docs icon indicating copy to clipboard operation
docs copied to clipboard

Published 20 hours ago verified publisher icon cockroachdb

Docs for JWT/OIDC authorization in v25.4

Open mikeCRL opened this issue 1 month ago • 4 comments

Fixes DOC-13052

  • NEW - v25.4/jwt-authorization.md

    • New page documenting JWT authorization for SQL clients
    • Covers automatic role synchronization based on JWT group claims from IdP
    • Includes automatic user provisioning configuration and PROVISIONSRC tagging
    • IdP-specific examples for Okta, Google, Azure AD, Keycloak

  • NEW - v25.4/oidc-authorization.md

    • New page documenting OIDC authorization for DB Console
    • Covers automatic role synchronization based on OIDC group claims from ID token, access token, or userinfo endpoint
    • Notes that automatic user provisioning not available (planned for 'future release')

  • REWRITE - v25.4/sso-sql.md

    • Rewrite intro: JWT authentication works with external IdPs (Okta, Google, Azure AD, etc.) as primary method; DB Console JWT generation (the doc's former focus) is optional convenience feature
    • Add v25.4 features intro: JWT authorization (automatic role sync) and automatic user provisioning
    • Fix prerequisites section: remove incorrect OIDC/DB Console requirement, add IdP requirement as primary prerequisite, clarify user provisioning is optional if automatic provisioning enabled
    • Update "Authenticate to your cluster" section: distinguish two JWT acquisition methods (direct from IdP APIs vs. DB Console generation)
    • Remove misplaced callout about DB Console tier availability (moved to sso-db-console.md)

Minor updates:

  • v25.4/sso-db-console.md: Add callout after prereqs: Doesn't apply to Basic/Standard; link out to cloud-sso-sql.md
  • v25.4/security-reference/authorization.md: Add "Automatic role synchronization" section documenting JWT, OIDC, LDAP authorization methods; cross-ref jwt-authorization.md, oidc-authorization.md, ldap-authorization.md
  • v25.4/security-reference/security-overview.md: Add 4 new rows to authentication table: JWT authorization, OIDC authorization, LDAP authorization, JWT user provisioning
  • v25.4/authentication.md: Enhance client authentication bullets: add mentions of authorization (automatic role sync) and user provisioning features for JWT and OIDC; cross-references to jwt-authorization.md and oidc-authorization.md

mikeCRL avatar Nov 03 '25 04:11 mikeCRL