package v1

import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

// OAuth Server and Identity Provider Config

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// OAuth holds cluster-wide information about OAuth. The canonical name is `cluster`.
// It is used to configure the integrated OAuth server.
// This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type OAuth struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ObjectMeta `json:"metadata"`

	// spec holds user settable values for configuration
	// +kubebuilder:validation:Required
	// +required
	Spec OAuthSpec `json:"spec"`

	// status holds observed values from the cluster. They may not be overridden.
	// +optional
	Status OAuthStatus `json:"status"`
}

// OAuthSpec contains desired cluster auth configuration
type OAuthSpec struct {
	// identityProviders is an ordered list of ways for a user to identify themselves.
	// When this list is empty, no identities are provisioned for users.
	// +optional
	// +listType=atomic
	IdentityProviders []IdentityProvider `json:"identityProviders,omitempty"`

	// tokenConfig contains options for authorization and access tokens
	TokenConfig TokenConfig `json:"tokenConfig"`

	// templates allow you to customize pages like the login page.
	// +optional
	Templates OAuthTemplates `json:"templates"`
}

// OAuthStatus shows current known state of OAuth server in the cluster
type OAuthStatus struct {
	// TODO Fill in with status of identityProviders and templates (and maybe tokenConfig)
}

// TokenConfig holds the necessary configuration options for authorization and access tokens
type TokenConfig struct {
	// accessTokenMaxAgeSeconds defines the maximum age of access tokens
	AccessTokenMaxAgeSeconds int32 `json:"accessTokenMaxAgeSeconds,omitempty"`

	// accessTokenInactivityTimeoutSeconds - DEPRECATED: setting this field has no effect.
	// The inactivity timeout is configured through accessTokenInactivityTimeout below.
	// +optional
	AccessTokenInactivityTimeoutSeconds int32 `json:"accessTokenInactivityTimeoutSeconds,omitempty"`

	// accessTokenInactivityTimeout defines the token inactivity timeout
	// for tokens granted by any client.
	// The value represents the maximum amount of time that can occur between
	// consecutive uses of the token. Tokens become invalid if they are not
	// used within this temporal window. The user will need to acquire a new
	// token to regain access once a token times out. Takes a valid time
	// duration string such as "5m", "1.5h" or "2h45m". The minimum allowed
	// value for duration is 300s (5 minutes). If the timeout is configured
	// per client, then that value takes precedence. If the timeout value is
	// not specified and the client does not override the value, then tokens
	// are valid until their lifetime.
	//
	// WARNING: existing tokens' timeout will not be affected (lowered) by changing this value
	// +optional
	AccessTokenInactivityTimeout *metav1.Duration `json:"accessTokenInactivityTimeout,omitempty"`
}

// Keys under which the OAuth server looks up data in the secrets referenced
// by the types below.
const (
	// LoginTemplateKey is the key of the login template in a secret
	LoginTemplateKey = "login.html"

	// ProviderSelectionTemplateKey is the key for the provider selection template in a secret
	ProviderSelectionTemplateKey = "providers.html"

	// ErrorsTemplateKey is the key for the errors template in a secret
	ErrorsTemplateKey = "errors.html"

	// BindPasswordKey is the key for the LDAP bind password in a secret
	BindPasswordKey = "bindPassword"

	// ClientSecretKey is the key for the oauth client secret data in a secret
	ClientSecretKey = "clientSecret"

	// HTPasswdDataKey is the key for the htpasswd file data in a secret
	HTPasswdDataKey = "htpasswd"
)

// OAuthTemplates allow for customization of pages like the login page
type OAuthTemplates struct {
	// login is the name of a secret that specifies a go template to use to render the login page.
	// The key "login.html" is used to locate the template data.
	// If specified and the secret or expected key is not found, the default login page is used.
	// If the specified template is not valid, the default login page is used.
	// If unspecified, the default login page is used.
	// The namespace for this secret is openshift-config.
	// +optional
	Login SecretNameReference `json:"login"`

