Merge #149415

149415: pgwire,provisioning,jwtauthccl: support user provisioning in jwt authentication r=souravcrl a=shriramters

This commit introduces automatic user provisioning for JWT-based
authentication. Previously, a valid JWT for a user not yet present in
the database would result in a login failure. This change was necessary
to support identity-provider-managed user provisioning, where users can
be created on-the-fly during their first login.

To achieve this, the pgwire JWT authentication flow is updated to
conditionally create a new SQL user after successful token validation.
This change introduces a `VerifyAndExtractIssuer` function on the
`JWTVerifier` interface; this routine both verifies the token’s
signature and issuer and also returns the issuer string needed by the
provisioner, keeping the core pgwire layer decoupled from JWT library
details.

The provisioning source is recorded in the `PROVISIONSRC` role option
for the newly created user, linking them back to the JWT issuer. This
enables better auditing and management of provisioned users. The
provisioning source parser and its tests have also been refactored to
be more extensible for future authentication methods.

Fixes: CRDB-51730
Epic: CRDB-48764

Release note (enterprise change): Added the ability to automatically
provision users authenticating via JWT. This is controlled by the new
cluster setting `security.provisioning.jwt.enabled`. When set to true,
a successful JWT authentication for a non-existent user will create
that user in CockroachDB. The newly created role will have the
`PROVISIONSRC` role option set to `jwt_token:<issuer>`, identifying the
token's issuer as the source of the provisioned user.

Co-authored-by: Shriram Ravindranathan <[email protected]>

Author: craig[bot]

pkg/ccl/jwtauthccl/authentication_jwt.go

@@ -197,7 +197,7 @@ func (authenticator *jwtAuthenticator) ValidateJWTLogin(
 	}
 
 	// Match the input user identity against the user identities mapped within the JWT.
-	user, authError = authenticator.RetrieveIdentity(ctx, user, tokenBytes, identMap)
+	user, authError = authenticator.retrieveIdentityLocked(user, tokenBytes, identMap)
 	if authError != nil {
 		return
 	}
@@ -231,10 +231,40 @@ func (authenticator *jwtAuthenticator) ValidateJWTLogin(
 	return "", nil
 }
 
-// RetrieveIdentity is part of the JWTVerifier interface in pgwire.
+// RetrieveIdentity implements pgwire.JWTVerifier.
+//
+// It reloads the authenticator’s configuration from the passed
+// *cluster.Settings then delegates to retrieveIdentityLocked
+// while holding a.mu.
+//
+// The method parses `tokenBytes`, applies the ident-map, and returns
+// the SQL user that this JWT is allowed to act as. On success the
+// returned username is either `user` (when it matches a token
+// principal) or the single mapped identity. on failure it returns an
+// error context'd with "JWT authentication:".
 func (authenticator *jwtAuthenticator) RetrieveIdentity(
-	ctx context.Context, user username.SQLUsername, tokenBytes []byte, identMap *identmap.Conf,
+	ctx context.Context,
+	st *cluster.Settings,
+	user username.SQLUsername,
+	tokenBytes []byte,
+	identMap *identmap.Conf,
 ) (retrievedUser username.SQLUsername, authError error) {
+	authenticator.reloadConfig(ctx, st)
+	authenticator.mu.Lock()
+	defer authenticator.mu.Unlock()
+	return authenticator.retrieveIdentityLocked(user, tokenBytes, identMap)
+}
+
+// retrieveIdentityLocked contains the core principal-to-user mapping
+// logic. The caller must already hold a.mu; this helper therefore
+// performs no locking or config reloads and must never call anything
+// that would reacquire the same mutex.
+func (authenticator *jwtAuthenticator) retrieveIdentityLocked(
+	user username.SQLUsername, tokenBytes []byte, identMap *identmap.Conf,
+) (retrievedUser username.SQLUsername, authError error) {
+	if !authenticator.mu.conf.enabled {
+		return user, errors.New("JWT authentication: not enabled")
+	}
 	unverifiedToken, err := jwt.ParseInsecure(tokenBytes)
 	if err != nil {
 		return user, errors.WithDetailf(
@@ -299,6 +329,7 @@ func (authenticator *jwtAuthenticator) RetrieveIdentity(
 			break
 		}
 	}
+
 	if !principalMatch {
 		// If the username is not provided, and we match it to a single user,
 		// then use that user identity.
@@ -308,11 +339,78 @@ func (authenticator *jwtAuthenticator) RetrieveIdentity(
 		return user, errors.WithDetailf(
 			errors.Newf("JWT authentication: invalid principal"),
 			"token issued for %s and login was for %s", tokenPrincipals, user.Normalized())
+
 	}
 
