From 125fb3413f6241839bd96868490ff5416515d7ba Mon Sep 17 00:00:00 2001 From: David Gogl <1381862+kengou@users.noreply.github.com> Date: Mon, 27 Oct 2025 21:45:57 +0100 Subject: [PATCH 1/6] feat(dex): add option to modify user id claim, skip email_verified via toggle --- api/v1alpha1/organization_types.go | 7 ++++++ .../crds/greenhouse.sap_organizations.yaml | 10 +++++++++ docs/reference/api/index.html | 22 +++++++++++++++++++ docs/reference/api/openapi.yaml | 9 ++++++++ internal/controller/organization/dex.go | 17 +++++++------- types/typescript/schema.d.ts | 7 ++++++ 6 files changed, 64 insertions(+), 8 deletions(-) diff --git a/api/v1alpha1/organization_types.go b/api/v1alpha1/organization_types.go index c5447a819..5f2c67ccd 100644 --- a/api/v1alpha1/organization_types.go +++ b/api/v1alpha1/organization_types.go @@ -83,6 +83,13 @@ type OIDCConfig struct { // OAuth2ClientRedirectURIs are a registered set of redirect URIs. When redirecting from the idproxy to // the client application, the URI requested to redirect to must be contained in this list. OAuth2ClientRedirectURIs []string `json:"oauth2ClientRedirectURIs,omitempty"` + // InsecureSkipEmailVerified allows to skip the verification of the "email_verified" claim in ID tokens. + // +kubebuilder:validation:default:=false + // +kubebuilder:validation:Enum:=true;false + InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified,omitempty"` + // UserIDClaim is the claim to be used as user ID. + // +kubebuilder:validation:default:="login_name" + UserIDClaim string `json:"userIDClaim,omitempty"` } type SCIMConfig struct { diff --git a/charts/manager/crds/greenhouse.sap_organizations.yaml b/charts/manager/crds/greenhouse.sap_organizations.yaml index 3885c27b1..2ad4c073b 100644 --- a/charts/manager/crds/greenhouse.sap_organizations.yaml +++ b/charts/manager/crds/greenhouse.sap_organizations.yaml @@ -92,6 +92,13 @@ spec: - key - name type: object + insecureSkipEmailVerified: + description: InsecureSkipEmailVerified allows to skip the + verification of the "email_verified" claim in ID tokens. + enum: + - true + - false + type: boolean issuer: description: Issuer is the URL of the identity service. type: string @@ -107,6 +114,9 @@ spec: RedirectURI is the redirect URI to be used for the OIDC flow against the upstream IdP. If none is specified, the Greenhouse ID proxy will be used. type: string + userIDClaim: + description: UserIDClaim is the claim to be used as user ID. + type: string required: - clientIDReference - clientSecretReference diff --git a/docs/reference/api/index.html b/docs/reference/api/index.html index 99a1e1d75..2675a919c 100644 --- a/docs/reference/api/index.html +++ b/docs/reference/api/index.html @@ -1807,6 +1807,28 @@

OIDCConfig the client application, the URI requested to redirect to must be contained in this list.

+ + +insecureSkipEmailVerified
+ +bool + + + +

InsecureSkipEmailVerified allows to skip the verification of the “email_verified” claim in ID tokens.

+ + + + +userIDClaim
+ +string + + + +

UserIDClaim is the claim to be used as user ID.

