feat: automatic detection and configuration of OpenShift's external OIDC authentication (#2127)

* chore: automatic detection and configuration of OpenShift's external OIDC authentication

Author: tolusha

api/v2/checluster_types.go

@@ -615,11 +615,11 @@ type Auth struct {
 	// For OpenShift with built-in OAuth, this is the name of the `OAuthClient` resource used to set up identity federation.
 	// +optional
 	OAuthClientName string `json:"oAuthClientName,omitempty"`
-	// Defines the OAuth client secret.
-	// It can either be a plain text secret value or the name of a Kubernetes secret
-	// containing a key `oAuthSecret` with the secret value. The Kubernetes secret must exist in the same namespace
-	// as the `CheCluster` resource and have the label `app.kubernetes.io/part-of=che.eclipse.org`.
-	// For OpenShift with built-in OAuth, this is the secret set in the `OAuthClient` resource used to set up identity federation.
+	// For OIDC, this is the client secret issued by the Identity Provider for the configured OIDC client.
+	// For OpenShift with built-in OAuth, this is the secret configured in the OAuthClient for OpenShift OAuth integration.
+	// The value can either be a plain text secret value (deprecated) or the name of a Kubernetes secret
+	// that contains the secret value under the `oAuthSecret` key. The Kubernetes secret must exist in the same namespace
+	// as the `CheCluster` resource namespace and must have a `app.kubernetes.io/part-of=che.eclipse.org` label.
 	// +optional
 	OAuthSecret string `json:"oAuthSecret,omitempty"`
 	// Defines the scope requested from the OIDC provider.

bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml

@@ -86,7 +86,7 @@ metadata:
     categories: Developer Tools
     certified: "false"
     containerImage: quay.io/eclipse/che-operator:next
-    createdAt: "2026-05-21T07:42:52Z"
+    createdAt: "2026-05-26T12:11:24Z"
     description: A Kube-native development solution that delivers portable and collaborative
       developer workspaces.
     features.operators.openshift.io/cnf: "false"
@@ -108,7 +108,7 @@ metadata:
     operatorframework.io/arch.amd64: supported
     operatorframework.io/arch.arm64: supported
     operatorframework.io/os.linux: supported
-  name: eclipse-che.v7.118.0-986.next
+  name: eclipse-che.v7.119.0-989.next
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -772,6 +772,7 @@ spec:
                 - cluster
               resources:
                 - proxies
+                - authentications
               verbs:
                 - get
             - apiGroups:
@@ -1152,7 +1153,7 @@ spec:
       name: gateway-authorization-sidecar
     - image: quay.io/che-incubator/header-rewrite-proxy:latest
       name: gateway-header-sidecar
-  version: 7.118.0-986.next
+  version: 7.119.0-989.next
   webhookdefinitions:
     - admissionReviewVersions:
         - v1

bundle/next/eclipse-che/manifests/org.eclipse.che_checlusters.yaml

@@ -22749,11 +22749,11 @@ spec:
                           type: string
                         oAuthSecret:
                           description: |-
-                            Defines the OAuth client secret.
-                            It can either be a plain text secret value or the name of a Kubernetes secret
-                            containing a key `oAuthSecret` with the secret value. The Kubernetes secret must exist in the same namespace
-                            as the `CheCluster` resource and have the label `app.kubernetes.io/part-of=che.eclipse.org`.
-                            For OpenShift with built-in OAuth, this is the secret set in the `OAuthClient` resource used to set up identity federation.
+                            For OIDC, this is the client secret issued by the Identity Provider for the configured OIDC client.
+                            For OpenShift with built-in OAuth, this is the secret configured in the OAuthClient for OpenShift OAuth integration.
+                            The value can either be a plain text secret value (deprecated) or the name of a Kubernetes secret
+                            that contains the secret value under the `oAuthSecret` key. The Kubernetes secret must exist in the same namespace
+                            as the `CheCluster` resource namespace and must have a `app.kubernetes.io/part-of=che.eclipse.org` label.
                           type: string
                       type: object
                     domain:

config/crd/bases/org.eclipse.che_checlusters.yaml

@@ -22650,11 +22650,11 @@ spec:
                         type: string
                       oAuthSecret:
                         description: |-
-                          Defines the OAuth client secret.
-                          It can either be a plain text secret value or the name of a Kubernetes secret
-                          containing a key `oAuthSecret` with the secret value. The Kubernetes secret must exist in the same namespace
-                          as the `CheCluster` resource and have the label `app.kubernetes.io/part-of=che.eclipse.org`.
-                          For OpenShift with built-in OAuth, this is the secret set in the `OAuthClient` resource used to set up identity federation.
+                          For OIDC, this is the client secret issued by the Identity Provider for the configured OIDC client.
+                          For OpenShift with built-in OAuth, this is the secret configured in the OAuthClient for OpenShift OAuth integration.
+                          The value can either be a plain text secret value (deprecated) or the name of a Kubernetes secret
+                          that contains the secret value under the `oAuthSecret` key. The Kubernetes secret must exist in the same namespace
+                          as the `CheCluster` resource namespace and must have a `app.kubernetes.io/part-of=che.eclipse.org` label.
                         type: string
                     type: object
                   domain:

