+
+
+
+
+| Field |
+Description |
+
+
+
+
+
+insecureSkipEmailVerified
+
+bool
+
+ |
+
+ InsecureSkipEmailVerified if set to true, treats email_verified as true when the claim is absent from the ID token.
+This does not override an explicit email_verified=false. Only enable for providers that omit the claim entirely (e.g. some Okta, EntraID or CloudFoundry configurations).
+ |
+
+
+
+userIDClaim
+
+string
+
+ |
+
+ UserIDClaim is the claim to be used as both user ID and username.
+When set, it overrides both UserIDKey and UserNameKey in the dex OIDC connector config.
+ |
+
diff --git a/docs/reference/api/openapi.yaml b/docs/reference/api/openapi.yaml
index 6fe406f38..6418f3628 100755
--- a/docs/reference/api/openapi.yaml
+++ b/docs/reference/api/openapi.yaml
@@ -719,6 +719,22 @@ components:
- key
- name
type: object
+ extraConfig:
+ description: ExtraConfig contains additional OIDC configuration for claim mapping and token validation behavior.
+ properties:
+ insecureSkipEmailVerified:
+ default: false
+ description: |-
+ InsecureSkipEmailVerified if set to true, treats email_verified as true when the claim is absent from the ID token.
+ This does not override an explicit email_verified=false. Only enable for providers that omit the claim entirely (e.g. some Okta, EntraID or CloudFoundry configurations).
+ type: boolean
+ userIDClaim:
+ default: login_name
+ description: |-
+ UserIDClaim is the claim to be used as both user ID and username.
+ When set, it overrides both UserIDKey and UserNameKey in the dex OIDC connector config.
+ type: string
+ type: object
issuer:
description: Issuer is the URL of the identity service.
type: string
diff --git a/internal/controller/organization/dex.go b/internal/controller/organization/dex.go
old mode 100644
new mode 100755
index a027f8c2f..8826d39bc
--- a/internal/controller/organization/dex.go
+++ b/internal/controller/organization/dex.go
@@ -113,15 +113,24 @@ func (r *OrganizationReconciler) reconcileDexConnector(ctx context.Context, org
if err != nil {
return err
}
+ var userNameKey = "login_name"
+ var skipEmailVerified = false
+ if org.Spec.Authentication.OIDCConfig.ExtraConfig != nil {
+ if org.Spec.Authentication.OIDCConfig.ExtraConfig.UserIDClaim != "" {
+ userNameKey = org.Spec.Authentication.OIDCConfig.ExtraConfig.UserIDClaim
+ }
+ skipEmailVerified = org.Spec.Authentication.OIDCConfig.ExtraConfig.InsecureSkipEmailVerified
+ }
oidcConfig := &oidc.Config{
- Issuer: org.Spec.Authentication.OIDCConfig.Issuer,
- ClientID: clientID,
- ClientSecret: clientSecret,
- RedirectURI: redirectURL,
- UserNameKey: "login_name",
- UserIDKey: "login_name",
- InsecureSkipVerify: true,
- InsecureEnableGroups: true,
+ Issuer: org.Spec.Authentication.OIDCConfig.Issuer,
+ ClientID: clientID,
+ ClientSecret: clientSecret,
+ RedirectURI: redirectURL,
+ UserNameKey: userNameKey,
+ UserIDKey: userNameKey,
+ InsecureSkipEmailVerified: skipEmailVerified,
+ InsecureSkipVerify: true,
+ InsecureEnableGroups: true,
}
configByte, err := json.Marshal(oidcConfig)
if err != nil {
diff --git a/internal/controller/organization/organization_controller_test.go b/internal/controller/organization/organization_controller_test.go
index e09efb785..ff7d77af6 100644
--- a/internal/controller/organization/organization_controller_test.go
+++ b/internal/controller/organization/organization_controller_test.go
@@ -4,10 +4,12 @@
package organization_test
import (
+ "encoding/json"
"fmt"
"slices"
+ dexoidc "github.com/dexidp/dex/connector/oidc"
. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
. "github.com/onsi/gomega/gstruct"
@@ -390,6 +392,61 @@ var _ = Describe("Test Organization reconciliation", Ordered, func() {
}
test.EventuallyDeleted(test.Ctx, test.K8sClient, team)
})
+
+ It("should propagate ExtraConfig to dex connector", func() {
+ team := setup.CreateTeam(test.Ctx, "test-team-extra", test.WithTeamLabel(greenhouseapis.LabelKeySupportGroup, "true"))
+
+ defaultOrg := setup.CreateDefaultOrgWithOIDCSecret(test.Ctx, team.Name)
+ test.EventuallyCreated(test.Ctx, test.K8sClient, &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: defaultOrg.Name}})
+ Eventually(func(g Gomega) {
+ err := test.K8sClient.Get(test.Ctx, types.NamespacedName{Name: defaultOrg.Name}, defaultOrg)
+ g.Expect(err).ToNot(HaveOccurred())
+ oidcCondition := defaultOrg.Status.GetConditionByType(greenhousev1alpha1.OrganizationOICDConfigured)
+ g.Expect(oidcCondition).ToNot(BeNil())
+ g.Expect(oidcCondition.IsTrue()).To(BeTrue())
+ }).Should(Succeed())
+
+ By("creating a test organization with ExtraConfig")
+ extraConfigOrg := setup.CreateOrganization(test.Ctx, "test-extraconfig-org", test.WithMappedAdminIDPGroup("EXTRA_CONFIG_GROUP"))