+ + diff --git a/docs/reference/api/openapi.yaml b/docs/reference/api/openapi.yaml index d8deb48e3..e65313185 100755 --- a/docs/reference/api/openapi.yaml +++ b/docs/reference/api/openapi.yaml @@ -669,6 +669,12 @@ components: - key - name type: object + insecureSkipEmailVerified: + description: InsecureSkipEmailVerified allows to skip the verification of the "email_verified" claim in ID tokens. + enum: + - true + - false + type: boolean issuer: description: Issuer is the URL of the identity service. type: string @@ -684,6 +690,9 @@ components: RedirectURI is the redirect URI to be used for the OIDC flow against the upstream IdP. If none is specified, the Greenhouse ID proxy will be used. type: string + userIDClaim: + description: UserIDClaim is the claim to be used as user ID. + type: string required: - clientIDReference - clientSecretReference diff --git a/internal/controller/organization/dex.go b/internal/controller/organization/dex.go index b679f7193..f09468669 100644 --- a/internal/controller/organization/dex.go +++ b/internal/controller/organization/dex.go @@ -111,14 +111,15 @@ func (r *OrganizationReconciler) reconcileDexConnector(ctx context.Context, org return err } oidcConfig := &oidc.Config{ - Issuer: org.Spec.Authentication.OIDCConfig.Issuer, - ClientID: clientID, - ClientSecret: clientSecret, - RedirectURI: redirectURL, - UserNameKey: "login_name", - UserIDKey: "login_name", - InsecureSkipVerify: true, - InsecureEnableGroups: true, + Issuer: org.Spec.Authentication.OIDCConfig.Issuer, + ClientID: clientID, + ClientSecret: clientSecret, + RedirectURI: redirectURL, + UserNameKey: org.Spec.Authentication.OIDCConfig.UserIDClaim, + UserIDKey: org.Spec.Authentication.OIDCConfig.UserIDClaim, + InsecureSkipEmailVerified: org.Spec.Authentication.OIDCConfig.InsecureSkipEmailVerified, + InsecureSkipVerify: true, + InsecureEnableGroups: true, } configByte, err := json.Marshal(oidcConfig) if err != nil { diff --git a/types/typescript/schema.d.ts b/types/typescript/schema.d.ts index 3daf40c18..64bbca219 100644 --- a/types/typescript/schema.d.ts +++ b/types/typescript/schema.d.ts @@ -533,6 +533,11 @@ export interface components { /** @description Name of the secret in the same namespace. */ name: string; }; + /** + * @description InsecureSkipEmailVerified allows to skip the verification of the "email_verified" claim in ID tokens. + * @enum {boolean} + */ + insecureSkipEmailVerified?: true | false; /** @description Issuer is the URL of the identity service. */ issuer: string; /** @@ -545,6 +550,8 @@ export interface components { * If none is specified, the Greenhouse ID proxy will be used. */ redirectURI?: string; + /** @description UserIDClaim is the claim to be used as user ID. */ + userIDClaim?: string; }; /** @description SCIMConfig configures the SCIM client. */ scim?: { From 4874534592988cb2010a928ab527433dd892cde0 Mon Sep 17 00:00:00 2001 From: David Gogl <1381862+kengou@users.noreply.github.com> Date: Mon, 27 Oct 2025 21:54:17 +0100 Subject: [PATCH 2/6] fix(api): fix default values --- api/v1alpha1/organization_types.go | 4 ++-- charts/manager/crds/greenhouse.sap_organizations.yaml | 2 ++ docs/reference/api/openapi.yaml | 2 ++ types/typescript/schema.d.ts | 10 +++++++--- 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/api/v1alpha1/organization_types.go b/api/v1alpha1/organization_types.go index 5f2c67ccd..ff8177284 100644 --- a/api/v1alpha1/organization_types.go +++ b/api/v1alpha1/organization_types.go @@ -84,11 +84,11 @@ type OIDCConfig struct { // the client application, the URI requested to redirect to must be contained in this list. OAuth2ClientRedirectURIs []string `json:"oauth2ClientRedirectURIs,omitempty"` // InsecureSkipEmailVerified allows to skip the verification of the "email_verified" claim in ID tokens. - // +kubebuilder:validation:default:=false + // +kubebuilder:default:=false // +kubebuilder:validation:Enum:=true;false InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified,omitempty"` // UserIDClaim is the claim to be used as user ID. - // +kubebuilder:validation:default:="login_name" + // +kubebuilder:default:="login_name" UserIDClaim string `json:"userIDClaim,omitempty"` } diff --git a/charts/manager/crds/greenhouse.sap_organizations.yaml b/charts/manager/crds/greenhouse.sap_organizations.yaml index 2ad4c073b..e77bd3bd7 100644 --- a/charts/manager/crds/greenhouse.sap_organizations.yaml +++ b/charts/manager/crds/greenhouse.sap_organizations.yaml @@ -93,6 +93,7 @@ spec: - name type: object insecureSkipEmailVerified: + default: false description: InsecureSkipEmailVerified allows to skip the verification of the "email_verified" claim in ID tokens. enum: @@ -115,6 +116,7 @@ spec: If none is specified, the Greenhouse ID proxy will be used. type: string userIDClaim: + default: login_name description: UserIDClaim is the claim to be used as user ID. type: string required: diff --git a/docs/reference/api/openapi.yaml b/docs/reference/api/openapi.yaml index e65313185..fa5585217 100755 --- a/docs/reference/api/openapi.yaml +++ b/docs/reference/api/openapi.yaml @@ -670,6 +670,7 @@ components: - name type: object insecureSkipEmailVerified: + default: false description: InsecureSkipEmailVerified allows to skip the verification of the "email_verified" claim in ID tokens. enum: - true @@ -691,6 +692,7 @@ components: If none is specified, the Greenhouse ID proxy will be used. type: string userIDClaim: + default: login_name description: UserIDClaim is the claim to be used as user ID. type: string required: diff --git a/types/typescript/schema.d.ts b/types/typescript/schema.d.ts index 64bbca219..6d07967c1 100644 --- a/types/typescript/schema.d.ts +++ b/types/typescript/schema.d.ts @@ -535,9 +535,10 @@ export interface components { }; /** * @description InsecureSkipEmailVerified allows to skip the verification of the "email_verified" claim in ID tokens. + * @default false * @enum {boolean} */ - insecureSkipEmailVerified?: true | false; + insecureSkipEmailVerified: true | false; /** @description Issuer is the URL of the identity service. */ issuer: string; /** @@ -550,8 +551,11 @@ export interface components { * If none is specified, the Greenhouse ID proxy will be used. */ redirectURI?: string; - /** @description UserIDClaim is the claim to be used as user ID. */ - userIDClaim?: string; + /** + * @description UserIDClaim is the claim to be used as user ID. + * @default login_name + */ + userIDClaim: string; }; /** @description SCIMConfig configures the SCIM client. */ scim?: { From f7b847ac1a2aee41153a076862aa64a4b5797127 Mon Sep 17 00:00:00 2001 From: David Gogl <1381862+kengou@users.noreply.github.com> Date: Tue, 28 Oct 2025 09:12:21 +0100 Subject: [PATCH 3/6] update org sample --- config/samples/organization/demo.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/samples/organization/demo.yaml b/config/samples/organization/demo.yaml index 4b02a3df8..6afb30e12 100644 --- a/config/samples/organization/demo.yaml +++ b/config/samples/organization/demo.yaml @@ -53,3 +53,5 @@ spec: name: demo-oidc issuer: https://global.accounts.dev redirectURI: https://bogus.accounts.foo + InsecureSkipEmailVerified: true + UserIDClaim: email From d2320e3ee45c1095e591c23dc6b2f3568f4e9ebe Mon Sep 17 00:00:00 2001 From: David Gogl <1381862+kengou@users.noreply.github.com> Date: Tue, 28 Oct 2025 09:13:29 +0100 Subject: [PATCH 4/6] fix org sample --- config/samples/organization/demo.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/samples/organization/demo.yaml b/config/samples/organization/demo.yaml index 6afb30e12..cac535baf 100644 --- a/config/samples/organization/demo.yaml +++ b/config/samples/organization/demo.yaml @@ -53,5 +53,5 @@ spec: name: demo-oidc issuer: https://global.accounts.dev redirectURI: https://bogus.accounts.foo - InsecureSkipEmailVerified: true - UserIDClaim: email + insecureSkipEmailVerified: true + userIDClaim: email From 7a52ae16d553c04b26f044b01f98ee54c78e4b67 Mon Sep 17 00:00:00 2001 From: David Gogl <1381862+kengou@users.noreply.github.com> Date: Sun, 16 Nov 2025 01:02:34 +0100 Subject: [PATCH 5/6] introduce ExtraConfig --- api/v1alpha1/organization_types.go | 5 +++++ internal/controller/organization/dex.go | 16 +++++++++++++--- 2 files changed, 18 insertions(+), 3 deletions(-) mode change 100644 => 100755 api/v1alpha1/organization_types.go mode change 100644 => 100755 internal/controller/organization/dex.go diff --git a/api/v1alpha1/organization_types.go b/api/v1alpha1/organization_types.go old mode 100644 new mode 100755 index ff8177284..55cd100c5 --- a/api/v1alpha1/organization_types.go +++ b/api/v1alpha1/organization_types.go @@ -83,6 +83,11 @@ type OIDCConfig struct { // OAuth2ClientRedirectURIs are a registered set of redirect URIs. When redirecting from the idproxy to // the client application, the URI requested to redirect to must be contained in this list. OAuth2ClientRedirectURIs []string `json:"oauth2ClientRedirectURIs,omitempty"` + // ExtraClaims contains additional configuration for extra claims. + ExtraConfig *OIDCExtraConfig `json:"extraConfig,omitempty"` +} + +type OIDCExtraConfig struct { // InsecureSkipEmailVerified allows to skip the verification of the "email_verified" claim in ID tokens. // +kubebuilder:default:=false // +kubebuilder:validation:Enum:=true;false diff --git a/internal/controller/organization/dex.go b/internal/controller/organization/dex.go old mode 100644 new mode 100755 index f09468669..ff026db68 --- a/internal/controller/organization/dex.go +++ b/internal/controller/organization/dex.go @@ -110,14 +110,24 @@ func (r *OrganizationReconciler) reconcileDexConnector(ctx context.Context, org if err != nil { return err } + var userNameKey = "login_name" + var skipEmailVerified = false + if org.Spec.Authentication.OIDCConfig.ExtraConfig != nil { + if org.Spec.Authentication.OIDCConfig.ExtraConfig.UserIDClaim == "" { + userNameKey = org.Spec.Authentication.OIDCConfig.ExtraConfig.UserIDClaim + } + if org.Spec.Authentication.OIDCConfig.ExtraConfig != nil { + skipEmailVerified = org.Spec.Authentication.OIDCConfig.ExtraConfig.InsecureSkipEmailVerified + } + } oidcConfig := &oidc.Config{ Issuer: org.Spec.Authentication.OIDCConfig.Issuer, ClientID: clientID, ClientSecret: clientSecret, RedirectURI: redirectURL, - UserNameKey: org.Spec.Authentication.OIDCConfig.UserIDClaim, - UserIDKey: org.Spec.Authentication.OIDCConfig.UserIDClaim, - InsecureSkipEmailVerified: org.Spec.Authentication.OIDCConfig.InsecureSkipEmailVerified, + UserNameKey: userNameKey, + UserIDKey: userNameKey, + InsecureSkipEmailVerified: skipEmailVerified, InsecureSkipVerify: true, InsecureEnableGroups: true, } From da900f0f3c2df2f9fc8c0756a50fecba1419c55a Mon Sep 17 00:00:00 2001 From: "cloud-operator-bot[bot]" <224791424+cloud-operator-bot[bot]@users.noreply.github.com> Date: Sun, 16 Nov 2025 00:05:48 +0000 Subject: [PATCH 6/6] Automatic generation of CRD API Docs --- api/v1alpha1/zz_generated.deepcopy.go | 20 +++++++++++ .../crds/greenhouse.sap_organizations.yaml | 31 ++++++++++------- docs/reference/api/index.html | 33 +++++++++++++++++++ docs/reference/api/openapi.yaml | 26 ++++++++------- 4 files changed, 87 insertions(+), 23 deletions(-) diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 051db62f4..f27c0596b 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -791,6 +791,11 @@ func (in *OIDCConfig) DeepCopyInto(out *OIDCConfig) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.ExtraConfig != nil { + in, out := &in.ExtraConfig, &out.ExtraConfig + *out = new(OIDCExtraConfig) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCConfig. @@ -803,6 +808,21 @@ func (in *OIDCConfig) DeepCopy() *OIDCConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCExtraConfig) DeepCopyInto(out *OIDCExtraConfig) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCExtraConfig. +func (in *OIDCExtraConfig) DeepCopy() *OIDCExtraConfig { + if in == nil { + return nil + } + out := new(OIDCExtraConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Organization) DeepCopyInto(out *Organization) { *out = *in diff --git a/charts/manager/crds/greenhouse.sap_organizations.yaml b/charts/manager/crds/greenhouse.sap_organizations.yaml index e77bd3bd7..f153c6ccc 100644 --- a/charts/manager/crds/greenhouse.sap_organizations.yaml +++ b/charts/manager/crds/greenhouse.sap_organizations.yaml @@ -92,14 +92,25 @@ spec: - key - name type: object - insecureSkipEmailVerified: - default: false - description: InsecureSkipEmailVerified allows to skip the - verification of the "email_verified" claim in ID tokens. - enum: - - true - - false - type: boolean + extraConfig: + description: ExtraClaims contains additional configuration + for extra claims. + properties: + insecureSkipEmailVerified: + default: false + description: InsecureSkipEmailVerified allows to skip + the verification of the "email_verified" claim in ID + tokens. + enum: + - true + - false + type: boolean + userIDClaim: + default: login_name + description: UserIDClaim is the claim to be used as user + ID. + type: string + type: object issuer: description: Issuer is the URL of the identity service. type: string @@ -115,10 +126,6 @@ spec: RedirectURI is the redirect URI to be used for the OIDC flow against the upstream IdP. If none is specified, the Greenhouse ID proxy will be used. type: string - userIDClaim: - default: login_name - description: UserIDClaim is the claim to be used as user ID. - type: string required: - clientIDReference - clientSecretReference diff --git a/docs/reference/api/index.html b/docs/reference/api/index.html index 2675a919c..65adbbefd 100644 --- a/docs/reference/api/index.html +++ b/docs/reference/api/index.html @@ -1809,6 +1809,39 @@

