feat(identity): add HTTP filter to bypass field selector validation

Add IdentityFieldSelectorPassthrough filter that intercepts requests to
UserIdentities and Sessions APIs before the API server validates field
selectors.

For virtual/proxy resources that delegate to external backends, field
selector validation must happen at the backend, not the API server.
This filter extracts the raw field selector from the query string and
stores it in RequestInfo, bypassing Kubernetes API server validation.

The filter is registered in the handler chain before WithRequestInfo,
ensuring field selectors like status.userUID pass through to
auth-provider-zitadel for validation and authorization.

Author: OscarLlamas6

cmd/milo/apiserver/config.go

@@ -403,6 +403,7 @@ func DefaultBuildHandlerChain(apiHandler http.Handler, c *server.Config, loopbac
 	handler = datumfilters.UserContactGroupMembershipListConstraintDecorator(handler)
 	handler = datumfilters.UserContactGroupMembershipRemovalListConstraintDecorator(handler)
 	handler = datumfilters.ContactGroupVisibilityWithoutPrivateDecorator(handler)
+	handler = datumfilters.IdentityFieldSelectorPassthrough(handler)
 	handler = genericapifilters.WithRequestInfo(handler, c.RequestInfoResolver)
 	handler = genericapifilters.WithRequestReceivedTimestamp(handler)
 	// handler = genericapifilters.WithMuxAndDiscoveryComplete(handler, c.lifecycleSignals.MuxAndDiscoveryComplete.Signaled())

internal/apiserver/storage/identity/storageprovider.go

@@ -26,19 +26,17 @@ func (p StorageProvider) NewRESTStorage(
 	_ serverstorage.APIResourceConfigSource,
 	_ generic.RESTOptionsGetter,
 ) (genericapiserver.APIGroupInfo, error) {
-	// Create a custom scheme that includes identity types but NO field label conversion functions
-	// This allows field selectors to pass through without validation at the API server level
-	customScheme := runtime.NewScheme()
-	identityv1alpha1.AddToScheme(customScheme)
-	metav1.AddToGroupVersion(customScheme, identityv1alpha1.SchemeGroupVersion)
-
-	// Use the custom scheme for both the main scheme and parameter codec
-	// This ensures field selectors are not validated by the API server framework
-	parameterCodec := runtime.NewParameterCodec(customScheme)
+	// For virtual/proxy resources, we use the legacy scheme but with a custom ParameterCodec
+	// that includes identity types without field label conversion functions.
+	// This allows field selectors to pass through to the backend without API server validation.
+	parameterScheme := runtime.NewScheme()
+	identityv1alpha1.AddToScheme(parameterScheme)
+	metav1.AddToGroupVersion(parameterScheme, identityv1alpha1.SchemeGroupVersion)
+	parameterCodec := runtime.NewParameterCodec(parameterScheme)
 
 	apiGroupInfo := genericapiserver.NewDefaultAPIGroupInfo(
 		identityv1alpha1.SchemeGroupVersion.Group,
-		customScheme,
+		legacyscheme.Scheme,
 		parameterCodec,
 		legacyscheme.Codecs,
 	)

pkg/server/filters/identity_field_selector.go

@@ -0,0 +1,62 @@
+package filters
+
+import (
+	"net/http"
+	"net/url"
+
+	identityv1alpha1 "go.miloapis.com/milo/pkg/apis/identity/v1alpha1"
+	"k8s.io/apiserver/pkg/endpoints/request"
+)
+
+// IdentityFieldSelectorPassthrough is a filter that allows field selectors to pass through
+// to the identity API backend without validation by the API server framework.
+//
+// This is necessary because UserIdentity and Session are virtual/proxy resources that
+// delegate to an external backend (auth-provider-zitadel). The backend handles field
+// selector validation and authorization, not the Milo API server.
+//
+// Without this filter, the API server would validate field selectors against registered
+// field label conversion functions and reject unknown selectors like status.userUID.
+func IdentityFieldSelectorPassthrough(handler http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		info, ok := request.RequestInfoFrom(req.Context())
+		if !ok {
+			handler.ServeHTTP(w, req)
+			return
+		}
+
+		// Only intercept identity API list requests
+		if info.APIGroup != identityv1alpha1.SchemeGroupVersion.Group || info.Verb != "list" {
+			handler.ServeHTTP(w, req)
+			return
+		}
+
+		// Only handle useridentities and sessions resources
+		if info.Resource != "useridentities" && info.Resource != "sessions" {
+			handler.ServeHTTP(w, req)
+			return
+		}
+
+		// Extract field selector from query string before API server validation
+		query, err := url.ParseQuery(req.URL.RawQuery)
+		if err != nil {
+			handler.ServeHTTP(w, req)
+			return
+		}
+
+		fieldSelector := query.Get("fieldSelector")
+		if fieldSelector == "" {
+			handler.ServeHTTP(w, req)
+			return
+		}
+
+		// Store the raw field selector in RequestInfo so it bypasses validation
+		// The API server will use this value instead of parsing/validating it
+		info.FieldSelector = fieldSelector
+
+		// Update the request context with modified RequestInfo
+		req = req.WithContext(request.WithRequestInfo(req.Context(), info))
+
+		handler.ServeHTTP(w, req)
+	})
+}