	// providerSelection is the name of a secret that specifies a go template to use to render
	// the provider selection page.
	// The key "providers.html" is used to locate the template data.
	// If specified and the secret or expected key is not found, the default provider selection page is used.
	// If the specified template is not valid, the default provider selection page is used.
	// If unspecified, the default provider selection page is used.
	// The namespace for this secret is openshift-config.
	// +optional
	ProviderSelection SecretNameReference `json:"providerSelection"`

	// error is the name of a secret that specifies a go template to use to render error pages
	// during the authentication or grant flow.
	// The key "errors.html" is used to locate the template data.
	// If specified and the secret or expected key is not found, the default error page is used.
	// If the specified template is not valid, the default error page is used.
	// If unspecified, the default error page is used.
	// The namespace for this secret is openshift-config.
	// +optional
	Error SecretNameReference `json:"error"`
}

// IdentityProvider provides identities for users authenticating using credentials
type IdentityProvider struct {
	// name is used to qualify the identities returned by this provider.
	// - It MUST be unique and not shared by any other identity provider used
	// - It MUST be a valid path segment: name cannot equal "." or ".." or contain "/" or "%" or ":"
	// Ref: https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName
	Name string `json:"name"`

	// mappingMethod determines how identities from this provider are mapped to users
	// Defaults to "claim"
	// +optional
	MappingMethod MappingMethodType `json:"mappingMethod,omitempty"`

	// IdentityProviderConfig carries the type discriminator and the matching
	// provider-specific configuration, inlined into this object.
	IdentityProviderConfig `json:",inline"`
}

// MappingMethodType specifies how new identities should be mapped to users when they log in
type MappingMethodType string

const (
	// MappingMethodClaim provisions a user with the identity's preferred user name. Fails if a user
	// with that user name is already mapped to another identity.
	// Default.
	MappingMethodClaim MappingMethodType = "claim"

	// MappingMethodLookup looks up existing users already mapped to an identity but does not
	// automatically provision users or identities. Requires identities and users be set up
	// manually or using an external process.
	MappingMethodLookup MappingMethodType = "lookup"

	// MappingMethodAdd provisions a user with the identity's preferred user name. If a user with
	// that user name already exists, the identity is mapped to the existing user, adding to any
	// existing identity mappings for the user.
	MappingMethodAdd MappingMethodType = "add"
)

// IdentityProviderType identifies the kind of identity provider described by an
// IdentityProviderConfig entry; it must correspond to the provider-specific
// configuration field that is populated.
type IdentityProviderType string

const (
	// IdentityProviderTypeBasicAuth provides identities for users authenticating with HTTP Basic Auth
	IdentityProviderTypeBasicAuth IdentityProviderType = "BasicAuth"

	// IdentityProviderTypeGitHub provides identities for users authenticating using GitHub credentials
	IdentityProviderTypeGitHub IdentityProviderType = "GitHub"

	// IdentityProviderTypeGitLab provides identities for users authenticating using GitLab credentials
	IdentityProviderTypeGitLab IdentityProviderType = "GitLab"

	// IdentityProviderTypeGoogle provides identities for users authenticating using Google credentials
	IdentityProviderTypeGoogle IdentityProviderType = "Google"

	// IdentityProviderTypeHTPasswd provides identities from an HTPasswd file
	IdentityProviderTypeHTPasswd IdentityProviderType = "HTPasswd"

	// IdentityProviderTypeKeystone provides identities for users authenticating using keystone password credentials
	IdentityProviderTypeKeystone IdentityProviderType = "Keystone"

	// IdentityProviderTypeLDAP provides identities for users authenticating using LDAP credentials
	IdentityProviderTypeLDAP IdentityProviderType = "LDAP"

	// IdentityProviderTypeOpenID provides identities for users authenticating using OpenID credentials
	IdentityProviderTypeOpenID IdentityProviderType = "OpenID"

	// IdentityProviderTypeRequestHeader provides identities for users authenticating using request header credentials
	IdentityProviderTypeRequestHeader IdentityProviderType = "RequestHeader"
)

// IdentityProviderConfig contains configuration for using a specific identity provider
type IdentityProviderConfig struct {
	// type identifies the identity provider type for this entry.
	Type IdentityProviderType `json:"type"`

