Objective: Verify that the KAS JWT authenticator correctly maps Azure AD token claims to Kubernetes user attributes per the OIDC provider configuration.
| Claim Mapping | OIDC Config | Expected | Actual | Result |
|---|---|---|---|---|
| Username | preferred_username (prefixPolicy: NoPrefix) | User's Azure AD UPN | br...@redhat.com | PASS |
| Groups | groups (prefix: aad:) | Azure AD security group IDs with aad: prefix | 7 groups, all prefixed with aad: | PASS |
| UID | oid | Azure AD object ID (GUID) | aaa1f0e0-...f06f | PASS |
```console
$ kubectl --server="https://api-brcox-sm-dev-hc.brcox.hcp-sm-azure.azure.devcluster.openshift.com:443" \
    --token="${ID_TOKEN}" --insecure-skip-tls-verify auth whoami
ATTRIBUTE   VALUE
Username    br...@redhat.com
UID         aaa1f0e0-...f06f
Groups      [aad:da60a6c8-...945b
             aad:378cec49-...be46
             aad:fde71898-...99b
             aad:9339b2f3-...8597
             aad:0ebcb799-...0217
             aad:bd761c62-...905f
             aad:10f926ca-...506c
             system:authenticated]
```
```json
"claimMappings": {
  "username": {"claim": "preferred_username", "prefixPolicy": "NoPrefix"},
  "groups": {"claim": "groups", "prefix": "aad:"},
  "uid": {"claim": "oid"}
}
```
- `preferred_username` claim: maps directly to the user's Azure AD UPN (br...@redhat.com) with no prefix, matching the NoPrefix policy.
- `groups` claim: the `aad:` prefix distinguishes OIDC-sourced groups from Kubernetes-native groups. 7 security groups were returned.
- `oid` claim (Azure AD object ID): a stable, unique identifier for the user across all Azure AD applications.
- `ExternalOIDCWithUIDAndExtraClaimMappings=true` feature gate: enables the UID claim mapping (GA in this release).
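To make the expected mapping checkable without a live cluster, the following added example (not part of the original test record) applies the `claimMappings` above to a constructed ID-token payload and compares the result with constructed `kubectl auth whoami` output. It assumes `prefixPolicy: Prefix` prepends a `prefix` string while `NoPrefix` uses the claim verbatim, and that the authenticator always appends `system:authenticated`; the token values and whoami text are sample data, not captured from Azure AD.

```python
"""Simulate KAS OIDC claim mapping and verify it against `kubectl auth whoami`."""
import re

# Mapping under test, copied from the OIDC provider configuration above.
CLAIM_MAPPINGS = {
    "username": {"claim": "preferred_username", "prefixPolicy": "NoPrefix"},
    "groups": {"claim": "groups", "prefix": "aad:"},
    "uid": {"claim": "oid"},
}

def map_claims(claims: dict, mappings: dict) -> dict:
    """Apply claimMappings to an ID-token payload.
    Assumption: prefixPolicy 'Prefix' prepends mappings['username']['prefix'];
    'NoPrefix' (the page's setting) keeps the claim value unchanged."""
    ucfg = mappings["username"]
    username = str(claims[ucfg["claim"]])
    if ucfg.get("prefixPolicy") == "Prefix":
        username = ucfg["prefix"] + username
    groups = []
    if "groups" in mappings:
        gcfg = mappings["groups"]
        raw = claims.get(gcfg["claim"], [])
        raw = [raw] if isinstance(raw, str) else raw  # a lone group may arrive as a string
        groups = [gcfg.get("prefix", "") + g for g in raw]
    groups.append("system:authenticated")  # added by the authenticator, not from a claim
    uid = str(claims[mappings["uid"]["claim"]]) if "uid" in mappings else ""
    return {"username": username, "uid": uid, "groups": groups}

def parse_whoami(text: str) -> dict:
    """Parse `kubectl auth whoami` table output; the Groups list may wrap lines."""
    username = re.search(r"^Username\s+(\S+)", text, re.M).group(1)
    uid = re.search(r"^UID\s+(\S+)", text, re.M).group(1)
    groups = re.search(r"^Groups\s+\[(.*?)\]", text, re.M | re.S).group(1).split()
    return {"username": username, "uid": uid, "groups": groups}

def verify(claims: dict, whoami_text: str, mappings: dict = CLAIM_MAPPINGS) -> list:
    """Return the attributes that differ between expected and observed (empty = PASS)."""
    expected, actual = map_claims(claims, mappings), parse_whoami(whoami_text)
    return [k for k in expected if expected[k] != actual[k]]

# Constructed sample token payload and whoami output (not real Azure AD data).
SAMPLE_CLAIMS = {
    "preferred_username": "user@example.com",
    "oid": "00000000-0000-0000-0000-000000000001",
    "groups": ["11111111-1111-1111-1111-111111111111",
               "22222222-2222-2222-2222-222222222222"],
}
SAMPLE_WHOAMI = """ATTRIBUTE   VALUE
Username    user@example.com
UID         00000000-0000-0000-0000-000000000001
Groups      [aad:11111111-1111-1111-1111-111111111111
             aad:22222222-2222-2222-2222-222222222222 system:authenticated]
"""
```

`verify(SAMPLE_CLAIMS, SAMPLE_WHOAMI)` returns `[]` for a matching mapping and names the offending attribute (for example `['username']`) when the observed identity diverges from the configuration.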