Composite claims in OIDC connector

connector/oidc/oidc.go

@@ -87,6 +87,23 @@ type Config struct {
 		// Configurable key which contains the groups claims
 		GroupsKey string `json:"groups"` // defaults to "groups"
 	} `json:"claimMapping"`
+
+	// ClaimModifications holds all claim modifications options, current has only newGroupsFromClaims
+	ClaimModifications struct {
+		NewGroupsFromClaims []NewGroupsFromClaims `json:"newGroupsFromClaims"`
+	}
+}
+
+// List of groups claim elements to create by concatenating other claims
+type NewGroupsFromClaims struct {
+	// List of claim to join together
+	ClaimList []string `json:"claimList"`
+
+	// String to separate the claims
+	Delimiter string `json:"delimiter"`
+
+	// String to place before the first claim
+	Prefix string `json:"prefix"`
 }
 
 // Domains that don't support basic auth. golang.org/x/oauth2 has an internal
@@ -189,6 +206,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
 		preferredUsernameKey:      c.ClaimMapping.PreferredUsernameKey,
 		emailKey:                  c.ClaimMapping.EmailKey,
 		groupsKey:                 c.ClaimMapping.GroupsKey,
+		newGroupsFromClaims:       c.ClaimModifications.NewGroupsFromClaims,
 	}, nil
 }
 
@@ -216,6 +234,7 @@ type oidcConnector struct {
 	preferredUsernameKey      string
 	emailKey                  string
 	groupsKey                 string
+	newGroupsFromClaims       []NewGroupsFromClaims
 }
 
 func (c *oidcConnector) Close() error {
@@ -427,6 +446,26 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
 		}
 	}
 
+	for _, cc := range c.newGroupsFromClaims {
+		newElement := ""
+		for _, clm := range cc.ClaimList {
+			// Non string claim value are ignored, concatenating them doesn't really make any sense
+			if claimValue, ok := claims[clm].(string); ok {
+				// Removing the delimiier string from the concatenated claim to ensure resulting claim structure
+				// is in full control of Dex operator
+				claimCleanedValue := strings.ReplaceAll(claimValue, cc.Delimiter, "")
+				if newElement == "" {
+					newElement = cc.Prefix + cc.Delimiter + claimCleanedValue
+				} else {
+					newElement = newElement + cc.Delimiter + claimCleanedValue
+				}
+			}
+		}
+		if newElement != "" {
+			groups = append(groups, newElement)
+		}
+	}
+
 	cd := connectorData{
 		RefreshToken: []byte(token.RefreshToken),
 	}

connector/oidc/oidc_test.go

@@ -62,6 +62,7 @@ func TestHandleCallback(t *testing.T) {
 		expectPreferredUsername   string
 		expectedEmailField        string
 		token                     map[string]interface{}
+		newGroupsFromClaims       []NewGroupsFromClaims
 	}{
 		{
 			name:               "simpleCase",
@@ -288,6 +289,68 @@ func TestHandleCallback(t *testing.T) {
 				"email_verified": true,
 			},
 		},
+		{
+			name:               "concatinateClaim",
+			userIDKey:          "", // not configured
+			userNameKey:        "", // not configured
+			expectUserID:       "subvalue",
+			expectUserName:     "namevalue",
+			expectGroups:       []string{"group1", "gh::acme::pipeline-one", "tfe-acme-foobar", "bk-emailvalue"},
+			expectedEmailField: "emailvalue",
+			newGroupsFromClaims: []NewGroupsFromClaims{
+				{ // The basic functionality, should create "gh::acme::pipeline-one".
+					ClaimList: []string{
+						"organization",
+						"pipeline",
+					},
+					Delimiter: "::",
+					Prefix:    "gh",
+				},
+				{ // Non existing claims, should not generate any any new group claim.
+					ClaimList: []string{
+						"non-existing1",
+						"non-existing2",
+					},
+					Delimiter: "::",
+					Prefix:    "tfe",
+				},
+				{ // In this case the delimiter character("-") should be removed removed from "claim-with-delimiter" claim to ensure the resulting
+					// claim structure is in full control of the Dex operator and not the person creating a new pipeline.
+					// Should create "tfe-acme-foobar" and not "tfe-acme-foo-bar".
+					ClaimList: []string{
+						"organization",
+						"claim-with-delimiter",
+					},
+					Delimiter: "-",
+					Prefix:    "tfe",
+				},
+				{ // Ignore non string claims (like arrays), this should result in "bk-emailvalue".
+					ClaimList: []string{
+						"non-string-claim",
+						"non-string-claim2",
+						"email",
+					},
+					Delimiter: "-",
+					Prefix:    "bk",
+				},
+			},
+
+			token: map[string]interface{}{
+				"sub":                  "subvalue",
+				"name":                 "namevalue",
+				"groups":               "group1",
+				"organization":         "acme",
+				"pipeline":             "pipeline-one",
+				"email":                "emailvalue",
+				"email_verified":       true,
+				"claim-with-delimiter": "foo-bar",
+				"non-string-claim": []string{
+					"element1",
+					"element2",
+				},
+				"non-string-claim2": 666,
+			},
+		},
 	}
 
 	for _, tc := range tests {
@@ -323,6 +386,7 @@ func TestHandleCallback(t *testing.T) {
 			config.ClaimMapping.PreferredUsernameKey = tc.preferredUsernameKey
 			config.ClaimMapping.EmailKey = tc.emailKey
 			config.ClaimMapping.GroupsKey = tc.groupsKey
+			config.ClaimModifications.NewGroupsFromClaims = tc.newGroupsFromClaims
 
 			conn, err := newConnector(config)
 			if err != nil {