openshift · ShazaAldawamneh · Mar 18, 2026 · Mar 18, 2026 · Mar 19, 2026 · ehearne-redhat
diff --git a/config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml b/config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml
@@ -617,6 +617,73 @@ tests:
                 claim: "preferred_username"
               groups:
                 claim: ""
+    - name: Cannot set prefixPolicy to Prefix when using username expression
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://meh.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              username:
+                expression: "claims.sub"
+                prefixPolicy: Prefix
+                prefix:
+                  prefixString: "myoidc:"
+      expectedError: "prefixPolicy must not be set to 'Prefix' when expression is set"
+
+    - name: Can set prefixPolicy to NoPrefix when using username expression
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://meh.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              username:
+                expression: "claims.sub"
+                prefixPolicy: NoPrefix
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://meh.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              username:
+                expression: "claims.sub"
+                prefixPolicy: NoPrefix
+
+    - name: Cannot set prefix when using groups expression
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: Authentication
+        spec:
+          type: OIDC
+          oidcProviders:
+          - name: myoidc
+            issuer:
+              issuerURL: https://meh.tld
+              audiences: ['openshift-aud']
+            claimMappings:
+              username:
+                claim: "preferred_username"
+              groups:
+                expression: "claims.groups"
+                prefix: "oidc-group:"
+      expectedError: "prefix must not be set when expression is set"
   onUpdate:
     - name: Should allow updating other fields if existing username claim mapping is longer than 256 characters
       initialCRDPatches:

diff --git a/config/v1/types_authentication.go b/config/v1/types_authentication.go
@@ -618,6 +618,7 @@ type OIDCClientReference struct {
 // +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC,rule="has(self.claim)",message="claim is required"
 // +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUIDAndExtraClaimMappings,rule="has(self.claim)",message="claim is required"
 // +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="has(self.claim) ? !has(self.expression) : has(self.expression)",message="precisely one of claim or expression must be set"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="has(self.expression) && size(self.expression) > 0 ? !has(self.prefixPolicy) || self.prefixPolicy != 'Prefix' : true",message="prefixPolicy must not be set to 'Prefix' when expression is set"
 type UsernameClaimMapping struct {
 	// claim is an optional field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.
 	// claim is required when the ExternalOIDCWithUpstreamParity feature gate is not enabled.
@@ -710,6 +711,7 @@ type UsernamePrefix struct {
 
 // PrefixedClaimMapping configures a claim mapping
 // that allows for an optional prefix.
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="has(self.expression) && size(self.expression) > 0 ? self.prefix == \"\" : true",message="prefix must not be set when expression is set"
 type PrefixedClaimMapping struct {
 	TokenClaimMapping `json:",inline"`
 

diff --git a/...nerated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml b/...nerated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
@@ -218,6 +218,9 @@ spec:
                               type: string
                           type: object
                           x-kubernetes-validations:
+                          - message: prefix must not be set when expression is set
+                            rule: 'has(self.expression) && size(self.expression) >
+                              0 ? self.prefix == "" : true'
                           - message: expression must not be set if claim is specified
                               and is not an empty string
                             rule: '(size(self.?claim.orValue("")) > 0) ? !has(self.expression)
@@ -341,6 +344,11 @@ spec:
                           - message: precisely one of claim or expression must be
                               set
                             rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)'
+                          - message: prefixPolicy must not be set to 'Prefix' when
+                              expression is set
+                            rule: 'has(self.expression) && size(self.expression) >
+                              0 ? !has(self.prefixPolicy) || self.prefixPolicy !=
+                              ''Prefix'' : true'
                           - message: prefix must be set if prefixPolicy is 'Prefix',
                               but must remain unset otherwise
                             rule: 'has(self.prefixPolicy) && self.prefixPolicy ==

diff --git a/...ted.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml b/...ted.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml
@@ -218,6 +218,9 @@ spec:
                               type: string
                           type: object
                           x-kubernetes-validations:
+                          - message: prefix must not be set when expression is set
+                            rule: 'has(self.expression) && size(self.expression) >
+                              0 ? self.prefix == "" : true'
                           - message: expression must not be set if claim is specified
                               and is not an empty string
                             rule: '(size(self.?claim.orValue("")) > 0) ? !has(self.expression)
@@ -341,6 +344,11 @@ spec:
                           - message: precisely one of claim or expression must be
                               set
                             rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)'
+                          - message: prefixPolicy must not be set to 'Prefix' when
+                              expression is set
+                            rule: 'has(self.expression) && size(self.expression) >
+                              0 ? !has(self.prefixPolicy) || self.prefixPolicy !=
+                              ''Prefix'' : true'
                           - message: prefix must be set if prefixPolicy is 'Prefix',
                               but must remain unset otherwise
                             rule: 'has(self.prefixPolicy) && self.prefixPolicy ==

diff --git a/...ed.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml b/...ed.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml
@@ -218,6 +218,9 @@ spec:
                               type: string
                           type: object
                           x-kubernetes-validations:
+                          - message: prefix must not be set when expression is set
+                            rule: 'has(self.expression) && size(self.expression) >
+                              0 ? self.prefix == "" : true'
                           - message: expression must not be set if claim is specified
                               and is not an empty string
                             rule: '(size(self.?claim.orValue("")) > 0) ? !has(self.expression)
@@ -341,6 +344,11 @@ spec:
                           - message: precisely one of claim or expression must be
                               set
                             rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)'
+                          - message: prefixPolicy must not be set to 'Prefix' when
+                              expression is set
+                            rule: 'has(self.expression) && size(self.expression) >
+                              0 ? !has(self.prefixPolicy) || self.prefixPolicy !=
+                              ''Prefix'' : true'
                           - message: prefix must be set if prefixPolicy is 'Prefix',
                               but must remain unset otherwise
                             rule: 'has(self.prefixPolicy) && self.prefixPolicy ==

diff --git a/...ted-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml b/...ted-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml
@@ -123,6 +123,9 @@ spec:
                               type: string
                           type: object
                           x-kubernetes-validations:
+                          - message: prefix must not be set when expression is set
+                            rule: 'has(self.expression) && size(self.expression) >
+                              0 ? self.prefix == "" : true'
                           - message: expression must not be set if claim is specified
                               and is not an empty string
                             rule: '(size(self.?claim.orValue("")) > 0) ? !has(self.expression)
@@ -204,6 +207,11 @@ spec:
                           - message: precisely one of claim or expression must be
                               set
                             rule: 'has(self.claim) ? !has(self.expression) : has(self.expression)'
+                          - message: prefixPolicy must not be set to 'Prefix' when
+                              expression is set
+                            rule: 'has(self.expression) && size(self.expression) >
+                              0 ? !has(self.prefixPolicy) || self.prefixPolicy !=
+                              ''Prefix'' : true'
                           - message: prefix must be set if prefixPolicy is 'Prefix',
                               but must remain unset otherwise
                             rule: 'has(self.prefixPolicy) && self.prefixPolicy ==