openshift · ShazaAldawamneh · Feb 19, 2026 · Feb 19, 2026 · Feb 23, 2026 · Feb 23, 2026
diff --git a/config/v1/tests/authentications.config.openshift.io/ExternalOIDC.yaml b/config/v1/tests/authentications.config.openshift.io/ExternalOIDC.yaml
@@ -535,6 +535,90 @@ tests:
             claimMappings:
               username:
                 claim: "thisisanincrediblylongclaimnamethatwhileacceptableinjwtsisgenerallyadvisedagainstbecauseitisextremelylongandnoteasilyusablebutmaybethereisausecaseouttherethathasdecidedthattheyneedtousethisextremelylongclaimnameforsomereasoneventhoughtheyreallyshouldreconsiderthis"
+    - name: Should allow updating groups claim mapping from a previously invalid long value to a valid value
+      initialCRDPatches:
+        - op: remove
+          path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/oidcProviders/items/properties/claimMappings/properties/groups/properties/claim/maxLength
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://meh.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              username:
+                claim: "claim"
+              groups:
+                claim: "thisisanextremelylonggroupclaimnamethatexceedsthetypicalmaximummappinglengthandshouldfailvalidationbecauseitiswaytoobigforsaneuse-thisisanextremelylonggroupclaimnamethatexceedsthetypicalmaximummappinglengthandshouldfailvalidationbecauseitiswaytoobigforsaneuse-thisisanextremelylonggroupclaimnamethatexceedsthetypicalmaximummappinglengthandshouldfailvalidationbecauseitiswaytoobigforsaneuse"
+      updated: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://meh.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              username:
+                claim: "claim"
+              groups:
+                claim: "groups"
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://meh.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              username:
+                claim: "claim"
+              groups:
+                claim: "groups"
+    - name: Should not allow updating groups claim mapping from a previously invalid long value to a still invalid long value
+      initialCRDPatches:
+        - op: remove
+          path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/oidcProviders/items/properties/claimMappings/properties/groups/properties/claim/maxLength
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://meh.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              username:
+                claim: "claim"
+              groups:
+                claim: "thisisanextremelylonggroupclaimnamethatexceedsthetypicalmaximummappinglengthandshouldfailvalidationbecauseitiswaytoobigforsaneuse-thisisanextremelylonggroupclaimnamethatexceedsthetypicalmaximummappinglengthandshouldfailvalidationbecauseitiswaytoobigforsaneuse-thisisanextremelylonggroupclaimnamethatexceedsthetypicalmaximummappinglengthandshouldfailvalidationbecauseitiswaytoobigforsaneuse"
+      updated: |        
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://meh.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              username:
+                claim: "claim"
+              groups:
+                claim: "thisisanextremelylonggroupclaimnamethatexceedsthetypicalmaximummappinglengthandshouldfailvalidationbecauseitiswaytoobigforsaneuse-thisisanextremelylonggroupclaimnamethatexceedsthetypicalmaximummappinglengthandshouldfailvalidationbecauseitiswaytoobigforsaneuse-thisisanextremelylonggroupclaimnamethatexceedsthetypicalmaximummappinglengthandshouldfailvalidationbecauseitiswaytoobigforsaneuse"
+      expectedError: "Too long: may not be more than 256 bytes"
     - name: Should allow updating other fields if issuerURL contains fragment
       initialCRDPatches:
         - op: remove

diff --git a/config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml b/config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml
@@ -197,7 +197,7 @@ tests:
                 prefix:
                   prefixString: "myoidc:"
       expectedError: "discoveryURL must be different from issuerURL"
-
+      
     - name: Valid RequiredClaim rule
       initial: |
         apiVersion: config.openshift.io/v1
@@ -435,7 +435,6 @@ tests:
                   message: "Empty expressions are invalid"
       expectedError: "spec.oidcProviders[0].userValidationRules[0].expression: Invalid value: \"\": spec.oidcProviders[0].userValidationRules[0].expression in body should be at least 1 chars long"
 
