cockroachdb / cockroach

CockroachDB - the open source, cloud-native distributed SQL database.
https://www.cockroachlabs.com

Automatically create OIDC authenticated user in Cockroach DB #126680

Open kmcchesney21 opened 3 days ago

kmcchesney21 commented 3 days ago

Describe the problem

I am configuring cockroach db to use keycloak as an SSO OIDC provider and have successfully set up the keycloak client and authentication through the cockroach UI; however, once authenticated through Keycloak cockroach complains about the user not existing on the server. Is there a way to configure the user to automatically get created after a successful login through the OIDC provider?

To Reproduce

  1. Deploy Cockroach DB on kubernetes using the operator
  2. Create a cockroach client in Keycloak
  3. Update Cockroach DB with the following settings:
    server.oidc_authentication.client_id = '<client id>';
    server.oidc_authentication.client_secret = '<client secret>';
    server.oidc_authentication.provider_url = 'https://keycloak.xxx.xxx/realms/infra';
    server.oidc_authentication.redirect_url = 'https://cockroach.xxx.xxx/oidc/v1/callback'; 
    server.oidc_authentication.scopes = 'openid email profile roles';
    server.oidc_authentication.claim_json_key = 'email';
    server.oidc_authentication.principal_regex = '^([^@]+)@myemaildomain$';
    server.oidc_authentication.button_text = 'Log in with Keycloak'; 
    server.oidc_authentication.enabled = true;
  4. Browse to the UI -> Select the "Log in with Keycloak" button -> Successfully authenticate but then receive the following error:
    OIDC: unable to complete authentication

    Looking closer at the cockroach server/pods logs the following error is thrown:

    ccl/oidcccl/authentication_oidc.go : [-] 513 OIDC: failed to complete authentication: unable to create session for <myusername>: grpc: <the provided credentials did not match any account on the server> [code 16/Unauthenticated]

Expected behavior

I expect cockroach to automatically create the user in the database instead of having to manually create every user that will authenticate using the OIDC provider

Additional data / screenshots

Can provide more information as needed

Environment:

Jira issue: CRDB-40062
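The log line in the report shows two separate steps: the `email` claim is reduced to a SQL username via `principal_regex`, and that username must then already exist as a SQL user, or the session is refused. The following is an added illustration of that mapping (example code written for this page, not CockroachDB's `ccl/oidcccl` implementation). It assumes that the regex is expected to carry exactly one capture group and that a non-matching claim yields no principal; the user table and claim values are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Constructed set of SQL users for the example. In a real cluster this is the
// set of users created with CREATE USER; this example does not consult it.
var existingSQLUsers = map[string]bool{
	"root":  true,
	"alice": true,
}

// extractPrincipal applies the configured principal_regex to the value of the
// claim selected by claim_json_key and returns the single capture group as the
// candidate SQL username. Assumption (not stated in the issue): the regex must
// contain exactly one capture group, and a claim that does not match yields
// no principal at all rather than the raw claim value.
func extractPrincipal(claimValue, principalRegex string) (string, error) {
	re, err := regexp.Compile(principalRegex)
	if err != nil {
		return "", fmt.Errorf("invalid principal_regex: %w", err)
	}
	if re.NumSubexp() != 1 {
		return "", errors.New("principal_regex must contain exactly one capture group")
	}
	m := re.FindStringSubmatch(claimValue)
	if m == nil {
		return "", fmt.Errorf("claim %q does not match principal_regex", claimValue)
	}
	return m[1], nil
}

// resolveLogin mirrors the two-step check the reported log line implies: the
// claim is reduced to a username, and that username must already exist as a
// SQL user. The second step is the one that fails in the issue, because OIDC
// authenticates the identity but does not create the SQL user.
func resolveLogin(claimValue, principalRegex string, users map[string]bool) (string, error) {
	username, err := extractPrincipal(claimValue, principalRegex)
	if err != nil {
		return "", err
	}
	if !users[username] {
		return "", fmt.Errorf("unable to create session for %s: the provided credentials did not match any account on the server", username)
	}
	return username, nil
}

func main() {
	// Same regex as in the reported configuration.
	const principalRegex = `^([^@]+)@myemaildomain$`
	claims := []string{
		"alice@myemaildomain", // matches and exists: session established
		"bob@myemaildomain",   // matches but no SQL user: the error from the issue
		"alice@otherdomain",   // wrong domain: regex rejects it before any lookup
	}
	for _, claim := range claims {
		user, err := resolveLogin(claim, principalRegex, existingSQLUsers)
		if err != nil {
			fmt.Printf("%-22s -> rejected: %v\n", claim, err)
			continue
		}
		fmt.Printf("%-22s -> session for SQL user %q\n", claim, user)
	}
}
```

The second case is the situation described in the issue: the identity provider vouches for `bob@myemaildomain`, the regex maps it to `bob`, and the login still fails because no SQL user of that name exists. The third case shows why an anchored, domain-specific `principal_regex` matters: a token for a different domain never produces a username to look up.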

blathers-crl[bot] commented 3 days ago

Hi @kmcchesney21, please add branch-* labels to identify which branch(es) this C-bug affects.

:owl: Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.

blathers-crl[bot] commented 3 days ago

Hello, I am Blathers. I am here to help you get the issue triaged.

Hoot - a bug! Though bugs are the bane of my existence, rest assured the wretched thing will get the best of care here.

I was unable to automatically find someone to ping.

If we have not gotten back to your issue within a few business days, you can try the following:

:owl: Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.