125fb34
feat(dex): add option to modify user id claim, skip email_verified vi…
kengou Oct 27, 2025
4874534
fix(api): fix default values
kengou Oct 27, 2025
f7b847a
update org sample
kengou Oct 28, 2025
d2320e3
fix org sample
kengou Oct 28, 2025
a7ae42c
Merge branch 'main' into feat/dex-orgconfig
kengou Oct 28, 2025
7a52ae1
introduce ExtraConfig
kengou Nov 16, 2025
da900f0
Automatic generation of CRD API Docs
cloud-operator-bot[bot] Nov 16, 2025
1e7cec3
Merge branch 'main' into feat/dex-orgconfig
kengou Jan 29, 2026
2290e27
Automatic generation of CRD API Docs
cloud-operator-bot[bot] Jan 29, 2026
969c4cf
Merge branch 'main' into feat/dex-orgconfig
kengou Feb 11, 2026
52ce0df
Update config/samples/organization/demo.yaml
kengou Feb 26, 2026
2d63648
Merge branch 'main' into feat/dex-orgconfig
kengou Mar 6, 2026
74fe8c2
Merge branch 'main' into feat/dex-orgconfig
kengou Mar 27, 2026
9480ff5
fix issues, add test and run generate
kengou Mar 27, 2026
68337c2
Merge branch 'main' into feat/dex-orgconfig
kengou Mar 31, 2026
e816e77
Merge branch 'main' into feat/dex-orgconfig
kengou Apr 2, 2026
2351fc3
Merge branch 'main' into feat/dex-orgconfig
kengou Apr 7, 2026
a714e74
Merge branch 'main' into feat/dex-orgconfig
kengou Apr 16, 2026
061166d
Merge branch 'main' into feat/dex-orgconfig
kengou Apr 19, 2026
a8200c7
Merge branch 'main' into feat/dex-orgconfig
kengou Apr 27, 2026
340f3f5
Merge branch 'main' into feat/dex-orgconfig
kengou May 5, 2026
acb80d3
Automatic generation of CRD API Docs
cloud-operator-bot[bot] May 5, 2026
dc278fc
Merge branch 'main' into feat/dex-orgconfig
kengou May 17, 2026
e7485d0
fix review comment
kengou May 19, 2026
31b2984
Merge branch 'main' into feat/dex-orgconfig
kengou May 19, 2026
4801d25
Potential fix for pull request finding
kengou May 19, 2026
f376faa
Merge branch 'main' into feat/dex-orgconfig
kengou May 26, 2026
64d39f0
Merge branch 'main' into feat/dex-orgconfig
kengou Jun 5, 2026
12 changes: 12 additions & 0 deletions api/v1alpha1/organization_types.go
100644 β†’ 100755
Expand Up @@ -85,6 +85,18 @@ type OIDCConfig struct {
// OAuth2ClientRedirectURIs are a registered set of redirect URIs. When redirecting from the idproxy to
// the client application, the URI requested to redirect to must be contained in this list.
OAuth2ClientRedirectURIs []string `json:"oauth2ClientRedirectURIs,omitempty"`
// ExtraClaims contains additional configuration for extra claims.
ExtraConfig *OIDCExtraConfig `json:"extraConfig,omitempty"`
}

type OIDCExtraConfig struct {
// InsecureSkipEmailVerified allows to skip the verification of the "email_verified" claim in ID tokens.
// +kubebuilder:default:=false
// +kubebuilder:validation:Enum:=true;false
InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified,omitempty"`
// UserIDClaim is the claim to be used as user ID.
// +kubebuilder:default:="login_name"
UserIDClaim string `json:"userIDClaim,omitempty"`
}

type SCIMConfig struct {
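Review bot: The doc comment on the new `ExtraConfig` field calls it `ExtraClaims`, and that wording is copied verbatim into the generated CRD, openapi.yaml and index.html sections of this PR; rename it to `// ExtraConfig holds optional settings for the Dex OIDC connector.` and regenerate. `OIDCExtraConfig` is exported but carries no doc comment starting with its name. The `InsecureSkipEmailVerified` comment should spell out the consequence an operator needs to weigh: ID tokens whose email is not marked verified are accepted, which matters most when `UserIDClaim` is set to `email` (the combination the sample manifest in this PR uses), so something like `// When true, ID tokens without a verified email are accepted; avoid combining with userIDClaim "email".` The `+kubebuilder:validation:Enum:=true;false` marker on a bool field adds nothing the type does not already enforce. The mode change 100644 → 100755 looks accidental for a Go source file.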
20 changes: 20 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go


19 changes: 19 additions & 0 deletions charts/manager/crds/greenhouse.sap_organizations.yaml
Expand Up @@ -92,6 +92,25 @@ spec:
- key
- name
type: object
extraConfig:
description: ExtraClaims contains additional configuration
for extra claims.
properties:
insecureSkipEmailVerified:
default: false
description: InsecureSkipEmailVerified allows to skip
the verification of the "email_verified" claim in ID
tokens.
enum:
- true
- false
type: boolean
userIDClaim:
default: login_name
description: UserIDClaim is the claim to be used as user
ID.
type: string
type: object
issuer:
description: Issuer is the URL of the identity service.
type: string
2 changes: 2 additions & 0 deletions config/samples/organization/demo.yaml
Expand Up @@ -53,3 +53,5 @@ spec:
name: demo-oidc
issuer: https://global.accounts.dev
redirectURI: https://bogus.accounts.foo
insecureSkipEmailVerified: true
userIDClaim: email
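Review bot: The two added keys appear at the same level as `issuer` and `redirectURI`, while the Go type in this PR nests them under `oidc.extraConfig`; the rendered view drops indentation, but no `extraConfig:` key is present in the hunk, so as written the sample would presumably be rejected or pruned by the CRD schema rather than applied. Nest them as `extraConfig:` / `  insecureSkipEmailVerified: true` / `  userIDClaim: email`. The sample also demonstrates the least safe combination, deriving the user identity from an email that the issuer has not marked verified; a sample should stick to the defaults, or carry a comment such as `# accepts unverified emails as identity; only for issuers that never set email_verified` so it is not copied into production organizations unchanged. The same flat layout shows up in types/typescript/schema.d.ts in this PR, which looks stale relative to openapi.yaml.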
55 changes: 55 additions & 0 deletions docs/reference/api/index.html
Expand Up @@ -1978,6 +1978,61 @@ <h3 id="greenhouse.sap/v1alpha1.OIDCConfig">OIDCConfig
the client application, the URI requested to redirect to must be contained in this list.</p>
</td>
</tr>
<tr>
<td>
<code>extraConfig</code><br>
<em>
<a href="#greenhouse.sap/v1alpha1.OIDCExtraConfig">
OIDCExtraConfig
</a>
</em>
</td>
<td>
<p>ExtraClaims contains additional configuration for extra claims.</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<h3 id="greenhouse.sap/v1alpha1.OIDCExtraConfig">OIDCExtraConfig
</h3>
<p>
(<em>Appears on:</em>
<a href="#greenhouse.sap/v1alpha1.OIDCConfig">OIDCConfig</a>)
</p>
<div class="md-typeset__scrollwrap">
<div class="md-typeset__table">
<table>
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>insecureSkipEmailVerified</code><br>
<em>
bool
</em>
</td>
<td>
<p>InsecureSkipEmailVerified allows to skip the verification of the &ldquo;email_verified&rdquo; claim in ID tokens.</p>
</td>
</tr>
<tr>
<td>
<code>userIDClaim</code><br>
<em>
string
</em>
</td>
<td>
<p>UserIDClaim is the claim to be used as user ID.</p>
</td>
</tr>
</tbody>
</table>
</div>
15 changes: 15 additions & 0 deletions docs/reference/api/openapi.yaml
Expand Up @@ -686,6 +686,21 @@ components:
- key
- name
type: object
extraConfig:
description: ExtraClaims contains additional configuration for extra claims.
properties:
insecureSkipEmailVerified:
default: false
description: InsecureSkipEmailVerified allows to skip the verification of the "email_verified" claim in ID tokens.
enum:
- true
- false
type: boolean
userIDClaim:
default: login_name
description: UserIDClaim is the claim to be used as user ID.
type: string
type: object
issuer:
description: Issuer is the URL of the identity service.
type: string
27 changes: 19 additions & 8 deletions internal/controller/organization/dex.go
100644 β†’ 100755
Expand Up @@ -110,15 +110,26 @@ func (r *OrganizationReconciler) reconcileDexConnector(ctx context.Context, org
if err != nil {
return err
}
var userNameKey = "login_name"
var skipEmailVerified = false
if org.Spec.Authentication.OIDCConfig.ExtraConfig != nil {
if org.Spec.Authentication.OIDCConfig.ExtraConfig.UserIDClaim == "" {
userNameKey = org.Spec.Authentication.OIDCConfig.ExtraConfig.UserIDClaim
}
if org.Spec.Authentication.OIDCConfig.ExtraConfig != nil {
skipEmailVerified = org.Spec.Authentication.OIDCConfig.ExtraConfig.InsecureSkipEmailVerified
}
}
oidcConfig := &oidc.Config{
Issuer: org.Spec.Authentication.OIDCConfig.Issuer,
ClientID: clientID,
ClientSecret: clientSecret,
RedirectURI: redirectURL,
UserNameKey: "login_name",
UserIDKey: "login_name",
InsecureSkipVerify: true,
InsecureEnableGroups: true,
Issuer: org.Spec.Authentication.OIDCConfig.Issuer,
ClientID: clientID,
ClientSecret: clientSecret,
RedirectURI: redirectURL,
UserNameKey: userNameKey,
UserIDKey: userNameKey,
InsecureSkipEmailVerified: skipEmailVerified,
InsecureSkipVerify: true,
InsecureEnableGroups: true,
}
configByte, err := json.Marshal(oidcConfig)
if err != nil {
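Review bot: The condition `if org.Spec.Authentication.OIDCConfig.ExtraConfig.UserIDClaim == ""` is inverted: a configured claim is never applied, and when the claim is empty `userNameKey` is overwritten with `""`, so Dex would receive empty `UserNameKey`/`UserIDKey` instead of the `login_name` default. The inner `if org.Spec.Authentication.OIDCConfig.ExtraConfig != nil` repeats the enclosing nil check and can be dropped. Since `InsecureSkipEmailVerified` now comes from the organization spec rather than being fixed in the controller, logging at this site when it resolves to true would make the weakened check visible in operator logs. reconcileDexConnector begins before and ends after the hunk, and this file also gains an executable bit (100644 → 100755) that looks accidental.
```go
	// … unchanged: client secret lookup and error check …
	userNameKey := "login_name"
	skipEmailVerified := false
	if extra := org.Spec.Authentication.OIDCConfig.ExtraConfig; extra != nil {
		// Only override the default when a claim is actually configured.
		if extra.UserIDClaim != "" {
			userNameKey = extra.UserIDClaim
		}
		skipEmailVerified = extra.InsecureSkipEmailVerified
	}
	// … unchanged: oidc.Config construction and json.Marshal …
```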
11 changes: 11 additions & 0 deletions types/typescript/schema.d.ts
Expand Up @@ -539,6 +539,12 @@ export interface components {
/** @description Name of the secret in the same namespace. */
name: string;
};
/**
* @description InsecureSkipEmailVerified allows to skip the verification of the "email_verified" claim in ID tokens.
* @default false
* @enum {boolean}
*/
insecureSkipEmailVerified: true | false;
/** @description Issuer is the URL of the identity service. */
issuer: string;
/**
Expand All @@ -551,6 +557,11 @@ export interface components {
* If none is specified, the Greenhouse ID proxy will be used.
*/
redirectURI?: string;
/**
* @description UserIDClaim is the claim to be used as user ID.
* @default login_name
*/
userIDClaim: string;
};
/** @description SCIMConfig configures the SCIM client. */
scim?: {