EPIC Goal

What are we trying to solve here?

Currently, RHDH allows the configuration of auth providers without forcing the need to have catalog entities for users and groups. This is not a prod-ready configuration

Background/Feature Origin

Auth provider investigation revealed that many of our providers default to allowing sign-in without a pre-existing User/Group entity. The recommendation is to remove

SignInWithCatalogUserOptional

but in order to not break customers, allow it to work with development configs by default. If users switch to Prod, they will see an error

Why is this important?

This is a problem for prod ready deployments since identities need to exist and originate from a trusted source (the IdP) in order for security controls such as RBAC and Audit logging to be effective.

User Scenarios

• By default, RHDH will work the same way as long as config is designated as "development"
• Users will encounter an error if production config is used

Dependencies (internal and external)

• There may be some upstream changes. Need to investigate

Acceptance Criteria

• Test changes
• Update error message so it's informative enough to fix i.e. "deployment failed because users/groups need to be ingested"
• Documentation

Release Enablement/Demo - Provide necessary release enablement details
and documents

DEV - Upstream code and tests merged: <link to meaningful PR or GitHub
Issue>

DEV - Upstream documentation merged: <link to meaningful PR or GitHub
Issue>

DEV - Downstream build attached to advisory: <link to errata>

QE - Test plans in Playwright: <link or reference to playwright>

QE - Automated tests merged: <link or reference to automated tests>

DOC - Downstream documentation merged: <link to meaningful PR>