OIDCConfig +extraConfig
+ + +OIDCExtraConfig + + + + +

ExtraClaims contains additional configuration for extra claims.

+ + + + + + +

OIDCExtraConfig +

+

+(Appears on: +OIDCConfig) +

+
+
+ + + + + + + + + +
FieldDescription
insecureSkipEmailVerified
bool diff --git a/docs/reference/api/openapi.yaml b/docs/reference/api/openapi.yaml index fa5585217..d3a5e6f14 100755 --- a/docs/reference/api/openapi.yaml +++ b/docs/reference/api/openapi.yaml @@ -669,13 +669,21 @@ components: - key - name type: object - insecureSkipEmailVerified: - default: false - description: InsecureSkipEmailVerified allows to skip the verification of the "email_verified" claim in ID tokens. - enum: - - true - - false - type: boolean + extraConfig: + description: ExtraClaims contains additional configuration for extra claims. + properties: + insecureSkipEmailVerified: + default: false + description: InsecureSkipEmailVerified allows to skip the verification of the "email_verified" claim in ID tokens. + enum: + - true + - false + type: boolean + userIDClaim: + default: login_name + description: UserIDClaim is the claim to be used as user ID. + type: string + type: object issuer: description: Issuer is the URL of the identity service. type: string @@ -691,10 +699,6 @@ components: RedirectURI is the redirect URI to be used for the OIDC flow against the upstream IdP. If none is specified, the Greenhouse ID proxy will be used. type: string - userIDClaim: - default: login_name - description: UserIDClaim is the claim to be used as user ID. - type: string required: - clientIDReference - clientSecretReference