Clarify godoc for AdditionalClaimMappings to indicate that missing upstream claims will not show up in the downstream token

generated/latest/apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go

@@ -143,10 +143,10 @@ type OIDCClaims struct {
 	// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
 	// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
 	// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
-	// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
+	// OIDCIdentityProvider was used for user authentication. This feature is not required to use the Supervisor to
 	// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
-	// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
+	// authentication purposes. When this map is empty or the upstream claims are not available, the "additionalClaims"
-	// tokens generated by the Supervisor.
+	// claim will be excluded from the ID tokens generated by the Supervisor.
 	// +optional
 	AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
 }

internal/oidc/auth/auth_handler_test.go

@@ -746,6 +746,34 @@ func TestAuthorizationEndpoint(t *testing.T) {
 				"downstreamOtherClaim":  "other claim value",
 			},
 		},
+		{
+			name: "OIDC upstream password grant happy path using GET with additional claim mappings, when upstream claims are not available",
+			idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().
+				WithAdditionalClaimMappings(map[string]string{
+					"downstream": "upstream",
+				}).
+				WithIDTokenClaim("not-upstream", "value").
+				Build()),
+			method:                            http.MethodGet,
+			path:                              happyGetRequestPath,
+			customUsernameHeader:              pointer.String(oidcUpstreamUsername),
+			customPasswordHeader:              pointer.String(oidcUpstreamPassword),
+			wantPasswordGrantCall:             happyUpstreamPasswordGrantMockExpectation,
+			wantStatus:                        http.StatusFound,
+			wantContentType:                   htmlContentType,
+			wantRedirectLocationRegexp:        happyAuthcodeDownstreamRedirectLocationRegexp,
+			wantDownstreamIDTokenSubject:      oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped,
+			wantDownstreamIDTokenUsername:     oidcUpstreamUsername,
+			wantDownstreamIDTokenGroups:       oidcUpstreamGroupMembership,
+			wantDownstreamRequestedScopes:     happyDownstreamScopesRequested,
+			wantDownstreamRedirectURI:         downstreamRedirectURI,
+			wantDownstreamGrantedScopes:       happyDownstreamScopesGranted,
+			wantDownstreamNonce:               downstreamNonce,
+			wantDownstreamPKCEChallenge:       downstreamPKCEChallenge,
+			wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
+			wantDownstreamCustomSessionData:   expectedHappyOIDCPasswordGrantCustomSession,
+			wantAdditionalClaims:              nil, // downstream claims are empty
+		},
 		{
 			name:                              "LDAP cli upstream happy path using GET",
 			idps:                              oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider),