Expand Up @@ -435,7 +435,6 @@ tests:
message: "Empty expressions are invalid"
expectedError: "spec.oidcProviders[0].userValidationRules[0].expression: Invalid value: \"\": spec.oidcProviders[0].userValidationRules[0].expression in body should be at least 1 chars long"


- name: Invalid TokenUserValidationRule with expression only
initial: |
apiVersion: config.openshift.io/v1
Expand All @@ -456,3 +455,102 @@ tests:
userValidationRules:
- expression: "user.username.startsWith('admin')"
expectedError: "message: Required value"

- name: Can set username claim mapping using a CEL expression only
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
username:
expression: "has(claims.upn) ? claims.upn : claims.oid"
expected: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
username:
expression: "has(claims.upn) ? claims.upn : claims.oid"

- name: Cannot set both claim and expression for username mapping
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
username:
claim: "preferred_username"
expression: "claims.sub"
expectedError: "claim must not be set when expression is provided"

- name: Can set groups mapping using a CEL expression
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
username:
claim: "preferred_username"
groups:
expression: "claims.roles.split(',')"
expected: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
username:
claim: "preferred_username"
groups:
expression: "claims.roles.split(',')"

- name: Cannot set both claim and expression for groups mapping
initial: |
apiVersion: config.openshift.io/v1
kind: Authentication
spec:
type: OIDC
oidcProviders:
- name: myoidc
issuer:
issuerURL: https://meh.tld
audiences: ['openshift-aud']
claimMappings:
username:
claim: "preferred_username"
groups:
claim: "roles"
expression: "claims.roles.split(',')"
expectedError: "claim must not be set when expression is provided"



36 changes: 34 additions & 2 deletions config/v1/types_authentication.go
Expand Up @@ -591,15 +591,35 @@ type OIDCClientReference struct {
// +kubebuilder:validation:XValidation:rule="has(self.prefixPolicy) && self.prefixPolicy == 'Prefix' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)",message="prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise"
// +union
type UsernameClaimMapping struct {
// claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.
// claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.
//
// Precisely one of claim or expression must be set if the
// ExternalOIDCWithUpstreamParity feature gate is enabled.
//
// claim must not be an empty string ("") and must not exceed 256 characters.
//
// +required
// +optional
// +kubebuilder:validation:MinLength:=1
// +kubebuilder:validation:MaxLength:=256
Claim string `json:"claim"`

// expression is an optional CEL expression used to derive
// the username from JWT claims.
//
// CEL expressions have access to the token claims
// through a CEL variable, 'claims'.
//
// Precisely one of claim or expression must be set if the
// ExternalOIDCWithUpstreamParity feature gate is enabled.
//
// +optional
// +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=1024
// +kubebuilder:validation:XValidation:rule="has(self.expression) ? !has(self.claim) : true",message="claim must not be set when expression is provided"
This has to be moved to the struct level and needs to be feature gated


Expression string `json:"expression,omitempty"`

// prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.
//
// Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).
Expand Down Expand Up @@ -668,6 +688,18 @@ type UsernamePrefix struct {
type PrefixedClaimMapping struct {
TokenClaimMapping `json:",inline"`

// expression is an optional CEL expression used to derive
// group values from JWT claims.
//
// When specified, claim must not be set.
//
// +optional
// +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=1024
// +kubebuilder:validation:XValidation:rule="has(self.expression) ? !has(self.claim) : true",message="claim must not be set when expression is provided"
This needs to be moved to the struct level and needs to be feature gated.

Expression string `json:"expression,omitempty"`
Comment on lines +691 to +701
Should this instead be added to the TokenClaimMapping type that is inlined above?


// prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.
//
// When omitted (""), no prefix is applied to the cluster identity attribute.
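Review bot: Dropping `+required` on `Claim` without adding a struct-level "at least one" rule means a `username` mapping with neither `claim` nor `expression` now passes admission — the only new rule, `has(self.expression) ? !has(self.claim) : true`, rejects the both-set case, and the doc text's "Precisely one of claim or expression must be set" is not enforced anywhere visible. This is not confined to the gated configuration: `Claim` is optional unconditionally, and the un-gated manifests in this PR drop `required: - claim` while gaining no `expression` property, so on a cluster without `ExternalOIDCWithUpstreamParity` the username source can simply be omitted. Since this mapping is what produces the authenticated identity, I would add on the `UsernameClaimMapping` type a rule such as `+kubebuilder:validation:XValidation:rule="has(self.claim) || has(self.expression)",message="one of claim or expression must be set"` (using whatever feature-gate-aware XValidation marker this repo provides, so that un-gated clusters keep requiring `claim`), plus a test case `Cannot omit both claim and expression for username mapping` next to the new ones. Minor: `claim is a optional field` should read `claim is an optional field`. The `UsernameClaimMapping` type and its existing struct-level markers begin before this hunk, so the new marker's placement is outside the visible lines.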
Original file line number Diff line number Diff line change
Expand Up @@ -191,6 +191,19 @@ spec:
the JWT token claim whose value is assigned to the
cluster identity field associated with this mapping.
type: string
expression:
description: |-
expression is an optional CEL expression used to derive
group values from JWT claims.

When specified, claim must not be set.
maxLength: 1024
minLength: 1
type: string
x-kubernetes-validations:
- message: claim must not be set when expression is
provided
rule: 'has(self.expression) ? !has(self.claim) : true'
prefix:
description: |-
prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.
Expand Down Expand Up @@ -252,12 +265,23 @@ spec:
properties:
claim:
description: |-
claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.
claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.

Precisely one of claim or expression must be set if the
ExternalOIDCWithUpstreamParity feature gate is enabled.

claim must not be an empty string ("") and must not exceed 256 characters.
maxLength: 256
minLength: 1
type: string
expression:
maxLength: 1024
minLength: 1
type: string
x-kubernetes-validations:
- message: claim must not be set when expression is
provided
rule: 'has(self.expression) ? !has(self.claim) : true'
prefix:
description: |-
prefix configures the prefix that should be prepended to the value of the JWT claim.
Expand Down Expand Up @@ -301,8 +325,6 @@ spec:
- NoPrefix
- Prefix
type: string
required:
- claim
type: object
x-kubernetes-validations:
- message: prefix must be set if prefixPolicy is 'Prefix',
Expand Up @@ -252,7 +252,10 @@ spec:
properties:
claim:
description: |-
claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.
claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.

Precisely one of claim or expression must be set if the
ExternalOIDCWithUpstreamParity feature gate is enabled.

claim must not be an empty string ("") and must not exceed 256 characters.
maxLength: 256
Expand Down Expand Up @@ -301,8 +304,6 @@ spec:
- NoPrefix
- Prefix
type: string
required:
- claim
type: object
x-kubernetes-validations:
- message: prefix must be set if prefixPolicy is 'Prefix',
Expand Up @@ -191,6 +191,19 @@ spec:
the JWT token claim whose value is assigned to the
cluster identity field associated with this mapping.
type: string
expression:
description: |-
expression is an optional CEL expression used to derive
group values from JWT claims.

When specified, claim must not be set.
maxLength: 1024
minLength: 1
type: string
x-kubernetes-validations:
- message: claim must not be set when expression is
provided
rule: 'has(self.expression) ? !has(self.claim) : true'
prefix:
description: |-
prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.
Expand Down Expand Up @@ -252,12 +265,23 @@ spec:
properties:
claim:
description: |-
claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.
claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.

Precisely one of claim or expression must be set if the
ExternalOIDCWithUpstreamParity feature gate is enabled.

claim must not be an empty string ("") and must not exceed 256 characters.
maxLength: 256
minLength: 1
type: string
expression:
maxLength: 1024
minLength: 1
type: string
x-kubernetes-validations:
- message: claim must not be set when expression is
provided
rule: 'has(self.expression) ? !has(self.claim) : true'
prefix:
description: |-
prefix configures the prefix that should be prepended to the value of the JWT claim.
Expand Down Expand Up @@ -301,8 +325,6 @@ spec:
- NoPrefix
- Prefix
type: string
required:
- claim
type: object
x-kubernetes-validations:
- message: prefix must be set if prefixPolicy is 'Prefix',
Expand Up @@ -252,7 +252,10 @@ spec:
properties:
claim:
description: |-
claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.
claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.

Precisely one of claim or expression must be set if the
ExternalOIDCWithUpstreamParity feature gate is enabled.

claim must not be an empty string ("") and must not exceed 256 characters.
maxLength: 256
Expand Down Expand Up @@ -301,8 +304,6 @@ spec:
- NoPrefix
- Prefix
type: string
required:
- claim
type: object
x-kubernetes-validations:
- message: prefix must be set if prefixPolicy is 'Prefix',
Expand Up @@ -191,6 +191,19 @@ spec:
the JWT token claim whose value is assigned to the
cluster identity field associated with this mapping.
type: string
expression:
description: |-
expression is an optional CEL expression used to derive
group values from JWT claims.

When specified, claim must not be set.
maxLength: 1024
minLength: 1
type: string
x-kubernetes-validations:
- message: claim must not be set when expression is
provided
rule: 'has(self.expression) ? !has(self.claim) : true'
prefix:
description: |-
prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.
Expand Down Expand Up @@ -252,12 +265,23 @@ spec:
properties:
claim:
description: |-
claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.
claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.

Precisely one of claim or expression must be set if the
ExternalOIDCWithUpstreamParity feature gate is enabled.

claim must not be an empty string ("") and must not exceed 256 characters.
maxLength: 256
minLength: 1
type: string
expression:
maxLength: 1024
minLength: 1
type: string
x-kubernetes-validations:
- message: claim must not be set when expression is
provided
rule: 'has(self.expression) ? !has(self.claim) : true'
prefix:
description: |-
prefix configures the prefix that should be prepended to the value of the JWT claim.
Expand Down Expand Up @@ -301,8 +325,6 @@ spec:
- NoPrefix
- Prefix
type: string
required:
- claim
type: object
x-kubernetes-validations:
- message: prefix must be set if prefixPolicy is 'Prefix',
Expand Up @@ -115,7 +115,10 @@ spec:
properties:
claim:
description: |-
claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.
claim is a optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.

Precisely one of claim or expression must be set if the
ExternalOIDCWithUpstreamParity feature gate is enabled.

claim must not be an empty string ("") and must not exceed 256 characters.
maxLength: 256
Expand Down Expand Up @@ -164,8 +167,6 @@ spec:
- NoPrefix
- Prefix
type: string
required:
- claim
type: object
x-kubernetes-validations:
- message: prefix must be set if prefixPolicy is 'Prefix',