cloudoperators · kengou · Oct 27, 2025 · Oct 27, 2025 · Oct 28, 2025 · Oct 28, 2025
@@ -85,6 +85,19 @@ type OIDCConfig struct {
 	// OAuth2ClientRedirectURIs are a registered set of redirect URIs. When redirecting from the idproxy to
 	// the client application, the URI requested to redirect to must be contained in this list.
 	OAuth2ClientRedirectURIs []string `json:"oauth2ClientRedirectURIs,omitempty"`
+	// ExtraConfig contains additional OIDC configuration for claim mapping and token validation behavior.
+	ExtraConfig *OIDCExtraConfig `json:"extraConfig,omitempty"`
+}
+
+type OIDCExtraConfig struct {
+	// InsecureSkipEmailVerified if set to true, treats email_verified as true when the claim is absent from the ID token.
+	// This does not override an explicit email_verified=false. Only enable for providers that omit the claim entirely (e.g. some Okta, EntraID or CloudFoundry configurations).
+	// +kubebuilder:default:=false
+	InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified,omitempty"`
+	// UserIDClaim is the claim to be used as both user ID and username.
+	// When set, it overrides both UserIDKey and UserNameKey in the dex OIDC connector config.
+	// +kubebuilder:default:="login_name"
+	UserIDClaim string `json:"userIDClaim,omitempty"`
 }
 
 type SCIMConfig struct {

@@ -6,7 +6,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.20.0
+    controller-gen.kubebuilder.io/version: v0.20.1
   name: catalogs.greenhouse.sap
 spec:
   group: greenhouse.sap

@@ -6,7 +6,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.20.0
+    controller-gen.kubebuilder.io/version: v0.20.1
   name: clusterkubeconfigs.greenhouse.sap
 spec:
   group: greenhouse.sap

@@ -6,7 +6,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.20.0
+    controller-gen.kubebuilder.io/version: v0.20.1
   name: clusterplugindefinitions.greenhouse.sap
 spec:
   group: greenhouse.sap

@@ -6,7 +6,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.20.0
+    controller-gen.kubebuilder.io/version: v0.20.1
   name: clusters.greenhouse.sap
 spec:
   group: greenhouse.sap

@@ -6,7 +6,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.20.0
+    controller-gen.kubebuilder.io/version: v0.20.1
   name: organizations.greenhouse.sap
 spec:
   group: greenhouse.sap
@@ -92,6 +92,23 @@ spec:
                         - key
                         - name
                         type: object
+                      extraConfig:
+                        description: ExtraConfig contains additional OIDC configuration
+                          for claim mapping and token validation behavior.
+                        properties:
+                          insecureSkipEmailVerified:
+                            default: false
+                            description: |-
+                              InsecureSkipEmailVerified if set to true, treats email_verified as true when the claim is absent from the ID token.
+                              This does not override an explicit email_verified=false. Only enable for providers that omit the claim entirely (e.g. some Okta, EntraID or CloudFoundry configurations).
+                            type: boolean
+                          userIDClaim:
+                            default: login_name
+                            description: |-
+                              UserIDClaim is the claim to be used as both user ID and username.
+                              When set, it overrides both UserIDKey and UserNameKey in the dex OIDC connector config.
+                            type: string
+                        type: object
                       issuer:
                         description: Issuer is the URL of the identity service.
                         type: string

@@ -6,7 +6,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.20.0
+    controller-gen.kubebuilder.io/version: v0.20.1
   name: plugindefinitions.greenhouse.sap
 spec:
   group: greenhouse.sap

@@ -6,7 +6,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.20.0
+    controller-gen.kubebuilder.io/version: v0.20.1
   name: pluginpresets.greenhouse.sap
 spec:
   group: greenhouse.sap

@@ -6,7 +6,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.20.0
+    controller-gen.kubebuilder.io/version: v0.20.1
   name: plugins.greenhouse.sap
 spec:
   group: greenhouse.sap

@@ -6,7 +6,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.20.0
+    controller-gen.kubebuilder.io/version: v0.20.1
   name: teamrolebindings.greenhouse.sap
 spec:
   group: greenhouse.sap

@@ -6,7 +6,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.20.0
+    controller-gen.kubebuilder.io/version: v0.20.1
   name: teamroles.greenhouse.sap
 spec:
   group: greenhouse.sap

@@ -6,7 +6,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.20.0
+    controller-gen.kubebuilder.io/version: v0.20.1
   name: teams.greenhouse.sap
 spec:
   group: greenhouse.sap

