Skip to content

CNTRLPLANE-2550: Add support for CEL expression claim mappings for username and groups #2719

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ShazaAldawamneh wants to merge 15 commits into
base: master
Choose a base branch
from
Open

CNTRLPLANE-2550: Add support for CEL expression claim mappings for username and groups #2719

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
e8556dd
Add support for CEL expression claim mappings for username and groups
ShazaAldawamneh Feb 19, 2026
abc8d56
Add support for CEL expression claim mappings for username and groups
ShazaAldawamneh Feb 19, 2026
6cc13c4
featuregating some validations
ShazaAldawamneh Feb 23, 2026
d040102
fixing validation
ShazaAldawamneh Feb 23, 2026
1f17fea
adding validations for claim
ShazaAldawamneh Feb 24, 2026
3994322
adding validations for claim
ShazaAldawamneh Feb 25, 2026
1726d42
fixing validations and tests
ShazaAldawamneh Feb 25, 2026
b1eb335
fixing integration test
ShazaAldawamneh Feb 26, 2026
0e5bdf3
fixing integration test
ShazaAldawamneh Feb 26, 2026
91412a1
Remove generated Go cache artifacts from version control
ShazaAldawamneh Feb 26, 2026
a23a022
Remove Go module cache artifacts from version control
ShazaAldawamneh Feb 26, 2026
ea37c6a
Remove Go module cache artifacts from version control
ShazaAldawamneh Feb 26, 2026
39c762b
Remove Go module cache artifacts from version control
ShazaAldawamneh Feb 26, 2026
f87a2b3
Remove cache directories and temporary log files from version control
ShazaAldawamneh Feb 26, 2026
b9a7264
addressing review comments
ShazaAldawamneh Feb 26, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
117 changes: 117 additions & 0 deletions config/v1/tests/authentications.config.openshift.io/ExternalOIDC.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -492,6 +492,49 @@ tests:
claimMappings:
username:
claim: ""
- name: Should allow updating groups claim mapping from invalid empty value to valid value
initialCRDPatches:
- op: remove
path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/oidcProviders/items/properties/claimMappings/properties/groups/properties/claim/minLength
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: ""
updated: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "groups"
expected: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "groups"
Comment on lines +495 to +537
Copy link
Contributor

@everettraven everettraven Feb 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove this test, an empty group claim ("") is a valid input.

- name: Should allow updating other fields if existing username claim mapping is longer than 256 characters
initialCRDPatches:
- op: remove
Expand Down Expand Up @@ -535,6 +578,80 @@ tests:
claimMappings:
username:
claim: "thisisanincrediblylongclaimnamethatwhileacceptableinjwtsisgenerallyadvisedagainstbecauseitisextremelylongandnoteasilyusablebutmaybethereisausecaseouttherethathasdecidedthattheyneedtousethisextremelylongclaimnameforsomereasoneventhoughtheyreallyshouldreconsiderthis"
- name: Should allow updating groups claim mapping from a previously invalid long value to a valid value
initialCRDPatches:
- op: remove
path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/oidcProviders/items/properties/claimMappings/properties/groups/properties/claim/maxLength
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "thisisanextremelylonggroupclaimnamethatexceedsthetypicalmaximummappinglengthandshouldfailvalidationbecauseitiswaytoobigforsaneuse"
Comment on lines +595 to +597
Copy link
Contributor

@everettraven everettraven Feb 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

claimMappings.username is a required field, so it should be provided here.

Additionally, you added a maxLength of 256 and thisisanextremelylonggroupclaimnamethatexceedsthetypicalmaximummappinglengthandshouldfailvalidationbecauseitiswaytoobigforsaneuse is only 129 characters. For this to test what we are actually trying to test, make sure this string value is at more than 256 characters.

updated: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "groups"
expected: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "groups"
- name: Should not allow updating groups claim mapping from a previously invalid long value to a still invalid long value
initialCRDPatches:
- op: remove
path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/oidcProviders/items/properties/claimMappings/properties/groups/properties/claim/maxLength
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "thisisanextremelylonggroupclaimnamethatexceedsthetypicalmaximummappinglengthandshouldfailvalidationbecauseitiswaytoobigforsaneuse"
Comment on lines +638 to +640
Copy link
Contributor

