feat(dex): add option to modify userid claim, skip email_verified verification

[kengou]

Add option to organization oidc config to change userID claim.
At the moment login_name is hardcoded, and with this change it could be changed to email or any other claim to use as identifier.
Possibility to skip email_verified verification on oidc config. Keycloak turns the email_verified to off(false) by default if using SAML or other user federation.

Description

What type of PR is this? (check all applicable)

• 🍕 Feature
• 🐛 Bug Fix
• 📝 Documentation Update
• 🎨 Style
• 🧑‍💻 Code Refactor
• 🔥 Performance Improvements
• ✅ Test
• 🤖 Build
• 🔁 CI
• 📦 Chore (Release)
• ⏩ Revert

Related Tickets & Documents

Added tests?

• 👍 yes
• 🙅 no, because they aren't needed
• 🙋 no, because I need help
• Separate ticket for tests # (issue/pr)

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration

Added to documentation?

• 📜 README.md
• 🤝 Documentation pages updated
• 🙅 no documentation needed
• (if applicable) generated OpenAPI docs for CRD changes

Checklist

• My code follows the style guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• My changes generate no new warnings
• New and existing unit tests pass locally with my changes

[abhijith-darshan]

Not sure about this option.

since dex in greenhouse is used for k8s auth… in structured authentication when using expression claims.email it implicitly needs claims.email_verified to be true

https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-authentication-configuration

[kengou]

Yes you are right, but when an OIDC provider returns email claim without "email_verified" field, this is assumed to be false by Dex, and newly generated claim is with email_verified=false.

Some enterprise providers return claims without email_verified, when they had no usage of emails verification in enrollement process. Like Okta, CloudFoundry, EntraID.

Kubernetes changed it's original behavior in this PR: kubernetes/kubernetes#61508 to set email_verified=true if the claim is not present, but on Dex side the PR is still open, and original behavior remained: dexidp/dex#3811

[abhijith-darshan]

I think the PR you referenced for k8s is for the legacy OIDC config and not for the structured auth anymore.

In structured auth when using claims.expression (and not claimMappings) email_verified is required.
https://github.com/kubernetes/kubernetes/blob/3daf280c464c712f38fe2a24d9434fcf2670c251/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go#L417-L420

But Okta and EntraID (https://learn.microsoft.com/en-us/entra/external-id/customers/reference-oidc-claims-mapping-customers#claim-and-attribute-mappings) have the email_verfied claim and in Okta there should be a toggle to turn it on for each user.

The verification is anyway part of the enrollment process during sign-up. If users are added programmatically then the email_verified can also be set during that process.

Also when dex config changes with new properties being introduced, the sig alg may change and there will be auth issues.

Here is what I would propose -

move InsecureSkipEmailVerified and UserIDClaim to either map[string]string or a *struct (for easy nil checks)

That way no config changes are introduced on the existing connectors and only during enabling a new config these properties if available are considered.

sounds good?