config/rbac/cluster_role.yaml

@@ -247,6 +247,7 @@ rules:
       - config.openshift.io
     resources:
       - proxies
+      - authentications
     resourceNames:
       - cluster
     verbs:

controllers/che/authentication.go

@@ -0,0 +1,206 @@
+//
+// Copyright (c) 2019-2026 Red Hat, Inc.
+// This program and the accompanying materials are made
+// available under the terms of the Eclipse Public License 2.0
+// which is available at https://www.eclipse.org/legal/epl-2.0/
+//
+// SPDX-License-Identifier: EPL-2.0
+//
+// Contributors:
+//   Red Hat, Inc. - initial API and implementation
+//
+
+package che
+
+import (
+	"context"
+	"fmt"
+	"slices"
+
+	"github.com/eclipse-che/che-operator/pkg/common/chetypes"
+	"github.com/eclipse-che/che-operator/pkg/common/infrastructure"
+	configv1 "github.com/openshift/api/config/v1"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+const (
+	// OpenShift external OIDC authentication constants.
+	// See: https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/authentication_and_authorization/external-auth
+	openshiftConfigNamespace = "openshift-config"
+	issuerCAKey              = "ca-bundle.crt"
+	oidcClientSecretKey      = "clientSecret"
+)
+
+// ResolveAuthentication builds an Authentication config from the CheCluster spec,
+// falling back to the OpenShift cluster Authentication resource for any unset fields.
+func ResolveAuthentication(ctx *chetypes.DeployContext) (*chetypes.Authentication, error) {
+	authentication := &chetypes.Authentication{
+		UsernameClaim:  ctx.CheCluster.Spec.Components.CheServer.ExtraProperties["CHE_OIDC_USERNAME__CLAIM"],
+		UsernamePrefix: ctx.CheCluster.Spec.Components.CheServer.ExtraProperties["CHE_OIDC_USERNAME__PREFIX"],
+		GroupsClaim:    ctx.CheCluster.Spec.Components.CheServer.ExtraProperties["CHE_OIDC_GROUPS__CLAIM"],
+		GroupsPrefix:   ctx.CheCluster.Spec.Components.CheServer.ExtraProperties["CHE_OIDC_GROUPS__PREFIX"],
+		IssuerURL:      ctx.CheCluster.Spec.Networking.Auth.IdentityProviderURL,
+		// OIDC client ID must be explicitly defined; the openshift-console client
+		// cannot be reused because it has a different callback URL.
+		ClientId: ctx.CheCluster.Spec.Networking.Auth.OAuthClientName,
+	}
+
+	// must be outside main `if` condition
+	if ctx.CheCluster.Spec.Networking.Auth.OAuthSecret != "" {
+		// `OAuthSecret` can be a Kubernetes Secret name in CheCluster namespace
+		// or a literal value; resolve accordingly.
+		clientSecret, err := resolveOAuthSecretInCheNamespace(ctx)
+		if err != nil {
+			return nil, fmt.Errorf("failed to resolve secret: %w", err)
+		}
+		authentication.ClientSecret = clientSecret
+	}
+
+	if infrastructure.IsOpenShiftExternalAuth() {
+		clusterAuthentication := &configv1.Authentication{}
+		err := ctx.ClusterAPI.NonCachingClient.Get(context.TODO(), types.NamespacedName{Name: "cluster"}, clusterAuthentication)
+		if err != nil {
+			return nil, fmt.Errorf("failed to fetch authentication config: %w", err)
+		}
+
+		if clusterAuthentication.Spec.Type != configv1.AuthenticationTypeOIDC {
+			return nil, fmt.Errorf("authentication type is not OIDC")
+		}
+
+		if len(clusterAuthentication.Spec.OIDCProviders) == 0 {
+			return nil, fmt.Errorf("no OIDC providers configured")
+		}
+
+		if len(clusterAuthentication.Spec.OIDCProviders) != 1 {
+			return nil, fmt.Errorf("multiple OIDC providers configured, expected exactly one")
+		}
+
+		oidcProvider := clusterAuthentication.Spec.OIDCProviders[0]
+
+		// issuer URL
+		if authentication.IssuerURL == "" {
+			authentication.IssuerURL = oidcProvider.Issuer.URL
+		}
+
+		// issuer certificate authority
+		if authentication.IssuerURL == oidcProvider.Issuer.URL {
