diff --git a/api/v1alpha1/organization_types.go b/api/v1alpha1/organization_types.go old mode 100644 new mode 100755 index c5447a819..55cd100c5 --- a/api/v1alpha1/organization_types.go +++ b/api/v1alpha1/organization_types.go @@ -83,6 +83,18 @@ type OIDCConfig struct { // OAuth2ClientRedirectURIs are a registered set of redirect URIs. When redirecting from the idproxy to // the client application, the URI requested to redirect to must be contained in this list. OAuth2ClientRedirectURIs []string `json:"oauth2ClientRedirectURIs,omitempty"` + // ExtraClaims contains additional configuration for extra claims. + ExtraConfig *OIDCExtraConfig `json:"extraConfig,omitempty"` +} + +type OIDCExtraConfig struct { + // InsecureSkipEmailVerified allows to skip the verification of the "email_verified" claim in ID tokens. + // +kubebuilder:default:=false + // +kubebuilder:validation:Enum:=true;false + InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified,omitempty"` + // UserIDClaim is the claim to be used as user ID. + // +kubebuilder:default:="login_name" + UserIDClaim string `json:"userIDClaim,omitempty"` } type SCIMConfig struct { diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 051db62f4..f27c0596b 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -791,6 +791,11 @@ func (in *OIDCConfig) DeepCopyInto(out *OIDCConfig) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.ExtraConfig != nil { + in, out := &in.ExtraConfig, &out.ExtraConfig + *out = new(OIDCExtraConfig) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCConfig. @@ -803,6 +808,21 @@ func (in *OIDCConfig) DeepCopy() *OIDCConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCExtraConfig) DeepCopyInto(out *OIDCExtraConfig) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCExtraConfig. +func (in *OIDCExtraConfig) DeepCopy() *OIDCExtraConfig { + if in == nil { + return nil + } + out := new(OIDCExtraConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Organization) DeepCopyInto(out *Organization) { *out = *in diff --git a/charts/manager/crds/greenhouse.sap_organizations.yaml b/charts/manager/crds/greenhouse.sap_organizations.yaml index 3885c27b1..f153c6ccc 100644 --- a/charts/manager/crds/greenhouse.sap_organizations.yaml +++ b/charts/manager/crds/greenhouse.sap_organizations.yaml @@ -92,6 +92,25 @@ spec: - key - name type: object + extraConfig: + description: ExtraClaims contains additional configuration + for extra claims. + properties: + insecureSkipEmailVerified: + default: false + description: InsecureSkipEmailVerified allows to skip + the verification of the "email_verified" claim in ID + tokens. + enum: + - true + - false + type: boolean + userIDClaim: + default: login_name + description: UserIDClaim is the claim to be used as user + ID. + type: string + type: object issuer: description: Issuer is the URL of the identity service. type: string diff --git a/config/samples/organization/demo.yaml b/config/samples/organization/demo.yaml index 4b02a3df8..cac535baf 100644 --- a/config/samples/organization/demo.yaml +++ b/config/samples/organization/demo.yaml @@ -53,3 +53,5 @@ spec: name: demo-oidc issuer: https://global.accounts.dev redirectURI: https://bogus.accounts.foo + insecureSkipEmailVerified: true + userIDClaim: email diff --git a/docs/reference/api/index.html b/docs/reference/api/index.html index 99a1e1d75..65adbbefd 100644 --- a/docs/reference/api/index.html +++ b/docs/reference/api/index.html @@ -1807,6 +1807,61 @@

OIDCConfig the client application, the URI requested to redirect to must be contained in this list.

+ + +extraConfig
+ + +OIDCExtraConfig + + + + +

ExtraClaims contains additional configuration for extra claims.

+ + + + + + +

OIDCExtraConfig +

+

+(Appears on: +OIDCConfig) +

+
+
+ + + + + + + + + + + + + + + +
FieldDescription
+insecureSkipEmailVerified
+ +bool + +		 +

InsecureSkipEmailVerified allows to skip the verification of the “email_verified” claim in ID tokens.

+
+userIDClaim
+ +string + +		 +

UserIDClaim is the claim to be used as user ID.

+
diff --git a/docs/reference/api/openapi.yaml b/docs/reference/api/openapi.yaml index d8deb48e3..d3a5e6f14 100755 --- a/docs/reference/api/openapi.yaml +++ b/docs/reference/api/openapi.yaml @@ -669,6 +669,21 @@ components: - key - name type: object + extraConfig: + description: ExtraClaims contains additional configuration for extra claims. + properties: + insecureSkipEmailVerified: + default: false + description: InsecureSkipEmailVerified allows to skip the verification of the "email_verified" claim in ID tokens. + enum: + - true + - false + type: boolean + userIDClaim: + default: login_name + description: UserIDClaim is the claim to be used as user ID. + type: string + type: object issuer: description: Issuer is the URL of the identity service. type: string diff --git a/internal/controller/organization/dex.go b/internal/controller/organization/dex.go old mode 100644 new mode 100755 index b679f7193..ff026db68 --- a/internal/controller/organization/dex.go +++ b/internal/controller/organization/dex.go @@ -110,15 +110,26 @@ func (r *OrganizationReconciler) reconcileDexConnector(ctx context.Context, org if err != nil { return err } + var userNameKey = "login_name" + var skipEmailVerified = false + if org.Spec.Authentication.OIDCConfig.ExtraConfig != nil { + if org.Spec.Authentication.OIDCConfig.ExtraConfig.UserIDClaim == "" { + userNameKey = org.Spec.Authentication.OIDCConfig.ExtraConfig.UserIDClaim + } + if org.Spec.Authentication.OIDCConfig.ExtraConfig != nil { + skipEmailVerified = org.Spec.Authentication.OIDCConfig.ExtraConfig.InsecureSkipEmailVerified + } + } oidcConfig := &oidc.Config{ - Issuer: org.Spec.Authentication.OIDCConfig.Issuer, - ClientID: clientID, - ClientSecret: clientSecret, - RedirectURI: redirectURL, - UserNameKey: "login_name", - UserIDKey: "login_name", - InsecureSkipVerify: true, - InsecureEnableGroups: true, + Issuer: org.Spec.Authentication.OIDCConfig.Issuer, + ClientID: clientID, + ClientSecret: clientSecret, + RedirectURI: redirectURL, + UserNameKey: userNameKey, + UserIDKey: userNameKey, + InsecureSkipEmailVerified: skipEmailVerified, + InsecureSkipVerify: true, + InsecureEnableGroups: true, } configByte, err := json.Marshal(oidcConfig) if err != nil { diff --git a/types/typescript/schema.d.ts b/types/typescript/schema.d.ts index 3daf40c18..6d07967c1 100644 --- a/types/typescript/schema.d.ts +++ b/types/typescript/schema.d.ts @@ -533,6 +533,12 @@ export interface components { /** @description Name of the secret in the same namespace. */ name: string; }; + /** + * @description InsecureSkipEmailVerified allows to skip the verification of the "email_verified" claim in ID tokens. + * @default false + * @enum {boolean} + */ + insecureSkipEmailVerified: true | false; /** @description Issuer is the URL of the identity service. */ issuer: string; /** @@ -545,6 +551,11 @@ export interface components { * If none is specified, the Greenhouse ID proxy will be used. */ redirectURI?: string; + /** + * @description UserIDClaim is the claim to be used as user ID. + * @default login_name + */ + userIDClaim: string; }; /** @description SCIMConfig configures the SCIM client. */ scim?: {