OIDC Enhancements #5637

Merged: 7 commits from auth/oidc-expansion into pipe-cd:master, Apr 30, 2025
Conversation

@kumo-rn5s (Contributor) commented Mar 8, 2025

What this PR does:

  • Adds support for custom claim keys for roles, usernames, and avatar URLs in OIDC configuration.
  • Enables the use of custom authorization, token, and user info endpoints.
  • Allows the OIDC client to retrieve additional user information from the UserInfo endpoint.
  • Adds an example for the Okta provider.

Why we need it:

  • Provides greater flexibility in configuring OIDC providers, especially when the default claim keys or endpoints do not match the user's setup.
  • Ensures the OIDC client can retrieve more user information from the UserInfo endpoint.
  • Enhances compatibility with various OIDC providers.

Which issue(s) this PR fixes:
Fixes #5330

Does this PR introduce a user-facing change?:
Yes

  • How are users affected by this change:

    • Users can now specify custom claim keys for roles, usernames, and avatar URLs in their OIDC configuration. They can also set custom endpoints for authorization, token, and user info.
    • The UserInfo endpoint will be automatically used to get additional claim fields.
    • Users can now specify custom userinfo/authorize/token endpoints on the prerequisites of issuer discovery.
  • Something to note:

    • Most OIDC providers support Discovery, so typically users only need to provide the issuer URL — the client will automatically fetch the necessary endpoints (authorization_endpoint, token_endpoint, userinfo_endpoint). This PR adds the ability to override specific values even after discovery, which is useful when:
      • You're using a custom OIDC provider that doesn't support Discovery.
      • You want to override one or more endpoints (e.g., userinfo_endpoint) from what Discovery provides.
    • While this feature improves flexibility, it's expected to be a niche use case. Testing it thoroughly may also be difficult without a non-standard provider.
  • Is this a breaking change:
    No

  • How to migrate (if breaking change):
    Not applicable

@kumo-rn5s force-pushed the auth/oidc-expansion branch from fc3352a to 00324ea, March 8, 2025 15:57
@kumo-rn5s changed the title from "OIDC expansion" to "OIDC Enhancements", Mar 8, 2025
@t-kikuc t-kikuc self-assigned this Mar 9, 2025
@t-kikuc (Member) commented Mar 10, 2025

Thank you! Let me check for some weeks

github-actions bot commented:

This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 7 days.

@github-actions github-actions bot added the Stale label Apr 10, 2025
github-actions bot commented:

This PR was closed because it has been stalled for 7 days with no activity. Feel free to reopen if still applicable.

@github-actions github-actions bot closed this Apr 17, 2025
@khanhtc1202 khanhtc1202 reopened this Apr 17, 2025
@github-actions github-actions bot removed the Stale label Apr 18, 2025
@kumo-rn5s force-pushed the auth/oidc-expansion branch 2 times, most recently from 6d65f31 to e510d4e, April 22, 2025 07:16
t-kikuc previously approved these changes Apr 22, 2025

@t-kikuc (Member) left a review:
LGreatTM

Tested

It worked well. With the following control-plane-config.yaml and AWS Cognito configs, I could successfully use given_name instead of username.

spec:
  sharedSSOConfigs:
    - name: cognito
      provider: OIDC
      oidc:
        clientId: xxx
        clientSecret: xxx
        issuer: https://cognito-idp.xxx
        redirect_uri: xxx
        scopes:
          - openid
          - profile
        usernameClaimKey: given_name #HERE
        avatarUrlClaimKey: picture #HERE

Result: (the name is from given_name!)
[screenshot omitted]

For reviewers

Let me explain this issue & PR in short:

  • Needs: Users want to assign custom claims for username/role/avatarImage on PipeCD UI
  • Before this PR: It was not possible
  • The reasons:
    [1] There was no mapping between custom claims and username/role/avatarImage
    [2] IDToken does not have custom claims in some IdPs such as Okta
    - To get them, pipecd needs to access UserInfoEndpoint
  • The solution:
    [1] Add mapping for custom claims by usernameClaimKey etc. and defaultUsernameClaimKeys etc.
    [2] Fetch custom claims from UserInfoEndpoint (here)

// then pass user-provided URLs to override the existing URLs in the providerConfig struct.
// https://pkg.go.dev/github.com/coreos/go-oidc/[email protected]/oidc#NewProvider
// https://pkg.go.dev/github.com/coreos/go-oidc/[email protected]/oidc#ProviderConfig
func createCustomOIDCProvider(ctx context.Context, sso *model.ProjectSSOConfig_Oidc) (*oidc.Provider, error) {
Review comment (Member):
I got it.

This func is based on https://github.com/coreos/go-oidc/blob/0fe98873951208147e6d412602432038c91cda54/oidc/oidc.go#L208 and basically the changed points are only overriding AuthorizationEndpoint etc. in providerConfig := oidc.ProviderConfig{.

@Warashi (Member) commented:
Because this function is based on the code written by other authors, we should include copyright notice in some places.
The go-oidc's notice is here, so please include the copyright notice around this function and the modification summary.
https://github.com/coreos/go-oidc/blob/a7c457eacb849c163a496b29274242474a8f44ab/NOTICE

@kumo-rn5s (Contributor, Author) commented:
@Warashi Hi, I’ve added the NOTICE. Could you please review it and let me know if it looks okay?

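As an added illustration of the override flow discussed in the review thread above (createCustomOIDCProvider reusing the logic of go-oidc's NewProvider and then replacing AuthorizationEndpoint, TokenEndpoint and UserInfoEndpoint in the ProviderConfig), the following Go program is example code written for this page; it is neither PipeCD's createCustomOIDCProvider nor go-oidc. It runs discovery against a constructed fake metadata server, keeps the issuer equality check that NewProvider performs, and accepts an override only when it is an absolute https URL. The discoveryDoc, EndpointOverrides and NewFakeProvider names, the https-only rule and the 1 MiB response cap are this example's assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// discoveryDoc holds the provider metadata fields this example uses.
type discoveryDoc struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	UserInfoEndpoint      string `json:"userinfo_endpoint"`
	JWKSURI               string `json:"jwks_uri"`
}

// EndpointOverrides stands in for the PR's custom endpoint settings; the
// field names are this example's assumption, not PipeCD's schema.
type EndpointOverrides struct{ AuthorizationEndpoint, TokenEndpoint, UserInfoEndpoint string }

// override replaces *dst with value when an override is configured. Only
// absolute https URLs are accepted, so a mistyped override cannot send the
// client secret or tokens to a plaintext or relative destination.
func override(name, value string, dst *string) error {
	if value == "" {
		return nil // no override: keep the discovered value
	}
	u, err := url.Parse(value)
	if err != nil || !u.IsAbs() || u.Host == "" || u.Scheme != "https" {
		return fmt.Errorf("%s: %q is not an absolute https URL", name, value)
	}
	*dst = value
	return nil
}

// Discover fetches <issuer>/.well-known/openid-configuration, requires the
// advertised issuer to equal the configured one (the comparison go-oidc's
// NewProvider makes), then layers validated overrides on top.
func Discover(client *http.Client, issuer string, ov EndpointOverrides) (discoveryDoc, error) {
	var ep discoveryDoc
	resp, err := client.Get(strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration")
	if err != nil {
		return ep, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return ep, fmt.Errorf("discovery for %s returned %d", issuer, resp.StatusCode)
	}
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&ep); err != nil {
		return discoveryDoc{}, fmt.Errorf("discovery: decode: %w", err)
	}
	if ep.Issuer != issuer {
		return discoveryDoc{}, fmt.Errorf("discovery: issuer mismatch: configured %q, advertised %q", issuer, ep.Issuer)
	}
	for _, err := range []error{
		override("authorization_endpoint", ov.AuthorizationEndpoint, &ep.AuthorizationEndpoint),
		override("token_endpoint", ov.TokenEndpoint, &ep.TokenEndpoint),
		override("userinfo_endpoint", ov.UserInfoEndpoint, &ep.UserInfoEndpoint),
	} {
		if err != nil {
			return discoveryDoc{}, err
		}
	}
	return ep, nil
}

// NewFakeProvider is a constructed TLS metadata server for this example. With
// an empty advertisedIssuer it advertises its own URL; otherwise it advertises
// the given value, which exercises the issuer check. Talk to it via srv.Client().
func NewFakeProvider(advertisedIssuer string) *httptest.Server {
	mux := http.NewServeMux()
	srv := httptest.NewTLSServer(mux)
	mux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
		iss := advertisedIssuer
		if iss == "" {
			iss = srv.URL
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(discoveryDoc{iss, srv.URL + "/authorize", srv.URL + "/token", srv.URL + "/userinfo", srv.URL + "/keys"})
	})
	return srv
}

func main() {
	srv := NewFakeProvider("")
	defer srv.Close()
	ep, err := Discover(srv.Client(), srv.URL, EndpointOverrides{UserInfoEndpoint: srv.URL + "/custom-userinfo"})
	fmt.Printf("%+v err=%v\n", ep, err)
	bad := NewFakeProvider("https://other.example")
	defer bad.Close()
	_, err = Discover(bad.Client(), bad.URL, EndpointOverrides{})
	fmt.Println("issuer mismatch rejected:", err)
}
```

The issuer comparison is the line to preserve when copying NewProvider: once overrides are allowed, a configuration that points discovery at one host and the token endpoint at another is legitimate, so that string match is the only thing tying the metadata (and its jwks_uri) to the issuer the ID token will be verified against. Overrides are deliberately not cross-checked against the discovered document, because replacing a discovered userinfo_endpoint is exactly the niche the PR describes; the https rule is the minimum guard for the access token that request carries.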
@t-kikuc (Member) commented Apr 22, 2025

Needs: Users want to assign custom claims for username/role/avatarImage on PipeCD UI

For example,

  • choose employeeID/userName/userID etc. for the name on UI.
  • decide the role by some custom claim

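The claim mapping summarised in the PR description, in the "For reviewers" section of the review above and in the comment just above (a custom key such as employeeID for the name shown on the UI, a custom claim for the role, UserInfo as the source when the ID token lacks them), as an added Go example written for this page; it is not PipeCD's code. The ClaimKeyConfig field names, the default key lists and the sample claim sets are this example's assumptions. Around the key lookup it carries the two checks a reviewer would expect of a UserInfo merge: the UserInfo sub must equal the ID token sub (OIDC Core 5.3.2), and a role claim may arrive as a single string or as an array.

```go
package main

import "fmt"

// Claims is a decoded JSON claim set from an ID token or a UserInfo response.
type Claims map[string]any

// ClaimKeyConfig stands in for the PR's usernameClaimKey, roleClaimKey and avatarUrlClaimKey; field names are this example's assumption.
type ClaimKeyConfig struct{ UsernameClaimKey, RoleClaimKey, AvatarURLClaimKey string }

// Default keys tried in order when no custom key is configured (this example's choice, not the project's defaults).
var (
	defaultUsernameKeys = []string{"preferred_username", "email", "name"}
	defaultRoleKeys     = []string{"roles", "groups"}
	defaultAvatarKeys   = []string{"picture"}
)

type ResolvedUser struct {
	Subject, Username, AvatarURL string
	Roles                        []string
}

// mergeClaims overlays UserInfo claims under ID token claims. OIDC Core 5.3.2
// requires the client to check that the UserInfo "sub" equals the ID token "sub";
// without it a response for another subject could attach that user's name or roles here.
func mergeClaims(idToken, userInfo Claims) (Claims, error) {
	idSub, _ := idToken["sub"].(string)
	if idSub == "" {
		return nil, fmt.Errorf("id token has no sub claim")
	}
	merged := Claims{}
	for k, v := range userInfo { // ranging over a nil map is a no-op
		merged[k] = v
	}
	if uiSub, _ := merged["sub"].(string); userInfo != nil && uiSub != idSub {
		return nil, fmt.Errorf("userinfo sub %q does not match id token sub %q", uiSub, idSub)
	}
	for k, v := range idToken {
		merged[k] = v // signed claims override UserInfo values
	}
	return merged, nil
}

// claimValues returns the first key whose claim is a non-empty string or a JSON array
// of strings (how different IdPs carry roles and groups). An empty key never matches.
func claimValues(c Claims, keys ...string) []string {
	for _, k := range keys {
		switch v := c[k].(type) {
		case string:
			if v != "" {
				return []string{v}
			}
		case []any:
			var out []string
			for _, e := range v {
				if s, ok := e.(string); ok && s != "" {
					out = append(out, s)
				}
			}
			if len(out) > 0 {
				return out
			}
		}
	}
	return nil
}

func firstValue(c Claims, keys ...string) string {
	if v := claimValues(c, keys...); len(v) > 0 {
		return v[0]
	}
	return ""
}

// ResolveUser maps claims to a UI identity: custom key first, defaults next.
func ResolveUser(cfg ClaimKeyConfig, idToken, userInfo Claims) (ResolvedUser, error) {
	merged, err := mergeClaims(idToken, userInfo)
	if err != nil {
		return ResolvedUser{}, err
	}
	u := ResolvedUser{
		Subject:   merged["sub"].(string),
		Username:  firstValue(merged, append([]string{cfg.UsernameClaimKey}, defaultUsernameKeys...)...),
		Roles:     claimValues(merged, append([]string{cfg.RoleClaimKey}, defaultRoleKeys...)...),
		AvatarURL: firstValue(merged, append([]string{cfg.AvatarURLClaimKey}, defaultAvatarKeys...)...),
	}
	if u.Username == "" {
		return ResolvedUser{}, fmt.Errorf("no username claim found in id token or userinfo")
	}
	return u, nil
}

func main() {
	// Constructed sample: an Okta-style ID token lacking the custom claims, and a UserInfo response carrying them.
	idToken := Claims{"sub": "00u1abc", "email": "alice@example.org", "name": "Alice"}
	userInfo := Claims{"sub": "00u1abc", "employeeID": "E1234", "appRoles": []any{"Editor", "Viewer"}, "picture": "https://example.org/alice.png"}
	u, err := ResolveUser(ClaimKeyConfig{UsernameClaimKey: "employeeID", RoleClaimKey: "appRoles"}, idToken, userInfo)
	fmt.Printf("%+v err=%v\n", u, err)
}
```

ID token claims take precedence over UserInfo values on conflict because the issuer signed them, whereas UserInfo is only as trustworthy as the TLS connection and the access token presented. The sub comparison sits before any role is derived, so a UserInfo response for a different subject can never influence the role a session is granted; a lookup that finds no username at all is reported as an error rather than logging the user in with an empty name.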
@t-kikuc t-kikuc removed their assignment Apr 22, 2025
@t-kikuc t-kikuc enabled auto-merge (squash) April 24, 2025 03:50
@t-kikuc (Member) commented Apr 30, 2025

@kumo-rn5s
We're sorry, but would you please solve the conflict?
Maybe this is correct:

verifier := c.Verifier(&oidc.Config{ClientID: c.sharedSSOConfig.ClientId})

auto-merge was automatically disabled April 30, 2025 03:47

Head branch was pushed to by a user without write access

@kumo-rn5s force-pushed the auth/oidc-expansion branch from 9ff9fb7 to f324d67, April 30, 2025 03:47
@kumo-rn5s kumo-rn5s requested a review from t-kikuc April 30, 2025 03:51
t-kikuc previously approved these changes Apr 30, 2025

@Warashi (Member) left a review:
The codes are good. I commented on the copyright notice of the codes taken from the go-oidc package.

@Warashi (Member) left a review:
Looks Great! Thank you!

@kumo-rn5s kumo-rn5s requested a review from t-kikuc April 30, 2025 05:25
@t-kikuc (Member) left a review:
Thank you so much for amazing feature!!!! 👍 🙏

@t-kikuc t-kikuc merged commit e92520b into pipe-cd:master Apr 30, 2025
16 checks passed
@github-actions github-actions bot mentioned this pull request May 15, 2025
@github-actions github-actions bot mentioned this pull request May 28, 2025
Linked issue (closed by this PR): Support userinfo endpoint for Generic OIDC SSO
4 participants