 	return user, nil
 }
 
+// VerifyAndExtractIssuer checks a JWT’s JWS signature with the configured
+// key set and confirms the `iss` claim matches a configured issuer.
+//
+// It is called from the provisioning path in authJwtToken, AFTER
+// RetrieveIdentity has set the replacement identity. Audience, expiry and
+// other claim checks happen later in Authenticate(); this helper should not
+// modify state.
+//
+// Like ValidateJWTLogin, it returns two error values:
+//
+//	issuer       – the verified `iss` claim to build "jwt_token:<issuer>"
+//	detailedErr  – redactable detail for LogAuthFailed
+//	authErr      – high-level error shown to the client
+func (a *jwtAuthenticator) VerifyAndExtractIssuer(
+	ctx context.Context, st *cluster.Settings, tokenBytes []byte,
+) (issuer string, detailedErr redact.RedactableString, authErr error) {
+	a.reloadConfig(ctx, st)
+	a.mu.Lock()
+	defer a.mu.Unlock()
+
+	if !a.mu.conf.enabled {
+		return "", "", errors.New("JWT authentication: not enabled")
+	}
+
+	// Parse token without verifying signature to pull out issuer & key id.
+	unverified, err := jwt.ParseInsecure(tokenBytes)
+	if err != nil {
+		return "", redact.Sprintf("JWT authentication: invalid token format: %v", err),
+			errors.New("JWT authentication: invalid token")
+	}
+
+	issuer = unverified.Issuer()
+	if err := a.mu.conf.issuersConf.checkIssuerConfigured(issuer); err != nil {
+		return "", "", errors.WithDetail(
+			errors.New("JWT authentication: invalid issuer"),
+			fmt.Sprintf("token issued by %s", issuer),
+		)
+	}
+
+	// Fetch the JWKS (auto-fetch or static) for that issuer.
+	var set jwk.Set
+	if a.mu.conf.jwksAutoFetchEnabled {
+		set, err = a.remoteFetchJWKS(ctx, issuer)
+		if err != nil {
+			return "", redact.Sprintf("JWT authentication: unable to fetch jwks: %v", err),
+				errors.New("JWT authentication: unable to validate token")
+		}
+	} else {
+		set = a.mu.conf.jwks
+	}
+
+	// JWS verification
+	if _, err := jwt.Parse(
+		tokenBytes,
+		jwt.WithKeySet(set, jws.WithInferAlgorithmFromKey(true)),
+		jwt.WithValidate(false),
+	); err != nil {
+		return "", "", errors.WithDetailf(
+			errors.New("JWT authentication: invalid token"),
+			"unable to parse token: %v", err,
+		)
+	}
+
+	return issuer, "", nil
+}
+
 // remoteFetchJWKS fetches the JWKS URI from the provided issuer URL.
 func (authenticator *jwtAuthenticator) remoteFetchJWKS(
 	ctx context.Context, issuerURL string,

pkg/ccl/jwtauthccl/authentication_jwt_test.go

@@ -498,14 +498,14 @@ func TestSingleClaim(t *testing.T) {
 	require.ErrorContains(t, err, "JWT authentication: invalid principal")
 
 	// Validation is successful for a token with a matched principal.
-	retrievedUser, err := verifier.RetrieveIdentity(ctx, username.MakeSQLUsernameFromPreNormalizedString(username1), token, identMap)
+	retrievedUser, err := verifier.RetrieveIdentity(ctx, s.ClusterSettings(), username.MakeSQLUsernameFromPreNormalizedString(username1), token, identMap)
 	require.NoError(t, err)
 	require.Equal(t, username.MakeSQLUsernameFromPreNormalizedString(username1), retrievedUser)
 	_, err = verifier.ValidateJWTLogin(ctx, s.ClusterSettings(), username.MakeSQLUsernameFromPreNormalizedString(username1), token, identMap)
 	require.NoError(t, err)
 
 	// Validation is successful for a token without a username provided, as a single principal is matched.
-	retrievedUser, err = verifier.RetrieveIdentity(ctx, username.MakeSQLUsernameFromPreNormalizedString(""), token, identMap)
+	retrievedUser, err = verifier.RetrieveIdentity(ctx, s.ClusterSettings(), username.MakeSQLUsernameFromPreNormalizedString(""), token, identMap)
 	require.NoError(t, err)
 	require.Equal(t, username.MakeSQLUsernameFromPreNormalizedString(username1), retrievedUser)
 	_, err = verifier.ValidateJWTLogin(ctx, s.ClusterSettings(), username.MakeSQLUsernameFromPreNormalizedString(""), token, identMap)
@@ -539,21 +539,21 @@ func TestMultipleClaim(t *testing.T) {
 	require.ErrorContains(t, err, "JWT authentication: invalid principal")
 
 	// Validation is successful for a token with a matched principal - test1.
-	retrievedUser, err := verifier.RetrieveIdentity(ctx, username.MakeSQLUsernameFromPreNormalizedString(username1), token, identMap)
+	retrievedUser, err := verifier.RetrieveIdentity(ctx, s.ClusterSettings(), username.MakeSQLUsernameFromPreNormalizedString(username1), token, identMap)
 	require.NoError(t, err)
 	require.Equal(t, username.MakeSQLUsernameFromPreNormalizedString(username1), retrievedUser)
 	_, err = verifier.ValidateJWTLogin(ctx, s.ClusterSettings(), username.MakeSQLUsernameFromPreNormalizedString(username1), token, identMap)
 	require.NoError(t, err)
 