@@ -65,3 +65,5 @@ spec:
 #        name: demo-oidc
 #      issuer: https://global.accounts.dev
 #      redirectURI: https://bogus.accounts.foo
+#      extraConfig:
+#        userIDClaim: email
@@ -2083,6 +2083,63 @@ <h3 id="greenhouse.sap/v1alpha1.OIDCConfig">OIDCConfig
 the client application, the URI requested to redirect to must be contained in this list.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>extraConfig</code><br>
+<em>
+<a href="#greenhouse.sap/v1alpha1.OIDCExtraConfig">
+OIDCExtraConfig
+</a>
+</em>
+</td>
+<td>
+<p>ExtraConfig contains additional OIDC configuration for claim mapping and token validation behavior.</p>
+</td>
+</tr>
+</tbody>
+</table>
+</div>
+</div>
+<h3 id="greenhouse.sap/v1alpha1.OIDCExtraConfig">OIDCExtraConfig
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#greenhouse.sap/v1alpha1.OIDCConfig">OIDCConfig</a>)
+</p>
+<div class="md-typeset__scrollwrap">
+<div class="md-typeset__table">
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>insecureSkipEmailVerified</code><br>
+<em>
+bool
+</em>
+</td>
+<td>
+<p>InsecureSkipEmailVerified if set to true, treats email_verified as true when the claim is absent from the ID token.
+This does not override an explicit email_verified=false. Only enable for providers that omit the claim entirely (e.g. some Okta, EntraID or CloudFoundry configurations).</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>userIDClaim</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>UserIDClaim is the claim to be used as both user ID and username.
+When set, it overrides both UserIDKey and UserNameKey in the dex OIDC connector config.</p>
+</td>
+</tr>
 </tbody>
 </table>
 </div>

@@ -719,6 +719,22 @@ components:
                         - key
                         - name
                       type: object
+                    extraConfig:
+                      description: ExtraConfig contains additional OIDC configuration for claim mapping and token validation behavior.
+                      properties:
+                        insecureSkipEmailVerified:
+                          default: false
+                          description: |-
+                            InsecureSkipEmailVerified if set to true, treats email_verified as true when the claim is absent from the ID token.
+                            This does not override an explicit email_verified=false. Only enable for providers that omit the claim entirely (e.g. some Okta, EntraID or CloudFoundry configurations).
+                          type: boolean
+                        userIDClaim:
+                          default: login_name
+                          description: |-
+                            UserIDClaim is the claim to be used as both user ID and username.
+                            When set, it overrides both UserIDKey and UserNameKey in the dex OIDC connector config.
+                          type: string
+                      type: object
                     issuer:
                       description: Issuer is the URL of the identity service.
                       type: string

@@ -113,15 +113,24 @@ func (r *OrganizationReconciler) reconcileDexConnector(ctx context.Context, org
 	if err != nil {
 		return err
 	}
+	var userNameKey = "login_name"
+	var skipEmailVerified = false
+	if org.Spec.Authentication.OIDCConfig.ExtraConfig != nil {
+		if org.Spec.Authentication.OIDCConfig.ExtraConfig.UserIDClaim != "" {
+			userNameKey = org.Spec.Authentication.OIDCConfig.ExtraConfig.UserIDClaim
+		}
+		skipEmailVerified = org.Spec.Authentication.OIDCConfig.ExtraConfig.InsecureSkipEmailVerified
+	}
 	oidcConfig := &oidc.Config{
-		Issuer:               org.Spec.Authentication.OIDCConfig.Issuer,
-		ClientID:             clientID,
-		ClientSecret:         clientSecret,
-		RedirectURI:          redirectURL,
-		UserNameKey:          "login_name",
-		UserIDKey:            "login_name",
-		InsecureSkipVerify:   true,
-		InsecureEnableGroups: true,
+		Issuer:                    org.Spec.Authentication.OIDCConfig.Issuer,
+		ClientID:                  clientID,
+		ClientSecret:              clientSecret,
+		RedirectURI:               redirectURL,
+		UserNameKey:               userNameKey,
+		UserIDKey:                 userNameKey,
+		InsecureSkipEmailVerified: skipEmailVerified,
+		InsecureSkipVerify:        true,
+		InsecureEnableGroups:      true,
 	}
 	configByte, err := json.Marshal(oidcConfig)
 	if err != nil {

@@ -4,10 +4,12 @@
 package organization_test
 
 import (
+	"encoding/json"
 	"fmt"
 
