feat(dex): add option to modify userid claim, skip email_verified verification#1569
Open
feat(dex): add option to modify userid claim, skip email_verified verification#1569
Conversation
|
This PR is stale because it has been open for 45 days with no activity. |
abhijith-darshan
requested changes
Feb 18, 2026
Co-authored-by: Abhijith Ravindra <137736216+abhijith-darshan@users.noreply.github.com>
📝 WalkthroughWalkthroughThe changes extend OIDC configuration capabilities by introducing a new OIDCExtraConfig type with fields for email verification skipping and user ID claim customization. Updates include Go type definitions, generated deep copy methods, Kubernetes CRD schema, controller logic, API documentation, configuration examples, and TypeScript type bindings. Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches
🧪 Generate unit tests (beta)
Tip Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs). Comment |
There was a problem hiding this comment.
Actionable comments posted: 3
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
types/typescript/schema.d.ts (1)
549-571:⚠️ Potential issue | 🟠 MajorThe generated TS contract no longer matches the CRD.
oidcnow exposesinsecureSkipEmailVerifiedanduserIDClaimas required top-level properties here, but the actual API incharts/manager/crds/greenhouse.sap_organizations.yamlat Line 95 through Line 113 anddocs/reference/api/openapi.yamlat Line 696 through Line 710 nests both underoidc.extraConfigand keeps them optional. Consumers using this type will compile code that submits invalid manifests.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@types/typescript/schema.d.ts` around lines 549 - 571, The TypeScript schema currently declares insecureSkipEmailVerified and userIDClaim as required top-level properties on oidc, but the CRD/OpenAPI expect these as optional fields under oidc.extraConfig; update the generated types so insecureSkipEmailVerified and userIDClaim are defined as optional (use ?:) and located on the oidc.extraConfig type/interface (or make oidc.extraConfig an explicit typed object that includes insecureSkipEmailVerified?: boolean and userIDClaim?: string) so the TS contract matches the CRD/openapi shape (referencing the symbols insecureSkipEmailVerified, userIDClaim, oidc.extraConfig, and the oidc type in schema.d.ts).
🧹 Nitpick comments (2)
config/samples/organization/demo.yaml (1)
56-58: Keep the insecure flag out of the default sample.This is likely the first manifest users will copy. Setting
insecureSkipEmailVerified: truehere makes the bypass look like the recommended/default setup even though it should only be enabled for specific IdPs. I'd omit it here or move it into a provider-specific sample.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@config/samples/organization/demo.yaml` around lines 56 - 58, The sample manifest's extraConfig currently enables insecureSkipEmailVerified: true which should not be in a default/copyable sample; remove the insecureSkipEmailVerified key from the extraConfig block in the demo sample (or move it into a separate provider-specific sample) so the top-level demo.yaml only contains safe defaults (e.g., keep userIDClaim: email) and document that insecureSkipEmailVerified is only for testing or specific IdP cases.api/v1alpha1/organization_types.go (1)
97-99: Document that this override changes more than the user ID.
UserIDClaimis later applied to bothUserNameKeyandUserIDKeyininternal/controller/organization/dex.go, at Line 128 and Line 129. Either rename this field before the API settles, or update the doc string so callers know it also changes the username claim.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@api/v1alpha1/organization_types.go` around lines 97 - 99, The doc comment for UserIDClaim is misleading because the same field is later used to set both UserNameKey and UserIDKey (see UserIDClaim, UserNameKey, UserIDKey), so update the API comment on the UserIDClaim field to state that this override controls both the user ID and the username claim (or alternatively rename the field to something like UserIDAndNameClaim before the API stabilizes); change the comment on the UserIDClaim declaration to explicitly mention it is applied to both UserNameKey and UserIDKey so callers know it also affects the username claim.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@docs/reference/api/index.html`:
- Around line 1994-2005: The docstring for OIDCConfig.ExtraConfig is incorrect:
update the source comment on the OIDCConfig.ExtraConfig field to replace
"ExtraClaims contains additional configuration for extra claims." with text that
documents both extra claims handling and the skip-email-verified behavior (e.g.,
mention it configures additional claim mapping and whether to skip setting
email_verified), then regenerate the API reference so the change appears in
docs/index.html; locate the field comment for OIDCConfig.ExtraConfig (symbol:
OIDCConfig.ExtraConfig) and edit it accordingly before running the doc
generation step.
