OctopusDeploy · wlthomson · Nov 27, 2025 · Nov 27, 2025 · Nov 27, 2025 · Nov 27, 2025
diff --git a/examples/accounts/create_azure_oidc.go b/examples/accounts/create_azure_oidc.go
@@ -28,6 +28,12 @@ func CreateAzureOIDCExample() {
 		// Other claims
 		audience string = ""
 
+		// Optional custom claims
+		customClaims = map[string]string{
+			"claim1": "value1",
+			"claim2": "value2",
+		}
+
 		// account values
 		accountName        string   = "Azure Account"
 		accountDescription string   = "My Azure Account"
@@ -59,6 +65,7 @@ func CreateAzureOIDCExample() {
 	azureAccount.HealthCheckSubjectKeys = healthCheckSubjectKeys
 	azureAccount.AccountTestSubjectKeys = accountTestSubjectKeys
 	azureAccount.Audience = audience
+	azureAccount.CustomClaims = customClaims
 
 	// fill in account details
 	azureAccount.Description = accountDescription

diff --git a/pkg/accounts/account_resource.go b/pkg/accounts/account_resource.go
@@ -44,6 +44,7 @@ type AccountResource struct {
 	AccountTestSubjectKeys  []string                    `json:"AccountTestSubjectKeys,omitempty"`
 	RoleArn                 string                      `json:"RoleArn,omitempty"`
 	SessionDuration         string                      `json:"SessionDuration,omitempty"`
+	CustomClaims            map[string]string           `json:"CustomClaims,omitempty"`
 
 	resources.Resource
 }

diff --git a/pkg/accounts/account_utilities.go b/pkg/accounts/account_utilities.go
@@ -35,6 +35,7 @@ func ToAccount(accountResource *AccountResource) (IAccount, error) {
 		awsOIDCAccount.DeploymentSubjectKeys = accountResource.DeploymentSubjectKeys
 		awsOIDCAccount.AccountTestSubjectKeys = accountResource.AccountTestSubjectKeys
 		awsOIDCAccount.HealthCheckSubjectKeys = accountResource.HealthCheckSubjectKeys
+		awsOIDCAccount.CustomClaims = accountResource.CustomClaims
 		account = awsOIDCAccount
 	case AccountTypeAzureServicePrincipal:
 		azureServicePrincipalAccount, err := NewAzureServicePrincipalAccount(accountResource.GetName(), *accountResource.SubscriptionID, *accountResource.TenantID, *accountResource.ApplicationID, accountResource.ApplicationPassword)
@@ -57,6 +58,7 @@ func ToAccount(accountResource *AccountResource) (IAccount, error) {
 		azureOIDCAccount.DeploymentSubjectKeys = accountResource.DeploymentSubjectKeys
 		azureOIDCAccount.AccountTestSubjectKeys = accountResource.AccountTestSubjectKeys
 		azureOIDCAccount.HealthCheckSubjectKeys = accountResource.HealthCheckSubjectKeys
+		azureOIDCAccount.CustomClaims = accountResource.CustomClaims
 		account = azureOIDCAccount
 	case AccountTypeAzureSubscription:
 		azureSubscriptionAccount, err := NewAzureSubscriptionAccount(accountResource.GetName(), *accountResource.SubscriptionID)
@@ -76,6 +78,7 @@ func ToAccount(accountResource *AccountResource) (IAccount, error) {
 		}
 		genericOIDCAccount.Audience = accountResource.Audience
 		genericOIDCAccount.DeploymentSubjectKeys = accountResource.DeploymentSubjectKeys
+		genericOIDCAccount.CustomClaims = accountResource.CustomClaims
 		account = genericOIDCAccount
 	case AccountTypeGoogleCloudPlatformAccount:
 		googleCloudPlatformAccount, err := NewGoogleCloudPlatformAccount(accountResource.GetName(), accountResource.JsonKey)
@@ -154,6 +157,7 @@ func ToAccountResource(account IAccount) (*AccountResource, error) {
 		accountResource.DeploymentSubjectKeys = awsOIDCAccount.DeploymentSubjectKeys
 		accountResource.AccountTestSubjectKeys = awsOIDCAccount.AccountTestSubjectKeys
 		accountResource.HealthCheckSubjectKeys = awsOIDCAccount.HealthCheckSubjectKeys
+		accountResource.CustomClaims = awsOIDCAccount.CustomClaims
 	case AccountTypeAzureServicePrincipal:
 		azureServicePrincipalAccount := account.(*AzureServicePrincipalAccount)
 		accountResource.ApplicationID = azureServicePrincipalAccount.ApplicationID
@@ -175,6 +179,7 @@ func ToAccountResource(account IAccount) (*AccountResource, error) {
 		accountResource.DeploymentSubjectKeys = azureOIDCAccount.DeploymentSubjectKeys
 		accountResource.AccountTestSubjectKeys = azureOIDCAccount.AccountTestSubjectKeys
 		accountResource.HealthCheckSubjectKeys = azureOIDCAccount.HealthCheckSubjectKeys
+		accountResource.CustomClaims = azureOIDCAccount.CustomClaims
 	case AccountTypeAzureSubscription:
 		azureSubscriptionAccount := account.(*AzureSubscriptionAccount)
 		accountResource.AzureEnvironment = azureSubscriptionAccount.AzureEnvironment
@@ -187,6 +192,7 @@ func ToAccountResource(account IAccount) (*AccountResource, error) {
 		genericOidcAccount := account.(*GenericOIDCAccount)
 		accountResource.DeploymentSubjectKeys = genericOidcAccount.DeploymentSubjectKeys
 		accountResource.Audience = genericOidcAccount.Audience
+		accountResource.CustomClaims = genericOidcAccount.CustomClaims
 	case AccountTypeGoogleCloudPlatformAccount:
 		googleCloudPlatformAccount := account.(*GoogleCloudPlatformAccount)
 		accountResource.JsonKey = googleCloudPlatformAccount.JsonKey