	// Provider-specific configuration
	// The json tag MUST match the `Type` specified above, case-insensitively
	// e.g. For `Type: "LDAP"`, the `ldap` configuration should be provided

	// basicAuth contains configuration options for the BasicAuth IdP
	// +optional
	BasicAuth *BasicAuthIdentityProvider `json:"basicAuth,omitempty"`

	// github enables user authentication using GitHub credentials
	// +optional
	GitHub *GitHubIdentityProvider `json:"github,omitempty"`

	// gitlab enables user authentication using GitLab credentials
	// +optional
	GitLab *GitLabIdentityProvider `json:"gitlab,omitempty"`

	// google enables user authentication using Google credentials
	// +optional
	Google *GoogleIdentityProvider `json:"google,omitempty"`

	// htpasswd enables user authentication using an HTPasswd file to validate credentials
	// +optional
	HTPasswd *HTPasswdIdentityProvider `json:"htpasswd,omitempty"`

	// keystone enables user authentication using keystone password credentials
	// +optional
	Keystone *KeystoneIdentityProvider `json:"keystone,omitempty"`

	// ldap enables user authentication using LDAP credentials
	// +optional
	LDAP *LDAPIdentityProvider `json:"ldap,omitempty"`

	// openID enables user authentication using OpenID credentials
	// +optional
	OpenID *OpenIDIdentityProvider `json:"openID,omitempty"`

	// requestHeader enables user authentication using request header credentials
	// +optional
	RequestHeader *RequestHeaderIdentityProvider `json:"requestHeader,omitempty"`
}

// BasicAuthIdentityProvider provides identities for users authenticating using HTTP basic auth credentials
type BasicAuthIdentityProvider struct {
	// OAuthRemoteConnectionInfo contains information about how to connect to the external basic auth server
	OAuthRemoteConnectionInfo `json:",inline"`
}

// OAuthRemoteConnectionInfo holds information necessary for establishing a remote connection
type OAuthRemoteConnectionInfo struct {
	// url is the remote URL to connect to
	URL string `json:"url"`

	// ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
	// It is used as a trust anchor to validate the TLS certificate presented by the remote server.
	// The key "ca.crt" is used to locate the data.
	// If specified and the config map or expected key is not found, the identity provider is not honored.
	// If the specified ca data is not valid, the identity provider is not honored.
	// If empty, the default system roots are used.
	// The namespace for this config map is openshift-config.
	// +optional
	CA ConfigMapNameReference `json:"ca"`

	// tlsClientCert is an optional reference to a secret by name that contains the
	// PEM-encoded TLS client certificate to present when connecting to the server.
	// The key "tls.crt" is used to locate the data.
	// If specified and the secret or expected key is not found, the identity provider is not honored.
	// If the specified certificate data is not valid, the identity provider is not honored.
	// The namespace for this secret is openshift-config.
	// +optional
	TLSClientCert SecretNameReference `json:"tlsClientCert"`

	// tlsClientKey is an optional reference to a secret by name that contains the
	// PEM-encoded TLS private key for the client certificate referenced in tlsClientCert.
	// The key "tls.key" is used to locate the data.
	// If specified and the secret or expected key is not found, the identity provider is not honored.
	// If the specified key data is not valid, the identity provider is not honored.
	// The namespace for this secret is openshift-config.
	// +optional
	TLSClientKey SecretNameReference `json:"tlsClientKey"`
}

// HTPasswdIdentityProvider provides identities for users authenticating using htpasswd credentials
type HTPasswdIdentityProvider struct {
	// fileData is a required reference to a secret by name containing the data to use as the htpasswd file.
	// The key "htpasswd" is used to locate the data.
	// If the secret or expected key is not found, the identity provider is not honored.
	// If the specified htpasswd data is not valid, the identity provider is not honored.
	// The namespace for this secret is openshift-config.
	FileData SecretNameReference `json:"fileData"`
}