- Around line 2027-2047: The docs for insecureSkipEmailVerified and userIDClaim
lack their defaults and security impact; update the API reference entries for
insecureSkipEmailVerified and userIDClaim to state that userIDClaim defaults to
"login_name" when unset and to explicitly document that
insecureSkipEmailVerified relaxes ID token validation (it skips checking the
email_verified claim) and therefore should only be enabled for providers known
to misreport email_verified, with a clear warning about the increased risk of
accepting unverified emails.
In `@internal/controller/organization/dex.go`:
- Around line 115-121: The guard around setting userNameKey is inverted: in the
dex handling code that checks org.Spec.Authentication.OIDCConfig.ExtraConfig you
must set userNameKey when ExtraConfig.UserIDClaim is non-empty (UserIDClaim !=
"") instead of when it equals ""; change the condition in that block accordingly
and remove the duplicated ExtraConfig nil-check (or consolidate the nil-check
once) so skipEmailVerified = ExtraConfig.InsecureSkipEmailVerified still
executes when ExtraConfig is present; update the branches around
org.Spec.Authentication.OIDCConfig.ExtraConfig, the UserIDClaim assignment
(userNameKey) and the InsecureSkipEmailVerified assignment to use the correct
non-empty check and a single nil guard.
---
Outside diff comments:
In `@types/typescript/schema.d.ts`:
- Around line 549-571: The TypeScript schema currently declares
insecureSkipEmailVerified and userIDClaim as required top-level properties on
oidc, but the CRD/OpenAPI expect these as optional fields under
oidc.extraConfig; update the generated types so insecureSkipEmailVerified and
userIDClaim are defined as optional (use ?:) and located on the oidc.extraConfig
type/interface (or make oidc.extraConfig an explicit typed object that includes
insecureSkipEmailVerified?: boolean and userIDClaim?: string) so the TS contract
matches the CRD/openapi shape (referencing the symbols
insecureSkipEmailVerified, userIDClaim, oidc.extraConfig, and the oidc type in
schema.d.ts).
---
Nitpick comments:
In `@api/v1alpha1/organization_types.go`:
- Around line 97-99: The doc comment for UserIDClaim is misleading because the
same field is later used to set both UserNameKey and UserIDKey (see UserIDClaim,
UserNameKey, UserIDKey), so update the API comment on the UserIDClaim field to
state that this override controls both the user ID and the username claim (or
alternatively rename the field to something like UserIDAndNameClaim before the
API stabilizes); change the comment on the UserIDClaim declaration to explicitly
mention it is applied to both UserNameKey and UserIDKey so callers know it also
affects the username claim.
In `@config/samples/organization/demo.yaml`:
- Around line 56-58: The sample manifest's extraConfig currently enables
insecureSkipEmailVerified: true which should not be in a default/copyable
sample; remove the insecureSkipEmailVerified key from the extraConfig block in
the demo sample (or move it into a separate provider-specific sample) so the
top-level demo.yaml only contains safe defaults (e.g., keep userIDClaim: email)
and document that insecureSkipEmailVerified is only for testing or specific IdP
cases.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: e1af7d7a-4f14-41b9-a22a-af118ad6390f
📒 Files selected for processing (8)
api/v1alpha1/organization_types.goapi/v1alpha1/zz_generated.deepcopy.gocharts/manager/crds/greenhouse.sap_organizations.yamlconfig/samples/organization/demo.yamldocs/reference/api/index.htmldocs/reference/api/openapi.yamlinternal/controller/organization/dex.gotypes/typescript/schema.d.ts
16 tasks
Signed-off-by: David Gogl <1381862+kengou@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add option to organization oidc config to change userID claim.
At the moment
login_nameis hardcoded, and with this change it could be changed toemailor any other claim to use as identifier.Possibility to skip
email_verifiedverification on oidc config. Keycloak turns the email_verified to off(false) by default if using SAML or other user federation.Description
What type of PR is this? (check all applicable)
Related Tickets & Documents
Added tests?
Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration
Added to documentation?
Checklist
Summary by CodeRabbit
Release Notes