diff --git a/pkg/accounts/aws_oidc_account.go b/pkg/accounts/aws_oidc_account.go
@@ -9,12 +9,13 @@ import (
 
 // AwsOIDCAccount represents an AWS OIDC account.
 type AwsOIDCAccount struct {
-	RoleArn                string   `json:"RoleArn"`
-	SessionDuration        string   `json:"SessionDuration,omitempty"`
-	Audience               string   `json:"Audience,omitempty"`
-	DeploymentSubjectKeys  []string `json:"DeploymentSubjectKeys,omitempty" validate:"omitempty,dive,oneof=space environment project tenant runbook account type'"`
-	HealthCheckSubjectKeys []string `json:"HealthCheckSubjectKeys,omitempty" validate:"omitempty,dive,oneof=space account target type'"`
-	AccountTestSubjectKeys []string `json:"AccountTestSubjectKeys,omitempty" validate:"omitempty,dive,oneof=space account type'"`
+	RoleArn                string            `json:"RoleArn"`
+	SessionDuration        string            `json:"SessionDuration,omitempty"`
+	Audience               string            `json:"Audience,omitempty"`
+	DeploymentSubjectKeys  []string          `json:"DeploymentSubjectKeys,omitempty" validate:"omitempty,dive,oneof=space environment project tenant runbook account type'"`
+	HealthCheckSubjectKeys []string          `json:"HealthCheckSubjectKeys,omitempty" validate:"omitempty,dive,oneof=space account target type'"`
+	AccountTestSubjectKeys []string          `json:"AccountTestSubjectKeys,omitempty" validate:"omitempty,dive,oneof=space account type'"`
+	CustomClaims           map[string]string `json:"CustomClaims,omitempty"`
 
 	account
 }

diff --git a/pkg/accounts/aws_oidc_account_test.go b/pkg/accounts/aws_oidc_account_test.go
@@ -20,6 +20,10 @@ func TestAwsOIDCAccount(t *testing.T) {
 	invalidDeploymentSubjectKeys := []string{"space", "target"}
 	invalidHealthCheckSubjectKeys := []string{"space", "project"}
 	invalidAccountTestSubjectKeys := []string{"space", "project"}
+	customClaims := map[string]string{
+		"claim1": "value1",
+		"claim2": "value2",
+	}
 