// LDAPIdentityProvider provides identities for users authenticating using LDAP credentials
type LDAPIdentityProvider struct {
	// url is an RFC 2255 URL which specifies the LDAP search parameters to use.
	// The syntax of the URL is:
	// ldap://host:port/basedn?attribute?scope?filter
	URL string `json:"url"`

	// bindDN is an optional DN to bind with during the search phase.
	// +optional
	BindDN string `json:"bindDN"`

	// bindPassword is an optional reference to a secret by name
	// containing a password to bind with during the search phase.
	// The key "bindPassword" is used to locate the data.
	// If specified and the secret or expected key is not found, the identity provider is not honored.
	// The namespace for this secret is openshift-config.
	// +optional
	BindPassword SecretNameReference `json:"bindPassword"`

	// insecure, if true, indicates the connection should not use TLS
	// WARNING: Should not be set to `true` with the URL scheme "ldaps://" as "ldaps://" URLs always
	// attempt to connect using TLS, even when `insecure` is set to `true`
	// When `true`, "ldap://" URLs connect insecurely, so the bind password and user
	// credentials cross the network unprotected. When `false`, "ldap://" URLs are upgraded to
	// a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830.
	Insecure bool `json:"insecure"`

	// ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
	// It is used as a trust anchor to validate the TLS certificate presented by the remote server.
	// The key "ca.crt" is used to locate the data.
	// If specified and the config map or expected key is not found, the identity provider is not honored.
	// If the specified ca data is not valid, the identity provider is not honored.
	// If empty, the default system roots are used.
	// The namespace for this config map is openshift-config.
	// +optional
	CA ConfigMapNameReference `json:"ca"`

	// attributes maps LDAP attributes to identities
	Attributes LDAPAttributeMapping `json:"attributes"`
}

// LDAPAttributeMapping maps LDAP attributes to OpenShift identity fields
type LDAPAttributeMapping struct {
	// id is the list of attributes whose values should be used as the user ID. Required.
	// First non-empty attribute is used. At least one attribute is required. If none of the listed
	// attributes have a value, authentication fails.
	// LDAP standard identity attribute is "dn"
	ID []string `json:"id"`

	// preferredUsername is the list of attributes whose values should be used as the preferred username.
	// LDAP standard login attribute is "uid"
	// +optional
	PreferredUsername []string `json:"preferredUsername,omitempty"`

	// name is the list of attributes whose values should be used as the display name. Optional.
	// If unspecified, no display name is set for the identity
	// LDAP standard display name attribute is "cn"
	// +optional
	Name []string `json:"name,omitempty"`

	// email is the list of attributes whose values should be used as the email address. Optional.
	// If unspecified, no email is set for the identity
	// +optional
	Email []string `json:"email,omitempty"`
}

// KeystoneIdentityProvider provides identities for users authenticating using keystone password credentials
type KeystoneIdentityProvider struct {
	// OAuthRemoteConnectionInfo contains information about how to connect to the keystone server
	OAuthRemoteConnectionInfo `json:",inline"`

	// domainName is required for keystone v3
	DomainName string `json:"domainName"`

	// TODO if we ever add support for 3.11 to 4.0 upgrades, add this configuration
	// useUsernameIdentity indicates that users should be authenticated by username, not keystone ID
	// DEPRECATED - only use this option for legacy systems to ensure backwards compatibility
	// +optional
	// UseUsernameIdentity bool `json:"useUsernameIdentity"`
}

// RequestHeaderIdentityProvider provides identities for users authenticating using request header credentials
type RequestHeaderIdentityProvider struct {
	// loginURL is a URL to redirect unauthenticated /authorize requests to
	// Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here
	// ${url} is replaced with the current URL, escaped to be safe in a query parameter
	//   https://www.example.com/sso-login?then=${url}
	// ${query} is replaced with the current query string
	//   https://www.example.com/auth-proxy/oauth/authorize?${query}
	// Required when login is set to true.
	LoginURL string `json:"loginURL"`

	// challengeURL is a URL to redirect unauthenticated /authorize requests to
	// Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be
	// redirected here.
	// ${url} is replaced with the current URL, escaped to be safe in a query parameter
	//   https://www.example.com/sso-login?then=${url}
	// ${query} is replaced with the current query string
	//   https://www.example.com/auth-proxy/oauth/authorize?${query}
	// Required when challenge is set to true.
	ChallengeURL string `json:"challengeURL"`