 	"slices"
 
+	dexoidc "github.com/dexidp/dex/connector/oidc"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	. "github.com/onsi/gomega/gstruct"
@@ -390,6 +392,61 @@ var _ = Describe("Test Organization reconciliation", Ordered, func() {
 			}
 			test.EventuallyDeleted(test.Ctx, test.K8sClient, team)
 		})
+
+		It("should propagate ExtraConfig to dex connector", func() {
+			team := setup.CreateTeam(test.Ctx, "test-team-extra", test.WithTeamLabel(greenhouseapis.LabelKeySupportGroup, "true"))
+
+			defaultOrg := setup.CreateDefaultOrgWithOIDCSecret(test.Ctx, team.Name)
+			test.EventuallyCreated(test.Ctx, test.K8sClient, &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: defaultOrg.Name}})
+			Eventually(func(g Gomega) {
+				err := test.K8sClient.Get(test.Ctx, types.NamespacedName{Name: defaultOrg.Name}, defaultOrg)
+				g.Expect(err).ToNot(HaveOccurred())
+				oidcCondition := defaultOrg.Status.GetConditionByType(greenhousev1alpha1.OrganizationOICDConfigured)
+				g.Expect(oidcCondition).ToNot(BeNil())
+				g.Expect(oidcCondition.IsTrue()).To(BeTrue())
+			}).Should(Succeed())
+
+			By("creating a test organization with ExtraConfig")
+			extraConfigOrg := setup.CreateOrganization(test.Ctx, "test-extraconfig-org", test.WithMappedAdminIDPGroup("EXTRA_CONFIG_GROUP"))
+			test.EventuallyCreated(test.Ctx, test.K8sClient, &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: extraConfigOrg.Name}})
+
+			oidcSecret := setup.CreateOrgOIDCSecret(test.Ctx, extraConfigOrg.Name, team.Name)
+			extraConfigOrg = setup.UpdateOrganization(test.Ctx,
+				extraConfigOrg.Name,
+				test.WithOIDCConfig(test.OIDCIssuer, oidcSecret.Name, test.OIDCClientIDKey, test.OIDCClientSecretKey),
+				test.WithOIDCExtraConfig("email", true),
+			)
+
+			By("checking Organization OIDC status is ready")
+			Eventually(func(g Gomega) {
+				err := test.K8sClient.Get(test.Ctx, types.NamespacedName{Name: extraConfigOrg.Name}, extraConfigOrg)
+				g.Expect(err).ToNot(HaveOccurred())
+				oidcCondition := extraConfigOrg.Status.GetConditionByType(greenhousev1alpha1.OrganizationOICDConfigured)
+				g.Expect(oidcCondition).ToNot(BeNil(), "OrganizationOICDConfigured should be set")
+				g.Expect(oidcCondition.IsTrue()).To(BeTrue(), "OrganizationOICDConfigured should be True")
+			}).Should(Succeed())
+
+			if DexStorageType == dex.K8s {
+				By("verifying the dex connector config contains ExtraConfig values")
+				connectors := &dexapi.ConnectorList{}
+				err := setup.List(test.Ctx, connectors)
+				Expect(err).ToNot(HaveOccurred())
+
+				filteredConnectors := slices.DeleteFunc(connectors.Items, func(c dexapi.Connector) bool {
+					return c.ID != extraConfigOrg.Name
+				})
+				Expect(filteredConnectors).To(HaveLen(1), "there should be exactly one connector for the org")
+
+				var connectorConfig dexoidc.Config
+				Expect(json.Unmarshal(filteredConnectors[0].Config, &connectorConfig)).To(Succeed(), "connector config should be valid JSON")
+				Expect(connectorConfig.UserNameKey).To(Equal("email"), "UserNameKey should be set to the custom claim")
+				Expect(connectorConfig.UserIDKey).To(Equal("email"), "UserIDKey should be set to the custom claim")
+				Expect(connectorConfig.InsecureSkipEmailVerified).To(BeTrue(), "InsecureSkipEmailVerified should be true")
+			}
+
+			test.EventuallyDeleted(test.Ctx, test.K8sClient, &greenhousev1alpha1.Organization{ObjectMeta: metav1.ObjectMeta{Name: extraConfigOrg.Name}})
+			test.EventuallyDeleted(test.Ctx, test.K8sClient, team)
+		})
 	})
 
 	When("reconciling PluginDefinitionCatalog ServiceAccount for regular organization", Ordered, func() {