-
     - name: Invalid TokenUserValidationRule with expression only
       initial: |
         apiVersion: config.openshift.io/v1
@@ -456,3 +455,201 @@ tests:
               userValidationRules:
                 - expression: "user.username.startsWith('admin')"
       expectedError: "message: Required value"
+
+    - name: Can set username claim mapping using a CEL expression only
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://meh.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              username:
+                expression: "has(claims.upn) ? claims.upn : claims.oid"
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://meh.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              username:
+                expression: "has(claims.upn) ? claims.upn : claims.oid"
+
+    - name: Cannot set both claim and expression for username mapping
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://meh.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              username:
+                claim: "preferred_username"
+                expression: "claims.sub"
+      expectedError: "expression must not be set if claim is specified and is not an empty string"
+
+    - name: Can set groups mapping using a CEL expression
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://meh.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              username:
+                claim: "preferred_username"
+              groups:
+                expression: "claims.roles.split(',')"
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://meh.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              username:
+                claim: "preferred_username"
+              groups:
+                expression: "claims.roles.split(',')"
+
+    - name: Cannot set both claim and expression for groups mapping
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://meh.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              username:
+                claim: "preferred_username"
+              groups:
+                claim: "roles"
+                expression: "claims.roles.split(',')"
+      expectedError: "expression must not be set if claim is specified and is not an empty string"
+
+    - name: Should allow empty claim with expression
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://example.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              groups:
+                claim: ""
+                expression: "claims.groups"
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://example.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              groups:
+                claim: ""
+                expression: "claims.groups"
+
+    - name: Should allow empty claim without expression
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://example.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              groups:
+                claim: ""
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://example.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              groups:
+                claim: ""
+  onUpdate:
+    - name: Should allow updating other fields if existing username claim mapping is longer than 256 characters
+      initialCRDPatches:
+        - op: remove
+          path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/oidcProviders/items/properties/claimMappings/properties/username/properties/claim/maxLength
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://meh.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              username:
+                claim: "thisisanincrediblylongclaimnamethatwhileacceptableinjwtsisgenerallyadvisedagainstbecauseitisextremelylongandnoteasilyusablebutmaybethereisausecaseouttherethathasdecidedthattheyneedtousethisextremelylongclaimnameforsomereasoneventhoughtheyreallyshouldreconsiderthis"
+      updated: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://huh.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              username:
+                claim: "thisisanincrediblylongclaimnamethatwhileacceptableinjwtsisgenerallyadvisedagainstbecauseitisextremelylongandnoteasilyusablebutmaybethereisausecaseouttherethathasdecidedthattheyneedtousethisextremelylongclaimnameforsomereasoneventhoughtheyreallyshouldreconsiderthis"
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://huh.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              username:
+                claim: "thisisanincrediblylongclaimnamethatwhileacceptableinjwtsisgenerallyadvisedagainstbecauseitisextremelylongandnoteasilyusablebutmaybethereisausecaseouttherethathasdecidedthattheyneedtousethisextremelylongclaimnameforsomereasoneventhoughtheyreallyshouldreconsiderthis"
diff --git a/config/v1/types_authentication.go b/config/v1/types_authentication.go
@@ -350,11 +350,28 @@ type TokenClaimMappings struct {
 }
 
 // TokenClaimMapping allows specifying a JWT token claim to be used when mapping claims from an authentication token to cluster identities.
+// +openshift:validation:FeatureGateAwareXValidation:featureGate="",rule="has(self.claim)",message="claim is required"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC,rule="has(self.claim)",message="claim is required"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUIDAndExtraClaimMappings,rule="has(self.claim)",message="claim is required"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="(size(self.?claim.orValue(\"\")) > 0) ? !has(self.expression) : true",message="expression must not be set if claim is specified and is not an empty string"
 type TokenClaimMapping struct {
-	// claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.
+	// claim is an optional field for specifying the JWT token claim that is used in the mapping.
+	// The value of this claim will be assigned to the field in which this mapping is associated.
 	//
-	// +required
+	// +optional
+	// +kubebuilder:validation:MaxLength=256
 	Claim string `json:"claim"`
+
+	// expression is an optional CEL expression used to derive
+	// group values from JWT claims.
+	//
+	// When specified, claim must not be set.
+	//
+	// +optional
+	// +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=1024
+	Expression string `json:"expression,omitempty"`
 }
 
 // TokenClaimOrExpressionMapping allows specifying either a JWT token claim or CEL expression to be used when mapping claims from an authentication token to cluster identities.
@@ -590,15 +607,37 @@ type OIDCClientReference struct {
 
 // +kubebuilder:validation:XValidation:rule="has(self.prefixPolicy) && self.prefixPolicy == 'Prefix' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)",message="prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise"
 // +union
+// +openshift:validation:FeatureGateAwareXValidation:featureGate="",rule="has(self.claim)",message="claim is required"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC,rule="has(self.claim)",message="claim is required"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUIDAndExtraClaimMappings,rule="has(self.claim)",message="claim is required"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="has(self.claim) ? !has(self.expression) : has(self.expression)",message="precisely one of claim or expression must be set"
 type UsernameClaimMapping struct {
-	// claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.
+	// claim is an optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.
+	//
+	// Precisely one of claim or expression must be set if the
+	// ExternalOIDCWithUpstreamParity feature gate is enabled.
 	//
 	// claim must not be an empty string ("") and must not exceed 256 characters.
 	//
-	// +required
+	// +optional
 	// +kubebuilder:validation:MinLength:=1
 	// +kubebuilder:validation:MaxLength:=256
-	Claim string `json:"claim"`
+	Claim string `json:"claim,omitempty"`
+
+	// expression is an optional CEL expression used to derive
+	// the username from JWT claims.
+	//
+	// CEL expressions have access to the token claims
+	// through a CEL variable, 'claims'.
+	//
+	// Precisely one of claim or expression must be set if the
+	// ExternalOIDCWithUpstreamParity feature gate is enabled.
+	//
+	// +optional
+	// +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=1024
+	Expression string `json:"expression,omitempty"`
 
 	// prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.
 	//