+ test.EventuallyCreated(test.Ctx, test.K8sClient, &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: extraConfigOrg.Name}})
+
+ oidcSecret := setup.CreateOrgOIDCSecret(test.Ctx, extraConfigOrg.Name, team.Name)
+ extraConfigOrg = setup.UpdateOrganization(test.Ctx,
+ extraConfigOrg.Name,
+ test.WithOIDCConfig(test.OIDCIssuer, oidcSecret.Name, test.OIDCClientIDKey, test.OIDCClientSecretKey),
+ test.WithOIDCExtraConfig("email", true),
+ )
+
+ By("checking Organization OIDC status is ready")
+ Eventually(func(g Gomega) {
+ err := test.K8sClient.Get(test.Ctx, types.NamespacedName{Name: extraConfigOrg.Name}, extraConfigOrg)
+ g.Expect(err).ToNot(HaveOccurred())
+ oidcCondition := extraConfigOrg.Status.GetConditionByType(greenhousev1alpha1.OrganizationOICDConfigured)
+ g.Expect(oidcCondition).ToNot(BeNil(), "OrganizationOICDConfigured should be set")
+ g.Expect(oidcCondition.IsTrue()).To(BeTrue(), "OrganizationOICDConfigured should be True")
+ }).Should(Succeed())
+
+ if DexStorageType == dex.K8s {
+ By("verifying the dex connector config contains ExtraConfig values")
+ connectors := &dexapi.ConnectorList{}
+ err := setup.List(test.Ctx, connectors)
+ Expect(err).ToNot(HaveOccurred())
+
+ filteredConnectors := slices.DeleteFunc(connectors.Items, func(c dexapi.Connector) bool {
+ return c.ID != extraConfigOrg.Name
+ })
+ Expect(filteredConnectors).To(HaveLen(1), "there should be exactly one connector for the org")
+
+ var connectorConfig dexoidc.Config
+ Expect(json.Unmarshal(filteredConnectors[0].Config, &connectorConfig)).To(Succeed(), "connector config should be valid JSON")
+ Expect(connectorConfig.UserNameKey).To(Equal("email"), "UserNameKey should be set to the custom claim")
+ Expect(connectorConfig.UserIDKey).To(Equal("email"), "UserIDKey should be set to the custom claim")
+ Expect(connectorConfig.InsecureSkipEmailVerified).To(BeTrue(), "InsecureSkipEmailVerified should be true")
+ }
+
+ test.EventuallyDeleted(test.Ctx, test.K8sClient, &greenhousev1alpha1.Organization{ObjectMeta: metav1.ObjectMeta{Name: extraConfigOrg.Name}})
+ test.EventuallyDeleted(test.Ctx, test.K8sClient, team)
+ })
})
When("reconciling PluginDefinitionCatalog ServiceAccount for regular organization", Ordered, func() {
diff --git a/internal/test/resources.go b/internal/test/resources.go
index 07b62c663..9aaa41660 100644
--- a/internal/test/resources.go
+++ b/internal/test/resources.go
@@ -133,6 +133,23 @@ func WithOIDCConfig(issuer, secretName, clientIDKey, clientSecretKey string) fun
}
}
+// WithOIDCExtraConfig sets the OIDCExtraConfig on an Organization's OIDCConfig.
+// Must be used after WithOIDCConfig to ensure OIDCConfig is initialized.
+func WithOIDCExtraConfig(userIDClaim string, insecureSkipEmailVerified bool) func(*greenhousev1alpha1.Organization) {
+ return func(org *greenhousev1alpha1.Organization) {
+ if org.Spec.Authentication == nil {
+ org.Spec.Authentication = &greenhousev1alpha1.Authentication{}
+ }
+ if org.Spec.Authentication.OIDCConfig == nil {
+ org.Spec.Authentication.OIDCConfig = &greenhousev1alpha1.OIDCConfig{}
+ }
+ org.Spec.Authentication.OIDCConfig.ExtraConfig = &greenhousev1alpha1.OIDCExtraConfig{
+ UserIDClaim: userIDClaim,
+ InsecureSkipEmailVerified: insecureSkipEmailVerified,
+ }
+ }
+}
+
// NewOrganization returns a greenhousev1alpha1.Organization object. Opts can be used to set the desired state of the Organization.
func NewOrganization(ctx context.Context, name string, opts ...func(*greenhousev1alpha1.Organization)) *greenhousev1alpha1.Organization {
org := &greenhousev1alpha1.Organization{
diff --git a/types/typescript/schema.d.ts b/types/typescript/schema.d.ts
index 5f3987e5c..41ebe1fa5 100644
--- a/types/typescript/schema.d.ts
+++ b/types/typescript/schema.d.ts
@@ -556,6 +556,21 @@ export interface components {
/** @description Name of the secret in the same namespace. */
name: string;
};
+ /** @description ExtraConfig contains additional OIDC configuration for claim mapping and token validation behavior. */
+ extraConfig?: {
+ /**
+ * @description InsecureSkipEmailVerified if set to true, treats email_verified as true when the claim is absent from the ID token.
+ * This does not override an explicit email_verified=false. Only enable for providers that omit the claim entirely (e.g. some Okta, EntraID or CloudFoundry configurations).
+ * @default false
+ */
+ insecureSkipEmailVerified: boolean;
+ /**
+ * @description UserIDClaim is the claim to be used as both user ID and username.
+ * When set, it overrides both UserIDKey and UserNameKey in the dex OIDC connector config.
+ * @default login_name
+ */
+ userIDClaim: string;
+ };
/** @description Issuer is the URL of the identity service. */
issuer: string;
/**