 	// Validation is successful for a token with a matched principal - test2.
-	retrievedUser, err = verifier.RetrieveIdentity(ctx, username.MakeSQLUsernameFromPreNormalizedString(username2), token, identMap)
+	retrievedUser, err = verifier.RetrieveIdentity(ctx, s.ClusterSettings(), username.MakeSQLUsernameFromPreNormalizedString(username2), token, identMap)
 	require.NoError(t, err)
 	require.Equal(t, username.MakeSQLUsernameFromPreNormalizedString(username2), retrievedUser)
 	_, err = verifier.ValidateJWTLogin(ctx, s.ClusterSettings(), username.MakeSQLUsernameFromPreNormalizedString(username2), token, identMap)
 	require.NoError(t, err)
 
 	// Validation fails for a token without a username provided, as multiple principals are matched.
-	_, err = verifier.RetrieveIdentity(ctx, username.MakeSQLUsernameFromPreNormalizedString(""), token, identMap)
+	_, err = verifier.RetrieveIdentity(ctx, s.ClusterSettings(), username.MakeSQLUsernameFromPreNormalizedString(""), token, identMap)
 	require.ErrorContains(t, err, "JWT authentication: invalid principal")
 	_, err = verifier.ValidateJWTLogin(ctx, s.ClusterSettings(), username.MakeSQLUsernameFromPreNormalizedString(""), token, identMap)
 	require.ErrorContains(t, err, "JWT authentication: invalid principal")
@@ -1166,3 +1166,43 @@ func TestJWTAuthWithIssuerJWKSConfAutoFetchJWKS(t *testing.T) {
 		})
 	}
 }
+
+func TestVerifyAndExtractIssuer(t *testing.T) {
+	defer leaktest.AfterTest(t)()
+	defer log.Scope(t).Close(t)
+
+	ctx := context.Background()
+	s := serverutils.StartServerOnly(t, base.TestServerArgs{})
+	defer s.Stopper().Stop(ctx)
+
+	// Enable JWT and configure a single issuer.
+	JWTAuthEnabled.Override(ctx, &s.ClusterSettings().SV, true)
+	JWTAuthIssuersConfig.Override(ctx, &s.ClusterSettings().SV, issuer1)
+
+	// Create signing material.
+	keySet, key, _ := createJWKS(t)
+	token := createJWT(t, username1, audience1, issuer1, timeutil.Now().Add(time.Hour), key, jwa.RS256, "", "")
+	JWTAuthJWKS.Override(ctx, &s.ClusterSettings().SV, serializePublicKeySet(t, keySet))
+
+	verifier := ConfigureJWTAuth(ctx, s.AmbientCtx(), s.ClusterSettings(), s.StorageClusterID())
+
+	// Succeeds with correct issuer & signature.
+	iss, detail, err := verifier.VerifyAndExtractIssuer(ctx, s.ClusterSettings(), token)
+	require.NoError(t, err)
+	require.Empty(t, detail)
+	require.Equal(t, issuer1, iss)
+
+	// Fails on wrong issuer.
+	badIssuerToken := createJWT(t, username1, audience1, issuer2, timeutil.Now().Add(time.Hour), key, jwa.RS256, "", "")
+	_, detail, err = verifier.VerifyAndExtractIssuer(ctx, s.ClusterSettings(), badIssuerToken)
+	require.ErrorContains(t, err, "JWT authentication: invalid issuer")
+	require.Contains(t, errors.FlattenDetails(err), "token issued by issuer2")
+	require.Empty(t, detail)
+
+	// Fails on bad signature (different key).
+	_, _, otherKey := createJWKS(t)
+	badSigToken := createJWT(t, username1, audience1, issuer1, timeutil.Now().Add(time.Hour), otherKey, jwa.ES384, "", "")
+	_, detail, err = verifier.VerifyAndExtractIssuer(ctx, s.ClusterSettings(), badSigToken)
+	require.ErrorContains(t, err, "JWT authentication: invalid token")
+	require.Empty(t, detail)
+}

pkg/ccl/logictestccl/testdata/logic_test/provisioning

@@ -4,7 +4,7 @@
 statement error role "root" cannot have a PROVISIONSRC
 ALTER ROLE root PROVISIONSRC 'ldap:ldap.example.com'
 
-statement error pq: PROVISIONSRC "ldap.example.com" was not prefixed with any valid auth methods \["ldap"\]
+statement error pq: PROVISIONSRC "ldap.example.com" was not prefixed with any valid auth methods \["ldap" "jwt_token"\]
 CREATE ROLE role_with_provisioning PROVISIONSRC 'ldap.example.com'
 
 statement error pq: conflicting role options