1. Proposed title of this feature request
Support for Specifying Additional Scopes for OpenShift Console with External Authentication
2. What is the nature and description of the request?
External Authentication in OpenShift introduces the ability to integrate authentication with external OIDC providers, including support for using this functionality from the OpenShift Web Console. The feature allows the username and group claims to be specified so that identities from the external OIDC provider can be associated with OpenShift entities.
The design of this feature focused on usernames originating from a claim in the ID token, such as email, and on groups originating from the groups claim. Customers may, however, need to use alternate claims, which is a supported feature. OpenShift only requests the openid OIDC scope when communicating with the external authentication provider, and some external providers will not release certain claims unless a specific scope is requested. Without the ability to specify additional OIDC scopes, the desired claims cannot be used.
It is important to note that CLI-based integration with External Authentication using kubectl plugins does support requesting additional scopes and a custom claim.
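The following configuration fragments are an added illustration of the gap described above; they are not taken from this request or from OpenShift documentation. The first is an Authentication resource of type OIDC mapping the username to the email claim and groups to the groups claim, with a console client entry. The issuer URL, client IDs and secret names are placeholders, and the `extraScopes` list on the console client is shown only to illustrate what this request asks for; the page does not confirm that such a field exists. The second fragment is a kubeconfig user entry for the kubectl oidc-login plugin (int128/kubelogin), whose `--oidc-extra-scope` flag is the CLI path that already supports requesting additional scopes.

```yaml
# Constructed example: cluster Authentication resource using an external OIDC
# provider. The claimMappings below only work if the provider actually puts the
# email and groups claims in the ID token, which many providers do only when the
# matching scope (for example email or groups) is requested.
apiVersion: config.openshift.io/v1
kind: Authentication
metadata:
  name: cluster
spec:
  type: OIDC
  oidcProviders:
  - name: corp-idp                                  # placeholder provider name
    issuer:
      issuerURL: https://idp.example.com/realms/ocp   # placeholder issuer
      audiences:
      - openshift-console                           # placeholder audience
    oidcClients:
    - componentName: console
      componentNamespace: openshift-console
      clientID: openshift-console                   # placeholder client ID
      clientSecret:
        name: console-oidc-secret                   # placeholder secret name
      # Illustrative only: the additional scopes this request asks the console
      # to send alongside openid. Not a confirmed API field.
      extraScopes:
      - email
      - groups
    claimMappings:
      username:
        claim: email          # username taken from the email claim
        prefixPolicy: NoPrefix
      groups:
        claim: groups         # groups taken from the groups claim
        prefix: "oidc:"       # keeps IdP groups distinct from cluster-local ones
---
# Constructed example: kubeconfig user entry for CLI login through the
# kubectl oidc-login plugin. Here the extra scopes can be requested today,
# so the same email and groups claims are present in the CLI token.
apiVersion: v1
kind: Config
users:
- name: oidc-user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubectl
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://idp.example.com/realms/ocp   # placeholder
      - --oidc-client-id=openshift-cli                          # placeholder
      - --oidc-extra-scope=email
      - --oidc-extra-scope=groups
```

A practical check when a mapped claim does not appear: log in once with the CLI configuration (which requests the extra scopes) and once through the console, and compare the claims in the two ID tokens; if the claim is present only in the CLI token, the provider is withholding it because the console's authorization request carries only the openid scope.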
3. Why does the customer need this? (List the business requirements here)
The inability to request additional scopes limits the use of the External Authentication feature with the OpenShift Console: claims that a provider only releases under a non-default scope cannot be mapped to OpenShift usernames or groups, even though the same mapping works for CLI-based logins.
4. List any affected packages or components.
- OpenShift Authentication
- OpenShift Web Console
- OCM
- ROSA