 	testCases := []struct {
 		TestName               string
@@ -32,16 +36,18 @@ func TestAwsOIDCAccount(t *testing.T) {
 		DeploymentSubjectKeys  []string
 		HealthCheckSubjectKeys []string
 		AccountTestSubjectKeys []string
+		CustomClaims           map[string]string
 	}{
-		{"Valid", false, name, spaceID, tenantedDeploymentMode, roleArn, sessionDuration, deploymentSubjectKeys, healthCheckSubjectKeys, accountTestSubjectKeys},
-		{"EmptyName", true, "", spaceID, tenantedDeploymentMode, roleArn, sessionDuration, deploymentSubjectKeys, healthCheckSubjectKeys, accountTestSubjectKeys},
-		{"WhitespaceName", true, " ", spaceID, tenantedDeploymentMode, roleArn, sessionDuration, deploymentSubjectKeys, healthCheckSubjectKeys, accountTestSubjectKeys},
-		{"EmptySpaceID", false, name, "", tenantedDeploymentMode, roleArn, sessionDuration, deploymentSubjectKeys, healthCheckSubjectKeys, accountTestSubjectKeys},
-		{"WhitespaceSpaceID", false, name, " ", tenantedDeploymentMode, roleArn, sessionDuration, deploymentSubjectKeys, healthCheckSubjectKeys, accountTestSubjectKeys},
-		{"NilSubjectKeys", false, name, spaceID, tenantedDeploymentMode, roleArn, sessionDuration, nil, nil, nil},
-		{"InvalidDeploymentSubjectKeys", true, name, spaceID, tenantedDeploymentMode, roleArn, sessionDuration, invalidDeploymentSubjectKeys, healthCheckSubjectKeys, accountTestSubjectKeys},
-		{"InvalidHealthCheckSubjectKeys", true, name, spaceID, tenantedDeploymentMode, roleArn, sessionDuration, deploymentSubjectKeys, invalidHealthCheckSubjectKeys, invalidAccountTestSubjectKeys},
-		{"InvalidAccountTestSubjectKeys", true, name, spaceID, tenantedDeploymentMode, roleArn, sessionDuration, deploymentSubjectKeys, healthCheckSubjectKeys, invalidAccountTestSubjectKeys},
+		{"Valid", false, name, spaceID, tenantedDeploymentMode, roleArn, sessionDuration, deploymentSubjectKeys, healthCheckSubjectKeys, accountTestSubjectKeys, nil},
+		{"ValidWithCustomClaims", false, name, spaceID, tenantedDeploymentMode, roleArn, sessionDuration, deploymentSubjectKeys, healthCheckSubjectKeys, accountTestSubjectKeys, customClaims},
+		{"EmptyName", true, "", spaceID, tenantedDeploymentMode, roleArn, sessionDuration, deploymentSubjectKeys, healthCheckSubjectKeys, accountTestSubjectKeys, nil},
+		{"WhitespaceName", true, " ", spaceID, tenantedDeploymentMode, roleArn, sessionDuration, deploymentSubjectKeys, healthCheckSubjectKeys, accountTestSubjectKeys, nil},
+		{"EmptySpaceID", false, name, "", tenantedDeploymentMode, roleArn, sessionDuration, deploymentSubjectKeys, healthCheckSubjectKeys, accountTestSubjectKeys, nil},
+		{"WhitespaceSpaceID", false, name, " ", tenantedDeploymentMode, roleArn, sessionDuration, deploymentSubjectKeys, healthCheckSubjectKeys, accountTestSubjectKeys, nil},
+		{"NilSubjectKeys", false, name, spaceID, tenantedDeploymentMode, roleArn, sessionDuration, nil, nil, nil, nil},
+		{"InvalidDeploymentSubjectKeys", true, name, spaceID, tenantedDeploymentMode, roleArn, sessionDuration, invalidDeploymentSubjectKeys, healthCheckSubjectKeys, accountTestSubjectKeys, nil},
+		{"InvalidHealthCheckSubjectKeys", true, name, spaceID, tenantedDeploymentMode, roleArn, sessionDuration, deploymentSubjectKeys, invalidHealthCheckSubjectKeys, invalidAccountTestSubjectKeys, nil},
+		{"InvalidAccountTestSubjectKeys", true, name, spaceID, tenantedDeploymentMode, roleArn, sessionDuration, deploymentSubjectKeys, healthCheckSubjectKeys, invalidAccountTestSubjectKeys, nil},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.TestName, func(t *testing.T) {
@@ -51,6 +57,7 @@ func TestAwsOIDCAccount(t *testing.T) {
 				DeploymentSubjectKeys:  tc.DeploymentSubjectKeys,
 				HealthCheckSubjectKeys: tc.HealthCheckSubjectKeys,
 				AccountTestSubjectKeys: tc.AccountTestSubjectKeys,
+				CustomClaims:           tc.CustomClaims,
 			}
 			awsOIDCAccount.AccountType = AccountTypeAwsOIDC
 			awsOIDCAccount.Name = tc.Name

