Refactor auth service; add OIDC auto-provisioning

Split the monolithic unified auth module into submodules (unified::types, audit, bearer, password, mod). Introduces provider-aware bearer logic: deterministic provider username composition, provider user resolution/auto-provisioning, and provider-based user-id hashing. Add JWT claim mapping for preferred_username, and propagate a new config flag (auth.auto_create_users_from_provider) through jwt_config/init_auth_config with a default (false). Remove the old unified.rs and wire the new modules into authentication flow. Misc: add docs (security, datatypes), Keycloak realm file, and update docker-compose and server.toml and related config defaults/overrides to reflect the new settings.

Author: jamals86

Cargo.lock

@@ -1284,6 +1284,17 @@ come uop with a better and shorter one without causing issues in the future
 
 188) Instead of notify all followers remember where the user is connected to through the livequerymanager and forward the notification to that exact node only
 
+189) pub fn parse_basic_auth_header(auth_header: &str) -> AuthResult<(String, String)> should return UserId instead of String for the username
+also:     Credentials { username: String, password: String },
+async fn authenticate_credentials(
+    username: &str,
+
+
+190) when auto create user use the userid generation like the rest in the code
+
+191) /// TODO: This will hurt the sharding distribution of provider users, i prefer adding the provider code as a prefix to the username instead of suffixing it, but we can revisit this if it becomes an issue.
+pub(crate) fn compose_provider_username(issuer: &str, subject: &str) -> UserName
+
 
 
 

Notes.md

@@ -44,7 +44,8 @@ pub struct JwtClaims {
     pub exp: usize,
     /// Issued at (Unix timestamp)
     pub iat: usize,
-    /// Username (custom claim)
+    /// Username (custom claim). Also maps provider claim `preferred_username`.
+    #[serde(alias = "preferred_username")]
     pub username: Option<UserName>,
     /// Email (custom claim)
     pub email: Option<String>,

backend/crates/kalamdb-auth/src/providers/jwt_auth.rs

@@ -10,6 +10,7 @@ use once_cell::sync::OnceCell;
 pub struct JwtConfig {
     pub secret: String,
     pub trusted_issuers: Vec<String>,
+    pub auto_create_users_from_provider: bool,
 }
 
 static JWT_CONFIG: OnceCell<JwtConfig> = OnceCell::new();
@@ -18,10 +19,15 @@ static JWT_CONFIG: OnceCell<JwtConfig> = OnceCell::new();
 ///
 /// This should be called once at startup after loading server.toml and applying
 /// environment overrides. If not called, defaults are used.
-pub fn init_jwt_config(secret: &str, trusted_issuers: &str) {
+pub fn init_jwt_config(
+    secret: &str,
+    trusted_issuers: &str,
+    auto_create_users_from_provider: bool,
+) {
     let config = JwtConfig {
         secret: secret.to_string(),
         trusted_issuers: parse_trusted_issuers(trusted_issuers),
+        auto_create_users_from_provider,
     };
     let _ = JWT_CONFIG.set(config);
 }
@@ -32,6 +38,8 @@ pub fn get_jwt_config() -> &'static JwtConfig {
         trusted_issuers: parse_trusted_issuers(
             &kalamdb_configs::defaults::default_auth_jwt_trusted_issuers(),
         ),
+        auto_create_users_from_provider:
+            kalamdb_configs::defaults::default_auth_auto_create_users_from_provider(),
     })
 }