@everettraven everettraven Feb 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as https://github.com/openshift/api/pull/2719/changes#r2861352592

updated: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "thisisanextremelylonggroupclaimnamethatexceedsthetypicalmaximummappinglengthandshouldfailvalidationbecauseitiswaytoobigforsaneuseandstilltoolong"
expectedError: "Too long: may not be more than 256 bytes"
- name: Should allow updating other fields if issuerURL contains fragment
initialCRDPatches:
- op: remove
Expand Down
203 changes: 203 additions & 0 deletions ...1/tests/authentications.config.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -588,6 +588,209 @@ tests:
valueExpression: "claims.foo"
expectedError: "the domain of the key must consist of only lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character"
onUpdate:
- name: Should allow updating other fields if existing username claim mapping is empty string
initialCRDPatches:
- op: remove
path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/oidcProviders/items/properties/claimMappings/properties/username/properties/claim/minLength
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
username:
claim: ""
updated: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://huh.tld
audiences: ['openshift-aud']
claimMappings:
username:
claim: ""
expected: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://huh.tld
audiences: ['openshift-aud']
claimMappings:
username:
claim: ""
- name: Should allow updating groups claim mapping from previously invalid empty value to a valid value
initialCRDPatches:
- op: remove
path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/oidcProviders/items/properties/claimMappings/properties/groups/properties/claim/minLength
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: ""
updated: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "groups"
expected: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "groups"
- name: Should allow updating other fields if existing username claim mapping is longer than 256 characters
initialCRDPatches:
- op: remove
path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/oidcProviders/items/properties/claimMappings/properties/username/properties/claim/maxLength
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
username:
claim: "thisisanincrediblylongclaimnamethatwhileacceptableinjwtsisgenerallyadvisedagainstbecauseitisextremelylongandnoteasilyusablebutmaybethereisausecaseouttherethathasdecidedthattheyneedtousethisextremelylongclaimnameforsomereasoneventhoughtheyreallyshouldreconsiderthis"
updated: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://huh.tld
audiences: ['openshift-aud']
claimMappings:
username:
claim: "thisisanincrediblylongclaimnamethatwhileacceptableinjwtsisgenerallyadvisedagainstbecauseitisextremelylongandnoteasilyusablebutmaybethereisausecaseouttherethathasdecidedthattheyneedtousethisextremelylongclaimnameforsomereasoneventhoughtheyreallyshouldreconsiderthis"
expected: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://huh.tld
audiences: ['openshift-aud']
claimMappings:
username:
claim: "thisisanincrediblylongclaimnamethatwhileacceptableinjwtsisgenerallyadvisedagainstbecauseitisextremelylongandnoteasilyusablebutmaybethereisausecaseouttherethathasdecidedthattheyneedtousethisextremelylongclaimnameforsomereasoneventhoughtheyreallyshouldreconsiderthis"
- name: Should allow updating groups claim mapping from a previously invalid long value to a valid value
initialCRDPatches:
- op: remove
path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/oidcProviders/items/properties/claimMappings/properties/groups/properties/claim/maxLength
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "thisisanextremelylonggroupclaimnamethatexceedsthetypicalmaximummappinglengthandshouldfailvalidationbecauseitiswaytoobigforsaneuse"
updated: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "groups"
expected: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "groups"
- name: Should not allow updating groups claim mapping from a previously invalid long value to a still invalid long value
initialCRDPatches:
- op: remove
path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/oidcProviders/items/properties/claimMappings/properties/groups/properties/claim/maxLength
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "thisisanextremelylonggroupclaimnamethatexceedsthetypicalmaximummappinglengthandshouldfailvalidationbecauseitiswaytoobigforsaneuse"
updated: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
groups:
claim: "thisisanextremelylonggroupclaimnamethatexceedsthetypicalmaximummappinglengthandshouldfailvalidationbecauseitiswaytoobigforsaneuseandstilltoolong"
expectedError: "Too long: may not be more than 256 bytes"
Comment on lines +591 to +793
Copy link
Contributor

@everettraven everettraven Feb 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To keep things easier to track here, lets just trust that the ratcheting test in the ExternalOIDC.yaml test file is sufficient here.

I know I said it should be added to all files, and while it doesn't hurt, it makes this PR bigger than it needs to be and I hadn't thought of that. Apologies for the churn here, I should have had better foresight here - not sure why I didn't.

- name: Updating OIDC provider with a client that's not in the status
initial: |
apiVersion: config.openshift.io/v1
Expand Down
Loading