Keycloak OIDC: Add field for client credential-based user/group search

[rak-phillip]

SURE-10538

Add an option to the Keycloak OIDC auth provider that allows for toggling client-based authentication for searches.

Proposed solution

Expose the new boolean field to toggle client-based authentication for searches (see https://github.com/rancher/rancher/blob/main/pkg/apis/management.cattle.io/v3/authn_types.go#L739) in the Keycloak OIDC Auth Provider configuration form.

Acceptance criteria

• The Keycloak OIDC configuration form includes the new toggle with the description: "Use the OIDC Client Credentials to authenticate to Keycloak when searching for users or groups. This will bypass user-based RBAC within the realm."
• The field is not shown on other OIDC provider forms
• The field value is saved to and read from the correct API field
• Help text or a hint informs operators that the Keycloak client must have appropriate service account permissions for this to work
• Unit tests cover the field's presence on the Keycloak form and absence on other OIDC forms

Additional details

The backend now supports authenticating these searches using OIDC client credentials instead, bypassing user-based RBAC within the realm.

[github-actions]

🤖 Issue grooming analysis

This issue is well-groomed and ready for triage. Here is a summary of the analysis:

• ✅ Clear Problem Statement: The issue clearly describes the need to expose a new Keycloak OIDC API field as a toggle in the auth provider configuration form, including context on why it matters (bypassing user-based RBAC for searches within the Keycloak realm).
• ✅ Acceptance Criteria: Five concrete, testable criteria are provided — toggle visibility scoped to Keycloak OIDC form only, accurate descriptive text, correct API field persistence, appropriate help text for service account permissions, and unit test coverage.
• ✅ Technical Details: References the exact backend API field location in rancher/rancher, specifies form context, and describes the toggle's expected behavior and security implications.
• ✅ Reproducibility (Feature): Clear user story — an operator enables the toggle on the Keycloak OIDC form so that user/group searches authenticate via OIDC client credentials rather than user-based RBAC.

This analysis was generated automatically based on the repository's grooming checklist.

Generated by Daily Issue Grooming · ◷