Automatically create a teleport user when using OIDC #624
Comments
I think we are going to address this problem in the context of #620 - check out its comments for details on how we are going to provide mapping from OIDC claims to Teleport roles. In some cases there's no need to have a local user entry, and I think your use case is very similar. Let me know if the proposed design doc fits your use case.
It certainly does. Is there some estimate for this task? Are you already working on it? Is there some WIP I can take a look at? Thanks!
+1 wish I had this.. Not sure how to use SSO and not have to create a bunch of one-time Google Authenticator authentications...
Closing this because it's a part of the ongoing RBAC work.
It would be nice if you are not forced to create a Teleport user when using OIDC.
i.e. If the provider verifies the user correctly, then you should be able to log into Teleport.
This way you can manage users completely from the provider without having to re-create each provider user in Teleport.
My first attempt to accomplish this is to create the user in Teleport if it's not found using a new configuration field on OIDC configuration (allowed_login).
A user created in this way should not need a password nor a Google Authenticator token.
master...tehsis:odic-automatic-user-creation
Thoughts?