Add flag for OAuth 2.1 Enablement (#1091)

rashmi43 · web-flow · commit 3b60703ee1ed · 2025-09-09T10:14:00.000-04:00
Originating issue: [IBMPrivateCloud/roadmap#67163](https://github.ibm.com/IBMPrivateCloud/roadmap/issues/67163) Signed-off-by: rashmi_kh <rashmi.khanna@in.ibm.com>
diff --git a/api/operator/v1alpha1/authentication_types.go b/api/operator/v1alpha1/authentication_types.go
@@ -159,6 +159,7 @@ type ConfigSpec struct {
 	AttrMappingFromConfig       bool           `json:"attrMappingFromConfig,omitempty"`
 	ZenFrontDoor                bool           `json:"zenFrontDoor,omitempty"`
 	Ingress                     *IngressConfig `json:"ingress,omitempty"`
+	OAuth21Enabled              *bool          `json:"oauth21Enabled,omitempty"`
 	IamUm                       *bool          `json:"iamUm,omitempty"`
 }
 
diff --git a/api/operator/v1alpha1/zz_generated.deepcopy.go b/api/operator/v1alpha1/zz_generated.deepcopy.go
diff --git a/internal/controller/operator/configmap.go b/internal/controller/operator/configmap.go
@@ -310,6 +310,7 @@ func updatePlatformAuthIDP(_ common.SecondaryReconciler, _ context.Context, obse
 			"ATTR_MAPPING_FROM_CONFIG",
 			"AUDIT_URL",
 			"AUDIT_SECRET",
+			"OAUTH_21_ENABLED",
 			"IAM_UM",
 		),
 		updatesValuesWhen(observedKeyValueSetTo[*corev1.ConfigMap]("OS_TOKEN_LENGTH", "45"),
@@ -465,6 +466,11 @@ func (r *AuthenticationReconciler) generateAuthIdpConfigMap(clusterInfo *corev1.
 			return
 		}
 
+		var oauth21Enabled bool
+		if authCR.Spec.Config.OAuth21Enabled != nil {
+			reqLogger.Info("Found OAuth 21 enablement", "OAuth 2.1 enabled", *authCR.Spec.Config.OAuth21Enabled)
+			oauth21Enabled = *authCR.Spec.Config.OAuth21Enabled
+		}
 		var iamUm bool
 		if authCR.Spec.Config.IamUm != nil {
 			reqLogger.Info("Found user management install", "IamUm", *authCR.Spec.Config.IamUm)
@@ -562,6 +568,7 @@ func (r *AuthenticationReconciler) generateAuthIdpConfigMap(clusterInfo *corev1.
 				"SCIM_AUTH_CACHE_TTL_VALUE":          "60",
 				"SCIM_LDAP_ATTRIBUTES_MAPPING":       scimLdapAttributesMapping,
 				"IS_OPENSHIFT_ENV":                   strconv.FormatBool(isOSEnv),
+				"OAUTH_21_ENABLED":                   strconv.FormatBool(oauth21Enabled),
 			},
 		}
 
diff --git a/internal/controller/operator/configmap_test.go b/internal/controller/operator/configmap_test.go
@@ -729,6 +729,12 @@ var _ = Describe("ConfigMap handling", func() {
 						"AUDIT_SECRET",
 					},
 				},
+				{
+					"OAUTH_21_ENABLED",
+					[]string{
+						"OAUTH_21_ENABLED",
+					},
+				},
 				{
 					"IAM_UM",
 					[]string{
@@ -1109,6 +1115,7 @@ var _ = Describe("ConfigMap handling", func() {
 						ClaimsMap:             "someclaims",
 						ScopeClaim:            "scopeclaimexample",
 						IsOpenshiftEnv:        false,
+						OAuth21Enabled:        ptr.To(false),
 					},
 				},
 			}
diff --git a/internal/controller/operator/containers.go b/internal/controller/operator/containers.go
@@ -280,7 +280,7 @@ func buildAuthServiceContainer(instance *operatorv1alpha1.Authentication, authSe
 	idpEnvVarList := []string{"NODE_ENV", "MASTER_PATH", "MASTER_HOST", "IDENTITY_PROVIDER_URL", "HTTP_ONLY", "SESSION_TIMEOUT", "LDAP_RECURSIVE_SEARCH", "LDAP_ATTR_CACHE_SIZE", "LDAP_ATTR_CACHE_TIMEOUT", "LDAP_ATTR_CACHE_ENABLED", "LDAP_ATTR_CACHE_SIZELIMIT",
 		"LDAP_SEARCH_CACHE_SIZE", "LDAP_SEARCH_CACHE_TIMEOUT", "LDAP_CTX_POOL_INITSIZE", "LDAP_CTX_POOL_MAXSIZE", "LDAP_CTX_POOL_TIMEOUT", "LDAP_CTX_POOL_WAITTIME", "LDAP_CTX_POOL_PREFERREDSIZE", "IDENTITY_PROVIDER_URL", "IDENTITY_MGMT_URL", "LDAP_SEARCH_CACHE_ENABLED", "LDAP_SEARCH_CACHE_SIZELIMIT", "IDTOKEN_LIFETIME", "IBMID_CLIENT_ID", "IBMID_CLIENT_ISSUER",
 		"SAML_NAMEID_FORMAT", "FIPS_ENABLED", "LOGJAM_DHKEYSIZE_2048_BITS_ENABLED", "LOG_LEVEL_AUTHSVC", "LIBERTY_DEBUG_ENABLED", "NONCE_ENABLED", "CLAIMS_SUPPORTED", "CLAIMS_MAP", "SCOPE_CLAIM", "OIDC_ISSUER_URL",
-		"DB_CONNECT_TIMEOUT", "DB_IDLE_TIMEOUT", "DB_CONNECT_MAX_RETRIES", "DB_POOL_MIN_SIZE", "DB_POOL_MAX_SIZE", "DB_SSL_MODE", "IAM_UM"}
+		"DB_CONNECT_TIMEOUT", "DB_IDLE_TIMEOUT", "DB_CONNECT_MAX_RETRIES", "DB_POOL_MIN_SIZE", "DB_POOL_MAX_SIZE", "DB_SSL_MODE", "IAM_UM", "OAUTH_21_ENABLED"}
 	idpEnvVars := buildIdpEnvVars(idpEnvVarList)
 
