Add JWT and OIDC role sync to v25.4 GA feature highlights (#21213)

mikeCRL · web-flow · commit 85fac5e52802 · 2025-11-20T09:55:05.000-05:00
diff --git a/src/current/_includes/releases/v25.4/v25.4.0.md b/src/current/_includes/releases/v25.4/v25.4.0.md
@@ -7,6 +7,7 @@ With the release of CockroachDB v25.4, we've added new capabilities to help you
 For a summary of the most significant changes, refer to [Feature Highlights](#v25-4-0-feature-highlights), which contains the following categories:
 
   - [SQL](#v25-4-0-sql)
+  - [Security](#v25-4-0-security)
   - [Observability](#v25-4-0-observability)
   - [CockroachDB Cloud](#v25-4-0-cloud)
 
@@ -87,6 +88,52 @@ This section summarizes the most significant user-facing changes in v25.4.0 and
  </tbody>
 </table>
 
+<h4 id="v25-4-0-security">Security</h4>
+
+<table>
+ <thead>
+  <tr>
+   <th class="center-align" colspan="1" rowspan="2">Feature</th>
+   <th class="center-align" colspan="5" rowspan="1">Availability</th>
+  </tr>
+  <tr>
+    <th colspan="1" rowspan="1">Ver.</th>
+    <th colspan="1" rowspan="1" style="white-space: nowrap;">Self-hosted</th>
+    <th colspan="1" rowspan="1">Advanced</th>
+    <th colspan="1" rowspan="1">Standard</th>
+    <th colspan="1" rowspan="1">Basic</th>
+  </tr>
+ </thead>
+ <tbody>
+  <tr>
+   <td>
+    <p class="feature-summary">Automatic Role Synchronization with JWT and OIDC Authentication (Preview)</p>
+    <p class="feature-description">
+      CockroachDB now automatically synchronizes user role memberships based on group claims from your identity provider (IdP), eliminating manual role management for SSO users. When users authenticate via OIDC for DB Console or JWT for SQL clients, CockroachDB automatically grants roles that match their IdP groups and revokes roles that no longer apply.
+    </p>
+    <p class="feature-description">
+      Additionally, JWT authentication now supports automatic user provisioning, creating SQL users on their first login without requiring pre-configuration. This streamlines onboarding for organizations managing users through external identity providers like Okta, Google, Azure AD, or Keycloak.
+    </p>
+    <p class="feature-description">Key capabilities:</p>
+    <ul class="feature-description" style="font-size: 16px;">
+      <li>OIDC Authorization (DB Console): Automatically sync roles from ID tokens, access tokens, or userinfo endpoints</li>
+      <li>JWT Authorization (SQL clients): Automatically sync roles from JWT group claims or userinfo endpoints</li>
+      <li>JWT User Provisioning: Auto-create SQL users on first authentication with proper audit tagging</li>
+      <li>Security-first design: Empty group lists block login; role changes apply on every authentication</li>
+    </ul>
+    <p class="feature-description">
+      This feature works with both CockroachDB Cloud Advanced and self-hosted clusters, supporting LDAP, OIDC, and JWT authentication methods.
+    </p>
+   </td>
+   <td>25.4</td>
+   <td class="icon-center">{% include icon-yes.html %}</td>
+   <td class="icon-center">{% include icon-yes.html %}</td>
+   <td class="icon-center">{% include icon-no.html %}</td>
+   <td class="icon-center">{% include icon-no.html %}</td>
+  </tr>
+ </tbody>
+</table>
+
 <h4 id="v25-4-0-observability">Observability</h4>
 
 <table>
