How to add a custom prefix to the user and groups claim coming from an external oidc #1246
Our k8s RBAC architecture is set up in such a way that our existing RBACs use a prefix for both the group and username claims. We have been using variations of ref: (EKS) https://docs.aws.amazon.com/eks/latest/userguide/authenticate-oidc-identity-provider.html How can I support the same when I am using Pinniped?
Replies: 1 comment
Hi @deepanjan90,

Unfortunately, Pinniped doesn't have an option for this yet. We've considered adding a feature to allow prefixing usernames and groups (and maybe other string transformations too), but it hasn't been prioritized yet. If you could explain more about your use case, and why you would like to use prefixes, that might help us make prioritization decisions about the potential feature. (cc @anjaltelang)

You are able to configure which claims from the upstream OIDC Provider's ID tokens are used by Pinniped to discover the usernames and group memberships of your users (see https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.24/README.adoc#k8s-api-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-oidcclaims). If it is possible to configure your OIDC Identity Provider to add custom claims to the ID token with the prefixed username and group names, then Pinniped could consume those custom claims. For example, Okta allows you to configure custom claims which can include prefixes (see https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/main/).
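As an added illustration of the claim-mapping workaround described in the reply (example configuration written for this page, not code from the Pinniped project or from either participant): an `OIDCIdentityProvider` that takes usernames and groups from custom ID token claims which the upstream IdP has been configured to emit with the prefix already applied, next to an RBAC binding that references the prefixed group. The claim names `k8s_username` and `k8s_groups`, the issuer URL, the resource names and the `oidc:` prefix are assumptions.

```yaml
# Supervisor-side identity provider: Pinniped passes claim values through
# unchanged, so the prefix must already be present in the custom claims.
apiVersion: idp.supervisor.pinniped.dev/v1alpha1
kind: OIDCIdentityProvider
metadata:
  name: example-oidc                 # assumed name
  namespace: pinniped-supervisor
spec:
  issuer: https://idp.example.com    # assumed issuer URL
  claims:
    # Custom claims (assumed names) configured at the IdP to carry
    # e.g. "oidc:alice" and ["oidc:platform-admins"] instead of the
    # default "email"/"groups" values
    username: k8s_username
    groups: k8s_groups
  client:
    secretName: example-oidc-client  # Secret holding clientID/clientSecret
---
# Cluster-side RBAC: the subject matches the prefixed group exactly as it
# appears in the custom claim, so existing prefixed bindings keep working.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-platform-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view                         # least-privilege default; widen deliberately
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: oidc:platform-admins
```

If the IdP cannot emit the prefixed values, the binding above will not match, because nothing on the Pinniped side rewrites the claim values.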