 	envVars = append(envVars, idpEnvVars...)
@@ -632,7 +632,7 @@ func buildIdentityProviderContainer(instance *operatorv1alpha1.Authentication, i
 		"LDAP_SEARCH_CACHE_SIZE", "LDAP_SEARCH_CACHE_TIMEOUT", "LDAP_CTX_POOL_INITSIZE", "LDAP_CTX_POOL_MAXSIZE",
 		"LDAP_CTX_POOL_TIMEOUT", "LDAP_CTX_POOL_WAITTIME", "LDAP_CTX_POOL_PREFERREDSIZE", "LDAP_SEARCH_CACHE_ENABLED",
 		"LDAP_SEARCH_CACHE_SIZELIMIT", "LDAP_SEARCH_EXCLUDE_WILDCARD_CHARS", "LDAP_SEARCH_SIZE_LIMIT", "IAM_UM",
-		"LDAP_SEARCH_TIME_LIMIT", "LDAP_SEARCH_CN_ATTR_ONLY", "LDAP_SEARCH_ID_ATTR_ONLY", "AUDIT_URL",
+		"LDAP_SEARCH_TIME_LIMIT", "LDAP_SEARCH_CN_ATTR_ONLY", "LDAP_SEARCH_ID_ATTR_ONLY", "AUDIT_URL", "OAUTH_21_ENABLED",
 		"DB_CONNECT_TIMEOUT", "DB_IDLE_TIMEOUT", "DB_CONNECT_MAX_RETRIES", "DB_POOL_MIN_SIZE", "DB_POOL_MAX_SIZE", "DB_SSL_MODE", "SEQL_LOGGING"}
 	idpEnvVars := buildIdpEnvVars(idpEnvVarList)
 
@@ -973,7 +973,7 @@ func buildIdentityManagerContainer(instance *operatorv1alpha1.Authentication, id
 		"ROKS_ENABLED", "ROKS_USER_PREFIX", "IDENTITY_AUTH_DIRECTORY_URL", "OIDC_ISSUER_URL", "BOOTSTRAP_USERID", "CLUSTER_NAME", "HTTP_ONLY", "LDAP_SEARCH_SIZE_LIMIT", "LDAP_SEARCH_TIME_LIMIT",
 		"LDAP_SEARCH_CN_ATTR_ONLY", "LDAP_SEARCH_ID_ATTR_ONLY", "LDAP_SEARCH_EXCLUDE_WILDCARD_CHARS", "IGNORE_LDAP_FILTERS_VALIDATION", "AUTH_SVC_LDAP_CONFIG_TIMEOUT",
 		"SCIM_LDAP_SEARCH_SIZE_LIMIT", "SCIM_LDAP_SEARCH_TIME_LIMIT", "SCIM_ASYNC_PARALLEL_LIMIT", "SCIM_GET_DISPLAY_FOR_GROUP_USERS", "ATTR_MAPPING_FROM_CONFIG", "SCIM_AUTH_CACHE_MAX_SIZE", "SCIM_AUTH_CACHE_TTL_VALUE",
-		"DB_CONNECT_TIMEOUT", "DB_IDLE_TIMEOUT", "DB_CONNECT_MAX_RETRIES", "DB_POOL_MIN_SIZE", "DB_POOL_MAX_SIZE", "DB_SSL_MODE", "SEQL_LOGGING", "AUDIT_URL", "IAM_UM"}
+		"DB_CONNECT_TIMEOUT", "DB_IDLE_TIMEOUT", "DB_CONNECT_MAX_RETRIES", "DB_POOL_MIN_SIZE", "DB_POOL_MAX_SIZE", "DB_SSL_MODE", "SEQL_LOGGING", "AUDIT_URL", "IAM_UM", "OAUTH_21_ENABLED"}
 
 	idpEnvVars := buildIdpEnvVars(idpEnvVarList)
 

Original file line number	Diff line number	Diff line change
`@@ -159,6 +159,7 @@ type ConfigSpec struct {`
`159`	`159`	AttrMappingFromConfig bool `json:"attrMappingFromConfig,omitempty"`
`160`	`160`	ZenFrontDoor bool `json:"zenFrontDoor,omitempty"`
`161`	`161`	Ingress *IngressConfig `json:"ingress,omitempty"`
	`162`	+ OAuth21Enabled *bool `json:"oauth21Enabled,omitempty"`
`162`	`163`	IamUm *bool `json:"iamUm,omitempty"`
`163`	`164`	`}`
`164`	`165`