diff --git a/pkg/accounts/azure_oidc_account.go b/pkg/accounts/azure_oidc_account.go
@@ -10,16 +10,17 @@ import (
 
 // AzureOIDCAccount represents an Azure OIDC account.
 type AzureOIDCAccount struct {
-	ApplicationID           *uuid.UUID `json:"ClientId" validate:"required"`
-	AuthenticationEndpoint  string     `json:"ActiveDirectoryEndpointBaseUri,omitempty" validate:"required_with=AzureEnvironment,omitempty,uri"`
-	AzureEnvironment        string     `json:"AzureEnvironment,omitempty" validate:"omitempty,oneof=AzureCloud AzureChinaCloud AzureGermanCloud AzureUSGovernment"`
-	ResourceManagerEndpoint string     `json:"ResourceManagementEndpointBaseUri" validate:"required_with=AzureEnvironment,omitempty,uri"`
-	SubscriptionID          *uuid.UUID `json:"SubscriptionNumber" validate:"required"`
-	TenantID                *uuid.UUID `json:"TenantId" validate:"required"`
-	Audience                string     `json:"Audience,omitempty"`
-	DeploymentSubjectKeys   []string   `json:"DeploymentSubjectKeys,omitempty" validate:"omitempty,dive,oneof=space environment project tenant runbook account type'"`
-	HealthCheckSubjectKeys  []string   `json:"HealthCheckSubjectKeys,omitempty" validate:"omitempty,dive,oneof=space account target type'"`
-	AccountTestSubjectKeys  []string   `json:"AccountTestSubjectKeys,omitempty" validate:"omitempty,dive,oneof=space account type'"`
+	ApplicationID           *uuid.UUID        `json:"ClientId" validate:"required"`
+	AuthenticationEndpoint  string            `json:"ActiveDirectoryEndpointBaseUri,omitempty" validate:"required_with=AzureEnvironment,omitempty,uri"`
+	AzureEnvironment        string            `json:"AzureEnvironment,omitempty" validate:"omitempty,oneof=AzureCloud AzureChinaCloud AzureGermanCloud AzureUSGovernment"`
+	ResourceManagerEndpoint string            `json:"ResourceManagementEndpointBaseUri" validate:"required_with=AzureEnvironment,omitempty,uri"`
+	SubscriptionID          *uuid.UUID        `json:"SubscriptionNumber" validate:"required"`
+	TenantID                *uuid.UUID        `json:"TenantId" validate:"required"`
+	Audience                string            `json:"Audience,omitempty"`
+	DeploymentSubjectKeys   []string          `json:"DeploymentSubjectKeys,omitempty" validate:"omitempty,dive,oneof=space environment project tenant runbook account type'"`
+	HealthCheckSubjectKeys  []string          `json:"HealthCheckSubjectKeys,omitempty" validate:"omitempty,dive,oneof=space account target type'"`
+	AccountTestSubjectKeys  []string          `json:"AccountTestSubjectKeys,omitempty" validate:"omitempty,dive,oneof=space account type'"`
+	CustomClaims            map[string]string `json:"CustomClaims,omitempty"`
 
 	account
 }