feat(dex): add option to modify userid claim, skip email_verified verification

api/v1alpha1/organization_types.go

@@ -83,6 +83,13 @@ type OIDCConfig struct {
 	// OAuth2ClientRedirectURIs are a registered set of redirect URIs. When redirecting from the idproxy to
 	// the client application, the URI requested to redirect to must be contained in this list.
 	OAuth2ClientRedirectURIs []string `json:"oauth2ClientRedirectURIs,omitempty"`
+	// InsecureSkipEmailVerified allows to skip the verification of the "email_verified" claim in ID tokens.
+	// +kubebuilder:default:=false
+	// +kubebuilder:validation:Enum:=true;false
+	InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified,omitempty"`
+	// UserIDClaim is the claim to be used as user ID.
+	// +kubebuilder:default:="login_name"
+	UserIDClaim string `json:"userIDClaim,omitempty"`
 }
 
 type SCIMConfig struct {

charts/manager/crds/greenhouse.sap_organizations.yaml

@@ -92,6 +92,14 @@ spec:
                         - key
                         - name
                         type: object
+                      insecureSkipEmailVerified:
+                        default: false
+                        description: InsecureSkipEmailVerified allows to skip the
+                          verification of the "email_verified" claim in ID tokens.
+                        enum:
+                        - true
+                        - false
+                        type: boolean
                       issuer:
                         description: Issuer is the URL of the identity service.
                         type: string
@@ -107,6 +115,10 @@ spec:
                           RedirectURI is the redirect URI to be used for the OIDC flow against the upstream IdP.
                           If none is specified, the Greenhouse ID proxy will be used.
                         type: string
+                      userIDClaim:
+                        default: login_name
+                        description: UserIDClaim is the claim to be used as user ID.
+                        type: string
                     required:
                     - clientIDReference
                     - clientSecretReference

config/samples/organization/demo.yaml

@@ -53,3 +53,5 @@ spec:
         name: demo-oidc
       issuer: https://global.accounts.dev
       redirectURI: https://bogus.accounts.foo
+      insecureSkipEmailVerified: true
+      userIDClaim: email

docs/reference/api/index.html

@@ -1807,6 +1807,28 @@ <h3 id="greenhouse.sap/v1alpha1.OIDCConfig">OIDCConfig
 the client application, the URI requested to redirect to must be contained in this list.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>insecureSkipEmailVerified</code><br>
+<em>
+bool
+</em>
+</td>
+<td>
+<p>InsecureSkipEmailVerified allows to skip the verification of the &ldquo;email_verified&rdquo; claim in ID tokens.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>userIDClaim</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>UserIDClaim is the claim to be used as user ID.</p>
+</td>
+</tr>
 </tbody>
 </table>
 </div>

docs/reference/api/openapi.yaml

@@ -669,6 +669,13 @@ components:
                         - key
                         - name
                       type: object
+                    insecureSkipEmailVerified:
+                      default: false
+                      description: InsecureSkipEmailVerified allows to skip the verification of the "email_verified" claim in ID tokens.
+                      enum:
+                        - true
+                        - false
+                      type: boolean
                     issuer:
                       description: Issuer is the URL of the identity service.
                       type: string
@@ -684,6 +691,10 @@ components:
                         RedirectURI is the redirect URI to be used for the OIDC flow against the upstream IdP.
                         If none is specified, the Greenhouse ID proxy will be used.
                       type: string
+                    userIDClaim:
+                      default: login_name
+                      description: UserIDClaim is the claim to be used as user ID.
+                      type: string
                   required:
                     - clientIDReference
                     - clientSecretReference

internal/controller/organization/dex.go

@@ -111,14 +111,15 @@ func (r *OrganizationReconciler) reconcileDexConnector(ctx context.Context, org
 		return err
 	}
 	oidcConfig := &oidc.Config{
-		Issuer:               org.Spec.Authentication.OIDCConfig.Issuer,
-		ClientID:             clientID,
-		ClientSecret:         clientSecret,
-		RedirectURI:          redirectURL,
-		UserNameKey:          "login_name",
-		UserIDKey:            "login_name",
-		InsecureSkipVerify:   true,
-		InsecureEnableGroups: true,
+		Issuer:                    org.Spec.Authentication.OIDCConfig.Issuer,
+		ClientID:                  clientID,
+		ClientSecret:              clientSecret,
+		RedirectURI:               redirectURL,
+		UserNameKey:               org.Spec.Authentication.OIDCConfig.UserIDClaim,
+		UserIDKey:                 org.Spec.Authentication.OIDCConfig.UserIDClaim,
+		InsecureSkipEmailVerified: org.Spec.Authentication.OIDCConfig.InsecureSkipEmailVerified,
+		InsecureSkipVerify:        true,
+		InsecureEnableGroups:      true,
 	}
 	configByte, err := json.Marshal(oidcConfig)
 	if err != nil {

types/typescript/schema.d.ts

@@ -533,6 +533,12 @@ export interface components {
                             /** @description Name of the secret in the same namespace. */
                             name: string;
                         };
+                        /**
+                         * @description InsecureSkipEmailVerified allows to skip the verification of the "email_verified" claim in ID tokens.
+                         * @default false
+                         * @enum {boolean}
+                         */
+                        insecureSkipEmailVerified: true | false;
                         /** @description Issuer is the URL of the identity service. */
                         issuer: string;
                         /**
@@ -545,6 +551,11 @@ export interface components {
                          *     If none is specified, the Greenhouse ID proxy will be used.
                          */
                         redirectURI?: string;
+                        /**
+                         * @description UserIDClaim is the claim to be used as user ID.
+                         * @default login_name
+                         */
+                        userIDClaim: string;
                     };
                     /** @description SCIMConfig configures the SCIM client. */
                     scim?: {