	// ca is a required reference to a config map by name containing the PEM-encoded CA bundle.
	// It is used as a trust anchor to validate the TLS certificate presented by the remote server.
	// Specifically, it allows verification of incoming requests to prevent header spoofing:
	// identity headers are only trusted from a client that presents a certificate chaining to this bundle.
	// The key "ca.crt" is used to locate the data.
	// If the config map or expected key is not found, the identity provider is not honored.
	// If the specified ca data is not valid, the identity provider is not honored.
	// The namespace for this config map is openshift-config.
	ClientCA ConfigMapNameReference `json:"ca"`

	// clientCommonNames is an optional list of common names to require a match from. If empty, any
	// client certificate validated against the clientCA bundle is considered authoritative.
	// Listing only the authenticating proxy's certificate name narrows which certificate holders
	// under that CA are able to assert identity headers.
	// +optional
	ClientCommonNames []string `json:"clientCommonNames,omitempty"`

	// headers is the set of headers to check for identity information
	Headers []string `json:"headers"`

	// preferredUsernameHeaders is the set of headers to check for the preferred username
	PreferredUsernameHeaders []string `json:"preferredUsernameHeaders"`

	// nameHeaders is the set of headers to check for the display name
	NameHeaders []string `json:"nameHeaders"`

	// emailHeaders is the set of headers to check for the email address
	EmailHeaders []string `json:"emailHeaders"`
}

// GitHubIdentityProvider provides identities for users authenticating using GitHub credentials
type GitHubIdentityProvider struct {
	// clientID is the oauth client ID
	ClientID string `json:"clientID"`

	// clientSecret is a required reference to the secret by name containing the oauth client secret.
	// The key "clientSecret" is used to locate the data.
	// If the secret or expected key is not found, the identity provider is not honored.
	// The namespace for this secret is openshift-config.
	ClientSecret SecretNameReference `json:"clientSecret"`

	// organizations optionally restricts which organizations are allowed to log in
	// +optional
	Organizations []string `json:"organizations,omitempty"`

	// teams optionally restricts which teams are allowed to log in. Format is <org>/<team>.
	// +optional
	Teams []string `json:"teams,omitempty"`

	// hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of
	// GitHub Enterprise.
	// It must match the GitHub Enterprise settings value configured at /setup/settings#hostname.
	// +optional
	Hostname string `json:"hostname"`

	// ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
	// It is used as a trust anchor to validate the TLS certificate presented by the remote server.
	// The key "ca.crt" is used to locate the data.
	// If specified and the config map or expected key is not found, the identity provider is not honored.
	// If the specified ca data is not valid, the identity provider is not honored.
	// If empty, the default system roots are used.
	// This can only be configured when hostname is set to a non-empty value.
	// The namespace for this config map is openshift-config.
	// +optional
	CA ConfigMapNameReference `json:"ca"`
}

// GitLabIdentityProvider provides identities for users authenticating using GitLab credentials
type GitLabIdentityProvider struct {
	// clientID is the oauth client ID
	ClientID string `json:"clientID"`

	// clientSecret is a required reference to the secret by name containing the oauth client secret.
	// The key "clientSecret" is used to locate the data.
	// If the secret or expected key is not found, the identity provider is not honored.
	// The namespace for this secret is openshift-config.
	ClientSecret SecretNameReference `json:"clientSecret"`

	// url is the oauth server base URL
	URL string `json:"url"`

	// ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
	// It is used as a trust anchor to validate the TLS certificate presented by the remote server.
	// The key "ca.crt" is used to locate the data.
	// If specified and the config map or expected key is not found, the identity provider is not honored.
	// If the specified ca data is not valid, the identity provider is not honored.
	// If empty, the default system roots are used.
	// The namespace for this config map is openshift-config.
	// +optional
	CA ConfigMapNameReference `json:"ca"`
}

// GoogleIdentityProvider provides identities for users authenticating using Google credentials
type GoogleIdentityProvider struct {
	// clientID is the oauth client ID
	ClientID string `json:"clientID"`