+			if oidcProvider.Issuer.CertificateAuthority.Name != "" {
+				issuerCA, err := readIssuerCA(oidcProvider.Issuer.CertificateAuthority.Name, ctx)
+				if err != nil {
+					return nil, fmt.Errorf("failed to read issuer CA: %w", err)
+				}
+				authentication.IssuerCA = issuerCA
+			}
+		}
+
+		// username/groups claim mappings
+		if authentication.GroupsClaim == "" {
+			authentication.GroupsClaim = oidcProvider.ClaimMappings.Groups.Claim
+		}
+		if authentication.GroupsClaim != "" && authentication.GroupsPrefix == "" {
+			authentication.GroupsPrefix = oidcProvider.ClaimMappings.Groups.Prefix
+		}
+
+		if authentication.UsernameClaim == "" {
+			authentication.UsernameClaim = oidcProvider.ClaimMappings.Username.Claim
+		}
+		if authentication.UsernameClaim != "" && authentication.UsernamePrefix == "" {
+			switch oidcProvider.ClaimMappings.Username.PrefixPolicy {
+			case configv1.NoOpinion:
+				// See `NoOpinion` description
+				if authentication.UsernameClaim != "email" {
+					authentication.UsernamePrefix = fmt.Sprintf("%s#", authentication.IssuerURL)
+				}
+			case configv1.Prefix:
+				if oidcProvider.ClaimMappings.Username.Prefix != nil {
+					authentication.UsernamePrefix = oidcProvider.ClaimMappings.Username.Prefix.PrefixString
+				}
+			}
+		}
+
+		// client secret
+		if len(authentication.ClientSecret) == 0 {
+			idx := slices.IndexFunc(oidcProvider.OIDCClients, func(config configv1.OIDCClientConfig) bool {
+				return config.ClientID == authentication.ClientId
+			})
+
+			if idx != -1 {
+				oidcClient := oidcProvider.OIDCClients[idx]
+				if oidcClient.ClientSecret.Name != "" {
+					clientSecret, err := resolveClientSecretInOpenShiftConfigNamespace(oidcClient.ClientSecret.Name, ctx)
+					if err != nil {
+						return nil, fmt.Errorf("failed to read client secret: %w", err)
+					}
+					authentication.ClientSecret = clientSecret
+				}
+			}
+		}
+	}
+
+	return authentication, nil
+}
+
+func resolveClientSecretInOpenShiftConfigNamespace(secretName string, ctx *chetypes.DeployContext) ([]byte, error) {
+	secret := &corev1.Secret{}
+	err := ctx.ClusterAPI.NonCachingClient.Get(
+		context.TODO(),
+		types.NamespacedName{Name: secretName, Namespace: openshiftConfigNamespace},
+		secret,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	value, ok := secret.Data[oidcClientSecretKey]
+	if ok {
+		return value, nil
+	}
+
+	return nil, fmt.Errorf("client secret not found in: %s", secretName)
+}
+
+func resolveOAuthSecretInCheNamespace(ctx *chetypes.DeployContext) ([]byte, error) {
+	secret := &corev1.Secret{}
+	exists, err := ctx.ClusterAPI.ClientWrapper.GetIgnoreNotFound(
+		context.TODO(),
+		types.NamespacedName{
+			Name:      ctx.CheCluster.Spec.Networking.Auth.OAuthSecret,
+			Namespace: ctx.CheCluster.Namespace,
+		},
+		secret,
+	)
+	if err != nil {
+		return nil, err
+	}
+	if exists {
+		value, ok := secret.Data["oAuthSecret"]
+		if ok {
+			return value, nil
+		}
+
+		return nil, fmt.Errorf("client secret not found in: %s", ctx.CheCluster.Spec.Networking.Auth.OAuthSecret)
+	}
+
+	// Backward compatibility: treat as a literal secret value, not a reference.
+	return []byte(ctx.CheCluster.Spec.Networking.Auth.OAuthSecret), nil
+}
+
+func readIssuerCA(cmName string, ctx *chetypes.DeployContext) (string, error) {
+	cm := &corev1.ConfigMap{}
+	err := ctx.ClusterAPI.NonCachingClient.Get(
+		context.TODO(),
+		types.NamespacedName{Name: cmName, Namespace: openshiftConfigNamespace},
+		cm,
+	)
+	if err != nil {
+		return "", err
+	}
+
+	ca, ok := cm.Data[issuerCAKey]
+	if !ok {
+		return "", fmt.Errorf("issuer CA not found in the ConfigMap %s", cmName)
+	}
+
+	return ca, nil
+}