -0600
Subject: [PATCH] Clarify godoc for AdditionalClaimMappings to indicate that missing upstream claims will not show up in the downstream token

---
 .../v1alpha1/types_oidcidentityprovider.go | 6 ++--
 internal/oidc/auth/auth_handler_test.go | 28 +++++++++++++++++++
 2 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/generated/latest/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go b/generated/latest/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go
index 5103ae4c..e9c56b4f 100644
--- a/generated/latest/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go
+++ b/generated/latest/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go
@@ -143,10 +143,10 @@ type OIDCClaims struct {
 // "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
 // new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
 // under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
- // OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
+ // OIDCIdentityProvider was used for user authentication. This feature is not required to use the Supervisor to
 // provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
- // authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
- // tokens generated by the Supervisor.
+ // authentication purposes. When this map is empty or the upstream claims are not available, the "additionalClaims"
+ // claim will be excluded from the ID tokens generated by the Supervisor.
 // +optional
 AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
 }
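Review bot: The new sentence on the `+ // authentication purposes.` line leaves the partial case open: when some of the mapped upstream claims are present and others are missing, a reader cannot tell whether "additionalClaims" is omitted entirely or emitted with only the resolvable entries, and the accompanying test exercises only the case where none resolve. If the handler drops mappings one by one, the godoc should say so, e.g. `// authentication purposes. Mappings whose upstream claim is absent are dropped from the result; when no mappings resolve (including when this map is empty), the "additionalClaims" claim is excluded from the ID tokens generated by the Supervisor.` It is also worth stating the operator-facing consequence that a missing upstream claim does not fail authentication, so any relying party that authorizes on a mapped claim must treat its absence as deny rather than fall back to a default. Since this path is under generated/, the same wording presumably belongs in the hand-maintained apis/ source this file is generated from, if the project keeps one; otherwise the next codegen run would revert it.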
diff --git a/internal/oidc/auth/auth_handler_test.go b/internal/oidc/auth/auth_handler_test.go
index 99a00eaa..fe36c36f 100644
--- a/internal/oidc/auth/auth_handler_test.go
+++ b/internal/oidc/auth/auth_handler_test.go
@@ -746,6 +746,34 @@ func TestAuthorizationEndpoint(t *testing.T) {
 "downstreamOtherClaim": "other claim value",
 },
 },
+ {
+ name: "OIDC upstream password grant happy path using GET with additional claim mappings, when upstream claims are not available",
+ idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().
+ WithAdditionalClaimMappings(map[string]string{
+ "downstream": "upstream",
+ }).
+ WithIDTokenClaim("not-upstream", "value").
+ Build()),
+ method: http.MethodGet,
+ path: happyGetRequestPath,
+ customUsernameHeader: pointer.String(oidcUpstreamUsername),
+ customPasswordHeader: pointer.String(oidcUpstreamPassword),
+ wantPasswordGrantCall: happyUpstreamPasswordGrantMockExpectation,
+ wantStatus: http.StatusFound,
+ wantContentType: htmlContentType,
+ wantRedirectLocationRegexp: happyAuthcodeDownstreamRedirectLocationRegexp,
+ wantDownstreamIDTokenSubject: oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped,
+ wantDownstreamIDTokenUsername: oidcUpstreamUsername,
+ wantDownstreamIDTokenGroups: oidcUpstreamGroupMembership,
+ wantDownstreamRequestedScopes: happyDownstreamScopesRequested,
+ wantDownstreamRedirectURI: downstreamRedirectURI,
+ wantDownstreamGrantedScopes: happyDownstreamScopesGranted,
+ wantDownstreamNonce: downstreamNonce,
+ wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
+ wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
+ wantDownstreamCustomSessionData: expectedHappyOIDCPasswordGrantCustomSession,
+ wantAdditionalClaims: nil, // downstream claims are empty
+ },
 {
 name: "LDAP cli upstream happy path using GET",
 idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider),
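Review bot: The new case pins only the all-missing outcome (`wantAdditionalClaims: nil`), so the per-mapping behavior the godoc change describes — a present upstream claim still mapped while a missing sibling is dropped — has no coverage, and a regression that dropped the whole "additionalClaims" claim whenever any single mapping failed would still pass. A sibling table entry with `WithAdditionalClaimMappings(map[string]string{"downstream": "upstream", "other": "missing"})`, `WithIDTokenClaim("upstream", "value")` and a `wantAdditionalClaims` holding only `"downstream": "value"` in the same map type the preceding case uses would close that gap, assuming the handler resolves mappings independently. The trailing comment `// downstream claims are empty` restates `nil`; `// no mapped upstream claim was present, so "additionalClaims" is omitted from the ID token` says why. TestAuthorizationEndpoint begins before this hunk and continues after it.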