main
...
jtc/test-c
Author | SHA1 | Date | |
---|---|---|---|
|
c6112ad3a9 | ||
|
bfe8dc11ce | ||
|
d7b5f4d4ea | ||
|
7b01c3ce18 | ||
|
87fe42e18d | ||
|
02ed2d9c95 | ||
|
cd17bdb5f7 |
@ -138,6 +138,17 @@ type OIDCClaims struct {
|
||||
// the ID token.
|
||||
// +optional
|
||||
Username string `json:"username"`
|
||||
|
||||
// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
|
||||
// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
|
||||
// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
|
||||
// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
|
||||
// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
|
||||
// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
|
||||
// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
|
||||
// tokens generated by the Supervisor.
|
||||
// +optional
|
||||
AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
|
||||
}
|
||||
|
||||
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
||||
|
@ -185,6 +185,22 @@ spec:
|
||||
description: Claims provides the names of token claims that will be
|
||||
used when inspecting an identity from this OIDC identity provider.
|
||||
properties:
|
||||
additionalClaimMappings:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: AdditionalClaimMappings allows for additional arbitrary
|
||||
upstream claim values to be mapped into the "additionalClaims"
|
||||
claim of the ID tokens generated by the Supervisor. This should
|
||||
be specified as a map of new claim names as the keys, and upstream
|
||||
claim names as the values. These new claim names will be nested
|
||||
under the top-level "additionalClaims" claim in ID tokens generated
|
||||
by the Supervisor when this OIDCIdentityProvider was used for
|
||||
user authentication. This feature is not required for using
|
||||
the Supervisor to provide authentication for Kubernetes clusters,
|
||||
but can be used when using the Supervisor for other authentication
|
||||
purposes. When this map is empty, the "additionalClaims" claim
|
||||
will be excluded from the ID tokens generated by the Supervisor.
|
||||
type: object
|
||||
groups:
|
||||
description: Groups provides the name of the ID token claim or
|
||||
userinfo endpoint response claim that will be used to ascertain
|
||||
|
1
generated/1.17/README.adoc
generated
1
generated/1.17/README.adoc
generated
@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
|
||||
| Field | Description
|
||||
| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
|
||||
| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|
||||
| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
|
||||
|===
|
||||
|
||||
|
||||
|
@ -138,6 +138,17 @@ type OIDCClaims struct {
|
||||
// the ID token.
|
||||
// +optional
|
||||
Username string `json:"username"`
|
||||
|
||||
// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
|
||||
// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
|
||||
// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
|
||||
// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
|
||||
// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
|
||||
// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
|
||||
// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
|
||||
// tokens generated by the Supervisor.
|
||||
// +optional
|
||||
AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
|
||||
}
|
||||
|
||||
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
||||
|
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
||||
*out = *in
|
||||
if in.AdditionalClaimMappings != nil {
|
||||
in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
|
||||
*out = make(map[string]string, len(*in))
|
||||
for key, val := range *in {
|
||||
(*out)[key] = val
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
|
||||
**out = **in
|
||||
}
|
||||
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
||||
out.Claims = in.Claims
|
||||
in.Claims.DeepCopyInto(&out.Claims)
|
||||
out.Client = in.Client
|
||||
return
|
||||
}
|
||||
|
@ -185,6 +185,22 @@ spec:
|
||||
description: Claims provides the names of token claims that will be
|
||||
used when inspecting an identity from this OIDC identity provider.
|
||||
properties:
|
||||
additionalClaimMappings:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: AdditionalClaimMappings allows for additional arbitrary
|
||||
upstream claim values to be mapped into the "additionalClaims"
|
||||
claim of the ID tokens generated by the Supervisor. This should
|
||||
be specified as a map of new claim names as the keys, and upstream
|
||||
claim names as the values. These new claim names will be nested
|
||||
under the top-level "additionalClaims" claim in ID tokens generated
|
||||
by the Supervisor when this OIDCIdentityProvider was used for
|
||||
user authentication. This feature is not required for using
|
||||
the Supervisor to provide authentication for Kubernetes clusters,
|
||||
but can be used when using the Supervisor for other authentication
|
||||
purposes. When this map is empty, the "additionalClaims" claim
|
||||
will be excluded from the ID tokens generated by the Supervisor.
|
||||
type: object
|
||||
groups:
|
||||
description: Groups provides the name of the ID token claim or
|
||||
userinfo endpoint response claim that will be used to ascertain
|
||||
|
1
generated/1.18/README.adoc
generated
1
generated/1.18/README.adoc
generated
@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
|
||||
| Field | Description
|
||||
| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
|
||||
| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|
||||
| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
|
||||
|===
|
||||
|
||||
|
||||
|
@ -138,6 +138,17 @@ type OIDCClaims struct {
|
||||
// the ID token.
|
||||
// +optional
|
||||
Username string `json:"username"`
|
||||
|
||||
// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
|
||||
// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
|
||||
// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
|
||||
// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
|
||||
// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
|
||||
// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
|
||||
// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
|
||||
// tokens generated by the Supervisor.
|
||||
// +optional
|
||||
AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
|
||||
}
|
||||
|
||||
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
||||
|
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
||||
*out = *in
|
||||
if in.AdditionalClaimMappings != nil {
|
||||
in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
|
||||
*out = make(map[string]string, len(*in))
|
||||
for key, val := range *in {
|
||||
(*out)[key] = val
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
|
||||
**out = **in
|
||||
}
|
||||
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
||||
out.Claims = in.Claims
|
||||
in.Claims.DeepCopyInto(&out.Claims)
|
||||
out.Client = in.Client
|
||||
return
|
||||
}
|
||||
|
@ -185,6 +185,22 @@ spec:
|
||||
description: Claims provides the names of token claims that will be
|
||||
used when inspecting an identity from this OIDC identity provider.
|
||||
properties:
|
||||
additionalClaimMappings:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: AdditionalClaimMappings allows for additional arbitrary
|
||||
upstream claim values to be mapped into the "additionalClaims"
|
||||
claim of the ID tokens generated by the Supervisor. This should
|
||||
be specified as a map of new claim names as the keys, and upstream
|
||||
claim names as the values. These new claim names will be nested
|
||||
under the top-level "additionalClaims" claim in ID tokens generated
|
||||
by the Supervisor when this OIDCIdentityProvider was used for
|
||||
user authentication. This feature is not required for using
|
||||
the Supervisor to provide authentication for Kubernetes clusters,
|
||||
but can be used when using the Supervisor for other authentication
|
||||
purposes. When this map is empty, the "additionalClaims" claim
|
||||
will be excluded from the ID tokens generated by the Supervisor.
|
||||
type: object
|
||||
groups:
|
||||
description: Groups provides the name of the ID token claim or
|
||||
userinfo endpoint response claim that will be used to ascertain
|
||||
|
1
generated/1.19/README.adoc
generated
1
generated/1.19/README.adoc
generated
@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
|
||||
| Field | Description
|
||||
| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
|
||||
| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|
||||
| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
|
||||
|===
|
||||
|
||||
|
||||
|
@ -138,6 +138,17 @@ type OIDCClaims struct {
|
||||
// the ID token.
|
||||
// +optional
|
||||
Username string `json:"username"`
|
||||
|
||||
// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
|
||||
// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
|
||||
// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
|
||||
// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
|
||||
// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
|
||||
// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
|
||||
// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
|
||||
// tokens generated by the Supervisor.
|
||||
// +optional
|
||||
AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
|
||||
}
|
||||
|
||||
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
||||
|
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
||||
*out = *in
|
||||
if in.AdditionalClaimMappings != nil {
|
||||
in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
|
||||
*out = make(map[string]string, len(*in))
|
||||
for key, val := range *in {
|
||||
(*out)[key] = val
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
|
||||
**out = **in
|
||||
}
|
||||
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
||||
out.Claims = in.Claims
|
||||
in.Claims.DeepCopyInto(&out.Claims)
|
||||
out.Client = in.Client
|
||||
return
|
||||
}
|
||||
|
@ -185,6 +185,22 @@ spec:
|
||||
description: Claims provides the names of token claims that will be
|
||||
used when inspecting an identity from this OIDC identity provider.
|
||||
properties:
|
||||
additionalClaimMappings:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: AdditionalClaimMappings allows for additional arbitrary
|
||||
upstream claim values to be mapped into the "additionalClaims"
|
||||
claim of the ID tokens generated by the Supervisor. This should
|
||||
be specified as a map of new claim names as the keys, and upstream
|
||||
claim names as the values. These new claim names will be nested
|
||||
under the top-level "additionalClaims" claim in ID tokens generated
|
||||
by the Supervisor when this OIDCIdentityProvider was used for
|
||||
user authentication. This feature is not required for using
|
||||
the Supervisor to provide authentication for Kubernetes clusters,
|
||||
but can be used when using the Supervisor for other authentication
|
||||
purposes. When this map is empty, the "additionalClaims" claim
|
||||
will be excluded from the ID tokens generated by the Supervisor.
|
||||
type: object
|
||||
groups:
|
||||
description: Groups provides the name of the ID token claim or
|
||||
userinfo endpoint response claim that will be used to ascertain
|
||||
|
1
generated/1.20/README.adoc
generated
1
generated/1.20/README.adoc
generated
@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
|
||||
| Field | Description
|
||||
| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
|
||||
| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|
||||
| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
|
||||
|===
|
||||
|
||||
|
||||
|
@ -138,6 +138,17 @@ type OIDCClaims struct {
|
||||
// the ID token.
|
||||
// +optional
|
||||
Username string `json:"username"`
|
||||
|
||||
// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
|
||||
// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
|
||||
// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
|
||||
// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
|
||||
// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
|
||||
// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
|
||||
// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
|
||||
// tokens generated by the Supervisor.
|
||||
// +optional
|
||||
AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
|
||||
}
|
||||
|
||||
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
||||
|
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
||||
*out = *in
|
||||
if in.AdditionalClaimMappings != nil {
|
||||
in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
|
||||
*out = make(map[string]string, len(*in))
|
||||
for key, val := range *in {
|
||||
(*out)[key] = val
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
|
||||
**out = **in
|
||||
}
|
||||
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
||||
out.Claims = in.Claims
|
||||
in.Claims.DeepCopyInto(&out.Claims)
|
||||
out.Client = in.Client
|
||||
return
|
||||
}
|
||||
|
@ -185,6 +185,22 @@ spec:
|
||||
description: Claims provides the names of token claims that will be
|
||||
used when inspecting an identity from this OIDC identity provider.
|
||||
properties:
|
||||
additionalClaimMappings:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: AdditionalClaimMappings allows for additional arbitrary
|
||||
upstream claim values to be mapped into the "additionalClaims"
|
||||
claim of the ID tokens generated by the Supervisor. This should
|
||||
be specified as a map of new claim names as the keys, and upstream
|
||||
claim names as the values. These new claim names will be nested
|
||||
under the top-level "additionalClaims" claim in ID tokens generated
|
||||
by the Supervisor when this OIDCIdentityProvider was used for
|
||||
user authentication. This feature is not required for using
|
||||
the Supervisor to provide authentication for Kubernetes clusters,
|
||||
but can be used when using the Supervisor for other authentication
|
||||
purposes. When this map is empty, the "additionalClaims" claim
|
||||
will be excluded from the ID tokens generated by the Supervisor.
|
||||
type: object
|
||||
groups:
|
||||
description: Groups provides the name of the ID token claim or
|
||||
userinfo endpoint response claim that will be used to ascertain
|
||||
|
1
generated/1.21/README.adoc
generated
1
generated/1.21/README.adoc
generated
@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
|
||||
| Field | Description
|
||||
| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
|
||||
| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|
||||
| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
|
||||
|===
|
||||
|
||||
|
||||
|
@ -138,6 +138,17 @@ type OIDCClaims struct {
|
||||
// the ID token.
|
||||
// +optional
|
||||
Username string `json:"username"`
|
||||
|
||||
// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
|
||||
// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
|
||||
// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
|
||||
// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
|
||||
// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
|
||||
// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
|
||||
// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
|
||||
// tokens generated by the Supervisor.
|
||||
// +optional
|
||||
AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
|
||||
}
|
||||
|
||||
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
||||
|
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
||||
*out = *in
|
||||
if in.AdditionalClaimMappings != nil {
|
||||
in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
|
||||
*out = make(map[string]string, len(*in))
|
||||
for key, val := range *in {
|
||||
(*out)[key] = val
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
|
||||
**out = **in
|
||||
}
|
||||
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
||||
out.Claims = in.Claims
|
||||
in.Claims.DeepCopyInto(&out.Claims)
|
||||
out.Client = in.Client
|
||||
return
|
||||
}
|
||||
|
@ -185,6 +185,22 @@ spec:
|
||||
description: Claims provides the names of token claims that will be
|
||||
used when inspecting an identity from this OIDC identity provider.
|
||||
properties:
|
||||
additionalClaimMappings:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: AdditionalClaimMappings allows for additional arbitrary
|
||||
upstream claim values to be mapped into the "additionalClaims"
|
||||
claim of the ID tokens generated by the Supervisor. This should
|
||||
be specified as a map of new claim names as the keys, and upstream
|
||||
claim names as the values. These new claim names will be nested
|
||||
under the top-level "additionalClaims" claim in ID tokens generated
|
||||
by the Supervisor when this OIDCIdentityProvider was used for
|
||||
user authentication. This feature is not required for using
|
||||
the Supervisor to provide authentication for Kubernetes clusters,
|
||||
but can be used when using the Supervisor for other authentication
|
||||
purposes. When this map is empty, the "additionalClaims" claim
|
||||
will be excluded from the ID tokens generated by the Supervisor.
|
||||
type: object
|
||||
groups:
|
||||
description: Groups provides the name of the ID token claim or
|
||||
userinfo endpoint response claim that will be used to ascertain
|
||||
|
1
generated/1.22/README.adoc
generated
1
generated/1.22/README.adoc
generated
@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
|
||||
| Field | Description
|
||||
| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
|
||||
| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|
||||
| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
|
||||
|===
|
||||
|
||||
|
||||
|
@ -138,6 +138,17 @@ type OIDCClaims struct {
|
||||
// the ID token.
|
||||
// +optional
|
||||
Username string `json:"username"`
|
||||
|
||||
// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
|
||||
// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
|
||||
// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
|
||||
// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
|
||||
// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
|
||||
// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
|
||||
// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
|
||||
// tokens generated by the Supervisor.
|
||||
// +optional
|
||||
AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
|
||||
}
|
||||
|
||||
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
||||
|
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
||||
*out = *in
|
||||
if in.AdditionalClaimMappings != nil {
|
||||
in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
|
||||
*out = make(map[string]string, len(*in))
|
||||
for key, val := range *in {
|
||||
(*out)[key] = val
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
|
||||
**out = **in
|
||||
}
|
||||
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
||||
out.Claims = in.Claims
|
||||
in.Claims.DeepCopyInto(&out.Claims)
|
||||
out.Client = in.Client
|
||||
return
|
||||
}
|
||||
|
@ -185,6 +185,22 @@ spec:
|
||||
description: Claims provides the names of token claims that will be
|
||||
used when inspecting an identity from this OIDC identity provider.
|
||||
properties:
|
||||
additionalClaimMappings:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: AdditionalClaimMappings allows for additional arbitrary
|
||||
upstream claim values to be mapped into the "additionalClaims"
|
||||
claim of the ID tokens generated by the Supervisor. This should
|
||||
be specified as a map of new claim names as the keys, and upstream
|
||||
claim names as the values. These new claim names will be nested
|
||||
under the top-level "additionalClaims" claim in ID tokens generated
|
||||
by the Supervisor when this OIDCIdentityProvider was used for
|
||||
user authentication. This feature is not required for using
|
||||
the Supervisor to provide authentication for Kubernetes clusters,
|
||||
but can be used when using the Supervisor for other authentication
|
||||
purposes. When this map is empty, the "additionalClaims" claim
|
||||
will be excluded from the ID tokens generated by the Supervisor.
|
||||
type: object
|
||||
groups:
|
||||
description: Groups provides the name of the ID token claim or
|
||||
userinfo endpoint response claim that will be used to ascertain
|
||||
|
1
generated/1.23/README.adoc
generated
@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
|
||||
| Field | Description
|
||||
| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
|
||||
| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|
||||
| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
|
||||
|===
|
||||
|
||||
|
||||
|
@ -138,6 +138,17 @@ type OIDCClaims struct {
|
||||
// the ID token.
|
||||
// +optional
|
||||
Username string `json:"username"`
|
||||
|
||||
// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
|
||||
// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
|
||||
// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
|
||||
// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
|
||||
// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
|
||||
// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
|
||||
// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
|
||||
// tokens generated by the Supervisor.
|
||||
// +optional
|
||||
AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
|
||||
}
|
||||
|
||||
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
||||
|
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
||||
*out = *in
|
||||
if in.AdditionalClaimMappings != nil {
|
||||
in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
|
||||
*out = make(map[string]string, len(*in))
|
||||
for key, val := range *in {
|
||||
(*out)[key] = val
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
|
||||
**out = **in
|
||||
}
|
||||
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
||||
out.Claims = in.Claims
|
||||
in.Claims.DeepCopyInto(&out.Claims)
|
||||
out.Client = in.Client
|
||||
return
|
||||
}
|
||||
|
@ -185,6 +185,22 @@ spec:
|
||||
description: Claims provides the names of token claims that will be
|
||||
used when inspecting an identity from this OIDC identity provider.
|
||||
properties:
|
||||
additionalClaimMappings:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: AdditionalClaimMappings allows for additional arbitrary
|
||||
upstream claim values to be mapped into the "additionalClaims"
|
||||
claim of the ID tokens generated by the Supervisor. This should
|
||||
be specified as a map of new claim names as the keys, and upstream
|
||||
claim names as the values. These new claim names will be nested
|
||||
under the top-level "additionalClaims" claim in ID tokens generated
|
||||
by the Supervisor when this OIDCIdentityProvider was used for
|
||||
user authentication. This feature is not required for using
|
||||
the Supervisor to provide authentication for Kubernetes clusters,
|
||||
but can be used when using the Supervisor for other authentication
|
||||
purposes. When this map is empty, the "additionalClaims" claim
|
||||
will be excluded from the ID tokens generated by the Supervisor.
|
||||
type: object
|
||||
groups:
|
||||
description: Groups provides the name of the ID token claim or
|
||||
userinfo endpoint response claim that will be used to ascertain
|
||||
|
1
generated/1.24/README.adoc
generated
@ -1391,6 +1391,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
|
||||
| Field | Description
|
||||
| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
|
||||
| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|
||||
| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
|
||||
|===
|
||||
|
||||
|
||||
|
@ -138,6 +138,17 @@ type OIDCClaims struct {
|
||||
// the ID token.
|
||||
// +optional
|
||||
Username string `json:"username"`
|
||||
|
||||
// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
|
||||
// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
|
||||
// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
|
||||
// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
|
||||
// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
|
||||
// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
|
||||
// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
|
||||
// tokens generated by the Supervisor.
|
||||
// +optional
|
||||
AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
|
||||
}
|
||||
|
||||
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
||||
|
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
||||
*out = *in
|
||||
if in.AdditionalClaimMappings != nil {
|
||||
in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
|
||||
*out = make(map[string]string, len(*in))
|
||||
for key, val := range *in {
|
||||
(*out)[key] = val
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
|
||||
**out = **in
|
||||
}
|
||||
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
||||
out.Claims = in.Claims
|
||||
in.Claims.DeepCopyInto(&out.Claims)
|
||||
out.Client = in.Client
|
||||
return
|
||||
}
|
||||
|
@ -185,6 +185,22 @@ spec:
|
||||
description: Claims provides the names of token claims that will be
|
||||
used when inspecting an identity from this OIDC identity provider.
|
||||
properties:
|
||||
additionalClaimMappings:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: AdditionalClaimMappings allows for additional arbitrary
|
||||
upstream claim values to be mapped into the "additionalClaims"
|
||||
claim of the ID tokens generated by the Supervisor. This should
|
||||
be specified as a map of new claim names as the keys, and upstream
|
||||
claim names as the values. These new claim names will be nested
|
||||
under the top-level "additionalClaims" claim in ID tokens generated
|
||||
by the Supervisor when this OIDCIdentityProvider was used for
|
||||
user authentication. This feature is not required for using
|
||||
the Supervisor to provide authentication for Kubernetes clusters,
|
||||
but can be used when using the Supervisor for other authentication
|
||||
purposes. When this map is empty, the "additionalClaims" claim
|
||||
will be excluded from the ID tokens generated by the Supervisor.
|
||||
type: object
|
||||
groups:
|
||||
description: Groups provides the name of the ID token claim or
|
||||
userinfo endpoint response claim that will be used to ascertain
|
||||
|
1
generated/1.25/README.adoc
generated
@ -1387,6 +1387,7 @@ OIDCClaims provides a mapping from upstream claims into identities.
|
||||
| Field | Description
|
||||
| *`groups`* __string__ | Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain the groups to which an identity belongs. By default, the identities will not include any group memberships when this setting is not configured.
|
||||
| *`username`* __string__ | Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain an identity's username. When not set, the username will be an automatically constructed unique string which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from the ID token.
|
||||
| *`additionalClaimMappings`* __object (keys:string, values:string)__ | AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of new claim names as the keys, and upstream claim names as the values. These new claim names will be nested under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
|
||||
|===
|
||||
|
||||
|
||||
|
@ -138,6 +138,17 @@ type OIDCClaims struct {
|
||||
// the ID token.
|
||||
// +optional
|
||||
Username string `json:"username"`
|
||||
|
||||
// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
|
||||
// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
|
||||
// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
|
||||
// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
|
||||
// OIDCIdentityProvider was used for user authentication. This feature is not required for using the Supervisor to
|
||||
// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
|
||||
// authentication purposes. When this map is empty, the "additionalClaims" claim will be excluded from the ID
|
||||
// tokens generated by the Supervisor.
|
||||
// +optional
|
||||
AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
|
||||
}
|
||||
|
||||
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
||||
|
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
||||
*out = *in
|
||||
if in.AdditionalClaimMappings != nil {
|
||||
in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
|
||||
*out = make(map[string]string, len(*in))
|
||||
for key, val := range *in {
|
||||
(*out)[key] = val
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
|
||||
**out = **in
|
||||
}
|
||||
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
||||
out.Claims = in.Claims
|
||||
in.Claims.DeepCopyInto(&out.Claims)
|
||||
out.Client = in.Client
|
||||
return
|
||||
}
|
||||
|
@ -185,6 +185,22 @@ spec:
|
||||
description: Claims provides the names of token claims that will be
|
||||
used when inspecting an identity from this OIDC identity provider.
|
||||
properties:
|
||||
additionalClaimMappings:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: AdditionalClaimMappings allows for additional arbitrary
|
||||
upstream claim values to be mapped into the "additionalClaims"
|
||||
claim of the ID tokens generated by the Supervisor. This should
|
||||
be specified as a map of new claim names as the keys, and upstream
|
||||
claim names as the values. These new claim names will be nested
|
||||
under the top-level "additionalClaims" claim in ID tokens generated
|
||||
by the Supervisor when this OIDCIdentityProvider was used for
|
||||
user authentication. This feature is not required for using
|
||||
the Supervisor to provide authentication for Kubernetes clusters,
|
||||
but can be used when using the Supervisor for other authentication
|
||||
purposes. When this map is empty, the "additionalClaims" claim
|
||||
will be excluded from the ID tokens generated by the Supervisor.
|
||||
type: object
|
||||
groups:
|
||||
description: Groups provides the name of the ID token claim or
|
||||
userinfo endpoint response claim that will be used to ascertain
|
||||
|
@ -138,6 +138,17 @@ type OIDCClaims struct {
|
||||
// the ID token.
|
||||
// +optional
|
||||
Username string `json:"username"`
|
||||
|
||||
// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
|
||||
// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
|
||||
// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
|
||||
// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
|
||||
// OIDCIdentityProvider was used for user authentication. This feature is not required to use the Supervisor to
|
||||
// provide authentication for Kubernetes clusters, but can be used when using the Supervisor for other
|
||||
// authentication purposes. When this map is empty or the upstream claims are not available, the "additionalClaims"
|
||||
// claim will be excluded from the ID tokens generated by the Supervisor.
|
||||
// +optional
|
||||
AdditionalClaimMappings map[string]string `json:"additionalClaimMappings"`
|
||||
}
|
||||
|
||||
// OIDCClient contains information about an OIDC client (e.g., client ID and client
|
||||
|
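Review bot: The generated copies of this field comment under generated/1.23, generated/1.24 and generated/1.25 (the three earlier types hunks, plus the matching README.adoc and CRD yaml hunks) still carry the older wording, "is not required for using" and "When this map is empty, the "additionalClaims" claim will be excluded", while this source file now says "is not required to use" and "When this map is empty or the upstream claims are not available". The generated trees and the CRD descriptions should be regenerated from this file so the published API reference matches the Go doc. Separately, the comment says "upstream claim values" without naming the source; the call sites in this diff pass `token.IDToken.Claims`, whereas the Username and Groups fields above are documented as coming from the ID token or the userinfo response, so a sentence such as `// Values are read from the upstream ID token claims.` (assuming that is the intended contract) would remove the ambiguity.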
@ -438,6 +438,13 @@ func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig {
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) {
|
||||
*out = *in
|
||||
if in.AdditionalClaimMappings != nil {
|
||||
in, out := &in.AdditionalClaimMappings, &out.AdditionalClaimMappings
|
||||
*out = make(map[string]string, len(*in))
|
||||
for key, val := range *in {
|
||||
(*out)[key] = val
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
@ -537,7 +544,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
|
||||
**out = **in
|
||||
}
|
||||
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
|
||||
out.Claims = in.Claims
|
||||
in.Claims.DeepCopyInto(&out.Claims)
|
||||
out.Client = in.Client
|
||||
return
|
||||
}
|
||||
|
@ -215,6 +215,7 @@ func (c *oidcWatcherController) validateUpstream(ctx controllerlib.Context, upst
|
||||
GroupsClaim: upstream.Spec.Claims.Groups,
|
||||
AllowPasswordGrant: authorizationConfig.AllowPasswordGrant,
|
||||
AdditionalAuthcodeParams: additionalAuthcodeAuthorizeParameters,
|
||||
AdditionalClaimMappings: upstream.Spec.Claims.AdditionalClaimMappings,
|
||||
ResourceUID: upstream.UID,
|
||||
}
|
||||
|
||||
|
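Review bot: `AdditionalClaimMappings: upstream.Spec.Claims.AdditionalClaimMappings,` stores the map from the OIDCIdentityProvider object by reference, unlike AdditionalAuthcodeParams on the line above, which is built locally. If `upstream` is the informer's cached object rather than a DeepCopy (the caller is outside the hunk), the cached provider then shares its map with the lister cache and any later mutation would be visible in both. Nothing in validateUpstream visibly rejects an empty key or empty value in the map either, which would produce a claim named "" under additionalClaims or look up an upstream claim named "". Copying the map (the same loop the generated OIDCClaims.DeepCopyInto uses) and reporting a validation error for empty keys or values would close both gaps.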
@ -999,6 +999,7 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
|
||||
GroupsClaim: testGroupsClaim,
|
||||
AllowPasswordGrant: true,
|
||||
AdditionalAuthcodeParams: map[string]string{},
|
||||
AdditionalClaimMappings: nil, // Does not default to empty map
|
||||
ResourceUID: testUID,
|
||||
},
|
||||
},
|
||||
@ -1054,6 +1055,7 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
|
||||
GroupsClaim: testGroupsClaim,
|
||||
AllowPasswordGrant: false,
|
||||
AdditionalAuthcodeParams: map[string]string{},
|
||||
AdditionalClaimMappings: nil, // Does not default to empty map
|
||||
ResourceUID: testUID,
|
||||
},
|
||||
},
|
||||
@ -1109,6 +1111,7 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
|
||||
GroupsClaim: testGroupsClaim,
|
||||
AllowPasswordGrant: false,
|
||||
AdditionalAuthcodeParams: map[string]string{},
|
||||
AdditionalClaimMappings: nil, // Does not default to empty map
|
||||
ResourceUID: testUID,
|
||||
},
|
||||
},
|
||||
@ -1167,6 +1170,7 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
|
||||
GroupsClaim: testGroupsClaim,
|
||||
AllowPasswordGrant: false,
|
||||
AdditionalAuthcodeParams: map[string]string{},
|
||||
AdditionalClaimMappings: nil, // Does not default to empty map
|
||||
ResourceUID: testUID,
|
||||
},
|
||||
},
|
||||
@ -1195,7 +1199,13 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
|
||||
AdditionalAuthorizeParameters: testAdditionalParams,
|
||||
AllowPasswordGrant: true,
|
||||
},
|
||||
Claims: v1alpha1.OIDCClaims{Groups: testGroupsClaim, Username: testUsernameClaim},
|
||||
Claims: v1alpha1.OIDCClaims{
|
||||
Groups: testGroupsClaim,
|
||||
Username: testUsernameClaim,
|
||||
AdditionalClaimMappings: map[string]string{
|
||||
"downstream": "upstream",
|
||||
},
|
||||
},
|
||||
},
|
||||
Status: v1alpha1.OIDCIdentityProviderStatus{
|
||||
Phase: "Ready",
|
||||
@ -1227,7 +1237,10 @@ Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nananananananana
|
||||
GroupsClaim: testGroupsClaim,
|
||||
AllowPasswordGrant: true,
|
||||
AdditionalAuthcodeParams: testExpectedAdditionalParams,
|
||||
ResourceUID: testUID,
|
||||
AdditionalClaimMappings: map[string]string{
|
||||
"downstream": "upstream",
|
||||
},
|
||||
ResourceUID: testUID,
|
||||
},
|
||||
},
|
||||
wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{
|
||||
@ -1442,6 +1455,7 @@ oidc: issuer did not match the issuer returned by provider, expected "` + testIs
|
||||
require.Equal(t, tt.wantResultingCache[i].GetGroupsClaim(), actualIDP.GetGroupsClaim())
|
||||
require.Equal(t, tt.wantResultingCache[i].AllowsPasswordGrant(), actualIDP.AllowsPasswordGrant())
|
||||
require.Equal(t, tt.wantResultingCache[i].GetAdditionalAuthcodeParams(), actualIDP.GetAdditionalAuthcodeParams())
|
||||
require.Equal(t, tt.wantResultingCache[i].GetAdditionalClaimMappings(), actualIDP.GetAdditionalClaimMappings())
|
||||
require.Equal(t, tt.wantResultingCache[i].GetResourceUID(), actualIDP.GetResourceUID())
|
||||
require.Equal(t, tt.wantResultingCache[i].GetRevocationURL(), actualIDP.GetRevocationURL())
|
||||
require.ElementsMatch(t, tt.wantResultingCache[i].GetScopes(), actualIDP.GetScopes())
|
||||
|
@ -88,6 +88,20 @@ func (mr *MockUpstreamOIDCIdentityProviderIMockRecorder) GetAdditionalAuthcodePa
|
||||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAdditionalAuthcodeParams", reflect.TypeOf((*MockUpstreamOIDCIdentityProviderI)(nil).GetAdditionalAuthcodeParams))
|
||||
}
|
||||
|
||||
// GetAdditionalClaimMappings mocks base method.
|
||||
func (m *MockUpstreamOIDCIdentityProviderI) GetAdditionalClaimMappings() map[string]string {
|
||||
m.ctrl.T.Helper()
|
||||
ret := m.ctrl.Call(m, "GetAdditionalClaimMappings")
|
||||
ret0, _ := ret[0].(map[string]string)
|
||||
return ret0
|
||||
}
|
||||
|
||||
// GetAdditionalClaimMappings indicates an expected call of GetAdditionalClaimMappings.
|
||||
func (mr *MockUpstreamOIDCIdentityProviderIMockRecorder) GetAdditionalClaimMappings() *gomock.Call {
|
||||
mr.mock.ctrl.T.Helper()
|
||||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAdditionalClaimMappings", reflect.TypeOf((*MockUpstreamOIDCIdentityProviderI)(nil).GetAdditionalClaimMappings))
|
||||
}
|
||||
|
||||
// GetAuthorizationURL mocks base method.
|
||||
func (m *MockUpstreamOIDCIdentityProviderI) GetAuthorizationURL() *url.URL {
|
||||
m.ctrl.T.Helper()
|
||||
|
@ -150,7 +150,7 @@ func handleAuthRequestForLDAPUpstreamCLIFlow(
|
||||
groups := authenticateResponse.User.GetGroups()
|
||||
customSessionData := downstreamsession.MakeDownstreamLDAPOrADCustomSessionData(ldapUpstream, idpType, authenticateResponse, username)
|
||||
openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups,
|
||||
authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData)
|
||||
authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData, map[string]interface{}{})
|
||||
oidc.PerformAuthcodeRedirect(r, w, oauthHelper, authorizeRequester, openIDSession, true)
|
||||
|
||||
return nil
|
||||
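Review bot: `map[string]interface{}{}` is passed as the additional claims for the LDAP/AD CLI flow, while the OIDC paths pass whatever MapAdditionalClaimsFromUpstreamIDToken returns, which the authorize test in this diff expects to be nil when nothing maps ("downstream claims are empty"). Unless MakeDownstreamSession, outside this hunk, treats an empty map and nil identically, the two flows store different session data and the API doc's promise that the claim is excluded when empty holds for only one of them. Passing `nil` here, with a short comment that LDAP/AD upstreams have no claims to map, keeps the paths consistent; the other non-OIDC callers of MakeDownstreamSession, not in this diff, presumably need the same treatment.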
@ -243,6 +243,8 @@ func handleAuthRequestForOIDCUpstreamPasswordGrant(
|
||||
return nil
|
||||
}
|
||||
|
||||
additionalClaims := downstreamsession.MapAdditionalClaimsFromUpstreamIDToken(oidcUpstream, token.IDToken.Claims)
|
||||
|
||||
customSessionData, err := downstreamsession.MakeDownstreamOIDCCustomSessionData(oidcUpstream, token, username)
|
||||
if err != nil {
|
||||
oidc.WriteAuthorizeError(r, w, oauthHelper, authorizeRequester,
|
||||
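Review bot: `additionalClaims` is computed from `token.IDToken.Claims` only, whereas the Username and Groups claims this feature sits beside are documented as coming from "the ID token claim or userinfo endpoint response claim". If `token.IDToken.Claims` is not already merged with the userinfo response by this point, a mapping that names a userinfo-only claim silently yields nothing, indistinguishable from a mistyped claim name; a comment such as `// Additional claims are mapped from the upstream ID token claims only.` would make the contract explicit. The same call appears in the callback handler hunk further down. The mapped values are copied as arbitrary `interface{}` into the downstream session and ID token, so nothing visible here bounds the size or shape of what an upstream can place into Supervisor-issued tokens; if that is intended, the API doc should say so.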
@ -252,7 +254,7 @@ func handleAuthRequestForOIDCUpstreamPasswordGrant(
|
||||
}
|
||||
|
||||
openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups,
|
||||
authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData)
|
||||
authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData, additionalClaims)
|
||||
|
||||
oidc.PerformAuthcodeRedirect(r, w, oauthHelper, authorizeRequester, openIDSession, true)
|
||||
|
||||
|
@ -582,6 +582,7 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
||||
wantUnnecessaryStoredRecords int
|
||||
wantPasswordGrantCall *expectedPasswordGrant
|
||||
wantDownstreamCustomSessionData *psession.CustomSessionData
|
||||
wantAdditionalClaims map[string]interface{}
|
||||
}
|
||||
tests := []testCase{
|
||||
{
|
||||
@ -711,6 +712,68 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
||||
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
|
||||
wantDownstreamCustomSessionData: expectedHappyOIDCPasswordGrantCustomSession,
|
||||
},
|
||||
{
|
||||
name: "OIDC upstream password grant happy path using GET with additional claim mappings",
|
||||
idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().
|
||||
WithAdditionalClaimMappings(map[string]string{
|
||||
"downstreamCustomClaim": "upstreamCustomClaim",
|
||||
"downstreamOtherClaim": "upstreamOtherClaim",
|
||||
"downstreamMissingClaim": "upstreamMissingClaim",
|
||||
}).
|
||||
WithIDTokenClaim("upstreamCustomClaim", "i am a claim value").
|
||||
WithIDTokenClaim("upstreamOtherClaim", "other claim value").
|
||||
Build()),
|
||||
method: http.MethodGet,
|
||||
path: happyGetRequestPath,
|
||||
customUsernameHeader: pointer.String(oidcUpstreamUsername),
|
||||
customPasswordHeader: pointer.String(oidcUpstreamPassword),
|
||||
wantPasswordGrantCall: happyUpstreamPasswordGrantMockExpectation,
|
||||
wantStatus: http.StatusFound,
|
||||
wantContentType: htmlContentType,
|
||||
wantRedirectLocationRegexp: happyAuthcodeDownstreamRedirectLocationRegexp,
|
||||
wantDownstreamIDTokenSubject: oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped,
|
||||
wantDownstreamIDTokenUsername: oidcUpstreamUsername,
|
||||
wantDownstreamIDTokenGroups: oidcUpstreamGroupMembership,
|
||||
wantDownstreamRequestedScopes: happyDownstreamScopesRequested,
|
||||
wantDownstreamRedirectURI: downstreamRedirectURI,
|
||||
wantDownstreamGrantedScopes: happyDownstreamScopesGranted,
|
||||
wantDownstreamNonce: downstreamNonce,
|
||||
wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
|
||||
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
|
||||
wantDownstreamCustomSessionData: expectedHappyOIDCPasswordGrantCustomSession,
|
||||
wantAdditionalClaims: map[string]interface{}{
|
||||
"downstreamCustomClaim": "i am a claim value",
|
||||
"downstreamOtherClaim": "other claim value",
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "OIDC upstream password grant happy path using GET with additional claim mappings, when upstream claims are not available",
|
||||
idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(passwordGrantUpstreamOIDCIdentityProviderBuilder().
|
||||
WithAdditionalClaimMappings(map[string]string{
|
||||
"downstream": "upstream",
|
||||
}).
|
||||
WithIDTokenClaim("not-upstream", "value").
|
||||
Build()),
|
||||
method: http.MethodGet,
|
||||
path: happyGetRequestPath,
|
||||
customUsernameHeader: pointer.String(oidcUpstreamUsername),
|
||||
customPasswordHeader: pointer.String(oidcUpstreamPassword),
|
||||
wantPasswordGrantCall: happyUpstreamPasswordGrantMockExpectation,
|
||||
wantStatus: http.StatusFound,
|
||||
wantContentType: htmlContentType,
|
||||
wantRedirectLocationRegexp: happyAuthcodeDownstreamRedirectLocationRegexp,
|
||||
wantDownstreamIDTokenSubject: oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped,
|
||||
wantDownstreamIDTokenUsername: oidcUpstreamUsername,
|
||||
wantDownstreamIDTokenGroups: oidcUpstreamGroupMembership,
|
||||
wantDownstreamRequestedScopes: happyDownstreamScopesRequested,
|
||||
wantDownstreamRedirectURI: downstreamRedirectURI,
|
||||
wantDownstreamGrantedScopes: happyDownstreamScopesGranted,
|
||||
wantDownstreamNonce: downstreamNonce,
|
||||
wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
|
||||
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
|
||||
wantDownstreamCustomSessionData: expectedHappyOIDCPasswordGrantCustomSession,
|
||||
wantAdditionalClaims: nil, // downstream claims are empty
|
||||
},
|
||||
{
|
||||
name: "LDAP cli upstream happy path using GET",
|
||||
idps: oidctestutil.NewUpstreamIDPListerBuilder().WithLDAP(&upstreamLDAPIdentityProvider),
|
||||
@ -3126,6 +3189,7 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
||||
test.wantDownstreamClientID,
|
||||
test.wantDownstreamRedirectURI,
|
||||
test.wantDownstreamCustomSessionData,
|
||||
test.wantAdditionalClaims,
|
||||
)
|
||||
default:
|
||||
require.Empty(t, rsp.Header().Values("Location"))
|
||||
@ -3176,9 +3240,15 @@ func TestAuthorizationEndpoint(t *testing.T) {
|
||||
oidcClientsClient := supervisorClient.ConfigV1alpha1().OIDCClients("some-namespace")
|
||||
oauthHelperWithRealStorage, kubeOauthStore := createOauthHelperWithRealStorage(secretsClient, oidcClientsClient)
|
||||
oauthHelperWithNullStorage, _ := createOauthHelperWithNullStorage(secretsClient, oidcClientsClient)
|
||||
|
||||
idps := test.idps.Build()
|
||||
if len(test.wantAdditionalClaims) > 0 {
|
||||
require.True(t, len(idps.GetOIDCIdentityProviders()) > 0, "wantAdditionalClaims requires at least one OIDC IDP")
|
||||
}
|
||||
|
||||
subject := NewHandler(
|
||||
downstreamIssuer,
|
||||
test.idps.Build(),
|
||||
idps,
|
||||
oauthHelperWithNullStorage, oauthHelperWithRealStorage,
|
||||
test.generateCSRF, test.generatePKCE, test.generateNonce,
|
||||
test.stateEncoder, test.cookieEncoder,
|
||||
|
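Review bot: `require.True(t, len(idps.GetOIDCIdentityProviders()) > 0, ...)` is a hand-rolled emptiness check; `require.NotEmpty(t, idps.GetOIDCIdentityProviders(), "wantAdditionalClaims requires at least one OIDC IDP")` expresses the same precondition and prints the offending value on failure. The guard only fires when wantAdditionalClaims is non-empty, so the "upstream claims are not available" case, which sets it to nil, is deliberately not covered by it; a one-line comment saying so would save the next reader from wondering.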
@ -74,13 +74,15 @@ func NewHandler(
|
||||
return httperr.Wrap(http.StatusUnprocessableEntity, err.Error(), err)
|
||||
}
|
||||
|
||||
additionalClaims := downstreamsession.MapAdditionalClaimsFromUpstreamIDToken(upstreamIDPConfig, token.IDToken.Claims)
|
||||
|
||||
customSessionData, err := downstreamsession.MakeDownstreamOIDCCustomSessionData(upstreamIDPConfig, token, username)
|
||||
if err != nil {
|
||||
return httperr.Wrap(http.StatusUnprocessableEntity, err.Error(), err)
|
||||
}
|
||||
|
||||
openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups,
|
||||
authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData)
|
||||
authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData, additionalClaims)
|
||||
|
||||
authorizeResponder, err := oauthHelper.NewAuthorizeResponse(r.Context(), authorizeRequester, openIDSession)
|
||||
if err != nil {
|
||||
|
@ -189,6 +189,7 @@ func TestCallbackEndpoint(t *testing.T) {
|
||||
wantDownstreamPKCEChallenge string
|
||||
wantDownstreamPKCEChallengeMethod string
|
||||
wantDownstreamCustomSessionData *psession.CustomSessionData
|
||||
wantAdditionalClaims map[string]interface{}
|
||||
|
||||
wantAuthcodeExchangeCall *expectedAuthcodeExchange
|
||||
}{
|
||||
@ -223,6 +224,49 @@ func TestCallbackEndpoint(t *testing.T) {
|
||||
args: happyExchangeAndValidateTokensArgs,
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "GET with good state and cookie with additional params",
|
||||
idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyUpstream().
|
||||
WithAdditionalClaimMappings(map[string]string{
|
||||
"downstreamCustomClaim": "upstreamCustomClaim",
|
||||
"downstreamOtherClaim": "upstreamOtherClaim",
|
||||
"downstreamMissingClaim": "upstreamMissingClaim",
|
||||
}).
|
||||
WithIDTokenClaim("upstreamCustomClaim", "i am a claim value").
|
||||
WithIDTokenClaim("upstreamOtherClaim", "other claim value").
|
||||
Build()),
|
||||
method: http.MethodGet,
|
||||
path: newRequestPath().WithState(
|
||||
happyUpstreamStateParam().WithAuthorizeRequestParams(
|
||||
shallowCopyAndModifyQuery(
|
||||
happyDownstreamRequestParamsQuery,
|
||||
map[string]string{"response_mode": "form_post"},
|
||||
).Encode(),
|
||||
).Build(t, happyStateCodec),
|
||||
).String(),
|
||||
csrfCookie: happyCSRFCookie,
|
||||
wantStatus: http.StatusOK,
|
||||
wantContentType: "text/html;charset=UTF-8",
|
||||
wantBodyFormResponseRegexp: `<code id="manual-auth-code">(.+)</code>`,
|
||||
wantDownstreamIDTokenSubject: oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped,
|
||||
wantDownstreamIDTokenUsername: oidcUpstreamUsername,
|
||||
wantDownstreamIDTokenGroups: oidcUpstreamGroupMembership,
|
||||
wantDownstreamRequestedScopes: happyDownstreamScopesRequested,
|
||||
wantDownstreamGrantedScopes: happyDownstreamScopesGranted,
|
||||
wantDownstreamNonce: downstreamNonce,
|
||||
wantDownstreamClientID: downstreamPinnipedClientID,
|
||||
wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
|
||||
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
|
||||
wantDownstreamCustomSessionData: happyDownstreamCustomSessionData,
|
||||
wantAuthcodeExchangeCall: &expectedAuthcodeExchange{
|
||||
performedByUpstreamName: happyUpstreamIDPName,
|
||||
args: happyExchangeAndValidateTokensArgs,
|
||||
},
|
||||
wantAdditionalClaims: map[string]interface{}{
|
||||
"downstreamCustomClaim": "i am a claim value",
|
||||
"downstreamOtherClaim": "other claim value",
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "GET with good state and cookie and successful upstream token exchange returns 303 to downstream client callback with its state and code",
|
||||
idps: oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyUpstream().Build()),
|
||||
@ -1463,6 +1507,7 @@ func TestCallbackEndpoint(t *testing.T) {
|
||||
test.wantDownstreamClientID,
|
||||
downstreamRedirectURI,
|
||||
test.wantDownstreamCustomSessionData,
|
||||
test.wantAdditionalClaims,
|
||||
)
|
||||
|
||||
// Otherwise, expect an empty response body.
|
||||
@ -1490,6 +1535,7 @@ func TestCallbackEndpoint(t *testing.T) {
|
||||
test.wantDownstreamClientID,
|
||||
downstreamRedirectURI,
|
||||
test.wantDownstreamCustomSessionData,
|
||||
test.wantAdditionalClaims,
|
||||
)
|
||||
}
|
||||
})
|
||||
|
@ -48,6 +48,7 @@ func MakeDownstreamSession(
|
||||
grantedScopes []string,
|
||||
clientID string,
|
||||
custom *psession.CustomSessionData,
|
||||
additionalClaims map[string]interface{},
|
||||
) *psession.PinnipedSession {
|
||||
now := time.Now().UTC()
|
||||
openIDSession := &psession.PinnipedSession{
|
||||
@ -72,6 +73,10 @@ func MakeDownstreamSession(
|
||||
if slices.Contains(grantedScopes, oidcapi.ScopeGroups) {
|
||||
extras[oidcapi.IDTokenClaimGroups] = groups
|
||||
}
|
||||
if len(additionalClaims) > 0 {
|
||||
// TODO: make "additionalClaims" a string constant, possibly in oidcapi?
|
||||
extras["additionalClaims"] = additionalClaims
|
||||
}
|
||||
openIDSession.IDTokenClaims().Extra = extras
|
||||
|
||||
return openIDSession
|
||||
@ -212,6 +217,27 @@ func GetDownstreamIdentityFromUpstreamIDToken(
|
||||
return subject, username, groups, err
|
||||
}
|
||||
|
||||
// MapAdditionalClaimsFromUpstreamIDToken returns the additionalClaims mapped from the upstream token, if any.
|
||||
func MapAdditionalClaimsFromUpstreamIDToken(
|
||||
upstreamIDPConfig provider.UpstreamOIDCIdentityProviderI,
|
||||
idTokenClaims map[string]interface{},
|
||||
) map[string]interface{} {
|
||||
mapped := make(map[string]interface{}, len(upstreamIDPConfig.GetAdditionalClaimMappings()))
|
||||
for downstreamClaimName, upstreamClaimName := range upstreamIDPConfig.GetAdditionalClaimMappings() {
|
||||
upstreamClaimValue, ok := idTokenClaims[upstreamClaimName]
|
||||
if !ok {
|
||||
plog.Warning(
|
||||
"additionalClaims mapping claim in upstream ID token missing",
|
||||
"upstreamName", upstreamIDPConfig.GetName(),
|
||||
"claimName", upstreamClaimName,
|
||||
)
|
||||
} else {
|
||||
mapped[downstreamClaimName] = upstreamClaimValue
|
||||
}
|
||||
}
|
||||
return mapped
|
||||
}
|
||||
|
||||
func getSubjectAndUsernameFromUpstreamIDToken(
|
||||
upstreamIDPConfig provider.UpstreamOIDCIdentityProviderI,
|
||||
idTokenClaims map[string]interface{},
|
||||
|
68
internal/oidc/downstreamsession/downstream_session_test.go
Normal file
@ -0,0 +1,68 @@
|
||||
package downstreamsession
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/require"
|
||||
"go.pinniped.dev/internal/testutil/oidctestutil"
|
||||
)
|
||||
|
||||
func TestMapAdditionalClaimsFromUpstreamIDToken(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
additionalClaimMappings map[string]string
|
||||
upstreamClaims map[string]interface{}
|
||||
wantClaims map[string]interface{}
|
||||
}{
|
||||
{
|
||||
name: "happy path",
|
||||
additionalClaimMappings: map[string]string{
|
||||
"email": "notification_email",
|
||||
},
|
||||
upstreamClaims: map[string]interface{}{
|
||||
"notification_email": "test@example.com",
|
||||
},
|
||||
wantClaims: map[string]interface{}{
|
||||
"email": "test@example.com",
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "missing",
|
||||
additionalClaimMappings: map[string]string{
|
||||
"email": "email",
|
||||
},
|
||||
upstreamClaims: map[string]interface{}{},
|
||||
wantClaims: map[string]interface{}{},
|
||||
},
|
||||
{
|
||||
name: "complex",
|
||||
additionalClaimMappings: map[string]string{
|
||||
"complex": "complex",
|
||||
},
|
||||
upstreamClaims: map[string]interface{}{
|
||||
"complex": map[string]string{
|
||||
"subClaim": "subValue",
|
||||
},
|
||||
},
|
||||
wantClaims: map[string]interface{}{
|
||||
"complex": map[string]string{
|
||||
"subClaim": "subValue",
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
for _, test := range tests {
|
||||
test := test
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
idp := oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().
|
||||
WithAdditionalClaimMappings(test.additionalClaimMappings).
|
||||
Build()
|
||||
actual := MapAdditionalClaimsFromUpstreamIDToken(idp, test.upstreamClaims)
|
||||
|
||||
require.Equal(t, test.wantClaims, actual)
|
||||
})
|
||||
}
|
||||
}
|
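Review bot: TestMapAdditionalClaimsFromUpstreamIDToken has no case for the default configuration where additionalClaimMappings is nil, which is the path every OIDC IDP without this field takes; the "missing" case covers an absent upstream claim but not an absent mapping. Add a case such as `{name: "no mappings", additionalClaimMappings: nil, upstreamClaims: map[string]interface{}{"email": "x"}, wantClaims: map[string]interface{}{}}` so the result for an unconfigured IDP is pinned and upstream claims are shown not to leak through without a mapping. A one-line comment on the "complex" case, `// non-string values are copied through unchanged`, would state what that case is protecting.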
@ -84,7 +84,7 @@ func NewPostHandler(issuerURL string, upstreamIDPs oidc.UpstreamIdentityProvider
|
||||
groups := authenticateResponse.User.GetGroups()
|
||||
customSessionData := downstreamsession.MakeDownstreamLDAPOrADCustomSessionData(ldapUpstream, idpType, authenticateResponse, username)
|
||||
openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups,
|
||||
authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData)
|
||||
authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData, map[string]interface{}{})
|
||||
oidc.PerformAuthcodeRedirect(r, w, oauthHelper, authorizeRequester, openIDSession, false)
|
||||
|
||||
return nil
|
||||
|
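Review bot: The new trailing argument at the MakeDownstreamSession call is an empty map literal, `map[string]interface{}{}`, where `nil` would express "no additional claims" more directly; MakeDownstreamSession only tests `len(additionalClaims) > 0`, so both behave identically. A short comment on the call, `// no upstream ID token here, so no additional claims are mapped for LDAP/AD logins`, would explain why this path differs from the OIDC callback. The enclosing handler function starts and ends outside the hunk.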
@ -1027,6 +1027,7 @@ func TestPostLoginEndpoint(t *testing.T) {
|
||||
tt.wantDownstreamClient,
|
||||
tt.wantDownstreamRedirectURI,
|
||||
tt.wantDownstreamCustomSessionData,
|
||||
map[string]interface{}{},
|
||||
)
|
||||
case tt.wantRedirectToLoginPageError != "":
|
||||
// Expecting an error redirect to the login UI page.
|
||||
@ -1062,6 +1063,7 @@ func TestPostLoginEndpoint(t *testing.T) {
|
||||
tt.wantDownstreamClient,
|
||||
tt.wantDownstreamRedirectURI,
|
||||
tt.wantDownstreamCustomSessionData,
|
||||
map[string]interface{}{},
|
||||
)
|
||||
default:
|
||||
require.Failf(t, "test should have expected a redirect or form body",
|
||||
|
@ -61,6 +61,9 @@ type UpstreamOIDCIdentityProviderI interface {
|
||||
// GetAdditionalAuthcodeParams returns additional params to be sent on authcode requests.
|
||||
GetAdditionalAuthcodeParams() map[string]string
|
||||
|
||||
// GetAdditionalClaimMappings returns additional claims to be mapped from the upstream ID token.
|
||||
GetAdditionalClaimMappings() map[string]string
|
||||
|
||||
// PasswordCredentialsGrantAndValidateTokens performs upstream OIDC resource owner password credentials grant and
|
||||
// token validation. Returns the validated raw tokens as well as the parsed claims of the ID token.
|
||||
PasswordCredentialsGrantAndValidateTokens(ctx context.Context, username, password string) (*oidctypes.Token, error)
|
||||
|
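Review bot: The doc comment on GetAdditionalClaimMappings says it "returns additional claims", but the method returns the mapping configuration, not claim values; the map is keyed by downstream claim name with the upstream claim name as the value, as the range in MapAdditionalClaimsFromUpstreamIDToken shows. Suggested wording: `// GetAdditionalClaimMappings returns the configured mapping of downstream claim names (keys) to upstream ID token claim names (values) whose values are copied into the "additionalClaims" claim of downstream ID tokens.` The interface body continues outside the hunk.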
@ -285,6 +285,7 @@ type tokenEndpointResponseExpectedValues struct {
|
||||
wantUpstreamOIDCValidateTokenCall *expectedUpstreamValidateTokens
|
||||
wantCustomSessionDataStored *psession.CustomSessionData
|
||||
wantWarnings []RecordedWarning
|
||||
wantAdditionalClaims map[string]interface{}
|
||||
}
|
||||
|
||||
type authcodeExchangeInputs struct {
|
||||
@ -297,6 +298,7 @@ type authcodeExchangeInputs struct {
|
||||
)
|
||||
makeOathHelper OauthHelperFactoryFunc
|
||||
customSessionData *psession.CustomSessionData
|
||||
modifySession func(*psession.PinnipedSession)
|
||||
want tokenEndpointResponseExpectedValues
|
||||
}
|
||||
|
||||
@ -344,6 +346,33 @@ func TestTokenEndpointAuthcodeExchange(t *testing.T) {
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "request is valid and tokens are issued with additional claims",
|
||||
authcodeExchange: authcodeExchangeInputs{
|
||||
modifyAuthRequest: func(r *http.Request) { r.Form.Set("scope", "openid profile email username groups") },
|
||||
modifySession: func(session *psession.PinnipedSession) {
|
||||
session.IDTokenClaims().Extra["additionalClaims"] = map[string]interface{}{
|
||||
"upstream1": "value1",
|
||||
"upstream2": "value2",
|
||||
"upstream3": "value3",
|
||||
}
|
||||
},
|
||||
want: tokenEndpointResponseExpectedValues{
|
||||
wantStatus: http.StatusOK,
|
||||
wantClientID: pinnipedCLIClientID,
|
||||
wantSuccessBodyFields: []string{"id_token", "access_token", "token_type", "scope", "expires_in"}, // no refresh token
|
||||
wantRequestedScopes: []string{"openid", "profile", "email", "username", "groups"},
|
||||
wantGrantedScopes: []string{"openid", "username", "groups"},
|
||||
wantUsername: goodUsername,
|
||||
wantGroups: goodGroups,
|
||||
wantAdditionalClaims: map[string]interface{}{
|
||||
"upstream1": "value1",
|
||||
"upstream2": "value2",
|
||||
"upstream3": "value3",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "request is valid and tokens are issued for dynamic client",
|
||||
kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources,
|
||||
@ -870,7 +899,7 @@ func TestTokenEndpointWhenAuthcodeIsUsedTwice(t *testing.T) {
|
||||
test.authcodeExchange.want.wantClientID,
|
||||
test.authcodeExchange.want.wantRequestedScopes, test.authcodeExchange.want.wantGrantedScopes,
|
||||
test.authcodeExchange.want.wantUsername, test.authcodeExchange.want.wantGroups,
|
||||
nil, approxRequestTime)
|
||||
nil, test.authcodeExchange.want.wantAdditionalClaims, approxRequestTime)
|
||||
|
||||
// Check that the access token and refresh token storage were both deleted, and the number of other storage objects did not change.
|
||||
testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: authorizationcode.TypeLabelValue}, 1)
|
||||
@ -3853,10 +3882,10 @@ func exchangeAuthcodeForTokens(
|
||||
// Use lower minimum required bcrypt cost than we would use in production to keep unit the tests fast.
|
||||
oauthStore = oidc.NewKubeStorage(secrets, oidcClientsClient, oidc.DefaultOIDCTimeoutsConfiguration(), bcrypt.MinCost)
|
||||
if test.makeOathHelper != nil {
|
||||
oauthHelper, authCode, jwtSigningKey = test.makeOathHelper(t, authRequest, oauthStore, test.customSessionData)
|
||||
oauthHelper, authCode, jwtSigningKey = test.makeOathHelper(t, authRequest, oauthStore, test.customSessionData, test.modifySession)
|
||||
} else {
|
||||
// Note that makeHappyOauthHelper() calls simulateAuthEndpointHavingAlreadyRun() to preload the session storage.
|
||||
oauthHelper, authCode, jwtSigningKey = makeHappyOauthHelper(t, authRequest, oauthStore, test.customSessionData)
|
||||
oauthHelper, authCode, jwtSigningKey = makeHappyOauthHelper(t, authRequest, oauthStore, test.customSessionData, test.modifySession)
|
||||
}
|
||||
|
||||
if test.modifyStorage != nil {
|
||||
@ -3936,10 +3965,10 @@ func requireTokenEndpointBehavior(
|
||||
wantRefreshToken := contains(test.wantSuccessBodyFields, "refresh_token")
|
||||
|
||||
requireInvalidAuthCodeStorage(t, authCode, oauthStore, secrets, requestTime)
|
||||
requireValidAccessTokenStorage(t, parsedResponseBody, oauthStore, test.wantClientID, test.wantRequestedScopes, test.wantGrantedScopes, test.wantUsername, test.wantGroups, test.wantCustomSessionDataStored, secrets, requestTime)
|
||||
requireValidAccessTokenStorage(t, parsedResponseBody, oauthStore, test.wantClientID, test.wantRequestedScopes, test.wantGrantedScopes, test.wantUsername, test.wantGroups, test.wantCustomSessionDataStored, test.wantAdditionalClaims, secrets, requestTime)
|
||||
requireInvalidPKCEStorage(t, authCode, oauthStore)
|
||||
// Performing a refresh does not update the OIDC storage, so after a refresh it should still have the old custom session data and old username and groups from the initial login.
|
||||
requireValidOIDCStorage(t, parsedResponseBody, authCode, oauthStore, test.wantClientID, test.wantRequestedScopes, test.wantGrantedScopes, oldUsername, oldGroups, oldCustomSessionData, requestTime)
|
||||
requireValidOIDCStorage(t, parsedResponseBody, authCode, oauthStore, test.wantClientID, test.wantRequestedScopes, test.wantGrantedScopes, oldUsername, oldGroups, oldCustomSessionData, test.wantAdditionalClaims, requestTime)
|
||||
|
||||
expectedNumberOfRefreshTokenSessionsStored := 0
|
||||
if wantRefreshToken {
|
||||
@ -3948,10 +3977,10 @@ func requireTokenEndpointBehavior(
|
||||
expectedNumberOfIDSessionsStored := 0
|
||||
if wantIDToken {
|
||||
expectedNumberOfIDSessionsStored = 1
|
||||
requireValidIDToken(t, parsedResponseBody, jwtSigningKey, test.wantClientID, wantNonceValueInIDToken, test.wantUsername, test.wantGroups, parsedResponseBody["access_token"].(string), requestTime)
|
||||
requireValidIDToken(t, parsedResponseBody, jwtSigningKey, test.wantClientID, wantNonceValueInIDToken, test.wantUsername, test.wantGroups, test.wantAdditionalClaims, parsedResponseBody["access_token"].(string), requestTime)
|
||||
}
|
||||
if wantRefreshToken {
|
||||
requireValidRefreshTokenStorage(t, parsedResponseBody, oauthStore, test.wantClientID, test.wantRequestedScopes, test.wantGrantedScopes, test.wantUsername, test.wantGroups, test.wantCustomSessionDataStored, secrets, requestTime)
|
||||
requireValidRefreshTokenStorage(t, parsedResponseBody, oauthStore, test.wantClientID, test.wantRequestedScopes, test.wantGrantedScopes, test.wantUsername, test.wantGroups, test.wantCustomSessionDataStored, test.wantAdditionalClaims, secrets, requestTime)
|
||||
}
|
||||
|
||||
testutil.RequireNumberOfSecretsMatchingLabelSelector(t, secrets, labels.Set{crud.SecretLabelKey: authorizationcode.TypeLabelValue}, 1)
|
||||
@ -4058,6 +4087,7 @@ type OauthHelperFactoryFunc func(
|
||||
authRequest *http.Request,
|
||||
store fositestoragei.AllFositeStorage,
|
||||
initialCustomSessionData *psession.CustomSessionData,
|
||||
sessionModifier func(session *psession.PinnipedSession),
|
||||
) (fosite.OAuth2Provider, string, *ecdsa.PrivateKey)
|
||||
|
||||
func makeHappyOauthHelper(
|
||||
@ -4065,12 +4095,13 @@ func makeHappyOauthHelper(
|
||||
authRequest *http.Request,
|
||||
store fositestoragei.AllFositeStorage,
|
||||
initialCustomSessionData *psession.CustomSessionData,
|
||||
sessionModifier func(session *psession.PinnipedSession),
|
||||
) (fosite.OAuth2Provider, string, *ecdsa.PrivateKey) {
|
||||
t.Helper()
|
||||
|
||||
jwtSigningKey, jwkProvider := generateJWTSigningKeyAndJWKSProvider(t, goodIssuer)
|
||||
oauthHelper := oidc.FositeOauth2Helper(store, goodIssuer, hmacSecretFunc, jwkProvider, oidc.DefaultOIDCTimeoutsConfiguration())
|
||||
authResponder := simulateAuthEndpointHavingAlreadyRun(t, authRequest, oauthHelper, initialCustomSessionData)
|
||||
authResponder := simulateAuthEndpointHavingAlreadyRun(t, authRequest, oauthHelper, initialCustomSessionData, sessionModifier)
|
||||
return oauthHelper, authResponder.GetCode(), jwtSigningKey
|
||||
}
|
||||
|
||||
@ -4092,12 +4123,13 @@ func makeOauthHelperWithJWTKeyThatWorksOnlyOnce(
|
||||
authRequest *http.Request,
|
||||
store fositestoragei.AllFositeStorage,
|
||||
initialCustomSessionData *psession.CustomSessionData,
|
||||
modifySession func(session *psession.PinnipedSession),
|
||||
) (fosite.OAuth2Provider, string, *ecdsa.PrivateKey) {
|
||||
t.Helper()
|
||||
|
||||
jwtSigningKey, jwkProvider := generateJWTSigningKeyAndJWKSProvider(t, goodIssuer)
|
||||
oauthHelper := oidc.FositeOauth2Helper(store, goodIssuer, hmacSecretFunc, &singleUseJWKProvider{DynamicJWKSProvider: jwkProvider}, oidc.DefaultOIDCTimeoutsConfiguration())
|
||||
authResponder := simulateAuthEndpointHavingAlreadyRun(t, authRequest, oauthHelper, initialCustomSessionData)
|
||||
authResponder := simulateAuthEndpointHavingAlreadyRun(t, authRequest, oauthHelper, initialCustomSessionData, modifySession)
|
||||
return oauthHelper, authResponder.GetCode(), jwtSigningKey
|
||||
}
|
||||
|
||||
@ -4106,12 +4138,13 @@ func makeOauthHelperWithNilPrivateJWTSigningKey(
|
||||
authRequest *http.Request,
|
||||
store fositestoragei.AllFositeStorage,
|
||||
initialCustomSessionData *psession.CustomSessionData,
|
||||
modifySession func(session *psession.PinnipedSession),
|
||||
) (fosite.OAuth2Provider, string, *ecdsa.PrivateKey) {
|
||||
t.Helper()
|
||||
|
||||
jwkProvider := jwks.NewDynamicJWKSProvider() // empty provider which contains no signing key for this issuer
|
||||
oauthHelper := oidc.FositeOauth2Helper(store, goodIssuer, hmacSecretFunc, jwkProvider, oidc.DefaultOIDCTimeoutsConfiguration())
|
||||
authResponder := simulateAuthEndpointHavingAlreadyRun(t, authRequest, oauthHelper, initialCustomSessionData)
|
||||
authResponder := simulateAuthEndpointHavingAlreadyRun(t, authRequest, oauthHelper, initialCustomSessionData, modifySession)
|
||||
return oauthHelper, authResponder.GetCode(), nil
|
||||
}
|
||||
|
||||
@ -4121,6 +4154,7 @@ func simulateAuthEndpointHavingAlreadyRun(
|
||||
authRequest *http.Request,
|
||||
oauthHelper fosite.OAuth2Provider,
|
||||
initialCustomSessionData *psession.CustomSessionData,
|
||||
modifySession func(session *psession.PinnipedSession),
|
||||
) fosite.AuthorizeResponder {
|
||||
// We only set the fields in the session that Fosite wants us to set.
|
||||
ctx := context.Background()
|
||||
@ -4137,6 +4171,10 @@ func simulateAuthEndpointHavingAlreadyRun(
|
||||
},
|
||||
Custom: initialCustomSessionData,
|
||||
}
|
||||
if modifySession != nil {
|
||||
modifySession(session)
|
||||
}
|
||||
|
||||
authRequester, err := oauthHelper.NewAuthorizeRequest(ctx, authRequest)
|
||||
require.NoError(t, err)
|
||||
if strings.Contains(authRequest.Form.Get("scope"), "openid") {
|
||||
@ -4212,6 +4250,7 @@ func requireValidRefreshTokenStorage(
|
||||
wantUsername string,
|
||||
wantGroups []string,
|
||||
wantCustomSessionData *psession.CustomSessionData,
|
||||
wantAdditionalClaims map[string]interface{},
|
||||
secrets v1.SecretInterface,
|
||||
requestTime time.Time,
|
||||
) {
|
||||
@ -4241,6 +4280,7 @@ func requireValidRefreshTokenStorage(
|
||||
wantUsername,
|
||||
wantGroups,
|
||||
wantCustomSessionData,
|
||||
wantAdditionalClaims,
|
||||
requestTime,
|
||||
)
|
||||
|
||||
@ -4257,6 +4297,7 @@ func requireValidAccessTokenStorage(
|
||||
wantUsername string,
|
||||
wantGroups []string,
|
||||
wantCustomSessionData *psession.CustomSessionData,
|
||||
wantAdditionalClaims map[string]interface{},
|
||||
secrets v1.SecretInterface,
|
||||
requestTime time.Time,
|
||||
) {
|
||||
@ -4305,6 +4346,7 @@ func requireValidAccessTokenStorage(
|
||||
wantUsername,
|
||||
wantGroups,
|
||||
wantCustomSessionData,
|
||||
wantAdditionalClaims,
|
||||
requestTime,
|
||||
)
|
||||
|
||||
@ -4351,6 +4393,7 @@ func requireValidOIDCStorage(
|
||||
wantUsername string,
|
||||
wantGroups []string,
|
||||
wantCustomSessionData *psession.CustomSessionData,
|
||||
wantAdditionalClaims map[string]interface{},
|
||||
requestTime time.Time,
|
||||
) {
|
||||
t.Helper()
|
||||
@ -4378,6 +4421,7 @@ func requireValidOIDCStorage(
|
||||
wantUsername,
|
||||
wantGroups,
|
||||
wantCustomSessionData,
|
||||
wantAdditionalClaims,
|
||||
requestTime,
|
||||
)
|
||||
} else {
|
||||
@ -4397,6 +4441,7 @@ func requireValidStoredRequest(
|
||||
wantUsername string,
|
||||
wantGroups []string,
|
||||
wantCustomSessionData *psession.CustomSessionData,
|
||||
wantAdditionalClaims map[string]interface{},
|
||||
requestTime time.Time,
|
||||
) {
|
||||
t.Helper()
|
||||
@ -4429,6 +4474,9 @@ func requireValidStoredRequest(
|
||||
expectedExtra["groups"] = toSliceOfInterface(wantGroups)
|
||||
}
|
||||
expectedExtra["azp"] = wantClientID
|
||||
if len(wantAdditionalClaims) > 0 {
|
||||
expectedExtra["additionalClaims"] = wantAdditionalClaims
|
||||
}
|
||||
require.Equal(t, expectedExtra, claims.Extra)
|
||||
|
||||
// We are in charge of setting these fields. For the purpose of testing, we ensure that the
|
||||
@ -4518,6 +4566,7 @@ func requireValidIDToken(
|
||||
wantNonceValueInIDToken bool,
|
||||
wantUsernameInIDToken string,
|
||||
wantGroupsInIDToken []string,
|
||||
wantAdditionalClaims map[string]interface{},
|
||||
actualAccessToken string,
|
||||
requestTime time.Time,
|
||||
) {
|
||||
@ -4532,18 +4581,19 @@ func requireValidIDToken(
|
||||
token := oidctestutil.VerifyECDSAIDToken(t, goodIssuer, wantClientID, jwtSigningKey, idTokenString)
|
||||
|
||||
var claims struct {
|
||||
Subject string `json:"sub"`
|
||||
Audience []string `json:"aud"`
|
||||
Issuer string `json:"iss"`
|
||||
JTI string `json:"jti"`
|
||||
Nonce string `json:"nonce"`
|
||||
AccessTokenHash string `json:"at_hash"`
|
||||
ExpiresAt int64 `json:"exp"`
|
||||
IssuedAt int64 `json:"iat"`
|
||||
RequestedAt int64 `json:"rat"`
|
||||
AuthTime int64 `json:"auth_time"`
|
||||
Groups []string `json:"groups"`
|
||||
Username string `json:"username"`
|
||||
Subject string `json:"sub"`
|
||||
Audience []string `json:"aud"`
|
||||
Issuer string `json:"iss"`
|
||||
JTI string `json:"jti"`
|
||||
Nonce string `json:"nonce"`
|
||||
AccessTokenHash string `json:"at_hash"`
|
||||
ExpiresAt int64 `json:"exp"`
|
||||
IssuedAt int64 `json:"iat"`
|
||||
RequestedAt int64 `json:"rat"`
|
||||
AuthTime int64 `json:"auth_time"`
|
||||
Groups []string `json:"groups"`
|
||||
Username string `json:"username"`
|
||||
AdditionalClaims map[string]interface{} `json:"additionalClaims"`
|
||||
}
|
||||
|
||||
idTokenFields := []string{"sub", "aud", "iss", "jti", "auth_time", "exp", "iat", "rat", "azp", "at_hash"}
|
||||
@ -4556,6 +4606,9 @@ func requireValidIDToken(
|
||||
if wantGroupsInIDToken != nil {
|
||||
idTokenFields = append(idTokenFields, "groups")
|
||||
}
|
||||
if len(wantAdditionalClaims) > 0 {
|
||||
idTokenFields = append(idTokenFields, "additionalClaims")
|
||||
}
|
||||
|
||||
// make sure that these are the only fields in the token
|
||||
var m map[string]interface{}
|
||||
@ -4573,6 +4626,8 @@ func requireValidIDToken(
|
||||
require.Equal(t, wantClientID, m["azp"])
|
||||
require.Equal(t, goodIssuer, claims.Issuer)
|
||||
require.NotEmpty(t, claims.JTI)
|
||||
require.Equal(t, wantAdditionalClaims, claims.AdditionalClaims)
|
||||
require.NotEqual(t, map[string]interface{}{}, claims.AdditionalClaims, "additionalClaims may never be present and empty in the id token")
|
||||
|
||||
if wantNonceValueInIDToken {
|
||||
require.Equal(t, goodNonce, claims.Nonce)
|
||||
|
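Review bot: The two new assertions in requireValidIDToken, `require.Equal(t, wantAdditionalClaims, claims.AdditionalClaims)` and the `require.NotEqual(t, map[string]interface{}{}, ...)` that follows, depend on encoding/json leaving the field nil when "additionalClaims" is absent and producing an empty non-nil map only when the claim is present but empty; that is what makes the second assertion meaningful, and a comment stating it would keep a future change from weakening the check. Note also that nested values come back from the JSON round-trip as map[string]interface{}, so any future wantAdditionalClaims with non-string values must be written in that shape rather than as map[string]string. The same wantAdditionalClaims plumbing is repeated through requireValidRefreshTokenStorage, requireValidAccessTokenStorage, requireValidOIDCStorage and requireValidStoredRequest; requireValidIDToken's body continues outside the hunk.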
@ -164,6 +164,7 @@ type TestUpstreamOIDCIdentityProvider struct {
|
||||
GroupsClaim string
|
||||
Scopes []string
|
||||
AdditionalAuthcodeParams map[string]string
|
||||
AdditionalClaimMappings map[string]string
|
||||
AllowPasswordGrant bool
|
||||
|
||||
ExchangeAuthcodeAndValidateTokensFunc func(
|
||||
@ -207,6 +208,10 @@ func (u *TestUpstreamOIDCIdentityProvider) GetAdditionalAuthcodeParams() map[str
|
||||
return u.AdditionalAuthcodeParams
|
||||
}
|
||||
|
||||
func (u *TestUpstreamOIDCIdentityProvider) GetAdditionalClaimMappings() map[string]string {
|
||||
return u.AdditionalClaimMappings
|
||||
}
|
||||
|
||||
func (u *TestUpstreamOIDCIdentityProvider) GetName() string {
|
||||
return u.Name
|
||||
}
|
||||
@ -630,6 +635,7 @@ type TestUpstreamOIDCIdentityProviderBuilder struct {
|
||||
authorizationURL url.URL
|
||||
hasUserInfoURL bool
|
||||
additionalAuthcodeParams map[string]string
|
||||
additionalClaimMappings map[string]string
|
||||
allowPasswordGrant bool
|
||||
authcodeExchangeErr error
|
||||
passwordGrantErr error
|
||||
@ -716,6 +722,11 @@ func (u *TestUpstreamOIDCIdentityProviderBuilder) WithAdditionalAuthcodeParams(p
|
||||
return u
|
||||
}
|
||||
|
||||
func (u *TestUpstreamOIDCIdentityProviderBuilder) WithAdditionalClaimMappings(m map[string]string) *TestUpstreamOIDCIdentityProviderBuilder {
|
||||
u.additionalClaimMappings = m
|
||||
return u
|
||||
}
|
||||
|
||||
func (u *TestUpstreamOIDCIdentityProviderBuilder) WithRefreshToken(token string) *TestUpstreamOIDCIdentityProviderBuilder {
|
||||
u.refreshToken = &oidctypes.RefreshToken{Token: token}
|
||||
return u
|
||||
@ -792,6 +803,7 @@ func (u *TestUpstreamOIDCIdentityProviderBuilder) Build() *TestUpstreamOIDCIdent
|
||||
AuthorizationURL: u.authorizationURL,
|
||||
UserInfoURL: u.hasUserInfoURL,
|
||||
AdditionalAuthcodeParams: u.additionalAuthcodeParams,
|
||||
AdditionalClaimMappings: u.additionalClaimMappings,
|
||||
ExchangeAuthcodeAndValidateTokensFunc: func(ctx context.Context, authcode string, pkceCodeVerifier pkce.Code, expectedIDTokenNonce nonce.Nonce) (*oidctypes.Token, error) {
|
||||
if u.authcodeExchangeErr != nil {
|
||||
return nil, u.authcodeExchangeErr
|
||||
@ -916,6 +928,7 @@ func VerifyECDSAIDToken(
|
||||
return token
|
||||
}
|
||||
|
||||
// RequireAuthCodeRegexpMatch TODO (jtc): rename me?
|
||||
func RequireAuthCodeRegexpMatch(
|
||||
t *testing.T,
|
||||
actualContent string,
|
||||
@ -934,6 +947,7 @@ func RequireAuthCodeRegexpMatch(
|
||||
wantDownstreamClientID string,
|
||||
wantDownstreamRedirectURI string,
|
||||
wantCustomSessionData *psession.CustomSessionData,
|
||||
wantAdditionalClaims map[string]interface{},
|
||||
) {
|
||||
t.Helper()
|
||||
|
||||
@ -972,6 +986,7 @@ func RequireAuthCodeRegexpMatch(
|
||||
wantDownstreamClientID,
|
||||
wantDownstreamRedirectURI,
|
||||
wantCustomSessionData,
|
||||
wantAdditionalClaims,
|
||||
)
|
||||
|
||||
// One PKCE should have been stored.
|
||||
@ -1023,6 +1038,7 @@ func validateAuthcodeStorage(
|
||||
wantDownstreamClientID string,
|
||||
wantDownstreamRedirectURI string,
|
||||
wantCustomSessionData *psession.CustomSessionData,
|
||||
wantAdditionalClaims map[string]interface{},
|
||||
) (*fosite.Request, *psession.PinnipedSession) {
|
||||
t.Helper()
|
||||
|
||||
@ -1066,6 +1082,10 @@ func validateAuthcodeStorage(
|
||||
require.Equal(t, wantDownstreamClientID, actualClaims.Extra["azp"])
|
||||
wantDownstreamIDTokenExtraClaimsCount := 1 // should always have azp claim
|
||||
|
||||
if len(wantAdditionalClaims) > 0 {
|
||||
wantDownstreamIDTokenExtraClaimsCount++
|
||||
}
|
||||
|
||||
// Check the user's identity, which are put into the downstream ID token's subject, username and groups claims.
|
||||
require.Equal(t, wantDownstreamIDTokenSubject, actualClaims.Subject)
|
||||
if wantDownstreamIDTokenUsername == "" {
|
||||
@ -1085,6 +1105,15 @@ func validateAuthcodeStorage(
|
||||
actualDownstreamIDTokenGroups := actualClaims.Extra["groups"]
|
||||
require.Nil(t, actualDownstreamIDTokenGroups)
|
||||
}
|
||||
if len(wantAdditionalClaims) > 0 {
|
||||
actualAdditionalClaims, ok := actualClaims.Get("additionalClaims").(map[string]interface{})
|
||||
require.True(t, ok, "expected additionalClaims to be a map[string]interface{}")
|
||||
require.Equal(t, wantAdditionalClaims, actualAdditionalClaims)
|
||||
} else {
|
||||
// TODO: change assertion to verify that key `additionalClaims` DNE in actualClaims
|
||||
require.Nil(t, actualClaims.Get("additionalClaims"), "additionalClaims must be nil when there are no wanted additional claims")
|
||||
}
|
||||
|
||||
// Make sure that we asserted on every extra claim.
|
||||
require.Len(t, actualClaims.Extra, wantDownstreamIDTokenExtraClaimsCount)
|
||||
|
||||
|
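Review bot: The TODO in validateAuthcodeStorage asking to verify that the `additionalClaims` key is absent can be resolved directly with `_, present := actualClaims.Extra["additionalClaims"]` followed by `require.False(t, present, "additionalClaims must not be present when no additional claims are wanted")`, which is stronger than asserting a nil value through Get. The trailing `require.Len(t, actualClaims.Extra, wantDownstreamIDTokenExtraClaimsCount)` already implies absence when the count is 1, so a comment saying the two checks are intentionally redundant would help. The doc comment `// RequireAuthCodeRegexpMatch TODO (jtc): rename me?` on an exported function should be replaced with a sentence describing what it asserts before merge, since godoc will surface the TODO as the function's documentation.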
@ -43,6 +43,7 @@ type ProviderConfig struct {
|
||||
Client *http.Client
|
||||
AllowPasswordGrant bool
|
||||
AdditionalAuthcodeParams map[string]string
|
||||
AdditionalClaimMappings map[string]string
|
||||
RevocationURL *url.URL // will commonly be nil: many providers do not offer this
|
||||
Provider interface {
|
||||
Verifier(*coreosoidc.Config) *coreosoidc.IDTokenVerifier
|
||||
@ -78,6 +79,10 @@ func (p *ProviderConfig) GetAdditionalAuthcodeParams() map[string]string {
|
||||
return p.AdditionalAuthcodeParams
|
||||
}
|
||||
|
||||
func (p *ProviderConfig) GetAdditionalClaimMappings() map[string]string {
|
||||
return p.AdditionalClaimMappings
|
||||
}
|
||||
|
||||
func (p *ProviderConfig) GetName() string {
|
||||
return p.Name
|
||||
}
|
||||
|
@ -68,6 +68,16 @@ func TestProviderConfig(t *testing.T) {
|
||||
rawClaims: []byte(`{`),
|
||||
}
|
||||
require.False(t, p.HasUserInfoURL())
|
||||
|
||||
// AdditionalAuthcodeParams defaults to empty
|
||||
require.Empty(t, p.AdditionalAuthcodeParams)
|
||||
p.AdditionalAuthcodeParams = map[string]string{"additional": "authcodeParams"}
|
||||
require.Equal(t, p.GetAdditionalAuthcodeParams(), map[string]string{"additional": "authcodeParams"})
|
||||
|
||||
// AdditionalClaimMappings defaults to empty
|
||||
require.Empty(t, p.AdditionalClaimMappings)
|
||||
p.AdditionalClaimMappings = map[string]string{"additional": "claimMappings"}
|
||||
require.Equal(t, p.GetAdditionalClaimMappings(), map[string]string{"additional": "claimMappings"})
|
||||
})
|
||||
|
||||
const (
|
||||
|