	// clientSecret is a required reference to the secret by name containing the oauth client secret.
	// The key "clientSecret" is used to locate the data.
	// If the secret or expected key is not found, the identity provider is not honored.
	// The namespace for this secret is openshift-config.
	ClientSecret SecretNameReference `json:"clientSecret"`

	// hostedDomain is the optional Google App domain (e.g. "mycompany.com") to restrict logins to
	// +optional
	HostedDomain string `json:"hostedDomain"`
}

// OpenIDIdentityProvider provides identities for users authenticating using OpenID credentials
type OpenIDIdentityProvider struct {
	// clientID is the oauth client ID
	ClientID string `json:"clientID"`

	// clientSecret is a required reference to the secret by name containing the oauth client secret.
	// The key "clientSecret" is used to locate the data.
	// If the secret or expected key is not found, the identity provider is not honored.
	// The namespace for this secret is openshift-config.
	ClientSecret SecretNameReference `json:"clientSecret"`

	// ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
	// It is used as a trust anchor to validate the TLS certificate presented by the remote server.
	// The key "ca.crt" is used to locate the data.
	// If specified and the config map or expected key is not found, the identity provider is not honored.
	// If the specified ca data is not valid, the identity provider is not honored.
	// If empty, the default system roots are used.
	// The namespace for this config map is openshift-config.
	// +optional
	CA ConfigMapNameReference `json:"ca"`

	// extraScopes are any scopes to request in addition to the standard "openid" scope.
	// +optional
	ExtraScopes []string `json:"extraScopes,omitempty"`

	// extraAuthorizeParameters are any custom parameters to add to the authorize request.
	// +optional
	ExtraAuthorizeParameters map[string]string `json:"extraAuthorizeParameters,omitempty"`

	// issuer is the URL that the OpenID Provider asserts as its Issuer Identifier.
	// It must use the https scheme with no query or fragment component.
	Issuer string `json:"issuer"`

	// claims mappings
	Claims OpenIDClaims `json:"claims"`
}

// UserIDClaim is the claim used to provide a stable identifier for OIDC identities.
// Per http://openid.net/specs/openid-connect-core-1_0.html#ClaimStability
//
// "The sub (subject) and iss (issuer) Claims, used together, are the only Claims that an RP can
// rely upon as a stable identifier for the End-User, since the sub Claim MUST be locally unique
// and never reassigned within the Issuer for a particular End-User, as described in Section 2.
// Therefore, the only guaranteed unique identifier for a given End-User is the combination of the
// iss Claim and the sub Claim."
const UserIDClaim = "sub"

// OpenIDClaim represents a claim retrieved from an OpenID provider's tokens or userInfo
// responses
// +kubebuilder:validation:MinLength=1
type OpenIDClaim string

// OpenIDClaims contains a list of OpenID claims to use when authenticating with an OpenID identity provider
type OpenIDClaims struct {
	// preferredUsername is the list of claims whose values should be used as the preferred username.
	// If unspecified, the preferred username is determined from the value of the sub claim
	// +listType=atomic
	// +optional
	PreferredUsername []string `json:"preferredUsername,omitempty"`

	// name is the list of claims whose values should be used as the display name. Optional.
	// If unspecified, no display name is set for the identity
	// +listType=atomic
	// +optional
	Name []string `json:"name,omitempty"`

	// email is the list of claims whose values should be used as the email address. Optional.
	// If unspecified, no email is set for the identity
	// +listType=atomic
	// +optional
	Email []string `json:"email,omitempty"`

	// groups is the list of claims value of which should be used to synchronize groups
	// from the OIDC provider to OpenShift for the user.
	// If multiple claims are specified, the first one with a non-empty value is used.
	// +listType=atomic
	// +optional
	Groups []OpenIDClaim `json:"groups,omitempty"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// OAuthList is a collection of OAuth objects.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type OAuthList struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard list's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ListMeta `json:"metadata"`

	// items holds the OAuth objects contained in this list.
	Items []OAuth `json:"items"`
}